passive firewall?

TheSovereign
Posts: 2957
Joined: Mon Apr 15, 2002 4:03 am
Location: chicago

Post by TheSovereign »

Hey guys, need a quick favor: does anyone know of a product that is a passive firewall?

Meaning it doesn't have to be the local gateway to do its job filtering.
I have a company that wishes to continue using their software filter, but they want firewall protection, and I wanna do it right, not have 2 NAT servers working on 1 connect.

Anyone know of anything?
<a href="http://www.youtube.com/watch?v=67rc96joOz8#t=0m58s">YodelRoll!</a>
<a href="http://www.halfinchbullet.com/">Goto HalfInchBullet.com!</a>
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

There's nothing wrong with "stacking" NAT routers. I do it all the time. Nowadays most of your DSL ISPs give you a modem/router and not just a bridged modem. If you need to have a router after it then you have two choices: stack the routers (which does make port forwarding a little bit more complicated - you need to forward all ports from the first to the 2nd router and then forward from the 2nd router to the specific PC) or ask the ISP how to reconfigure the modem as a "bridged" modem (disabling the modem's NAT router) so you're directly exposed on your public IP address.

While I have stacked routers, I do like to use a bridged DSL connection around here because Sprint's routers (the only DSL ISP in town) don't stealth all their ports. Any decent off-the-shelf $50 router nowadays stealths all its ports, so I'd rather have my router sitting on the public IP. Not so important maybe, but it might invite extra traffic from port scanners, which could bog down the connection.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez


Post by TheSovereign »

I guess it's the purist in me, but stacking NAT to me is very bad. I've seen some issues with SSL over NATx2,
and these are corporate connections.

Professional all the way; I don't care if the firewall costs 5k.

Post by FlyingPenguin »

Well, is there any reason you can't eliminate the existing NAT router?

Post by TheSovereign »

web filtering software lol
ZYFER
Posts: 2137
Joined: Thu Nov 07, 2002 4:10 pm
Location: Tampa Bay, Florida

Post by ZYFER »

It seems like the Penguin there has the best suggestion short of getting a whole new router which does everything you need, something I am sure the company wouldn't want to do.
When all else fails, replace the user.

Post by FlyingPenguin »

So if I understand there's web filtering software on their existing router they want to keep?

You might look into the Astaro Security Appliance. They're all supposed to be gateways (NAT routers) though, but they're sophisticated enough that you might be able to use them as a firewall only.

http://www.astaro.com/products/security_appliances

You can also download a free Linux distro of their gateway software and run it on an old PC. I haven't tried it yet but it's supposed to be good.

I honestly don't think anyone makes a straight firewall without a NAT router anymore. Part of the function of modern firewalling is to reject unsolicited incoming traffic, and there is no better way to do that than with a NAT router.
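The stacked-router port forwarding described in the first reply, and the way a NAT router drops unsolicited inbound traffic mentioned in the last one, as an added example that is not part of the original thread. It is a simplified Python model: all addresses, ports and router names are constructed, and source ports are assumed to be preserved across translation.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:  # simplified model, added for illustration (not from the thread)
    name: str
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # WAN port -> (LAN ip, LAN port)
    flows: dict = field(default_factory=dict)     # (remote ip, remote port, WAN port) -> LAN (ip, port)

    def outbound(self, src, dst):  # track a LAN-initiated flow, return the translated source
        self.flows[(dst[0], dst[1], src[1])] = src  # source port kept for simplicity
        return (self.wan_ip, src[1])

    def inbound(self, remote, dst_port):
        """LAN (ip, port) a WAN-side packet is delivered to, or None if dropped."""
        return self.flows.get((*remote, dst_port)) or self.forwards.get(dst_port)

def connect_out(chain, src, dst):  # chain is ordered outermost router first
    for router in reversed(chain):
        src = router.outbound(src, dst)
    return src

def deliver(chain, remote, dst_port):  # walk an inbound packet through the chain
    target = None
    for i, router in enumerate(chain):
        target = router.inbound(remote, dst_port)
        if target is None:
            return None  # no tracked flow, no forward rule: unsolicited, dropped
        if i + 1 < len(chain) and target[0] != chain[i + 1].wan_ip:
            return target  # forwarded to a host sitting between the routers
        dst_port = target[1]
    return target

def demo():
    # Constructed sample topology: ISP modem/router -> office router -> PC
    modem = NatRouter("isp-modem", "203.0.113.10")
    office = NatRouter("office-router", "192.168.1.2")
    chain, remote = [modem, office], ("198.51.100.7", 40000)
    results = {"no_rules": deliver(chain, remote, 443)}
    modem.forwards[443] = (office.wan_ip, 443)      # first hop only
    results["outer_only"] = deliver(chain, remote, 443)
    office.forwards[443] = ("10.0.0.50", 443)       # second hop completes the path
    results["both"] = deliver(chain, remote, 443)
    wan = connect_out(chain, ("10.0.0.60", 51000), ("198.51.100.9", 80))
    results["reply"] = deliver(chain, ("198.51.100.9", 80), wan[1])
    results["stranger"] = deliver(chain, ("198.51.100.99", 80), wan[1])
    return results

if __name__ == "__main__":
    print(demo())
```

An inbound connection reaches the PC only when both routers carry a matching forward; replies to connections opened from inside pass without any rule, and a packet from an address that was never contacted is dropped at the outer router.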