Re: I have $300


Re: I have $300

Bob Ababurko-3
Graham Toal wrote:

>Depends if you're saying "embedded" because you need the form factor,
>or just to keep the price low.  If the latter, you can get some
>good deals on desktops if you look around.
>
>I bought a nice Dell server for about $240 last year, leaving change
>for a couple of extra ether cards.  1Gb cards are dirt cheap nowadays;
>I got both of mine for about $30 at one of those weekend sales
>from CompUSA and Office Max (very surprised about the latter).  Both
>were on one-per-customer mail-in rebates...
>
>So I got an OpenBSD firewall/spamfilter *and* a server I could use
>for backing up my PC out of the deal...  (Disk drive was 250Gb SATA
>which was effectively free because I'd had one die on me earlier in
>the year which I'd already replaced, then for this server I sent
>the dead one back to Maxtor who replaced it for free with a new one)
>
>The server was on the Dell "small business" program.  Quite often near
>the end of a quarter they'll dump stuff at or below cost just to bump
>up their numbers for their quarterly report.  Obviously you need
>patience to wait for one of these - they don't happen every day :-)
>
>(Slightly related; I picked up a 200Gb Maxtor IDE drive in the
>Black Friday sales for $30.  It'll sit waiting for the next
>project.  Finally in rebellion for thirty years of paying through
>the nose for bleeding-edge early adopter prices, I've decided that
>from now on I'll only buy loss-leader sale items as much as
>I possibly can :-)  )
>
>
>Graham
>
>
>  
>
The biggest reason I was choosing to go embedded is that I wanted a
system that did not have moving parts.  This was to hopefully extend the
life of the machine and increase uptime by eliminating the hard drives
and power supplies with moving parts.  I am not paying for power so I
can say that I am not concerned about consumption at this point.  This
is only due to the fact that $ is finite at the present time and cannot
weigh heavily on the list of importance.

The alternative is to use a dual P3 that we have but I am still
interested in optimum availability.  Do I implement RAID 1 with two
drives.....OR does this create more problems than it is worth by
introducing more parts to fail (two drives)?  Do I implement a Flash card
reader and install OpenBSD/pf on a compact flash drive?  I am not sure
where I should be drawing the line...I mean do I pay attention to drive
redundancy or power redundancy....or even actual firewall redundancy?

What is the most bang for the buck in terms of availability short of a
hot standby firewall configuration?


Re: I have $300

Sean Comeau-2
On Mon, Nov 28, 2005 at 02:29:21PM -0500, Bob Ababurko wrote:

> The alternative is to use a dual P3 that we have but I am still
> interested in optimum availability.  Do I implement RAID 1 with two
> drives.....OR does this create more problems than it is worth by
> introducing more parts to fail (two drives)?  Do I implement a Flash card
> reader and install OpenBSD/pf on a compact flash drive?  I am not sure
> where I should be drawing the line...I mean do I pay attention to drive
> redundancy or power redundancy....or even actual firewall redundancy?
>
> What is the most bang for the buck in terms of availability short of a
> hot standby firewall configuration?
>

try these:

http://www.commell-sys.com/News/COMMELL_20040610_EMB564.htm

Buy two of them. They cost about $300 a piece. The 256MB of ram and 4 NICs
they have onboard is sufficient. The 512MB CF disks are $80 each. $800 for
a fully fault tolerant firewall setup is about as cheap as you're going to
get unless you're willing to go rob somewhere or you want to use old hand-
me-down machines.

If you have two independent power sources in your datacenter you could
plug one firewall into each so you're safe from the odd power maintenance
outage.


Re: I have $300

Joachim Schipper
In reply to this post by Bob Ababurko-3
On Mon, Nov 28, 2005 at 02:29:21PM -0500, Bob Ababurko wrote:

> ... I wanted a
> system that did not have moving parts.  This was to hopefully extend the
> life of the machine and increase uptime by eliminating the hard drives
> and power supplies with moving parts.  I am not paying for power so I
> can say that I am not concerned about consumption at this point.  This
> is only due to the fact that $ is finite at the present time and cannot
> weigh heavily on the list of importance.
>
> The alternative is to use a dual P3 that we have but I am still
> interested in optimum availability.  Do I implement RAID 1 with two
> drives.....OR does this create more problems than it is worth by
> introducing more parts to fail (two drives)?  Do I implement a Flash card
> reader and install OpenBSD/pf on a compact flash drive?  I am not sure
> where I should be drawing the line...I mean do I pay attention to drive
> redundancy or power redundancy....or even actual firewall redundancy?
>
> What is the most bang for the buck in terms of availability short of a
> hot standby firewall configuration?

There are a couple of other options, depending on your space, and what
kind of server you are running.

RAID is cool, and not all that difficult. One thing to keep in mind is
that a failing drive is likely to take the whole IDE bus it's connected
to with it - usually it just confuses it, but there are tales of dying
drives frying the connected controller and any other drives connected to
the controller.

However, if you keep that in mind, I've personally had little or no
trouble with RAID, and it has saved my backside at least once (very,
very old disk I was testing in a rather old machine - I put it in for a
little extra capacity, but, luckily, was smart enough not to trust it).

Also, depending on what you want to do with the machine, hot standby is
likely to be a good plan. ;-)

OpenBSD can do failover firewalls very well. If you have a server with
data that does not change too often, rsync is likely able to keep up and
you can cobble a couple of simple scripts together to do failover.

If, on the other hand, we are talking something as highly variable as a
mailserver, well... keeping the data synchronized will be rather
difficult.

                Joachim


Re: I have $300

beck-7
In reply to this post by Bob Ababurko-3
        Actually, when I am in a position to use carp and pfsync
I often do not bother with embedded, unless I have power concerns.
If you want embedded buy the Commell box suggested earlier, but if
you really have no budget, don't bother with raid or other such nonsense.
go find two cheap garage-a-tronics or used i386 boxes with two NICs,
rig up carp and pfsync between them, and be done with it.

        I love raid, and use it where I have *DATA* that matters.
if it's just systems and gateways, etc, multiple cheap systems
set up with carp between them work better and cheaper than one system
with dual power supplies, raid controller, etc. etc. etc.

        -Bob


> The biggest reason I was choosing to go embedded is that I wanted a
> system that did not have moving parts.  This was to hopefully extend the
> life of the machine and increase uptime by eliminating the hard drives
> and power supplies with moving parts.  I am not paying for power so I
> can say that I am not concerned about consumption at this point.  This
> is only due to the fact that $ is finite at the present time and cannot
> weigh heavily on the list of importance.
>
> The alternative is to use a dual P3 that we have but I am still
> interested in optimum availability.  Do I implement RAID 1 with two
> drives.....OR does this create more problems than it is worth by
> introducing more parts to fail (two drives)?  Do I implement a Flash card
> reader and install OpenBSD/pf on a compact flash drive?  I am not sure
> where I should be drawing the line...I mean do I pay attention to drive
> redundancy or power redundancy....or even actual firewall redundancy?
>
> What is the most bang for the buck in terms of availability short of a
> hot standby firewall configuration?
>

--
| | |      The ASCII Fork Campaign
 \|/   against gratuitous use of threads.
  |
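
A sketch of the two-box carp and pfsync pairing suggested in the message above, added here as an example and not taken from the original post. Interface names (em0 external, em1 internal), the documentation-range addresses and the passwords are assumptions; with only two NICs per box, pfsync has to share the internal interface, and since pfsync traffic is unauthenticated, that segment must be trusted.

```conf
# Each box also keeps its own real address on em0 and em1
# (/etc/hostname.em0, /etc/hostname.em1); those files are not shown here.

# --- /etc/sysctl.conf (both boxes) ---
# Let the preferred box take master back, and fail all carp
# interfaces over together if one of them goes down.
net.inet.carp.preempt=1

# --- /etc/hostname.carp0 (shared external address) ---
# primary box:
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGE-ME-EXT
# backup box: same vhid and password, higher advskew so it loses the election:
# inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGE-ME-EXT advskew 100

# --- /etc/hostname.carp1 (shared internal gateway address) ---
# primary box:
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 2 carpdev em1 pass CHANGE-ME-INT
# backup box:
# inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 2 carpdev em1 pass CHANGE-ME-INT advskew 100

# --- /etc/hostname.pfsync0 (both boxes) ---
# State-table sync runs over the internal NIC because there is no third one.
up syncdev em1

# --- /etc/pf.conf additions (both boxes) ---
# Allow the sync and election traffic itself, and do not sync its states.
pass quick on em1 proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state (no-sync)
```

After both boxes are up, `ifconfig carp0` on each should report one MASTER and one BACKUP for the same vhid.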


Re: I have $300

Marco Peereboom
I have an anecdote when it comes to disk in a firewall.  My good old  
trusty sparc64 firewall's disk had died.  At first I didn't notice it  
because the packets kept flowing but after a while I noticed some  
strange behavior so I decided to log in to it and see what was wrong.  
Hmmm no login, *sigh* alright I'll go drag a monitor into my computer  
closet (not serial attached due to serial cable shortage at the  
time).  Ha, hundreds of failed reads and writes.

I replaced the sparc64 with my previous firewall box that had been  
collecting dust since it retired (pentium pro 200) and packets flowed  
again.  Fixed up the sparc64 with a brand-spanking-old 4G IDE disk,  
installed whatever was current and copied /etc back from backup.  The  
whole operation didn't take more than 30 mins and I had even less  
downtime.  All that I lost were logs and a very old disk (hangs on my  
wall now).

The moral of the story is that you don't need much disk for a  
firewall.  Besides you said "no moving parts", RAID by definition  
adds more moving parts of the kind that fail most often.

FWIW :-)

On Nov 29, 2005, at 7:44 AM, Bob Beck wrote:

> Actually, when I am in a position to use carp and pfsync
> I often do not bother with embedded, unless I have power concerns.
> If you want embedded buy the Commell box suggested earlier, but if
> you really have no budget, don't bother with raid or other such nonsense.
> go find two cheap garage-a-tronics or used i386 boxes with two NICs,
> rig up carp and pfsync between them, and be done with it.
>
> I love raid, and use it where I have *DATA* that matters.
> if it's just systems and gateways, etc, multiple cheap systems
> set up with carp between them work better and cheaper than one system
> with dual power supplies, raid controller, etc. etc. etc.
>
> -Bob
>
>
>> The biggest reason I was choosing to go embedded is that I wanted a
>> system that did not have moving parts.  This was to hopefully extend the
>> life of the machine and increase uptime by eliminating the hard drives
>> and power supplies with moving parts.  I am not paying for power so I
>> can say that I am not concerned about consumption at this point.  This
>> is only due to the fact that $ is finite at the present time and cannot
>> weigh heavily on the list of importance.
>>
>> The alternative is to use a dual P3 that we have but I am still
>> interested in optimum availability.  Do I implement RAID 1 with two
>> drives.....OR does this create more problems than it is worth by
>> introducing more parts to fail (two drives)?  Do I implement a Flash card
>> reader and install OpenBSD/pf on a compact flash drive?  I am not sure
>> where I should be drawing the line...I mean do I pay attention to drive
>> redundancy or power redundancy....or even actual firewall redundancy?
>>
>> What is the most bang for the buck in terms of availability short of a
>> hot standby firewall configuration?
>>
>
> --
> | | |      The ASCII Fork Campaign
>  \|/   against gratuitous use of threads.
>   |


Re: I have $300

Sean Comeau-2
In reply to this post by Sean Comeau-2
On Mon, Nov 28, 2005 at 01:17:05PM -0800, Sean Comeau wrote:
> try these:
>
> http://www.commell-sys.com/News/COMMELL_20040610_EMB564.htm
>
> Buy two of them. They cost about $300 a piece. The 256MB of ram and 4 NICs
> they have onboard is sufficient. The 512MB CF disks are $80 each. $800 for
> a fully fault tolerant firewall setup is about as cheap as you're going to

Oops sorry, these are actually more like $800 each. I got mine second hand
and didn't realize the real price. Anyway, they are STILL cool and even
2 grand for a fully fault tolerant firewall with such a tiny footprint and
no moving parts is very reasonable.


Re: I have $300

Rickie Kerndt
$537.50 here <http://www.bwi.com/prod/348333>. Picked one up a week ago
under a different brand name Jmatec vs Commell-sys.

--On Wednesday, November 30, 2005 07:24:50 -0800 Sean Comeau
<[hidden email]> wrote:

> Oops sorry, these are actually more like $800 each.


Re: I have $300

Jacob Yocom-Piatt
In reply to this post by Bob Ababurko-3
---- Original message ----

>Date: Wed, 30 Nov 2005 07:24:50 -0800
>From: Sean Comeau <[hidden email]>  
>Subject: Re: I have $300  
>To: Bob Ababurko <[hidden email]>
>Cc: OpenBSD Misc <[hidden email]>
>
>On Mon, Nov 28, 2005 at 01:17:05PM -0800, Sean Comeau wrote:
>> try these:
>>
>> http://www.commell-sys.com/News/COMMELL_20040610_EMB564.htm
>>
>> Buy two of them. They cost about $300 a piece. The 256MB of ram and 4 NICs
>> they have onboard is sufficient. The 512MB CF disks are $80 each. $800 for
>> a fully fault tolerant firewall setup is about as cheap as you're going to
>
>Oops sorry, these are actually more like $800 each. I got mine second hand
>and didn't realize the real price. Anyway, they are STILL cool and even
>2 grand for a fully fault tolerant firewall with such a tiny footprint and
>no moving parts is very reasonable.
>

i wanted to build a couple small machines on the cheap a few months ago, so i
went to http://www.mini-box.com/s.nl/sc.8/category.99/.f and got a couple VIA
EPIA 5000 boards, bought the cases i used elsewhere, and plugged a 2-port NIC
into the pci slot on board. the cases came with a riser card, making for a real
easy setup. i find working with CF cards to be irritating, so i installed IDE
drives in these machines.

i think that a quad-port NIC would fit in these, but i just didn't need 5
ethernet ports on it. my total cost of assembly per machine was about 300 USD
after shipping and all that. it ends up costing about the same as a soekris and
is significantly easier to administrate, faster, has more memory (256MB) and is
somewhat modular.

/jake


Re: I have $300

Stephan Tesch
In reply to this post by Marco Peereboom
On Tuesday, 29 November 2005 15:16 you wrote:

Hi Marco,

> The moral of the story is that you don't need much disk for a
> firewall.  Besides you said "no moving parts", RAID by definition
> adds more moving parts of the kind that fail most often.

Well, you could always do software RAID of CF-based disks ;-)

I'm outta here,
Stephan


Re: I have $300

Bob Ababurko-2
In reply to this post by Jacob Yocom-Piatt
I totally appreciate everybody's comments and I have in fact decided to
pass over the embedded solution.  We just picked up a Sun Netra T105
(440MHz, 512MB) on eBay.  It was about $135 shipped and has two onboard
NICs.  I have always liked Sun hardware and it works well with OpenBSD,
it is some of the best in quality.  Fits in one rack unit and will be
cheap to grab another to do a failover when the time comes.  I can even
dd the drive to make a disk for the new unit when I implement it.

I understand that running two cheap ones is better than running one
solid state machine.  Plus the horsepower leaves little to work with in
some of these tiny contraptions (soekris comes to mind).  Not to say that
they do not have their place, but I feel that this is the best answer.

-Bob


Re: I have $300

Sean Comeau-2
In reply to this post by Jacob Yocom-Piatt
On Wed, Nov 30, 2005 at 10:11:26AM -0600, [hidden email] wrote:
> i wanted to build a couple small machines on the cheap a few months ago, so i
> went to http://www.mini-box.com/s.nl/sc.8/category.99/.f and got a couple VIA
> EPIA 5000 boards, bought the cases i used elsewhere, and plugged a 2-port NIC
> into the pci slot on board. the cases came with a riser card, making for a real
> easy setup. i find working with CF cards to be irritating, so i installed IDE
> drives in these machines.
>

nice.

CF is kinda slow and unsuitable for doing packet captures on fast links, however
most firewalls I have deployed don't need that functionality anyway. If they ever
do I can always use a USB drive.

Speaking of CF, recently I bought a few CF drives. All of them were in the same
packages. Most work, but one does not. The working ones are "HITACHI, FLASH, 5.0"
and the troubled one is "SAMSUNG, Rev A.0". All of them work fine in Windows
or Linux.

Still trying to figure out what the problem is....


Re: I have $300

Ian-22
In reply to this post by Bob Ababurko-2
Awesome - good deal. I have a Netra X1 running openbsd and it's rock solid.

Good luck,

-Ian

On 11/30/05, Bob Ababurko <[hidden email]> wrote:

>
>
> I totally appreciate everybody's comments and I have in fact decided to
> pass over the embedded solution.  We just picked up a Sun Netra T105
> (440MHz, 512MB) on eBay.  It was about $135 shipped and has two onboard
> NICs.  I have always liked Sun hardware and it works well with OpenBSD,
> it is some of the best in quality.  Fits in one rack unit and will be
> cheap to grab another to do a failover when the time comes.  I can even
> dd the drive to make a disk for the new unit when I implement it.
>
> I understand that running two cheap ones is better than running one
> solid state machine.  Plus the horsepower leaves little to work with in
> some of these tiny contraptions (soekris comes to mind).  Not to say that
> they do not have their place, but I feel that this is the best answer.
>
> -Bob