This story was printed from ZDNet Australia.
Linux firewalls from old PCs
By Jason Hiner MCSE, CCNA, TechRepublic
July 03, 2002
URL: http://www.zdnet.com.au/insight/soa/Linux-firewalls-from-old-PCs/0,139023731,120266386,00.htm
If your company is like most, you probably have a PC graveyard filled with old systems that are too slow to run the latest versions of Windows. However, before you ship those systems off to technology recycling centres or give them away to employees, you should consider one possible way to reuse them: Turn them into Linux firewalls.
Many of these old PCs can easily run Linux, which requires fewer system resources than Windows. With a few hardware modifications, they can be turned into solid, reliable firewalls. These firewalls can be used to segment certain departments (such as accounting) from the rest of the network, or they can be used in remote offices and/or for telecommuters. Small businesses may even find that a Linux firewall can serve them well as their primary means of sharing Internet access and staying protected from Internet attackers.
Hardware considerations
Although you can run a Linux firewall on an old 386-SX, I wouldn't recommend it if you're going to use the firewall in any kind of business-critical environment. Instead, I would suggest that you adhere to the hardware recommendations in Table A.
Linux firewall: Recommended hardware requirements
Many people will argue that you can get away with less than even these minuscule hardware requirements, but I think this is a good starting point to be able to load a recent Linux distribution, build a basic firewall, and have the firewall be able to handle a decent load of network traffic.
Firewall decision: iptables or ipchains?
Once you have your hardware situation under control and you've installed your preferred Linux distribution (I recommend Red Hat or SuSE), you need to decide which firewall software package to use: iptables or ipchains. The one case where you want to consider using ipchains is when you or one of your fellow IT staff members has extensive experience with it. You can still build a good firewall with ipchains, and there are plenty of ipchains firewalls out there that are still doing their job to prove it. In fact, a recent NetAdmin poll (Figure A) indicated that at this point, there are still more firewalls running ipchains than its younger cousin, iptables.
If you know ipchains well, it doesn't take much to learn the differences in iptables. And once you learn iptables, you can take advantage of the additional functionality it offers. It also often takes fewer lines of code to accomplish certain tasks with iptables than it does with ipchains, which can save you some time.
Simplify the task
Whether you build your firewall with iptables or ipchains, a number of free utilities can aid you in the process of creating and managing your firewall. My favorite Linux firewall tool is Firestarter, an X Windows application with a nice, simple interface. It includes a firewall creation wizard that builds a firewall script for you. While most admins choose not to load X Windows on a Linux firewall machine, you can always run the Firestarter wizard on a test machine and then transfer the firewall script it creates to your production firewall.
Final word
Getting rid of old PCs can be a challenge, in and of itself. But don't discard those old systems yet. Because Linux typically does not require as much computing power as Windows, you may find that you can lengthen the life of some of your PCs by loading Linux on them and building basic firewalls.
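As an added example (not part of the original article and not Firestarter output), here is a hand-written version of the kind of basic iptables gateway script discussed above: it shares Internet access for a LAN and drops unsolicited inbound traffic. The interface names eth0 and eth1, the subnet 192.168.1.0/24, LAN-only SSH, and the helper name gen_ruleset are assumptions; the connection-tracking rules are the iptables feature that ipchains, a stateless filter, lacked.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for a two-NIC gateway.
# Assumed values (not from the article): WAN eth0, LAN eth1, 192.168.1.0/24.

gen_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"
    # Refuse missing arguments or one interface used for both sides.
    if [ -z "$wan" ] || [ -z "$lan" ] || [ -z "$lan_net" ] || [ "$wan" = "$lan" ]; then
        echo "usage: gen_ruleset WAN_IF LAN_IF LAN_CIDR (interfaces must differ)" >&2
        return 1
    fi
    cat <<EOF
# Share the single WAN address with the LAN.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
# Default-deny for traffic to and through the firewall.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# One stateful rule admits replies to connections already allowed out.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Administration (SSH) and ping only from the LAN side.
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections may only start on the LAN and leave via the WAN.
-A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
# Log unsolicited WAN traffic before the DROP policy discards it.
-A FORWARD -i $wan -j LOG --log-prefix "fw-drop-fwd: "
COMMIT
EOF
}

# Print the ruleset for the assumed layout. To load it on the firewall (as root):
#   gen_ruleset eth0 eth1 192.168.1.0/24 | iptables-restore
#   sysctl -w net.ipv4.ip_forward=1
gen_ruleset eth0 eth1 192.168.1.0/24
```

Generating the file on a test machine and reviewing it before copying it to the production firewall matches the workflow the article suggests for wizard-built scripts.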