Quote:
Originally Posted by pathological
But yes, it does go from Internet > Modem > Firewall (Hardware) > *.*.2.* Network. We have 2 outs from the firewall; the other one goes into another 2 network switches (Replication) ... We get blasted with viruses like nobody's business, well, we are BETTER now that we have some new firewall policies in place ... statistics are more important, that is what my bosses care about when they sign off on buying this stuff.
Well, OpenBSD is free, so that price is always a winner in my book! As for hardware, this is of course dependent on the number of packets / size of the pipe you've got connected. An old Pentium box will handle T1 speeds with relative ease. After you've read up on the basics of OpenBSD and pf, check out CARP - this allows you to have redundant OpenBSD firewalls which fail over in the event of a problem, and it is very configurable.
From what you described above, it sounds like you're trying to achieve redundancy through a partial mesh... it is worth remembering that the "hardware firewall", modem and link to the ISP are all single points of failure which could make all your other efforts moot. BTW, what is this other hardware firewall? The diagram below shows how you might get OpenBSD/pf/CARP in place... but it also shows your single points of failure!
Also, what measures are you taking to inspect traffic for malicious types? Are you running some form of mail/web inspection (MAILSweeper/WEBSweeper or maybe squid/postfix with clamav?)
Nick
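As an added illustration of the CARP setup Nick recommends (this is example material, not part of the original post or of OpenBSD's own documentation), the script below writes the configuration fragments a two-node OpenBSD/pf firewall pair needs: a shared virtual gateway address on the inside interface, a pfsync link so the backup already holds the state table when it takes over, and the pf rules that let CARP and pfsync traffic through. The interface names (em0 outside, em1 inside, em2 pfsync crossover), the 192.168.2.0/24 inside network, the vhid and the CHANGE_ME password are all constructed assumptions for the example; the file names match what OpenBSD reads at boot, so the fragments are meant to be copied into /etc after review.

```shell
#!/bin/sh
# Added example: generate OpenBSD CARP/pfsync configuration fragments for a
# primary/backup firewall pair. Assumptions (constructed for this example):
#   em0 = outside, em1 = inside, em2 = dedicated pfsync crossover cable,
#   shared inside gateway (the CARP virtual IP) = 192.168.2.1, vhid 1.
# Usage: sh carp-fragments.sh master|backup [outdir]

carp_fragments() {
    role="$1"
    outdir="${2:-./carp-$role}"
    case "$role" in
        master) skew=0   ;;   # lowest advskew wins the CARP election
        backup) skew=100 ;;   # higher advskew only takes over if the master stops advertising
        *) echo "role must be master or backup" >&2; return 1 ;;
    esac
    mkdir -p "$outdir" || return 1

    # Virtual IP on the inside interface. Both nodes use the same vhid and
    # password; only advskew differs, which is what decides who is master.
    printf 'inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 1 carpdev em1 pass CHANGE_ME advskew %s\n' \
        "$skew" > "$outdir/hostname.carp1"

    # pfsync pushes state-table updates over the crossover link so that an
    # established session survives a failover instead of being reset.
    printf 'up syncdev em2\n' > "$outdir/hostname.pfsync0"

    # preempt lets the master reclaim the VIP once it is healthy again.
    printf 'net.inet.carp.preempt=1\n' > "$outdir/sysctl.conf"

    # Minimal pf rules: default deny, then explicitly allow CARP announcements on
    # the firewall interfaces and pfsync on the crossover, then the inside traffic.
    cat > "$outdir/pf.conf" <<'EOF'
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
set skip on lo
block log all
pass quick on $sync_if proto pfsync
pass on { $int_if, $ext_if } proto carp
pass out on $ext_if inet from $int_if:network to any
pass in  on $int_if inet from $int_if:network to any
EOF
    echo "$outdir"
}

# Read back the advskew a generated fragment carries (used to confirm the
# master really has the lower value than the backup before deploying).
carp_skew() {
    sed -n 's/.*advskew \([0-9][0-9]*\).*/\1/p' "$1/hostname.carp1"
}

# Only run when invoked with a role argument, so the functions can be sourced.
if [ -n "${1:-}" ]; then
    carp_fragments "$@"
fi
```

Run it once per node (`sh carp-fragments.sh master` on one box, `backup` on the other), compare the advskew values with carp_skew before copying the files into /etc, and remember that pfsync and the CARP password should only ever travel over the dedicated crossover link, never over the inside or outside segments.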