Pretty much any relatively modern PC can be used as a firewall. How powerful a machine needs to be depends on the actual requirements. If the firewall is for a home or small office/home office, then any machine up to 10 years old should be able to do the job.
There are a number of open-source, Linux-based firewalls available, each with their own list of supported hardware configurations. For this article, we will walk through the installation and configuration of the IPFire open source firewall. The IPFire hardware recommendations are as follows:
Minimum - Basic protection for a handful of devices
The minimum specifications to run IPFire are relatively modest.
| Component | Minimum |
|---|---|
| Processor | 500 MHz single-core CPU, Intel Pentium I or newer (or a supported ARM SBC) |
| Storage | SD or CF card with a minimum of 2 GB |
| Network | 2 x 100 MBit/s or better network adapters |
Remarkably, this also sounds a lot like a $35 Raspberry Pi! Add on some network adapter dongles and this can still cost less than $100.
Reasonable - Perfect for home and SOHO
The reasonable specification runs all IPFire standard features, meaning that every feature is functional for a small number of users or low to medium loads.
| Component | Reasonable |
|---|---|
| Processor | i586-compatible x86 CPU with 1 GHz or better |
| RAM | 1 GB or greater |
| Storage | 40 GB SATA drive (SSD preferable) |
| Network | At least two 1000 MBit/s Ethernet network adapters |
This sounds like an old PC. Recycling an unused PC makes for a very affordable firewall host. Just add network cards as required. Some can be found for about $15 or less.
Even if the host PC being recycled needs some extra RAM or a new hard disk, it may still be less expensive than buying a new PC.
Worst case, a new PC with these specifications is still considered an entry-level workstation, and can probably be found for under $500. (A current search found a PC with a 2.4GHz Quad Core processor, 4GB of RAM, and a 128G SSD drive starting at C$199.99. Pricing may vary!)
So, depending on the usage requirements, hardware should be a relatively inexpensive component, especially if a used donor PC can be found.
For Experimenting (or really small networks)
A Raspberry Pi model B or B+ can also be used as the firewall computer. It already has two USB ports and a network adapter.
Depending on your network topology, you probably want to invest in one or more additional network adapters. This will allow you to segment your network devices, effectively firewalling them off from one another. By doing this, you can protect higher-value devices from other higher-risk devices.
The main reason to create multiple network segments and separate devices is to protect them from one another. If one device gets hacked and infected, it can potentially infect other devices on the same network—this was how the WannaCry and Petya ransomware spread without any human intervention. By walling off the devices from one another, the firewall can act as a filter and potentially stop the spread of malware and hacking in the home or small office/home office.
Adding an adapter internally to a desktop machine is the best bet. If the computer is new enough, then a PCI or PCIe network adapter can probably still be found online for around $15.
Typical firewalls will have three or four network segments:
- WAN: This connects to the outside internet.
- Internal LAN: This is the primary segment.
- DMZ: A segment that doesn’t have as many controls on it; good for online gaming, but weak on security.
- WiFi: Connecting a WiFi segment to keep mobile and wireless traffic separate from the rest of the devices.
This is just one combination of segments. Depending on requirements, just having a WAN and a LAN segment can get a firewall connected. Add more segments as required.
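To see why segmentation matters for the self-propagating malware described above, here is a small model of lateral spread across the four segments just listed. It is an added example, not IPFire code; the devices, and the default-deny inter-segment policy (only LAN may initiate into DMZ and WiFi, and every segment may reach WAN), are constructed assumptions.

```python
"""Model worm-style lateral spread with and without firewall segmentation (added example)."""
from collections import deque

# Assumed inter-segment policy: (source, destination) pairs a host may initiate.
# Everything not listed is denied (default deny). No devices live on WAN here.
POLICY = {
    ("LAN", "WAN"), ("LAN", "DMZ"), ("LAN", "WIFI"),
    ("DMZ", "WAN"),
    ("WIFI", "WAN"),
}

# Constructed sample inventory: device name -> segment it is plugged into.
DEVICES = {
    "nas": "LAN", "workstation": "LAN",
    "game-server": "DMZ",
    "phone": "WIFI", "iot-cam": "WIFI",
}


def allowed(src_seg, dst_seg, segmented=True):
    """True if a host in src_seg may open a connection to a host in dst_seg."""
    if src_seg == dst_seg:
        return True   # same segment: the firewall is not in the path
    if not segmented:
        return True   # flat network (no firewall between devices)
    return (src_seg, dst_seg) in POLICY


def spread(start, segmented=True):
    """Return the set of devices a worm starting on `start` can reach.

    Each infected host tries every other host; any host it is allowed to
    connect to becomes infected and keeps propagating (breadth-first).
    """
    infected = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, dst_seg in DEVICES.items():
            if dst not in infected and allowed(DEVICES[src], dst_seg, segmented):
                infected.add(dst)
                queue.append(dst)
    return infected


if __name__ == "__main__":
    print("flat network, cam infected:     ", sorted(spread("iot-cam", segmented=False)))
    print("segmented, cam infected:        ", sorted(spread("iot-cam")))
    print("segmented, workstation infected:", sorted(spread("workstation")))
```

Note that a compromised LAN host still reaches the DMZ and WiFi segments under this policy; the protection is asymmetric, which is the point of keeping higher-value devices on the segment that initiates connections rather than receives them.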
For Raspberry Pi firewalls, a USB Ethernet adapter can be used.
The Good, the Bad, and the Ugly (Segments, that is!)
For homes and especially small office/home office use, segregating personal traffic from business traffic is a great idea. Put all of the home devices on one segment and all of the business devices on another. This not only protects the device groups from each other, but can also help in optimizing traffic through the firewall, including Quality of Service (QoS) definitions.
QoS allows certain types of traffic priority passage, like an HOV lane on the highway. This can give priority to streaming video (think Netflix) and voice traffic (like Skype) over basic browsing or certain online gaming, for example.