Debian GNU/Linux based Firewall (FOSS)

Would You like to be in control of your own firewall?

Inspired by the "Ubuntu Firewall build" by Joff Thyer of Blackhills Information Security - please send some beer tokens his way - I wanted a Firewall built on FOSS whereever possible. While there's some driver blobs, if you choose the PC Engines APU system the BIOS is coreboot based moving the HW in the right direction too.

This is a companion blog post, the Bash shell script for a semi-automated installation of the Firewall is on my github

So what is in the build:
  • Debian 10 (Buster): Install this yourself (Install on APU w serial)
  • BIND9: For local Domain Name Resolution
  • ISC-DHCP-SERVER: For providing DHCP to the internal network(s)
  • NTP: It's worth your time. Installation should disable timesyncd but the script do some cleanup to make sure.
  • DShield iptables client: Quote: "DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service". We must give back when we can, and this is a good opportunity.
  • Filebeat: Ingest logs into a local Elastic Stack setup (if you don't use it yet, you should :)
Using the APU4C4 with a wle600vx card* the NICs and their usage is as follows:

Connection IP address NIC
Internet DHCP (ISP) enp1s0
homenet enp2s0
homenet enp3s0
homenet enp4s0
homenet wlan0

The nets are all /24. the name "homenet" is used when configuring BIND9, but call it what you want :)

*Wanted to use the WL900vx but there are only 2 cutouts for antennas in the case for the version with 4 NICs, so chose the WL600.

The hardware

Since 2016 this firewall setup has been running on different HW, starting with an Intel Atom based system, over a Intel Celeron based system, to the current setup with the PC Engines APU4C4. The shell scripts provided on github use those specific NIC names, however all I did for the new install was search and replace the previous names with the new ones, and everything worked after that.

PC Engines APU4C4



Q: Why didn't you just use PFSense or OPNSense?
A: Doesn't support the Wireless Card used & Debian is preferred distro

Q: Why DShield? Can they be trusted?
A: DShield does a lot of work for us in the community and we should give back. I believe they can be trusted, but do exclude other information than "just" the defaults from the iptables client.

Q: Is the shell script thoroughly tested?
A: Not really, it certainly need (way) more testing, and changes have been made that have only been tested in isolation, so please provide feedback/raise a bug or PR. I also changed the subnets and some settings of iptables for obscurity.

No comments: