Subject: Re: What plateform for a home Firewall ?
To: Eric Delcamp <e.delcamp@wanadoo.fr>
From: Miles Nordin <carton@Ivy.NET>
List: current-users
Date: 12/13/1999 17:03:46
On Mon, 13 Dec 1999, Eric Delcamp wrote:

> I want to avoid Intel

seems wise.  there are cost, reliability, power consumption, and ethical
problems with their architecture.

Unfortunately, I think the cheapest way to complete your project is by
using used Wintel junk.  If you try anything else in Quantity 1, you're
only fooling yourself.

Which is why, with the Playstation 2,....   bah.

> My first think was about StrongARM architecture. But I don't know hardware
> manufacturers for this.

They do seem to be keeping rather quiet.  When Funai showed up, i wrote
them an email and begged them to please give me an address where i could
send them some money in exchange for hardware--no response.  Would you
call that a lack of marketing?  Ignoring emails sent to sales@corp.com
really ought to be called something else.

And, IMHO, the window of opportunity for the DNARD is shut.  With no USB,
FireWire, or 3D acceleration it seems rather odd to advance that archaic
thing as a generic low-cost computer.  It is an old design, and it's in
the hands of people who aren't even capable of selling it, much less
revising it.  

I am concerned about the platform's future manufacturability, too, because
it is tied to specific ASICs, and I think some of them aren't used in
PeeCee's, so we need only wait for Intel to buy said ASICs' manufacturer
and shut them down, as they have done repeatedly in the past.  Why do you
think Apple is doing this UMA thing?

The DNARD advocates completely dropped the ball. I've always been
preferential to the arm32--it's the only list i'm on that i don't own
hardware to match.  But, i'd suggest you forget about it for now at least.
It will do nothing but play time-wasting games with you.

> - Easy to install. No keyboard, no screen, just 2 network ports, and power
> (by AC Adapter or direct plug)

you might have better luck asking for just power and PC Card.  the problem
is that you really need 3 card slots:
 o Ethernet
 o Ethernet
 o storage

or, you might look at some of the embedded boards NetBSD supports.  if you
could get a minimal board with built-in Ethernet and a mezzanine PCI
Ethernet card, you might be in business.  This has the advantage that
there are a lot of (supported, i think) mezzanine PCI cards to do stranger
things like V.35.  you could have a more general product.  the
disadvantage is that they're meant to be used in ``hosted'' environments,
so when you wanted to unplug the thing from its development host you might
be expected to burn ROMs, thus limiting some of your ``upgradeability''
requirement, possibly.  

NetBSD depends on IDE-emulating flash cards, so having a generic Flash ROM
on the embedded board wouldn't be good enough to host a read/write
persistent filesystem.  There's no FTL or Flash-sane filesystem in BSD
yet.  The method I've heard discussed on the list is to link the root
filesystem into the kernel as an md.  It loads from flash into RAM at
boot, and then just stays there--you're not allowed to write to the
flash, except as part of the development cycle.  This kills your
upgradeability requirement--the only way I see to meet that is with PC
Card and an IDE-emulating Flash disk.

I wonder if LFS with a specialized cleaner would lend itself to Flash
adaption? Writing things that are temporally near each other close
together on the ``disk'' sounds Flash-friendly, as does the idea of
appending to a ``log'' all changes rather than rewriting blocks.  But I
don't understand LFS well, particularly how deletes work.  I'm led to
believe deletes/rewrites are the real problem--Flash can only be deleted
and rewritten large-block-at-a-time.

> - Easy to use. No knowledge of networking. Minimal configuration by
> Web-browser (with statistics) or telnet (expert mode ?)

I think the real ``easy to use'' path is to have someone else take care of
the thing.  For example, Netcom will sell you a T1 and install a router at
your site.  You may well own the router, but as far as the administrative
domains go, they provide you with a working, firewalled Ethernet jack, and
if you get anything short of that you complain to them and they help you.

If you want to do RealAudio and can't, you email them and they will
(theoretically) discuss the implications with you and make the change.  In
practice, they sent me a copy of the raw table, told me to make changes,
and did no security analysis whatsoever.

I'll agree that firewall consultants and commercial firewalls are
FUD-based charlatans, but firewalls are not simple enough that you can
crack open a can of MGD and write one from your WebTV browser over
half-time.  I think it would be wiser to expand your offering and make it
subscription-based.

> - Reliability. No mechanical parts, no drives, no floppy. Maybe just a fan.

No.  no fan.  fans are completely unacceptable.

-- 
Miles Nordin / v:1-888-857-2723 fax:+1 530 579-8680
555 Bryant Street PMB 182 / Palo Alto, CA 94301-1700 / US