I am designing a commercial application that will ship on a Raspberry Pi. In some cases the Pi will be placed on a corporate network, in other cases it will be behind a home-office router/firewall.
The device provides an Onion service that is accessible from the public Tor network, and an authenticated Onion service that is accessible from within the local network only. I need to protect the device with a firewall that is already configured when the Pi is shipped.
One option is to install a firewall (or simply configure iptables) on the Pi. Alternatively, I could ship a dedicated firewall device in addition to the Pi. (This device could be a second Pi, configured as a firewall, or a HW firewall).
Are there any advantages in adding a second device? Would it provide better protection than combining it with my Onion service server?
Note that my Onion service application is really quite small. It requires minimal disk space and CPU power.
EDIT:
For clarity, if I was using a second device then I would package it into a single case/box with the Pi itself. There should be no requirement for a network admin, since the Tor service would initiate all communication on well known http/https ports.
Most companies without a dedicated IT staff are not going to be able to get your proposed firewall installed on their own. They're also not going to want to pay an outside party to come in and install your firewall. You're just asking for a difficult time if you go this route.
Most companies with a dedicated IT staff are not going to deploy your firewall in their environment.
So my recommendation is that you build the firewall into the single Pi.
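To make the "build the firewall into the single Pi" recommendation concrete, and to match the question's statement that Tor initiates all traffic on well-known http/https ports, here is an added example host-firewall policy for the Pi. It is not code from the question or from either answer. It assumes (none of these come from the thread) that Tor runs as the Debian package's user `debian-tor`, that the LAN is `192.168.0.0/16`, that maintenance SSH on port 22 should only be reachable from the LAN, and that the Pi runs an NTP client so Tor's clock-dependent consensus checks keep working. The onion service application and Tor talk over loopback only, so nothing is exposed on the LAN interface; inbound from the corporate or home network is dropped by the default policy rather than by a long allow-list.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall for a Raspberry Pi that only
# exposes Tor onion services. Emits an iptables-restore ruleset so it can be
# reviewed, then optionally applies it with "--apply" as root.
#
# Assumptions (constructed, adjust for your deployment):
TOR_USER="${TOR_USER:-debian-tor}"      # user the tor daemon runs as (Debian default)
LAN_CIDR="${LAN_CIDR:-192.168.0.0/16}"  # local network allowed to reach maintenance SSH

# Build the ruleset. Default policy is DROP in every direction; each ACCEPT below
# is a deliberate exception with its reason. Lines starting with '#' are ignored
# by iptables-restore.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: the onion service app listens on 127.0.0.1 and tor connects to it there
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the Pi itself opened (Tor circuits, directory fetches)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# maintenance SSH, but only from the local network (assumption)
-A INPUT -s ${LAN_CIDR} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# everything else inbound falls through to the INPUT DROP policy
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# only the tor daemon may open new outbound TCP, and only to 80/443
-A OUTPUT -m owner --uid-owner ${TOR_USER} -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# NTP so the clock stays accurate enough for Tor consensus validation (assumption)
-A OUTPUT -p udp --dport 123 -j ACCEPT
COMMIT
EOF
}

# Validate the ruleset without loading it, then load it atomically.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    build_rules | iptables-restore --test || return 1
    build_rules | iptables-restore
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules ;;   # default: print the ruleset for review
esac
```

Running the script with no arguments prints the ruleset for review; `sudo ./pi-firewall.sh --apply` loads it. To have it survive reboots on a Debian-based Pi image, install `iptables-persistent` and run `netfilter-persistent save` after applying, so the shipped image already carries the policy. The firewall complements, rather than replaces, binding the onion service application to `127.0.0.1`: the loopback-only bind is the primary control, and the DROP policy catches a future misconfiguration that accidentally listens on all interfaces. The OUTPUT owner match is what enforces the question's claim that only Tor talks to the outside, so any other process on the Pi that needs network access (package updates, for instance) has to be added explicitly.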
Just my two cents but I would only recommend to the customer that the device be installed behind a firewall - but not pre-install one or provide one. A firewall is a different product altogether and sounds like it is not related to your device/product directly. Perhaps what you could do is offer a preconfigured Pi firewall as a separate ("certified to work with your device") product.
Also you could give directions on how customers should configure their firewalls to work with your device.