[KLUG Members] A plea for firewall ideas

Adam Tauno WIlliams adam at morrison-ind.com
Tue Aug 31 08:39:54 EDT 2004


> We have ~40 servers, the majority of which are linux.  We currently have 
> two linux routers created by imagestream (www.imagestream.com), which 
> aren't enough.  An 'outside consultant' has decided that our best route 
> (based on anecdotal evidence - ONE EXAMPLE of a high-traffic example in 
> CA) is to drop in a few OpenBSD boxes into an almost complete linux 
> environment.

An IBM x300 with SuSe 9.1. That's our corporate "firewall" of choice.

If you can shovel enough packets to swamp a 1 GHz processor, something is
seriously messed up.

> I'm having a bloody heart attack, since I'm the only sysadmin and 
> currently have way too much work to do.    I'm recommending some sort of 
> firewall appliance (something sturdy, something strong) but I don't 
> think it's taking hold anywhere. 

I'd go with something-normal-that-will-be-around-tomorrow.

The BSD-IP-Faster card is old, 2.6.x Linux holds its own and BSD is an
ugly scabby old dinosaur that should have been crushed under a glacier a
very long time ago.  The administration of BSD is like going back to AIX
3.2.5 - no thanks.

> If you have ideas for firewall distros for  heavy use (sorry, smoothwall 
> and the like won't cut it),

That's right, they won't.  Use a real distribution on a real box.

> let me know. Doesn't matter if it's linux 
> based, or something 'appliance-like', I just need to have enough ideas 
> to at least drown out the OpenBSD idea. 

Here the OpenBSD idea would be drowned out by my laughter.

> Please, flood my inbox; I really don't have the time to deal with yet 

My suggestion -
1.) Install SuSe.
2.) Install fwbuilder (drag-n-drop GUI, CLI-shy minions will be falling
over with glee - and you can still do all the crazy advanced stuff, very
nice.  Remember, if you get hit by a bus, probably no one will be able
to understand your iptables.sh - but they will be able to understand an
fwbuilder display).
3.) Setup the firewall.
4.) Walk away.

> another type of system on my network, let alone having to go from zero 
> to 100 with an operating system AND all the routing behind it - load 
> balancing/failover, etc (I've used OpenBSD before, but nothing like this).
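Added example, not part of Adam's post or the list thread: what step 3
("Setup the firewall") looks like as a plain, commented iptables.sh for a
two-interface Linux router, written so the next admin can read it. The
interface names (eth0/eth1), the LAN network, and the published-service
list are assumptions for illustration. DRY_RUN=1 (the default) prints the
iptables commands instead of running them, so the ruleset can be reviewed
on any machine; set DRY_RUN=0 and run as root on the router to apply it.

```shell
#!/bin/sh
# Minimal stateful iptables ruleset for a Linux router (added example).
# Interface names, LAN network and service list below are assumptions.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.10.0/24
DRY_RUN=${DRY_RUN:-1}

# ipt: run iptables, or just print the command when DRY_RUN=1 so the
# ruleset can be reviewed without root or a netfilter-enabled kernel.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

build_ruleset() {
  # Start clean and default-deny on INPUT and FORWARD.
  ipt -F
  ipt -X
  ipt -t nat -F
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT

  # Loopback is always fine.
  ipt -A INPUT -i lo -j ACCEPT

  # Anti-spoofing first: LAN addresses must never arrive on the WAN side.
  ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
  ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

  # Let conntrack handle replies to connections we already allowed.
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Management of the router itself only from the LAN.
  ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

  # Published services: one "ip port" line per server/port (constructed
  # sample list). Each gets a FORWARD allow and a DNAT from the WAN side.
  while read -r ip port; do
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$ip" --dport "$port" \
        -m state --state NEW -j ACCEPT
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$ip:$port"
  done <<EOF
192.168.10.20 80
192.168.10.20 443
192.168.10.25 25
EOF

  # Outbound from the LAN, masqueraded behind the WAN address.
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

  # Log a rate-limited sample of what the DROP policies are about to eat.
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
  ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop-fwd: "
}

# rule_count: how many -A rules the script would install; a cheap sanity
# check to compare against `iptables -S | grep -c -- -A` after applying.
rule_count() {
  DRY_RUN=1 build_ruleset | grep -c ' -A '
}

build_ruleset
```

The order matters: anti-spoofing sits before the ESTABLISHED,RELATED
rule so a forged packet can never ride an existing conntrack entry, and
the LOG rules come last so only traffic that fell through every accept
gets logged.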
