[KLUG Members] A plea for firewall ideas
Adam Tauno Williams
adam at morrison-ind.com
Tue Aug 31 08:39:54 EDT 2004
> We have ~40 servers, the majority of which are linux. We currently have
> two linux routers created by imagestream (www.imagestream.com), which
> aren't enough. An 'outside consultant' has decided that our best route
> (based on anecdotal evidence - ONE EXAMPLE of a high-traffic example in
> CA) is to drop in a few OpenBSD boxes into an almost complete linux
> environment.
An IBM x300 with SuSE 9.1. That's our corporate "firewall" of choice.
If you can shovel enough packets to swamp a 1Ghz processor, something is
seriously messed up.
> I'm having a bloody heart attack, since I'm the only sysadmin and
> currently have way too much work to do. I'm recommending some sort of
> firewall appliance (something sturdy, something strong) but I don't
> think it's taking hold anywhere.
I'd go with something-normal-that-will-be-around-tomorrow.
The BSD-IP-Faster card is old, 2.6.x Linux holds its own and BSD is an
ugly scabby old dinosaur that should have been crushed under a glacier a
very long time ago. The administration of BSD is like going back to AIX
3.2.5 - no thanks.
> If you have ideas for firewall distros for heavy use (sorry, smoothwall
> and the like won't cut it),
That's right, they won't. Use a real distribution on a real box.
> let me know. Doesn't matter if it's linux
> based, or something 'appliance-like' , I just need to have enough ideas
> to at least drown out the OpenBSD idea.
Here the OpenBSD idea would be drowned out by my laughter.
> Please, flood my inbox; I really don't have the time to deal with yet
My suggestion -
1.) Install SuSE.
2.) Install fwbuilder (drag-n-drop GUI, CLI-shy minions will be falling
over with glee - and you can still do all the crazy advanced stuff, very
nice. Remember, if you get hit by a bus, probably no one will be able
to understand your iptables.sh - but they will be able to understand an
fwbuilder display).
3.) Set up the firewall.
4.) Walk away.
> another type of system on my network, let alone having to go from zero
> to 100 with an operating system AND all the routing behind it - load
> balancing/failover, etc (I've used OpenBSD before, but nothing like this).
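As an added illustration of the "readable iptables.sh" point made in the reply above (this is example code written for this archive page, not a script from the poster, from fwbuilder, or from the list), here is a plain-sh firewall script for a two-interface Linux router that prints its rule set for review before applying it. The interface names (eth0/eth1), the LAN subnet (192.168.10.0/24) and the `iptables` path are assumptions; adjust them via the environment variables at the top.

```shell
#!/bin/sh
# Example iptables.sh for a two-interface Linux firewall/router.
# Not from the original post; interface names and LAN subnet are assumed.
WAN_IF="${WAN_IF:-eth0}"                 # assumed: internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed: internal interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"    # assumed: internal RFC1918 subnet
IPT="${IPT:-iptables}"                   # assumed: iptables binary name/path

# gen_rules prints the iptables commands instead of running them, so the
# policy can be read (or diffed against the last version) before it is
# applied. Every rule carries a comment saying why it exists, so the next
# admin can understand the file without the author present.
gen_rules() {
cat <<EOF
# --- reset: flush chains and delete user-defined chains ---
$IPT -F
$IPT -t nat -F
$IPT -X
# --- default deny: anything not explicitly allowed below is dropped ---
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# --- loopback and stateful return traffic ---
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# --- anti-spoofing: LAN source addresses never arrive on the WAN side ---
$IPT -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
$IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# --- management: SSH to the firewall only from the LAN ---
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# --- ICMP echo so monitoring can ping the box ---
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# --- LAN may reach the internet; masquerade behind the WAN address ---
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# --- log (rate-limited) what falls through before the policy drops it ---
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
$IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
EOF
}

# rule_count returns how many real iptables commands (comments excluded)
# the generated policy contains; useful as a sanity check in a deploy step.
rule_count() {
    gen_rules | grep -c "^$IPT "
}

# apply_rules executes the generated commands (needs root; -e stops on the
# first failing rule so a half-applied policy is noticed immediately).
apply_rules() {
    gen_rules | sh -e
}

case "${1:-}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

Run `sh iptables.sh show` to review the policy and `sh iptables.sh apply` (as root) to load it; because the rules are generated as text, the same file can be kept under version control and checked against what fwbuilder or any other tool would produce.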