[CentOS] More about firewalling

Mon Oct 5 22:06:25 UTC 2009
nate <centos at linuxpowered.net>

ML wrote:

> I have a Comcast business circuit with 13 IPs. The gateway device
> they provide is a 'pass through' device. They send traffic for all 13
> IPs my way. It just allows traffic through. So if I put in a device
> to firewall (like IPCop or Vyatta or something) in front, say it has 3
> NICs, how do I do that?

If you're just interested in firewalling (i.e. not NAT or something)
then you can put the firewall in transparent bridging mode.

> How fast does this device need to be?

Depends on your throughput and conns/sec. I use a Soekris at home for
my ~10-30Mbps Comcast line, that has a 500MHz AMD Geode, and usually
sits at less than 1% CPU (though I don't use it too often). I have
OpenBSD running on it in routed mode for firewall+NAT. I would
wager anything in the last 5-6 years would be more than enough. A good
NIC is important too.

Does Linux's firewall support even have stuff like stateful failover
these days? I've been using OpenBSD (vs Linux at least) since 2004
for any firewalls that I deemed "serious", FreeBSD before that.

I hate *BSD user land stuff, but I do like pf.

nate
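As an added illustration of the transparent bridging mode nate suggests (example script, not part of the original thread and not from any project mentioned in it), the following sketch builds a Linux bridge with no IP address of its own and attaches a stateful nftables ruleset in the bridge family, so the box filters the ISP's pass-through traffic without routing or NAT. The interface names eth1 (ISP side), eth2 (LAN side) and br0, and the allowed inbound ports, are assumptions chosen for the example; the apply step needs root and a kernel with bridge conntrack support, and is only run when explicitly requested.

```bash
#!/bin/sh
# Added example: transparent (bridged) stateful firewall on Linux with nftables.
# Assumed names: WAN_IF = ISP-facing NIC, LAN_IF = inside NIC, BR_IF = bridge.
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth2}"
BR_IF="${BR_IF:-br0}"
# Ports reachable from the outside; everything else from the ISP side is dropped.
ALLOWED_TCP="${ALLOWED_TCP:-22, 443}"

# Emit the nftables ruleset as text. The bridge has no address, so the
# filter is invisible to both the ISP gateway and the inside hosts.
bridge_ruleset() {
  cat <<EOF
flush ruleset
table bridge filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to connections already seen by conntrack
    ct state established,related accept
    ct state invalid drop
    # anything originating on the inside may leave
    iifname "$LAN_IF" accept
    # from the ISP side: ICMP plus the explicitly allowed TCP ports
    iifname "$WAN_IF" ip protocol icmp accept
    iifname "$WAN_IF" tcp dport { $ALLOWED_TCP } ct state new accept
    iifname "$WAN_IF" drop
  }
}
EOF
}

# Count rules that reference conntrack state; used as a sanity check that
# the generated policy is stateful rather than a plain packet filter.
stateful_rule_count() {
  bridge_ruleset | grep -c 'ct state'
}

# Syntax-check the ruleset with nft without loading it (no root needed
# for the parse itself on most systems; skipped if nft is absent).
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    bridge_ruleset | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
    return 0
  fi
}

# Build the bridge and load the policy. Requires root.
apply_bridge_firewall() {
  ip link add name "$BR_IF" type bridge
  ip link set "$WAN_IF" master "$BR_IF"
  ip link set "$LAN_IF" master "$BR_IF"
  ip link set "$WAN_IF" up
  ip link set "$LAN_IF" up
  ip link set "$BR_IF" up
  # bridge-family conntrack lives in this module on recent kernels
  modprobe nf_conntrack_bridge 2>/dev/null || true
  bridge_ruleset | nft -f -
}

# Usage: ./bridge-fw.sh show    -> print the ruleset
#        ./bridge-fw.sh check   -> syntax-check it with nft
#        ./bridge-fw.sh apply   -> build br0 and load it (root)
case "${1:-}" in
  show)  bridge_ruleset ;;
  check) check_ruleset ;;
  apply) apply_bridge_firewall ;;
  *)     : ;;
esac
```

Because the bridge carries no IP address, management of the box itself has to happen over a separate NIC (the third one in the original question) or a console; the ruleset above deliberately does not open anything toward the firewall host.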