[CentOS] [OT] Corporate Firewall

Neil Thompson abraxis at telkomsa.net
Thu Nov 10 07:49:25 UTC 2005

On Wed, Nov 09, 2005 at 11:23:59PM -0800, Ajay Sharma wrote:
> I think Checkpoint is overkill for our needs and very expensive, plus I 
> don't like the "per-user" charges of some commercial solutions.  What do 
> you guys suggest that we upgrade to?  Here are some of the features that 

It depends very much on you and how much knowledge and work you're prepared
to put into it.  Pretty much everything you want can be done with a hardened
CentOS 4.x box and a couple of extra packages.  There is one exception, which
I will address below.

> I would like:
> 1) decent gui, either web based or a local client
If you use Shorewall (http://www.shorewall.net) there is a webmin gui module for

> 2) usage graphs based on protocol.  So if our tiny T1 is saturated, I 
> want to be able to find out what's eating up the bandwidth

There are a number of packages on Freshmeat that will do this.

> 3) VPN-friendly for a couple of road-warriors.  There won't be any 
> remote offices so no server-to-server setups, just remote clients.
OpenVPN will handle this no problem (Windows and Linux clients) it also
integrates well with shorewall.  (http://openvpn.net/)

> 4) we have a DMZ and about 30 machines on the local network.  Everyone 
> has a "normal" IP address, meaning that no one is behind NAT.  So it 
> needs to handle this (which is pretty basic stuff)

Standard stuff - no problem.

> 5) high-availability.  So if I buy two machines, one can successfully die 
> and the other take over.

This is where you could have a problem - if you want hot failover, with
no interruption to service, I don't think the current state-of-the-art is
capable of handling it.  The problem is synchronising the iptables state
tables between the two machines.  There is a project working on this, but
I'm not sure what the present status is - have a look on http://www.linux-ha.org/

> 6) no per-user charges.  If the company hires a dozen people next year, 
> we shouldn't have to "upgrade" our license.
No problem there either.

Cheers! (Relax...have a homebrew)


THEOREM: VI is perfect.
PROOF: VI in roman numerals is 6.  The natural numbers < 6 which divide 6 are
1, 2, and 3. 1+2+3 = 6.  So 6 is a perfect number.  Therefore, VI is perfect.
                                                    -- Arthur Tateishi
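As an added example (not part of the thread, and not Shorewall's or OpenVPN's own code), the ruleset a hardened CentOS box would need for the topology Ajay describes: a LAN of hosts with routable addresses (so no NAT), a DMZ, and an OpenVPN listener for road warriors. Interface names, address ranges, the published DMZ ports and the OpenVPN port are all assumptions. The script builds the rules through one wrapper so that, in its default dry-run mode, the ruleset can be reviewed and checked on any box before it is loaded with DRY_RUN=0 on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful iptables ruleset for
# a CentOS firewall with a public non-NAT LAN, a DMZ and an OpenVPN tun.
# Interface names, address ranges and ports are assumptions; adjust before use.
WAN=eth0; LAN=eth1; DMZ=eth2; VPN=tun0
LAN_NET=198.51.100.0/27      # assumed: routable /27 for ~30 LAN hosts, no NAT
DMZ_NET=198.51.100.32/28     # assumed: routable /28 for the DMZ
VPN_NET=10.8.0.0/24          # assumed: OpenVPN client pool
OVPN_PORT=1194               # assumed: OpenVPN UDP listener on the WAN side

# IPT either runs iptables or, in dry-run mode (the default here), records the
# rule text in $RULES so the ruleset can be reviewed on a box without iptables.
DRY_RUN=${DRY_RUN:-1}
RULES=""
IPT() {
    if [ "$DRY_RUN" = 1 ]; then
        RULES="${RULES}iptables $*
"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    RULES=""
    IPT -F; IPT -X
    # Default deny for traffic to and through the box; the box itself may talk out.
    IPT -P INPUT DROP; IPT -P FORWARD DROP; IPT -P OUTPUT ACCEPT
    IPT -A INPUT -i lo -j ACCEPT
    # Stateful core: replies to permitted flows come back; everything else is
    # judged by the explicit rules below.
    IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: our own prefixes must never arrive on the WAN interface.
    for net in "$LAN_NET" "$DMZ_NET" "$VPN_NET"; do
        IPT -A INPUT -i "$WAN" -s "$net" -j DROP
        IPT -A FORWARD -i "$WAN" -s "$net" -j DROP
    done
    # Services on the firewall itself: OpenVPN from anywhere, SSH only from LAN/VPN.
    IPT -A INPUT -i "$WAN" -p udp --dport "$OVPN_PORT" -j ACCEPT
    IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    IPT -A INPUT -i "$VPN" -s "$VPN_NET" -p tcp --dport 22 -j ACCEPT
    # LAN hosts hold routable addresses, so they are forwarded out without NAT.
    # VPN clients (private pool) reach LAN and DMZ only, i.e. a split tunnel;
    # routing them to the Internet would require NAT for the pool.
    IPT -A FORWARD -i "$LAN" -s "$LAN_NET" -j ACCEPT
    IPT -A FORWARD -i "$VPN" -s "$VPN_NET" -o "$LAN" -d "$LAN_NET" -j ACCEPT
    IPT -A FORWARD -i "$VPN" -s "$VPN_NET" -o "$DMZ" -d "$DMZ_NET" -j ACCEPT
    # Internet to DMZ: only the published services (assumed: HTTP, HTTPS, SMTP).
    for port in 80 443 25; do
        IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p tcp --dport "$port" -j ACCEPT
    done
    # The DMZ may answer but never initiate towards the LAN, so a compromised
    # DMZ host cannot pivot inward; it may still initiate outbound.
    IPT -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    IPT -A FORWARD -i "$DMZ" -s "$DMZ_NET" -o "$WAN" -j ACCEPT
    # Log (rate limited) what falls through to the default-deny policies.
    IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

print_ruleset() { printf '%s' "$RULES"; }
rule_count()    { printf '%s' "$RULES" | grep -c .; }
has_rule()      { printf '%s' "$RULES" | grep -Fq -- "$1"; }

build_ruleset
print_ruleset
```

Run it as-is to print the ruleset for review; run it with DRY_RUN=0 as root on the firewall to load it, and persist with `service iptables save` on CentOS. Note that the FORWARD chain carries no NAT at all, which is what keeps the "normal" addresses on the LAN reachable end to end; only the VPN pool would ever need it.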
