[CentOS] [OT] Corporate Firewall

Bryan J. Smith thebs413 at earthlink.net
Thu Nov 10 12:18:11 UTC 2005


Neil Thompson <abraxis at telkomsa.net> wrote:
> If you use Shorewall (http://www.shorewall.net) there is a
> webmin gui module for administration.

There are lots of GUI admin tools for the packet filter.
The question is what do you want around your packet filter?

IDS?
Proxy?
Etc...?

> There are a number of packages on Freshmeat that will do
> this.

But how "canned"?  MRTG is MRTG, but what do you feed into
it?  How do you collect those statistics?

I'm not questioning that there are some excellent projects
on Freshmeat.NET built for accumulating data and feeding
it to MRTG, but there is still a hefty number of them.  I agree
with your recommendations, but I just hope he knows what kind
of "project" he's getting himself into -- at least after
using more of an "appliance/software" solution prior.  ;->

Furthermore, what about presenting all that data?
You've now gotta setup all sorts of web administration.
Again, how much of a "project" should this be?  ;->

You and I might love doing this (and I noted below you are
actively involved with providing such software), but how much
for end-users who are used to "canned" appliances/software? 
;->

In all honesty, I just stopped dealing with that assembly.  But
nowadays, I find it easier (and cheaper) to just buy an
appliance, or at least start with IPCop and modify it.
Especially when an executive at a small client gets too much
of his info from his neighbor's kid and wonders why I can't
just use a $50 Linksys device.  (sigh, he gets IPCop ;-)

> OpenVPN will handle this no problem (Windows and Linux
> clients) it also integrates well with shorewall.
> (http://openvpn.net/)

IPSec is also an option, as well as MPPE support.  OpenVPN is
clearly much easier and more reliable.  But be wary that
you'll be providing your own software to the clients as well.

> This is where you could have a problem - if you want hot
> failover, with no interruption to service, I don't think
> the current state-of-the-art is capable of handling it.
> The problem is synchronising the iptables state tables
> between the two machines.  There is a project
> working on this, but I'm not sure what the present status
> is - have a look on http://www.linux-ha.org/

Neil is dead-on there.  There are many aspects to fail-over,
such as sharing a virtual interface with a virtual MAC
address (or even re-using the original system's physical one),
heartbeat and take-over, etc...  Linux-HA is addressing this,
in conjunction with LVS.

And as I pointed out, how much trouble is it worth in
addressing gateway redundancy if you haven't addressed it at
either your external router or your internal network?



-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)
