Hi Peter
From: Peter Romianowski [mailto:antarapero@gmx.de]
Hi,
I will have to install several servers all connected only with a switch and no standalone Firewall-Server. Looks like this:
     ( | ISP ROUTER | )
             |
             |
        | SWITCH |
             |
  ----------------------- ...
      |             |
 | SERVER #1 | | SERVER #2 | ...
I plan to install SuSEfirewall2 on every server and block all traffic from IP addresses other than my own range. All servers only have public IP addresses. My question:
I would use a setup like this:
         (|ISP-Router|)
               |
               |
          (|Firewall|)
               |
  ---------(|SWITCH|)--------------- ...
      |          |          |
 (|Server 1|)(|Server 2|)(|Server 3|) ...
1. Is that feasible?
Theoretically yes, though I think port forwarding on the firewall is a much more secure way to handle incoming requests.
2. Is that total nuts?
No, just nuts ;-) Nah, couldn't resist. It's possible, though it's much harder to administer (if you have something like 20 servers ;).
3. Does running the firewall on every server have a hard performance impact?
I run a firewall on every server I use without recognizable performance loss.
4. If 2.) is true, how would I set up a failsafe setup with 2 SuSEfirewall2 servers?
What do you mean by failsafe setup? Do you use clusters? If so, do yourself a favor and use one firewall in front of your cluster. You can even use something like heartbeat to create a firewall cluster (for failover purposes only). It's very easy to set this up.
Many thanks for digging into my humble mind :)
You're welcome.
Peter
regards, Stefan