Mailinglist Archive: opensuse (2912 mails)

Re: [SLE] a good firewall?
  • From: Henry Tang <henry@xxxxxxxxxxxxxx>
  • Date: Sun, 06 Feb 2005 16:36:27 -0600
  • Message-id: <42069BEB.8090809@xxxxxxxxxxxxxx>
Thank you all for the info! I greatly appreciate it.

Based on all the input I felt that my knowledge of firewalls is not good enough for the corporate environment, but I decided that I will stick with SonicWall while I sharpen up my skills in this area. I really want to learn how to configure a good, trustworthy firewall, but I need to get this up and running quickly. I guess I just can't trust third-party hardware ^.^/ My SonicWall partially stopped working and it is behaving strangely: the WAN can't reach the WAN port of the SonicWall, after a reboot it will start working, and then the WAN would die again. I checked with SonicWall support and they won't help me since my tech support expired three months ago and to renew is 300 dollars, which includes hardware replacement... really strange. Anyway, I really appreciate the input and hopefully the SonicWall won't crap out on me again after the tech support contract is over. If it happens again... something is fishy.

Thank you!
henry

Darryl Gregorash wrote:
Henry Tang wrote:

Our company's SonicWall just died out and I need a firewall replacement. SonicWall is really strange... The SonicWall has two ports, WAN and LAN. The WAN is hooked up to the CSU/DSU router and the LAN is hooked up to a hub for the internal network. The SonicWall is only used to block ports, but all computers in the LAN, the SonicWall, and the CSU/DSU router use static IPs provided by our internet provider. It is a really weird setup which I don't approve of, but I need something that can do the job like the SonicWall. I dunno if it is possible... I have a firewall at home, but the LAN there uses internal IPs, 192.xxx
If all you need is something to block a few ports, then stick with what you already know. Iptables and its cousin iproute2 together can provide a fully stateful firewall, plus fully classful traffic shaping, but you need to invest the time to learn them. A decent software tool to assist the design process also helps (and SuSEfirewall2 is *not* a decent tool in a corporate environment). Shorewall is another good tool, in addition to the ones already mentioned by others. Its advantage is that it's all under the GPL.

Based on your description above, iptables is really overkill. However, it can replace everything you have mentioned, and do a heck of a lot more besides (most of which you don't seem to need right now, but it's there in the future if you ever do need it). Personally, I think it is definitely worth the effort to learn iptables and iproute2 now, and try to convince the powers-that-be to replace all that stuff with a Linux box. But if you don't think you have much chance to convince them, stick with what you know.
I really wouldn't complain too much about static IPs all over the place; using them saves you from having to do anything more complicated than some simple routing, and maybe a bit of port forwarding :-)
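Darryl's point above is that a Linux box running iptables can do what the SonicWall does in this setup: statefully block a few ports in front of hosts that all carry public static IPs, with only routing and no NAT in between. As an added example, written by the editor and not code from either poster, here is a POSIX shell function that generates such a ruleset in iptables-restore format. The interface names eth0/eth1, the allowed service list and the 203.0.113.0/29 LAN prefix are assumed values; the function only prints the ruleset, so it can be reviewed and run unprivileged before anything is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread: emit a stateful iptables ruleset in
# iptables-restore format for a two-interface Linux box in the role the
# SonicWall plays (WAN toward the CSU/DSU router, LAN toward the hub, public
# static IPs on every host, so the box routes and filters without NAT).
# Interface names, the service list and the 203.0.113.0/29 prefix are assumptions.

# gen_ruleset WAN_IF LAN_IF "proto/port ..." [LAN_PREFIX]
#   Prints the ruleset to stdout; nothing is applied.
gen_ruleset() {
  wan="$1"; lan="$2"; allowed="$3"; lan_net="${4:-}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
EOF
  # Anti-spoofing: a packet arriving on the WAN side with a LAN source address is bogus.
  if [ -n "$lan_net" ]; then
    printf -- '-A FORWARD -i %s -s %s -j DROP\n' "$wan" "$lan_net"
  fi
  cat <<EOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
EOF
  # Only the listed services may be opened from the WAN toward LAN hosts.
  for svc in $allowed; do
    proto="${svc%/*}"; port="${svc#*/}"
    printf -- '-A FORWARD -i %s -o %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$wan" "$lan" "$proto" "$port"
  done
  # Everything else inbound falls to the DROP policy; log a rate-limited sample of it.
  cat <<EOF
-A FORWARD -i $wan -o $lan -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Example invocation with constructed values. To load it on the box itself:
#   sysctl -w net.ipv4.ip_forward=1
#   gen_ruleset eth0 eth1 "tcp/25 tcp/80" 203.0.113.0/29 | iptables-restore
gen_ruleset eth0 eth1 "tcp/25 tcp/80" 203.0.113.0/29
```

Because the hosts keep their public addresses, the box needs no NAT table at all: ip_forward plus a route for the LAN prefix on the LAN interface is the "simple routing" Darryl mentions, and the FORWARD chain is where the port blocking lives. The INPUT chain is deliberately separate so that management of the firewall itself is only reachable from the LAN side.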