Mailinglist Archive: opensuse (2912 mails)

Re: [SLE] a good firewall?
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Sun, 06 Feb 2005 15:21:10 -0600
  • Message-id: <42068A46.7050502@xxxxxxxxxxxxx>

Henry Tang wrote:

> Our company's SonicWall just died out and I need a firewall replacement. SonicWall is really strange. The SonicWall has two ports, WAN and LAN. The WAN is hooked up to the CSU/DSU router and the LAN is hooked up to a hub for the internal network. The SonicWall is only used to block ports, but all computers in the LAN, the SonicWall, and the CSU/DSU router use static IPs provided by our Internet provider. It is really a weird setup which I don't approve of, but I need something that can do the job like the SonicWall. I dunno if it is possible. I have a firewall at home, but the LAN is on internal IPs.

If all you need is something to block a few ports, then stick with what you already know. Iptables and its cousin iproute2 together can provide a fully stateful firewall, plus fully classful traffic shaping, but you need to invest the time to learn them. A decent software tool to assist the design process also helps (and SuSEfirewall2 is *not* a decent tool in a corporate environment). Shorewall is another good tool, in addition to the ones already mentioned by others. Its advantage is that it's all under the GPL.

Based on your description above, iptables is really overkill. However, it can replace everything you have mentioned, and do a heck of a lot more besides (most of which you don't seem to need right now, but it's there in the future if you ever do need it). Personally, I think it is definitely worth the effort to learn iptables and iproute2 now, and try to convince the powers-that-be to replace all that stuff with a Linux box. But if you don't think you have much chance to convince them, stick with what you know.

I really wouldn't complain too much about static IPs all over the place; using them saves you from having to do anything more complicated than some simple routing, and maybe a bit of port forwarding :-)
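The routing-only stateful iptables setup Darryl describes (public static addresses on both sides of the box, so no NAT, just filtering plus forwarding), written out as an added example that is not part of the original message. It assumes the WAN and LAN interfaces are named eth0 and eth1 and that the services reachable from the Internet are exactly the ports passed as arguments; both are hypothetical choices for this example. The script only prints an iptables-restore ruleset and changes nothing on the host it runs on.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a two-interface
# routing firewall with public static addresses on both sides (no NAT).
# Interface names and port lists are assumptions for this example; the
# script writes text only and touches nothing in the kernel.
set -eu

# gen_rules WAN_IF LAN_IF "tcp ports open from the Internet" "udp ports open"
gen_rules() {
    wan="$1"; lan="$2"; tcp_in="${3:-}"; udp_in="${4:-}"

    cat <<EOF
*filter
# Default-deny for traffic to the firewall itself and for routed traffic;
# the box may talk out freely (DNS, NTP, updates).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]

# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT

# Stateful core: replies to connections conntrack already knows are let
# through in both directions; packets that fit no known connection are dropped.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP

# Manage the firewall from the LAN side only.
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p icmp --icmp-type echo-request -j ACCEPT

# LAN hosts may open new connections towards the Internet.
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
EOF

    # Inbound services: only the listed ports reach LAN hosts from the WAN;
    # everything else falls through to the FORWARD DROP policy. This is the
    # "block ports" job the appliance used to do, with state tracking added.
    for p in $tcp_in; do
        echo "-A FORWARD -i $wan -o $lan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $udp_in; do
        echo "-A FORWARD -i $wan -o $lan -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    cat <<EOF

# Rate-limited log of what is refused, then drop.
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Example invocation (hypothetical services): SMTP, HTTP and HTTPS reachable
# from outside over TCP, DNS over UDP. Apply the output as root with:
#   sysctl -w net.ipv4.ip_forward=1
#   gen_rules eth0 eth1 "25 80 443" "53" | iptables-restore
gen_rules eth0 eth1 "25 80 443" "53"
```

Because nothing is translated, every LAN host keeps its public address and is directly reachable from the Internet; the FORWARD chain's DROP policy, not NAT, is what keeps unlisted ports closed, so review the port list as carefully as you would have reviewed the appliance's rules. The conntrack ESTABLISHED,RELATED rules are what make the filter stateful: return traffic for connections the LAN opened is accepted without a matching inbound rule, while unsolicited packets from the WAN only get through on the ports you listed.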
