RE: [suse-security] SuSEfirewall2 on multiple servers but no "firewall"
Hi Peter
From: Peter Romianowski [mailto:antarapero@gmx.de]

> Hi,
>
> I will have to install several servers, all connected only with a switch and no standalone firewall server. Looks like this:
>
>        ( | ISP ROUTER | )
>                |
>                |
>            | SWITCH |
>                |
>    ------------------------- ...
>       |              |
>  | SERVER #1 |  | SERVER #2 |  ...
>
> I plan to install SuSEfirewall2 on every server and block all traffic from IP addresses other than my own range. All servers have only public IP addresses. My question:

I would use a setup like this:

             (|ISP-Router|)
                   |
                   |
              (|Firewall|)
                   |
    ---------(|SWITCH|)--------------- ...
       |           |           |
  (|Server 1|) (|Server 2|) (|Server 3|) ...

> 1. Is that feasible?

Theoretically yes, though I think port forwarding on the firewall is a much more secure way to handle incoming requests.

> 2. Is that total nuts?

No, just nuts ;-) Nah, couldn't resist. It's possible, though it's much harder to administer (if you have something like 20 servers ;).

> 3. Does running the firewall on every server have a hard performance impact?

I run a firewall on every server I use without recognizable performance loss.

> 4. If 2.) is true, how would I set up a failsafe setup with 2 SuSEfirewall2 servers?

What do you mean by failsafe setup? Do you use clusters? If so, do yourself a favor and use one firewall in front of your cluster. You can even use something like heartbeat to create a firewall cluster (for failover purposes only). It's very easy to set this up.

> Many thanks for digging into my humble mind :)

You're welcome.

> Peter
regards, Stefan
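Peter's per-host variant (every server runs SuSEfirewall2, only his own address range gets full access, and whatever must stay reachable for Stefan's "incoming requests" is opened explicitly), as an added example that is not code from anyone in this thread. The first part is a fragment of /etc/sysconfig/SuSEfirewall2 using that file's variable names; the second part is a small function that writes out the same policy as plain iptables commands so the effect of each variable can be read off. The interface name, the 203.0.113.0/28 range and the 80/443 service list are constructed placeholders, and the iptables rendering is an approximation for reading, not the chains SuSEfirewall2 itself generates.

```shell
#!/bin/sh
# Added example: per-host firewall policy in the style of Peter's plan.
# Every server carries this file; the only "internal" zone is the trusted
# address range, all other sources are dropped unless a service is listed.
# All addresses, the interface and the service list are placeholders.

# --- /etc/sysconfig/SuSEfirewall2 fragment -------------------------------
FW_DEV_EXT="eth0"                 # single public interface, no internal zone
FW_ROUTE="no"                     # a host firewall does not forward packets
FW_MASQUERADE="no"
FW_SERVICES_EXT_TCP="80 443"      # services the whole Internet may reach;
                                  # leave empty to match "block everything else"
FW_TRUSTED_NETS="203.0.113.0/28"  # placeholder for "my own range": full access
FW_LOG_DROP_CRIT="yes"            # log drops so a lock-out or scan is visible
FW_LOG_ACCEPT_ALL="no"

# Render the policy above as stand-alone iptables commands (printed, not run).
# Order matters: state tracking first, then the trusted range, then public
# ports; anything left falls through to the logged DROP policy.
render_rules() {
    dev="$1"; trusted="$2"; tcp_services="$3"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # the trusted range may reach every port (this is what FW_TRUSTED_NETS means)
    for net in $trusted; do
        echo "iptables -A INPUT -i $dev -s $net -j ACCEPT"
    done
    # listed services are reachable from any source address
    for port in $tcp_services; do
        echo "iptables -A INPUT -i $dev -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # placeholder log prefix; everything reaching this line is then dropped by policy
    echo "iptables -A INPUT -i $dev -j LOG --log-prefix 'HOSTFW-DROP '"
}

# Number of ports open to the whole Internet: the figure to compare, per
# server, against the list of services that host is actually meant to expose.
count_public_openings() {
    render_rules "$1" "$2" "$3" | grep -c -- '--dport'
}

render_rules "$FW_DEV_EXT" "$FW_TRUSTED_NETS" "$FW_SERVICES_EXT_TCP"
```

With three servers this is one short file per host, which is the trade-off Stefan points at: the policy is simple, but every change to the trusted range or the service list has to be repeated on each machine, and a typo in FW_TRUSTED_NETS on one of them locks you out of exactly that one.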
Hi Peter,

When you say "failsafe", did you intend to be redundant through that setup with multiple servers behind that router? Then I would add to the setup that Stefan recommended (which is the same I would prefer over yours ...;-) ) as follows:

             (|ISP-Router|)
                   |
    ---------(|1st SWITCH|)------------ ...
         |                    |
  (|1st Firewall|)     (|2nd Firewall|)
         |                    |
    ---------(|2nd SWITCH|)------------ ...
       |           |           |
  (|Server 1|) (|Server 2|) (|Server 3|) ...

What you have here is a redundant setup of your firewall: if one goes down, the other takes over the whole traffic. You don't need a complicated setup for this; in the simplest way you could do this by adding alternative routes and duplicating the DNS entries of your firewall (internal and external). The rest is done by the DNS, and its "round robin" should give you a simple kind of load balancing if both systems are up.

I do this at two sites with very good success and I am able to do maintenance on those systems while everybody keeps on working, without them even noticing my reboots ;-)

Regards,
Philipp Rusch

Peer Stefan wrote:
Hi Philipp,
> Hi Peter, When you say "failsafe", did you intend to be redundant through that setup with multiple servers behind that router?

Yes.

> Then I would add to the setup that Stefan recommended (which is the same I would prefer over yours ...;-) ) as follows:
>
>              (|ISP-Router|)
>                    |
>     ---------(|1st SWITCH|)------------ ...
>          |                    |
>   (|1st Firewall|)     (|2nd Firewall|)
>          |                    |
>     ---------(|2nd SWITCH|)------------ ...
>        |           |           |
>   (|Server 1|) (|Server 2|) (|Server 3|) ...
>
> What you have here is a redundant setup of your firewall: if one goes down, the other takes over the whole traffic. You don't need a complicated setup for this; in the simplest way you could do this by adding alternative routes and duplicating the DNS entries of your firewall (internal and external). The rest is done by the DNS, and its "round robin" should give you a simple kind of load balancing if both systems are up.

That's another nice solution. But I still wonder if "my way" (firewall on every server) is more feasible in the case of running only 3 servers. I see, I forgot to say that I will have only 3 servers for now. I think if the number goes up to 5 then I will implement the one or the other solution (now that I have enough ideas). And until then I have enough time for playing around with all that.

> I do this at two sites with very good success and I am able to do maintenance on those systems while everybody keeps on working, without them even noticing my reboots ;-)

I always try to pretend there was no reboot :) "The server wasn't up? Must be something with your network connection" :)

Thanks a lot! This list is really helpful (both reading and asking (partly dumb :) questions).

Peter
participants (3)
- Peer Stefan
- Peter Romianowski
- Philipp Rusch