Re: [SLE] a good firewall?
From: Darryl Gregorash (raven_at_accesscomm.ca)
Date: 02/06/05
- Previous message: Keith Powell: "Re: [SLE] Apt-get problem [Solved]"
- In reply to: Henry Tang: "Re: [SLE] a good firewall?"
- Next in thread: Henry Tang: "Re: [SLE] a good firewall?"
- Reply: Henry Tang: "Re: [SLE] a good firewall?"
Date: Sun, 06 Feb 2005 15:21:10 -0600 To: suse-linux-e@suse.com
Henry Tang wrote:
> Our company's sonicwall just died out and I need a firewall
> replacement. Sonicwall is really strange.. The sonicwall has two
> ports wan and lan.. The wan is hooked up to the csu/dsu router and the
> lan is hooked up to a hub for internal networks. The sonicwall is only
> used to block ports but all computers in the lan, sonicwall, and
> csu/dsu router use static IPs provided by our internet provider. It is
> really a weird setup which I don't approve of, but I need something
> that can do the job like sonicwall. I dunno if it is possible.. I have
> a firewall at home but the lan is an internal ips 192.xxx
If all you need is something to block a few ports, then stick with what
you already know. Iptables and its cousin iproute2 together can provide
a fully stateful firewall, plus fully classful traffic shaping, but you
need to invest the time to learn them. A decent software tool to assist
the design process also helps (and SuSEfirewall2 is *not* a decent tool
in a corporate environment). Shorewall is another good tool, in addition
to the ones already mentioned by others. Its advantage is that it's all
under the GPL.
Based on your description above, iptables is really overkill. However,
it can replace everything you have mentioned, and do a heck of a lot
more besides (most of which you don't seem to need right now, but it's
there in the future if you ever do need it). Personally, I think it is
definitely worth the effort to learn iptables and iproute2 now, and try
to convince the powers-that-be to replace all that stuff with a Linux
box. But if you don't think you have much chance to convince them, stick
with what you know.
I really wouldn't complain too much about static IPs all over the place;
using them saves you from having to do anything more complicated than
some simple routing, and maybe a bit of port forwarding :-)
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
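The routed, stateful port-blocking setup this reply describes, as an added example that is not part of the original message: a shell function that emits an `iptables-restore` ruleset for a Linux box sitting between the CSU/DSU router and the LAN, with no NAT because every host keeps its static public address. The interface names, blocked ports, the `203.0.113.10:25` server and the SSH-from-LAN management rule are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a routed (no NAT)
# firewall. All names, ports and addresses below are constructed samples.

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules WAN_IF LAN_IF "blocked tcp ports" "inbound ip:port pairs"
gen_rules() {
    wan=$1; lan=$2; blocked=$3; inbound=$4
    [ -n "$wan" ] && [ -n "$lan" ] || { echo "need WAN and LAN interface" >&2; return 2; }
    # Validate everything first so a partial ruleset is never emitted.
    for p in $blocked; do
        is_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    for s in $inbound; do
        case "$s" in ?*:?*) is_port "${s##*:}" ;; *) false ;; esac ||
            { echo "bad ip:port: $s" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Placed after the ESTABLISHED rule: only new connections to these ports
    # are dropped, not replies whose ephemeral port happens to match.
    for p in $blocked; do
        echo "-A FORWARD -p tcp --dport $p -j DROP"
    done
    # Public servers on the LAN that must be reachable from outside.
    for s in $inbound; do
        echo "-A FORWARD -i $wan -o $lan -p tcp -d ${s%:*} --dport ${s##*:} -m conntrack --ctstate NEW -j ACCEPT"
    done
    # LAN hosts may open connections outward; everything else hits policy DROP.
    echo "-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT"
    echo "COMMIT"
}

# Sample run with constructed values; review the output before loading it.
gen_rules eth0 eth1 "135 139 445" "203.0.113.10:25"
```

The output can be checked with `iptables-restore --test` before it is loaded, and forwarding itself still has to be enabled through `net.ipv4.ip_forward`.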