[ale] stateful firewall?

jenn at colormaria.com jenn at colormaria.com
Wed Oct 17 22:42:50 EDT 2001


John,
<random scattered iptables thoughts>

I'm using RH7.1, hardened with Bastille and my own various hardening voodoo,
(would prefer slack, but hey, the boss wants RH, I install RH).  I've got
kernel 2.4.7 running on 8 production machines, everything except the boxen
behind 2 firewalls doing stateful packet inspection.  The internal firewall
also does NAT, so there's a LOT of overhead on that box, and we're getting a
reasonable amount of traffic during our peak times (1.5-2mbps, for whatever
number of packets that translates to). It does a great job.

Others have pointed out the inherent limitations in using a PC as a
firewall, and I'll second that.  If you're going to be doing heavy traffic,
you want a dedicated firewall that was built to move packets.  I mean
something like Cisco.  Linux isn't built to move packets at massive rates.
PC buses weren't built to move packets at massive rates.  That said, I love
my linux firewalls and put a lot of trust in them. If you're talking about
low to mid-range traffic, iptables should work out just fine. 

I'm still learning how all the rules can interact with each other. I'm using
stateful inspection to help control what comes from where, and it's working
quite well.  I'm trying to sift my rules down into a more streamlined
approach (instead of bastille + my NAT + my stateful all jumbled up in a big
box of magic) and it's harder than with ipchains, but also better IMHO. 
I've been having lots of packet loss (and posting ad nauseam here about it
too) recently and was blaming it on weird firewall rules, but turns out to
be a bad NIC...I think.  So I'll render my final verdict after I replace the
NIC tomorrow night. :)

Of course the standard YMMV disclaimer, blah blah blah.  Good luck!!
</random scattered iptables thoughts>

jenn

> I know in Bob Toxen's book it's mentioned that the 2.4
> kernel provides a stateful firewall capability called
> NETFILTER.  Has anyone had any experience with this? 
> Good/bad?  Is it stable enough to use in a production
> environment?
> 



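The post above describes a 2.4-kernel gateway doing stateful inspection plus NAT on the internal firewall. As an added example (not code from the original post or from the ALE list), here is a minimal two-interface ruleset in the netfilter style of that era, using the `state` match to let only replies to connections the gateway or the LAN opened back in. Interface names, the LAN subnet and the admin SSH rule are assumptions for illustration; the script prints the rules rather than applying them, so the policy can be reviewed unprivileged and piped to `sh` as root only once it looks right.

```shell
#!/bin/sh
# Added example, not from the original post: a small stateful iptables
# ruleset for a Linux gateway with one WAN and one LAN interface.
# Interface names and the LAN subnet below are assumed values; override
# them in the environment to match your box.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset as plain iptables commands on stdout. Printing instead
# of executing lets you read the policy before it touches the kernel.
build_ruleset() {
    cat <<EOF
# Routing must be on for the FORWARD chain to see LAN traffic at all.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
# Default deny on what reaches the box and what passes through it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback is trusted.
iptables -A INPUT -i lo -j ACCEPT
# Stateful core: replies (and related traffic such as ICMP errors or FTP
# data channels) to connections already tracked are allowed back in.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that claim to belong to a connection conntrack never saw are dropped.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# New connections may only originate on the LAN side, from the LAN subnet.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# Admin SSH to the firewall itself, LAN side only (assumed policy).
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# NAT: rewrite the source of LAN traffic leaving on the WAN interface.
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# Log whatever falls through to the default DROP, rate-limited so a flood
# cannot fill the disk with log lines.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
EOF
}

# "show" (or no argument) prints the rules; "apply" runs them, which needs root.
case "${1:-show}" in
    apply) build_ruleset | sh ;;
    show)  build_ruleset ;;
esac
```

Run it with no arguments to review the rules, then `sudo sh firewall.sh apply` to load them. The ordering matters: the `ESTABLISHED,RELATED` accepts sit first so the bulk of traffic short-circuits before any per-service rule is evaluated, which is also what keeps per-packet overhead down on a box that is doing NAT at the same time.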
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.