Re: WEB-Page: Debian based Firewall
Running a hamm based firewall here with a Sangoma Board. 4 Ethernet
Interfaces 2 of those are 100BT. Running Squid and DNS cache on the
machine. Using masquerading, transparent proxying, port forwarding the
whole shebang. Much better than the Livingston we had before and faster.
We save 40% of our bandwwidth through the squid on the firewall
redirecting all webtraffic through it using transparent proxying.
The system serves as a major IP router between 3 LANs on Campus and the
T1. It authenticates and filters on Campus traffic for the different
security zones we have.
It can saturate 10BT without problem. 100BT saturation is an issue since
the bay switches we have seem to have trouble at high transferrates.
They were probably never tested at the transferrates possible with Linux.
We are working with the bay people right now. Results from others show
that Linux (even with a P120) can saturate a 100BT network.
Our Traffic across the T1 is around 5 Gigabytes / day (Campus).
We have had a major improvement in security through the linux firewall
since we are able now to log all acess violations and have accurate
traffic reports through the accounting firewall in the linux kernel.
I am using the firewall to defragment all IP traffic and thus our Campus
is not vulnerable to the common IP fragment attacks at all.
I will never never again use a commercial firewall (unless management
forces me to do it of course). That stuff is just too primitive and really
a danger to your network since the "security" available is usually badly
Ok. Enough stuff for flaming....
On Tue, 3 Mar 1998, Martin Schulze wrote:
> On Tue, Mar 03, 1998 at 08:41:00AM -0600, Henry Hollenberg wrote:
> > > b) Upgrade your system from bo to hamm, using http://taz.net.au/autoup/
> > This sounds like the only viable solution...is it reliable (hamm)
> > for the purposes of a firewall?
> hamm is stable, it's only called unstable because it's our
> production release. Most of the developers have a ham system.
> It reflects recent software and library versions.
> / Martin Schulze * firstname.lastname@example.org * 26129 Oldenburg /
> / If you come from outside of Finland, you live in wrong country /
> / Featuring Debian GNU/Linux motd von irc.funet.fi /
> E-mail the word "unsubscribe" to email@example.com
> TO UNSUBSCRIBE FROM THIS MAILING LIST. Trouble? e-mail to firstname.lastname@example.org .
E-mail the word "unsubscribe" to email@example.com
TO UNSUBSCRIBE FROM THIS MAILING LIST. Trouble? e-mail to firstname.lastname@example.org .