
Re: Firewall solution.



Hi again, Leandro:

On Friday 18 September 2009 21:42:23 Leandro Quibem Magnabosco wrote:
> Hello Jesús,
>
> Jesús M. Navarro escreveu:
> > Hi, Leandro:
> >
> > Maybe you will be luckier if you explain a bit of the "why" instead of
> > only the "what".
>
> The why is this:
> http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
> I need at least 70% of those features and I don't want to deal with every
> new setup I do.

That's still the what, not the why, but let's leave it there.

> >> arno-iptables-firewall is pretty good but it still lacks some of the
> >> functionalities I am looking for.
> >
> > Like...
>
> Captive Portal, Web Interface, stats, etc.

You are aware you are comparing apples to oranges, aren't you?  You asked for 
a firewall when it seems you are looking for a gateway solution.  pfSense, as 
you certainly know, is not a script or even a bunch of scripts but a whole 
system solution.

Since you are asking this on a Debian list, I can point you towards the likes 
of Gibraltar (http://www.gibraltar.at/), netward (http://www.netguard.gr/), 
XFwall (http://sourceforge.net/projects/xfwall/) or ips-qos 
(http://www.coolsolutions.eu/ipsqos/index.php); surely there must be others, 
and you can certainly tailor yourself one out of packages with the needed 
features and a bit of script and web-fu.

> >> I am considering running PFSense on something like Xen/ESXi, have any of
> >> you guys done that before?
> >
> > It seems to defeat its very purpose.  Except for testing I don't see
> > what for (and I doubt even this, since it's a routing device, I'd try to
> > test on "real iron" to avoid problems).
>
> I don't agree it would defeat its very purpose.

How will your firewall on a virtual machine protect the master host, and/or how 
will it avoid any routing, by bug or mistake at the master host level, passing 
through?  How will you deal with traffic shaping on your virtual devices when 
it will be the master host that is queueing packets?

> Since I posted that, I've been talking to some people on IRC that told
> me they implemented PFSense on ESXi on medium sizes networks (~500
> nodes) with 1G of RAM and it was running under 15% of cpu and about 25%
> of IO average, which sounds pretty good.

That it can be done, I have no doubt of.  I still think and reason that it's 
basically defeating a firewall's main purpose to serve it as a virtualized 
resource.

> I might try this with some "manual failover" on my hands, just in case...

You are aware pfSense supports CARP, aren't you?  (Last time I tested it, it 
was a bit buggy, though.)
