
Re: Firewall solution.



Jesús M. Navarro wrote:
> You are aware you are comparing apples to oranges, aren't you?  You asked for
> a firewall when it seems you are looking for a gateway solution.  pfSense, as
> you certainly know, is not a script or even a bunch of scripts but a whole
> system solution.

Hmm...
What I said was "I am searching for something like pfsense[1] for Linux to install in a production server.", which means I am looking for something with functionalities much like of what PFsense has.
When I said it was supposed to be installed on a production server, I meant that I would not like to use a box just for that purpose.

Maybe my English is not quite helpful in discerning concepts, not allowing me to be perfectly clear.
But yeah... that is what I want.

> Since you are asking this on a Debian list, I can point you towards the likes
> of Gibraltar (http://www.gibraltar.at/), netward (http://www.netguard.gr/),
> XFwall (http://sourceforge.net/projects/xfwall/) or ips-qos
> (http://www.coolsolutions.eu/ipsqos/index.php); surely there must be others,
> and you can certainly tailor yourself out of packages with the needed
> features and a bit of script and web-fu.

From those you cited, ipsqos looks quite nice, I might give it a try in a testing environment.

> How will your firewall on a virtual machine protect the master host, and/or how
> will it avoid any routing by bug or mistake at the master host level passing
> through?  How will you deal with traffic shaping on your virtual devices when
> it is the master host that is queueing the packets?

Now you are the one comparing oranges to apples, right? :)
The way I see it, host firewall and network firewall are different things.
If Pfsense is in a virtual machine, it will work for the network and not for the host itself.
The host would have its own firewall that, in this case, could be much, much simpler, with just a few scripts.

>> Since I posted that, I've been talking to some people on IRC that told
>> me they implemented PFSense on ESXi on medium-sized networks (~500
>> nodes) with 1G of RAM and it was running under 15% of CPU and about 25%
>> of IO average, which sounds pretty good.

> That it can be done, I have no doubt of.  I still think and reason that it's
> basically defeating a firewall's main purpose serving it as a virtualized
> resource.


I tested it...
It works great, but ESXi is pretty picky about the hardware it supports... that's the only thing I did not like.
It is now working in a production environment with a CPU cost of only 6% average with all the features I need running.

No doubt it would be best to avoid virtualization if possible, but not at all costs.

>> I might try this with some "manual failover" on my hands, just in case...

> You are aware pfSense supports CARP, don't you?  (last time I tested it was a
> bit buggy, though).

Yes, but CARP is not needed for a test.
The test is gone and PFSense @ ESXi is running.

I'm happy! :)

Thank you all for the help, really! :)