
Re: Firewall solution.



2009/9/21 Leandro Quibem Magnabosco <leandro.magnabosco@fcdl-sc.org.br>:
> Jesús M. Navarro escreveu:
>
> You are aware you are comparing apples to oranges, aren't you?  You asked for
> a firewall when it seems you are looking for a gateway solution.  pfSense, as
> you certainly know, is not a script or even a bunch of scripts but a whole
> system solution.
>
>
> Hmm...
> What I said was "I am searching for something like pfsense[1] for Linux to
> install in a production server.", which means I am looking for something
> with functionalities much like what pfSense has.
> When I said it was supposed to be installed on a production server, I meant
> that I would not like to use a box just for that purpose.
>
> Maybe my English is not quite helpful in discerning concepts, not allowing
> me to be perfectly clear.
> But yeah... that is what I want.
>
> Since you are asking this on a Debian list, I can point you towards the likes
> of Gibraltar (http://www.gibraltar.at/), netward (http://www.netguard.gr/),
> XFwall (http://sourceforge.net/projects/xfwall/) or ips-qos
> (http://www.coolsolutions.eu/ipsqos/index.php); surely there must be others,
> and you can certainly tailor yourself out of packages with the needed
> features and a bit of script and web-fu.
>
>
> From those you cited, ipsqos looks quite nice, I might give it a try in a
> testing environment.
>
>
> How will your firewall on a virtual machine protect the master host and/or
> how will it avoid any routing by bug or mistake at the master host level to
> pass through?  How will you deal with traffic shaping on your virtual devices
> when it will be the master host the one queueing packets?
>
>
>
> Now you are the one comparing oranges to apples, right? :)
> The way I see it, host firewall and network firewall are different things.
> If Pfsense is in a virtual machine, it will work for the network and not for
> the host itself.
> The host would have its own firewall that, in this case, could be much,
> much simpler, with just a few scripts.
>
>
>
> Since I posted that, I've been talking to some people on IRC that told
> me they implemented pfSense on ESXi on medium-sized networks (~500
> nodes) with 1G of RAM and it was running under 15% of cpu and about 25%
> of IO average, which sounds pretty good.
>
>
> That it can be done, I have no doubt of.  I still think and reason that it's
> basically defeating a firewall's main purpose serving it as a virtualized
> resource.
>
>
>
> I tested it...
> It works great, but ESXi is pretty picky about the hardware it supports...
> that's the only thing I did not like.
> It is now working in a production environment with a CPU cost of only 6%
> average with all the features I need running.
>
> No doubt it would be best to avoid virtualization if possible, but not at
> all costs.
>
>
>
> I might try this with some "manual failover" on my hands, just in case...
>
>
> You are aware pfSense supports CARP, aren't you?  (last time I tested it was
> a bit buggy, though).
>
>
>
> Yes, but CARP is not needed for a test.
> The test is gone and PFSense @ ESXi is running.
>
> I'm happy! :)
>
> Thank you all for the help, really! :)

pfSense is the best thing I've ever seen for firewall/router appliances/servers.
You can use pfSense under KVM also.

-- 
Linux User #452368
http://twitter.com/vpadro

"Everything that irritates us about others can lead us to an
understanding of ourselves"

