Re: [SLUG] Firewall latency

From: Ronan Heffernan (ronanh@auctionsolutions.com)
Date: Wed Jul 07 2004 - 14:02:57 EDT


>This really does not come close to addressing all your questions, but I
>would like to make a suggestion:
>
>Why not build a single IPTables box with multiple interfaces - one for
>the private net, one for the public net and one for a DMZ of sorts?
>
>
All 6 machines on that network must be exposed to the outside world
(over 1,000 ports on each machine), and low latency is *very*
important. If we are going to put a single firewall machine in between
those machines and the outside world, then it is going to have to be
pretty beefy (hence the Enterprise-class Cisco 535 rather than a 501 or
516). It is sort of like the entire network is a DMZ. In practice, we
would probably not have any ports or machines blocked by the firewall
rules (especially since those 1,000 'vulnerable' ports *must* be open to
the world). However, if we see an abusive pattern (or better yet, our
IDS software (snort) sees an abusive pattern) then we could blacklist an
IP address (or range) for 24 hours.

By running IPTables on each machine, we are splitting the firewalling
load: if 6 machines are each getting 30Mbit/s traffic, a single firewall
would have to be able to handle 180Mbit/s. Maybe IPTables could handle
30Mbit/s without unacceptable latency or CPU load?

--ronan
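An added example, not code from this thread: a Python sketch of the blacklisting step ronan describes, which parses Snort "fast"-format alert lines, counts hits per source address, skips the cluster's own exposed hosts, and emits the ipset/iptables commands that drop a source for 24 hours. The sample alerts, the set name `blacklist`, the threshold and the protected network are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed Snort fast-alert lines (documentation address ranges, not real traffic).
SAMPLE_ALERTS = """\
07/07-14:00:01.000001  [**] [1:100:1] TEST portscan [**] [Priority: 2] {TCP} 198.51.100.7:40001 -> 203.0.113.5:5000
07/07-14:00:02.000002  [**] [1:100:1] TEST portscan [**] [Priority: 2] {TCP} 198.51.100.7:40002 -> 203.0.113.5:5001
07/07-14:00:03.000003  [**] [1:100:1] TEST portscan [**] [Priority: 2] {TCP} 198.51.100.7:40003 -> 203.0.113.6:5002
07/07-14:00:04.000004  [**] [1:101:1] TEST single hit [**] [Priority: 3] {UDP} 192.0.2.44:1234 -> 203.0.113.5:5000
07/07-14:00:05.000005  [**] [1:100:1] TEST portscan [**] [Priority: 2] {TCP} 203.0.113.6:40000 -> 203.0.113.5:5000
"""

# Tail of the fast format: "{PROTO} SRC:PORT -> DST:PORT". Port-less (ICMP) lines are skipped.
_ALERT_RE = re.compile(r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")

def parse_sources(alert_text):
    """Count alerts per source IP across all parseable lines."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = _ALERT_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts

def select_offenders(counts, threshold, protected):
    """Sources at or above `threshold`, excluding our own exposed hosts (given as CIDR strings)."""
    nets = [ip_network(p) for p in protected]
    offenders = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        if any(ip_address(ip) in net for net in nets):
            continue  # never lock out the cluster's own machines
        offenders.append(ip)
    return sorted(offenders)

def setup_commands(setname="blacklist", timeout=86400):
    """One-time setup on each host: a hash:ip set with a default timeout, and a DROP rule that matches it."""
    return [f"ipset -exist create {setname} hash:ip timeout {timeout}",
            f"iptables -I INPUT -m set --match-set {setname} src -j DROP"]

def blacklist_commands(ips, setname="blacklist", timeout=86400):
    """Add each offender to the set; ipset expires the entry after `timeout` seconds (24h by default)."""
    return [f"ipset -exist add {setname} {ip} timeout {timeout}" for ip in ips]
```

Each of the six hosts would run the setup commands once and feed its own Snort output through the last two functions; the timeout means no cron job is needed to unban.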