Gateway Box Iptables Overhead (was Re: Iptables initialization)

Bill's LFS Login lfsbill at
Sat Feb 14 09:36:16 PST 2004

On Sat, 14 Feb 2004, Dagmar d'Surreal wrote:

> On Fri, 2004-02-13 at 11:08, Bill's LFS Login wrote:
> > On Thu, 12 Feb 2004 ken_i_m at wrote:
> >
> > > On Thu, Feb 12, 2004 at 07:32:11PM -0500, Archaic (archaic at wrote:
> > > ><snip>

> > My particular interest ATM is deciding if I can use my DX2/66 as a
> > gateway (not a lot of services to be exposed from behind the firewall)
> > and firewall, or if I should use the AMD 5x86 100MHz, or separate the
> > two functions. [...]
> You'll be pleased to hear that some of the models Cisco has out for
> routing/filtering T1 lines only have 33MHz CPUs in them, so give it a
> shot with the 66MHz machine just filtering traffic and put the services
> on the 100MHz box.  If at all possible you want the firewall to
> only be firewalling things, as this means there's going to be fewer
> avenues for failure or entry into the bastion host.

My real goal in asking the question was that I wanted to use the slow
box for gateway only and move the filtering to another box. But knowing
that things fail, I always try to have a pre-configured fall-back ready.

My reliability efforts are going to include: reduction of moving parts
on the gateway (hopefully leaving only fans, FD and CD in the mechanical
arena) and using Archaic's hint about read-only setup to make that
feasible. Logging would be to net-mounted places (if that can be
*securely* done) on drives that are part of my normal backup process.

Then, for the inevitable day when it does fail, I just activate the
other box, having it also act as gateway, and keep trucking. Now, since
the failure could also be on the filter machine, I wanted to also have
the ability for the gateway to serve as filter, with an
*acceptable* amount of degradation. If the slow box would be *too* slow
for this, I was prepared to use a couple of my faster boxes (*sob*) for
this setup.

Your add'l info gives me encouragement.

For the same availability reasons, I still maintain my dial-in
capability, in case the cable modem ever fails (when I become gainfully
employed again, I'll acquire a backup unit). During the first month,
before the cable co. found the (apparently) last loose connection, I
used that ability about a dozen times. Just copy over a couple of backup
scripts and resolv.conf, reboot (I really should write a small script
that just does all this and restarts the appropriate services) and I'm
connected again, relatively securely.

Thanks for taking the time and interest, Dag!

NOTE: I'm on a new ISP, if I'm in your address book ...
Bill Maltby
Fix line above & use it to mail me direct.