Gateway Box Iptables Overhead (was Re: Iptables initialization)
Bill's LFS Login
lfsbill at nospam.dot
Sat Feb 14 09:36:16 PST 2004
On Sat, 14 Feb 2004, Dagmar d'Surreal wrote:
> On Fri, 2004-02-13 at 11:08, Bill's LFS Login wrote:
> > On Thu, 12 Feb 2004 ken_i_m at elegantinnovations.net wrote:
> > > On Thu, Feb 12, 2004 at 07:32:11PM -0500, Archaic (archaic at indy.rr.com) wrote:
> > > ><snip>
> > My particular interest ATM is deciding if I can use my DX2/66 as a
> > gateway (not a lot of services to be exposed from behind the firewall)
> > and firewall, or if I should use the AMD 5x86 100MHz, or separate the
> > two functions. [...]
> You'll be pleased to hear that some of the models Cisco has out for
> routing/filtering T1 lines only have 33MHz CPUs in them, so give it a
> shot with the 66MHz machine just filtering traffic and put the services
> on the 100MHz box. If at all possible you want the firewall to
> only be firewalling things, as this means there's going to be fewer
> avenues for failure or entry into the bastion host.

My real goal in asking the question was that I wanted to use the slow
box for gateway only and move the filtering to another box. But knowing
that things fail, I always try to have a pre-configured fall-back ready.

My reliability efforts are going to include: reduction of moving parts
on the gateway (hopefully leaving only fans, FD and CD in the mechanical
arena) and using Archaic's hint about a read-only setup to make that
feasible. Logging would be to net-mounted places (if that can be
*securely* done) on drives that are part of my normal backup process.
Then, for the inevitable day when it does fail, I just activate the
other box, having it also act as gateway, and keep trucking. Now, since
the failure could also be on the filter machine, I also wanted the
gateway to be able to serve as filter, with an *acceptable* amount of
degradation. If the slow box would be *too* slow for this, I was
prepared to use a couple of my faster boxes (*sob*) for

Your add'l info gives me encouragement.

For the same availability reasons, I still maintain my dial-in
capability, in case the cable modem ever fails (when I become gainfully
employed again, I'll acquire a backup unit). During the first month,
before the cable co. found the (apparently) last loose connection, I
used that ability about a dozen times. Just copy over a couple of backup
scripts and resolv.conf, reboot (I really should write a small script
that just does all this and restarts the appropriate services) and I'm
connected again, relatively securely.

Thanks for taking the time and interest Dag!

NOTE: I'm on a new ISP, if I'm in your address book ...
Fix line above & use it to mail me direct.