I'm happily running two four-zone/four-NIC Shorewall firewall configurations. Great software, works as expected every time! We are contemplating a larger and more complex firewall configuration that may include as many as twelve zones, while trying to cram as many as 8+ interfaces into a single machine. Are there any drawbacks to this number of zones and interfaces in a single Shorewall configuration?

Thanks!

-- 
Matt Burleigh
Enterprise Integration, Inc.
Senior Systems Engineer
http://www.eiisolutions.com
Personally I think u are making your single point of failure very large. If that one FIREWALL/ROUTER drops, then that is 8 subnets down. Think about that first, then start planning the best approach.

> I'm happily running two four-zone/four-NIC Shorewall firewall
> configurations. Great software, works as expected every time! We are
> contemplating a larger and more complex firewall configuration that may
> include as many as twelve zones, while trying to cram as many as 8+
> interfaces into a single machine. Are there any drawbacks to this
> number of zones and interfaces in a single Shorewall configuration?
>
> Thanks!
>
> -- 
> Matt Burleigh
> Enterprise Integration, Inc.
> Senior Systems Engineer
> http://www.eiisolutions.com
>
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

-----------------------------------------------------------
~~ The Science of Doing it Right ~~
-----------------------------------------------------------
Reginald Richardson wrote:

> Personally I think u are making your single point of failure very large.
>
> If that one FIREWALL/ROUTER drops, then that is 8 subnets down.
> Think about that first, then start planning the best approach.

Good point. Is there any type of failover capability in Shorewall?

-- 
Matt Burleigh
Enterprise Integration, Inc.
Senior Systems Engineer
http://www.eiisolutions.com
Hi,

I'm just about to start making tests using the linux-ha.org software and the linux-high-availability.com commercial solution RSF-1, to see how well these solutions work for clustering two firewalls.

Thanks, regards
Benton
Mercado Electronico Dominicano

----- Original Message -----
From: "Matt Burleigh" <matt.burleigh@eiisolutions.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, December 03, 2003 2:03 PM
Subject: Re: [Shorewall-users] Zone Scalability

> Reginald Richardson wrote:
>
> >Personally I think u are making your single point of failure very large.
> >
> >If that one FIREWALL/ROUTER drops, then that is 8 subnets down.
> >Think about that first, then start planning the best approach.
>
> Good point. Is there any type of failover capability in Shorewall?
>
> -- 
> Matt Burleigh
> Enterprise Integration, Inc.
> Senior Systems Engineer
> http://www.eiisolutions.com
A few months ago, someone posted a FAILOVER solution on the LEAF-USERS board, but to date I was waiting for his configs to check it out and didn't receive them as yet.

I think u have to be a little creative here, such as having more than one firewall and running some ping script: if the main server can't be pinged, then the router role is transferred to the secondary firewall.

> Reginald Richardson wrote:
>
> >Personally I think u are making your single point of failure very large.
> >
> >If that one FIREWALL/ROUTER drops, then that is 8 subnets down.
> >Think about that first, then start planning the best approach.
>
> Good point. Is there any type of failover capability in Shorewall?
>
> -- 
> Matt Burleigh
> Enterprise Integration, Inc.
> Senior Systems Engineer
> http://www.eiisolutions.com
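A sketch of the ping-based takeover Reginald describes, as an added example (not code from the thread, from Shorewall or from the LEAF project): the standby firewall probes the primary and claims the shared gateway address only after several consecutive misses, then releases it again when the primary answers, so two boxes never hold the address for long. The addresses, the interface name, the threshold and the PROBE_CMD/DRY_RUN knobs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list thread): ping-based standby watchdog.
# Constructed values: 192.0.2.1 is the primary's probe address,
# 192.0.2.254/24 the shared gateway IP, eth1 the LAN-side interface.

PRIMARY=${PRIMARY:-192.0.2.1}
VIP=${VIP:-192.0.2.254/24}
LAN_IF=${LAN_IF:-eth1}
THRESHOLD=${THRESHOLD:-3}                  # consecutive misses before takeover
PROBE_CMD=${PROBE_CMD:-"ping -c 1 -W 1"}   # Linux iputils ping; overridable
DRY_RUN=${DRY_RUN:-1}                      # 1 = only print the ip commands

# probe HOST: returns 0 if the primary answers, 1 otherwise.
probe() {
    $PROBE_CMD "$1" >/dev/null 2>&1
}

# run_cmd CMD...: execute, or just print, a privileged command.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

take_over() { run_cmd ip addr add "$VIP" dev "$LAN_IF"; }
release()   { run_cmd ip addr del "$VIP" dev "$LAN_IF"; }

# step STATE MISSES: one watchdog iteration. STATE is "standby" or
# "active"; prints "STATE MISSES" for the next iteration.
step() {
    state=$1; misses=$2
    if probe "$PRIMARY"; then
        misses=0
        # Primary is back: hand the address back so there is one owner.
        if [ "$state" = active ]; then release >&2; state=standby; fi
    else
        misses=$((misses + 1))
        if [ "$state" = standby ] && [ "$misses" -ge "$THRESHOLD" ]; then
            take_over >&2; state=active
        fi
    fi
    echo "$state $misses"
}

# watchdog: loop forever, one probe per second.
watchdog() {
    st="standby 0"
    while :; do
        st=$(step $st)
        sleep 1
    done
}

if [ "${1:-}" = run ]; then watchdog; fi
```

Run it as `sh watchdog.sh run` on the standby box and leave DRY_RUN=1 until the printed ip commands look right. A one-way ping is a crude liveness test: a primary that still answers ICMP but has stopped forwarding is not detected, and a partitioned LAN can leave both boxes believing they own the address. Closing those gaps is what the linux-ha software mentioned elsewhere in the thread is for.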
On Wed, 2003-12-03 at 10:38, Reginald Richardson wrote:
> A few months ago, someone posted a FAILOVER solution on the
> LEAF-USERS board, but to date I was waiting for his configs to
> check it out and didn't receive them as yet.

Reginald, Benton, & Matt,

The LEAF Bering uClibc team is actively working on a high-availability solution using linux-ha.org software. IPv6 and Zebra are already available.

http://leaf-project.org/doc/guide/bucu-ipv6.html
http://leaf-project.org/doc/guide/bucu-zebra.html

> I think u have to be a little creative here, such as having more
> than one firewall and running some ping script: if the main server
> can't be pinged, then the router role is transferred to the
> secondary firewall.
>
> > Reginald Richardson wrote:
> >
> > >Personally I think u are making your single point of failure very large.
> > >
> > >If that one FIREWALL/ROUTER drops, then that is 8 subnets down.
> > >Think about that first, then start planning the best approach.
> >
> > Good point. Is there any type of failover capability in Shorewall?

-- 
Mike Noyes <mhnoyes at users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs
On Wed, 2003-12-03 at 08:49, Matt Burleigh wrote:
> I'm happily running two four-zone/four-NIC Shorewall firewall
> configurations. Great software, works as expected every time! We are
> contemplating a larger and more complex firewall configuration that may
> include as many as twelve zones, while trying to cram as many as 8+
> interfaces into a single machine. Are there any drawbacks to this
> number of zones and interfaces in a single Shorewall configuration?
>

The time required for [re]start is O(n**2) where n is the number of zones. Specifying a lightweight shell such as 'ash' in SHOREWALL_SHELL helps keep the [re]start time within acceptable limits.

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
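To make the zone-count scaling concrete, here is an added example (not from the thread and not Shorewall project code) that generates a deny-by-default policy skeleton for a list of zones and checks that every ordered zone pair has an explicit line ahead of the catch-all, so no pair silently inherits whatever the last line says. The zone names are constructed; the column layout SOURCE DEST POLICY LOG-LEVEL is the /etc/shorewall/policy format, and `fw` is Shorewall's default name for the firewall zone.

```shell
#!/bin/sh
# Added example (not from the list thread): deny-by-default policy
# skeleton for a multi-zone Shorewall firewall, plus a coverage check.
# Zone names below are constructed; "fw" is Shorewall's firewall zone.

ZONES="net loc dmz mgmt"

# gen_policy ZONE...: one policy line per ordered zone pair, then the
# firewall's own outbound policy and the mandatory catch-all (last line).
# Allowed traffic belongs in the rules file, not here.
gen_policy() {
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            if [ "$src" = net ]; then
                echo "$src $dst DROP info"     # silent drop from the Internet
            else
                echo "$src $dst REJECT info"   # internal zones get a reject
            fi
        done
    done
    echo "fw all ACCEPT"                       # firewall may reach every zone
    echo "all all REJECT info"                 # catch-all, must stay last
}

# count_pairs ZONE...: number of explicit inter-zone policies, n*(n-1);
# this is the quadratic growth that makes large zone counts expensive.
count_pairs() {
    n=$#
    echo $((n * (n - 1)))
}

# check_coverage POLICYFILE ZONE...: returns 1 and names every ordered pair
# that has no explicit line (it would fall through to the catch-all).
check_coverage() {
    file=$1; shift
    missing=0
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            if ! grep -q "^$src[[:space:]][[:space:]]*$dst[[:space:]]" "$file"; then
                echo "missing policy: $src -> $dst" >&2
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh zones.sh gen > policy.skel   (review before copying into place)
if [ "${1:-}" = gen ]; then
    gen_policy $ZONES
    echo "explicit zone-pair policies: $(count_pairs $ZONES)" >&2
fi
```

For Matt's twelve zones the skeleton alone is 132 pair lines, the n(n-1) growth behind Tom's restart-time remark, and the coverage check is worth running whenever a zone is added, since one forgotten direction is easy to miss in a matrix that size. SHOREWALL_SHELL, the setting Tom names, lives in shorewall.conf; the value `/bin/ash` is assumed here as the lightweight shell he has in mind.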