[MLUG] [ot] Looking for high performance open source firewall

David Filion david at filiontech.com
Wed Dec 17 16:46:34 EST 2008


Andy Pintar wrote:
> Yeah, well if your gateway is a bridge it's not feasible to run any sort 
> of proxy on it.  I would be surprised if any other firewall out there can 
> do what you want in bridge mode, but please fill us in if you find out.
> One thing I came across when searching is syn cookies:
> http://forums.whirlpool.net.au/forum-replies-archive.cfm/1071065.html
> http://cr.yp.to/syncookies.html
>
> The other idea is that if you're not getting hit by syn floods ever then 
> don't worry about it for now...  Anyway your net connection sounds weird, 
> not sure what you have going on there but INETS->ROUTER->LOAD_BALANCER is 
> weird.  Why don't you explain the setup a bit?  Maybe there's a better 
> spot to hide your firewall?
>
>   
<snip/>

OK, I'll keep it simple. 

ISP's fibre comes into our server room.  It's connected to a Cisco 3xxx 
series router.  That router is plugged into a switch.  Also plugged into 
the switch is a load balancer running Linux+LVS.  The side of the router 
facing us is providing our live IPs; it's not NATing.  I'm assuming the 
interface facing the ISP is a 10.0.0.0/8 or something similar.  This 
results in us being able to assign our live IPs to our load balancer(s) 
and other servers as needed.

It's just like a Videotron home connection, only with bigger toys.   And 
before it gets mentioned, all our "public" servers are firewalled.

I was just hoping to find something to filter out some of the garbage 
traffic before it hit our systems.  I didn't want to add an additional 
layer of NATing because, to our web servers, everything would look like 
it came from a private IP space and not from the real client.

David
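The SYN cookie links in the quoted reply describe the mechanism in prose only. The following is an added example, not code from this thread or from any of the people on it: a small Python model of the cookie layout from cr.yp.to/syncookies.html (5-bit time counter, 3-bit MSS index, 24-bit keyed hash over the connection 4-tuple), so the server can answer a SYN without keeping half-open state and still recover the negotiated MSS when the final ACK arrives. The secret, the MSS table, the 64-second time unit, the two-unit acceptance window and the sample addresses are all constructed for the demo; the real Linux implementation (`net.ipv4.tcp_syncookies`) differs in its details.

```python
"""SYN cookie encode/verify model (added example, not the kernel's code).

Cookie layout (per cr.yp.to/syncookies.html, values here are constructed):
  bits 31..27 : 5-bit time counter t, in units of TIME_UNIT seconds, mod 32
  bits 26..24 : 3-bit index into MSS_TABLE
  bits 23..0  : 24 bits of HMAC(secret, saddr|daddr|sport|dport|t)
The cookie is sent as the server's ISN; the client's ACK carries ISN + 1.
"""
import hashlib
import hmac
import ipaddress
import struct
import time

# Constructed demo parameters: a real deployment rotates the secret.
SECRET = b"constructed-demo-secret-rotate-me"
MSS_TABLE = (536, 1300, 1440, 1460, 4312, 8960, 1220, 512)
TIME_UNIT = 64          # seconds per counter tick
COOKIE_MAX_AGE = 2      # accept cookies at most this many ticks old
MASK32 = 0xFFFFFFFF

# Constructed sample endpoints (RFC 5737 documentation addresses).
SAMPLE_CLIENT = ipaddress.IPv4Address("192.0.2.10").packed
SAMPLE_SERVER = ipaddress.IPv4Address("198.51.100.80").packed


def _counter(now):
    """5-bit time counter for the given Unix timestamp."""
    return (int(now) // TIME_UNIT) & 0x1F


def _mss_index(mss):
    """Index of the largest table MSS not exceeding the client's offer."""
    best = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss and value > MSS_TABLE[best]:
            best = i
    return best


def _hash24(saddr, daddr, sport, dport, t):
    """Low 24 bits of a keyed hash binding the cookie to one 4-tuple and tick."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now=None):
    """Build the ISN to send in the SYN-ACK; no per-connection state is kept."""
    t = _counter(time.time() if now is None else now)
    m = _mss_index(mss)
    return ((t << 27) | (m << 24) | _hash24(saddr, daddr, sport, dport, t)) & MASK32


def check_cookie(cookie, saddr, daddr, sport, dport, now=None):
    """Validate a cookie taken from the client's ACK (ack_number - 1).

    Returns the MSS the cookie encodes, or None if the cookie is stale or
    was not minted for this 4-tuple (forged or replayed from elsewhere).
    """
    t_now = _counter(time.time() if now is None else now)
    t = (cookie >> 27) & 0x1F
    if ((t_now - t) & 0x1F) > COOKIE_MAX_AGE:
        return None                      # expired: outside the window
    if (cookie & 0xFFFFFF) != _hash24(saddr, daddr, sport, dport, t):
        return None                      # hash mismatch: wrong tuple or key
    return MSS_TABLE[(cookie >> 24) & 0x7]


def simulate_handshake(sport=40000, dport=80, mss=1460, now=1_000_000):
    """SYN -> SYN-ACK(cookie) -> ACK(cookie+1); returns the recovered MSS."""
    isn = make_cookie(SAMPLE_CLIENT, SAMPLE_SERVER, sport, dport, mss, now=now)
    ack_number = (isn + 1) & MASK32      # what the client echoes back
    return check_cookie((ack_number - 1) & MASK32,
                        SAMPLE_CLIENT, SAMPLE_SERVER, sport, dport, now=now)


if __name__ == "__main__":
    print("recovered MSS:", simulate_handshake())
```

Because the server stores nothing between SYN-ACK and ACK, a flood of SYNs from spoofed sources consumes no connection table entries; the cost is that TCP options not encoded in the cookie are lost, which is why the mechanism is normally enabled only as a fallback when the backlog fills. On the Linux boxes in the setup described here, that fallback is the `net.ipv4.tcp_syncookies` sysctl; on a bridging gateway it has to run on the hosts terminating TCP, since the bridge itself never completes the handshake.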
