[MLUG] [ot] Looking for high performance open source firewall

Andy Pintar andy at hapoteh.net
Wed Dec 17 18:39:15 EST 2008


I'd say that the solution has presented itself.  As far as I see it, you 
only have to readdress your load balancers. If you have a big block of IPs 
you won't have to run NAT on your firewall.  I'm guessing it looks like 
this:

     FIBRE
       ||
     CISCO
       ||
     SWITCH===OTHER STUFF ON SWITCH
       ||
     LOAD BALANCER
     ||   ||   ||
         LVS


Why don't you hook up a firewall between the cisco and the switch, give it 
a public IP, and forget about it?  Sure you'll have to reconfig your 
routing a bit but all traffic will *NOT* look like it came from a private 
IP space.  I mean, even in the basic home user NAT case where you have a 
single dynamic IP, incoming traffic doesn't look like it's from inside the 
network.  So if you have a big enough IP space and don't need NAT anyway, 
then you won't need to run NAT with the firewall operational.  In this 
case you can run any of the expensive ones (checkpoint) or just use PF 
with the syn proxy on.

Please anyone correct me if I've misunderstood/miscommunicated.
Thanks;
-Andy.

On Wed, 17 Dec 2008, David Filion wrote:
...
> OK, I'll keep it simple.
>
> ISP's fibre comes into our server room.  It's connected to a Cisco 3xxx
> series router.  That router is plugged into a switch.  Also plugged into
> the switch is a load balancer running Linux+LVS.  The side of the router
> facing us is providing our live IPs, it's not NATing.  I'm assuming the
> interface facing the ISP is a 10.0.0.0/8 or something similar.   This
> results in us being able to assign our live IPs to our load balancer(s)
> and other servers as needed.
...
> I was just hoping to find something to filter out some of the garbage
> traffic before it hit our systems.  I didn't want to add an additional
> layer of NATing because to our web servers, everything would look like
> it came from a private IP space and not from the real client.
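As an added example, not part of Andy's or David's messages: a pf.conf for the routed, non-NAT filtering firewall Andy proposes between the Cisco and the switch, with synproxy turned on for the web VIPs. The interface names, the 192.0.2.0/24 block and the load balancer addresses are constructed placeholders.

```pf
# Added example, not from the thread: pf.conf for a routed firewall between
# the Cisco router and the switch. There are no nat/rdr rules, so the web
# servers behind LVS still see the real client address. Interface names
# and addresses are constructed placeholders.
ext_if = "em0"                          # link to the Cisco router
int_if = "em1"                          # link to the switch / load balancers
public_net = "192.0.2.0/24"             # the site's live block (placeholder)
lb_vips = "{ 192.0.2.10, 192.0.2.11 }"  # load balancer addresses (placeholder)
web_ports = "{ 80, 443 }"

# Private and loopback space should never arrive from the ISP side.
table <bogons> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                       127.0.0.0/8, 169.254.0.0/16 }

set skip on lo0
scrub in all                  # reassemble fragments, sanity-check headers

# Spoofed sources: our own block arriving on the outside, and bogons.
antispoof log quick for { $ext_if, $int_if } inet
block drop in log quick on $ext_if from <bogons> to any

# Default deny inbound; log the drops so the "garbage" can be reviewed.
block in log all
pass out all keep state

# Web traffic to the load balancers. synproxy completes the TCP handshake
# on the firewall before it opens the connection to LVS, so half-open SYN
# floods never reach the balancer. Return traffic must also cross this
# firewall, which the in-line routed placement guarantees.
pass in on $ext_if inet proto tcp from any to $lb_vips port $web_ports \
    flags S/SA synproxy state

# ICMP needed for path MTU discovery and basic reachability checks.
pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach } keep state

# Everything from our side may go out and get its replies back.
pass in on $int_if from $public_net to any keep state

# Management of the firewall itself only from the inside.
pass in on $int_if proto tcp from $public_net to ($int_if) port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -ss` shows the synproxy states as they are built.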

