[MLUG] [ot] Looking for high performance open source firewall
Andy Pintar
andy at hapoteh.net
Thu Dec 18 18:20:39 EST 2008
Yeah, you can have 2 firewalls between the Ciscos and the switch and join
them using pfsync. It's a common setup; the only problem is they can't be in
bridge mode if he wants to run a TCP SYN proxy. Since he really wants
bridge mode, that is out.
A reference is:
http://www.openbsd.org/faq/pf/carp.html#pfsyncintro
On Thu, 18 Dec 2008, Nicholas Accad wrote:
> Just a thought, I am not really good at networking beyond the basic levels.
> Can't you add a BSD firewall before the LVS? Let it deal with the SYN
> stuff, and let IPTables/Linux deal with the rest.
> I have no idea how doable this is, though.
> -nick (petting his CheckPoint/IPSO combos)
>
> On Thu, Dec 18, 2008 at 9:36 AM, Emery Guevremont
> <emery.guevremont at gmail.com> wrote:
>>
>>
>> On Thu, Dec 18, 2008 at 8:32 AM, David Filion <david at filiontech.com> wrote:
>>>
>>> Just for the record, I had simplified things. Our setup actually looks
>>> like:
>>>
>>>   FIBRE        FIBRE
>>>     ||           ||
>>>   CISCO--------CISCO
>>>     \\         //
>>>      ||       //
>>>     SWITCH===OTHER STUFF ON SWITCH
>>>     //    \\
>>>    LB      LB
>>>    ||      ||
>>>     SWITCH(ES)
>>>    //  ||  \\
>>>   S E R V E R S
>>>
>>>
>>> As Jean-Francois said, "Videotron doesn't allow you to terminate your
>>> loop into something that doesn't belong to them. Their router is the
>>> demarc." The routers belong to Videotron, I have no control over or
>>> access to them. Only one fibre is active at a time; spanning tree is
>>> used to switch between them if one of the routers/fibres fails.
>>
>> Spanning-tree is for running redundant switches btw. It helps prevent
>> switching loops and adds redundancy. The routers are probably using iBGP or
>> EIGRP.
>>>
>>>
>>> My goal was to try and get a synproxy set up somewhere in front of the
>>> load balancers so that if a SYN attack occurred, we'd be saving our
>>> servers behind the load balancers from getting overloaded with SYNs.
>>> So far, getting more servers, breaking TCP's timeout settings, and/or
>>> replacing our Linux load balancers with a version of BSD seem to be the
>>> only solutions.
>>>
>>> Iptables is set up on the load balancers. Iptables doesn't help because
>>> it lets the SYNs go right through to the servers, because it doesn't know
>>> the incoming SYN is an invalid SYN. The only thing it can provide is
>>> rate limiting, but that is not currently an option.
>>>
>>> Seems a "drop in" solution is not in my future. Oh well.
>>>
>>> Thanks to all that answered/suggested.
>>>
>>> David
>>>
>>>
>>> Andy Pintar wrote:
>>>> I'd say that the solution has presented itself. As far as I see it, you
>>>> only have to readdress your load balancers. If you have a big block of
>>>> IPs you won't have to run NAT on your firewall. I'm guessing it looks
>>>> like this:
>>>>
>>>> FIBRE
>>>> ||
>>>> CISCO
>>>> ||
>>>> SWITCH===OTHER STUFF ON SWITCH
>>>> ||
>>>> LOAD BALANCER
>>>> || || ||
>>>> LVS
>>>>
>>>>
>>>> Why don't you hook up a firewall between the cisco and the switch, give
>>>> it a public IP, and forget about it? Sure you'll have to reconfig your
>>>> routing a bit but all traffic will *NOT* look like it came from a
>>>> private IP space. I mean, even in the basic home user NAT case where you
>>>> have a single dynamic IP, incoming traffic doesn't look like it's from
>>>> inside the network. So if you have a big enough IP space and don't need
>>>> NAT anyway, then you won't need to run NAT with the firewall operational.
>>>> In this case you can run any of the expensive ones (checkpoint) or just
>>>> use PF with the syn proxy on.
>>>>
>>>> Please anyone correct me if I've misunderstood/miscommunicated.
>>>> Thanks;
>>>> -Andy.
>>>>
>>>> On Wed, 17 Dec 2008, David Filion wrote:
>>>> ...
>>>>
>>>>> OK, I'll keep it simple.
>>>>>
>>>>> ISP's fibre comes into our server room. It's connected to a Cisco 3xxx
>>>>> series router. That router is plugged into a switch. Also plugged into
>>>>> the switch is a load balancer running Linux+LVS. The side of the router
>>>>> facing us is providing our live IPs, it's not NATing. I'm assuming the
>>>>> interface facing the ISP is a 10.0.0.0/8 or something similar. This
>>>>> results in us being able to assign our live IPs to our load balancer(s)
>>>>> and other servers as needed.
>>>>>
>>>> ...
>>>>
>>>>> I was just hoping to find something to filter out some of the garbage
>>>>> traffic before it hit our systems. I didn't want to add an additional
>>>>> layer of NATing because to our web servers, everything would look like
>>>>> it came from a private IP space and not from the real client.
>>>>>
>>>> _______________________________________________
>>>> mlug mailing list
>>>> mlug at listserv.mlug.ca
>>>>
>>>> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>>>>
>>>
>>
>>
>>
>>
>
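The setup Andy describes (two PF firewalls routing between the Ciscos and the switch, joined with CARP/pfsync, with `synproxy state` on the rules that protect the load balancers) looks roughly like the fragments below. This is an added illustration written for this archive page, not configuration from anyone in the thread or from the OpenBSD FAQ page linked above. All interface names (em0/em1/em2), the 203.0.113.0/24 addresses, the CARP password and the load balancer address are made-up placeholders; the same three files go on both firewalls, with only the `advskew` value on `carp0` differing so that one node prefers MASTER.

```pf
# /etc/hostname.carp0  -- shared public gateway address the Cisco routes to
# (constructed example: 203.0.113.1 is the virtual IP, em0 is the outside NIC;
#  use "advskew 100" on the backup node so it only takes over on failure)
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass EXAMPLE-CARP-SECRET advskew 0

# /etc/hostname.pfsync0 -- state-table replication over a dedicated crossover
# link (em2); keep this link private, pfsync traffic is not authenticated
up syncdev em2

# /etc/pf.conf
ext_if  = "em0"              # towards the Cisco
int_if  = "em1"              # towards the switch / load balancers
sync_if = "em2"              # firewall-to-firewall crossover only
lb_vip  = "203.0.113.10"     # placeholder: public address of the LVS box
web_ports = "{ 80 443 }"

set skip on lo
set skip on $sync_if         # never filter the pfsync link itself

block in log all             # default deny inbound; outbound from the box is allowed

# CARP advertisements must flow between the two nodes on both LANs
pass quick on { $ext_if, $int_if } proto carp

# The firewall completes the client's three-way handshake itself and only
# then opens the backend connection, so half-open SYNs never reach the LB.
pass in on $ext_if inet proto tcp to $lb_vip port $web_ports synproxy state

# Everything the firewall sends out (including the proxied backend connection)
pass out keep state
```

Two points the thread raises are worth checking once this is loaded. First, `synproxy state` needs the firewall to be a routing hop that sees both directions of the connection, which is why Andy notes it rules out bridge mode; with public addresses on the load balancers, as Andy suggested earlier, no NAT is involved and the servers still see the real client IP. Second, confirm the pair actually fails over: `ifconfig carp0` should report MASTER on one node and BACKUP on the other, and `pfctl -ss` on the backup should show the same states as the master, which is what lets established sessions survive a switchover.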