Originally Posted by JohnRock
Is it necessary for me to run the default CentOS firewall on each server if they are already behind a firewall? (And the database server is not even accessible outside the private LAN)
Same question for SELinux?
Would it be better for performance to disable them entirely? Are they still necessary even if behind an external firewall?
Thanks for any advice you can give!
This is more of a question of how paranoid you are - your paranoia level dictates if it's necessary or not and there's no way for us to know just how paranoid you are 8).
Your system will work fine without a local firewall policy, but having it will increase your security posture. If the rules are written efficiently, it probably won't have any negative effects on performance. However, it will be slightly more work to manage your firewall policies. Everything is a trade-off: performance, usability, security...
As for SELinux, it was written mostly by NSA to harden the OS. Again, your paranoia level can only decide to keep it or disable it. Personally, I would leave it enabled.
If the service you're providing is taking a dump because of load, then perhaps you should look at the design and expandability of your systems rather than eliminate what are considered core security features.