#1  09-01-2011, 11:20 PM
tspayde
Firewall Woes


I am new to the forums, but can easily see myself spending a great deal of time here, as I am not an amazing Linux administrator. I have spent a great deal of my career working in Windows environments. With that said, I am about to be placed into a position that makes me a bit uncomfortable, and I would like some advice.

About 8 months ago I was tasked with moving our company from a managed hosting solution to a colocation setup. I proceeded to purchase 3 servers and was given a firewall and 2 switches they had already purchased. I went ahead and created a network topography and all kinds of graphs and flowcharts to plan our move. I will cut the background a bit short so as not to bore anyone too much. I was given a SonicWall firewall to use. I was very unfamiliar with the firewall, so I went ahead and used it. The firewall does not allow the servers inside of it to have public IP addresses assigned to them. They must have internal IP addresses assigned, and then the firewall translates the external IP addresses to internal IP addresses. I am currently experiencing issues with the firewall. It has become a real inconvenience for me and is causing more trouble than it is worth. As with many companies right now, we are under some really strict budgeting.

So my main question is this: if I were to remove this hardware firewall, will I experience a great deal of trouble relying on the software firewall in CentOS? Our servers consist of 2 CentOS machines. One is our database server and the other is our web server. We have a Windows machine handling our mail and DNS. I know it is hard to predict what kind of attacks I could be facing in the next three or six months, but how reliable is the built-in firewall? Is it something I should not even consider?

I am sorry this post got a bit long. I hope a few people were able to read it all. I do appreciate any help or advice given.

Thank you in advance.
 
#2  09-02-2011, 01:24 AM
hi2arun
Hi -

Welcome to LQ forums

Before talking about Netfilter/iptables, the default firewall framework in Linux: do you have information on your network capacity, like pipe size, connection count, connection rate, number of ACL rules and number of NAT rules?

Netfilter:

Netfilter is a popular firewall solution and is widely used in many security appliances. It has extensive features; you will rarely see a miss compared to any other dedicated security solution.

NAT is cool. It has an optimized conntrack table that ensures O(1) lookups for packets that go through address translation.

Performance:

Performance is dictated by the number of ACL and mangle rules. You will see no difference in throughput up to 700 to 1000 rules. The number also depends on the power of the CPU.

If you feel that you are going to have more than 700 rules, the nf-HiPAC/ipset patch is available to give a boost. With nf-HiPAC you will see a negligible dip in throughput.

Configuration:

iptables is the user-space command-line utility for configuring the firewall. However, GUIs are available to ease its configuration.

Check out:
Firewall builder: http://www.fwbuilder.org/
Turtle firewall: http://www.turtlefirewall.com/

There are other GUIs available. However the aforementioned are the best.

Feel free to ask more. We will try our best to answer.

HTH!
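hi2arun's points about the conntrack table and the rule-count ceiling are exactly where a host-based netfilter setup tends to hurt first, so here is an added example (not code from the thread): a POSIX shell function that summarises a dump in the `/proc/net/nf_conntrack` format by protocol and TCP state, counts `[UNREPLIED]` half-open entries (what a SYN flood looks like in the table) and the busiest original-direction sources, plus a helper that turns `nf_conntrack_count`/`nf_conntrack_max` into a fill percentage. The sample table is constructed using RFC 5737 documentation addresses; the `/proc` paths are those of 2.6-series kernels with the nf_conntrack module.

```shell
#!/bin/sh
# Added example: summarise a netfilter conntrack table (format of /proc/net/nf_conntrack).
# Run against the live table with no argument, or pass a saved dump, or "-" for stdin.

# Constructed sample: two established HTTPS flows from one client, two half-open
# (UNREPLIED) SYNs to port 80 from another, and one DNS query. Not captured data.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=10.10.0.10 sport=51234 dport=443 src=10.10.0.10 dst=203.0.113.10 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=203.0.113.10 dst=10.10.0.10 sport=51235 dport=443 src=10.10.0.10 dst=203.0.113.10 sport=443 dport=51235 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=198.51.100.7 dst=10.10.0.10 sport=40000 dport=80 [UNREPLIED] src=10.10.0.10 dst=198.51.100.7 sport=80 dport=40000 mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=198.51.100.7 dst=10.10.0.10 sport=40001 dport=80 [UNREPLIED] src=10.10.0.10 dst=198.51.100.7 sport=80 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.5 dst=10.10.0.11 sport=53001 dport=53 src=10.10.0.11 dst=192.0.2.5 sport=53 dport=53001 mark=0 zone=0 use=2'

# conntrack_summary [FILE|-]
# Prints "total N", "unreplied N", then "state PROTO STATE N" and "src ADDR N" lines.
# The src counted is the original-direction source, i.e. the client that opened the flow.
conntrack_summary() {
    awk '
    {
        proto = $3
        # TCP entries carry a state word in field 6; UDP/ICMP entries do not
        state = (proto == "tcp") ? $6 : "-"
        count[proto " " state]++
        if (index($0, "[UNREPLIED]") > 0) unreplied++
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { sub(/^src=/, "", $i); src[$i]++; break }
        total++
    }
    END {
        printf "total %d\n", total
        printf "unreplied %d\n", unreplied
        for (k in count) printf "state %s %d\n", k, count[k]
        for (s in src) printf "src %s %d\n", s, src[s]
    }' "${1:-/proc/net/nf_conntrack}"
}

# conntrack_fill_pct COUNT MAX
# Integer percentage of the table in use. On a live box the two values come from
# /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max. When the table is
# full the kernel logs "nf_conntrack: table full, dropping packet" and new flows fail,
# which is how a connection flood turns into an outage for everyone.
conntrack_fill_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Stand-alone demo on the constructed sample; busiest sources sort to the top.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary - | grep -v '^src'
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary - | grep '^src' | sort -k3,3nr
echo "fill: $(conntrack_fill_pct 1600 65536)%"
```

On the poster's 1000 to 1600 live connections the default table (65536 entries on most builds of that era) is barely touched; the number to watch under attack is `unreplied`, and `nf_conntrack_max` together with `nf_conntrack_tcp_timeout_syn_sent` are the knobs if it climbs.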
#3  09-02-2011, 08:22 AM
tspayde (original poster)
Hello HTH. Thank you for the quick reply. To answer a few of your questions: our servers are sitting in a data center in Atlanta. They have a 100MB connection. As for connections, just looking at the firewall during the day (which is our main busy time, as that is when our clients are awake and working) we will have anywhere from 1000 to 1600 live connections. As for ports and rules, the count should be well under 700. We really only need access to web, SSH, and database ports.

I hope that answers your questions. After your reply and a little more research I am feeling a little more comfortable with the firewall. This will hopefully only be a temporary fix until I can budget in some money for a new hardware firewall.

Thank you once again for the reply.
 
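The requirements tspayde lists (public web, SSH for administration, the database reachable only by the web server) fit in a short ruleset, so here is an added example that is not code from the thread: a POSIX shell function that emits an `iptables-restore` file for either CentOS box, with a default DROP policy, stateful acceptance of established traffic, SSH restricted to an administrative network and rate-limited, and rate-limited logging of whatever falls through to the policy. The role argument picks the web (80/443) or database rule. Assumptions: the admin network and addresses are RFC 5737 examples, and the database port defaults to 3306 (MySQL) because the thread never names the database; pass another port as the fourth argument.

```shell
#!/bin/sh
# Added example: generate a host firewall (iptables-restore format) for the two CentOS
# servers in the thread. Nothing here touches the live firewall; review the output, then:
#   host_ruleset web 198.51.100.0/24 > /etc/sysconfig/iptables && service iptables restart
# (CentOS loads /etc/sysconfig/iptables at boot; "iptables-restore -t FILE" only parses it.)

# host_ruleset ROLE ADMIN_CIDR [WEB_SERVER_IP] [DB_PORT]
#   ROLE          web | db
#   ADMIN_CIDR    network allowed to open SSH sessions
#   WEB_SERVER_IP (db role) the only host allowed to reach the database port
#   DB_PORT       (db role) defaults to 3306; an assumption, the thread never names the DB
host_ruleset() {
    role=$1 admin=$2 peer=$3 db_port=${4:-3306}
    case $role in
        web|db) ;;
        *) echo "usage: host_ruleset web|db ADMIN_CIDR [WEB_SERVER_IP] [DB_PORT]" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-tracked flows first; INVALID is what conntrack cannot classify
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# SSH only from the admin network; "limit" is a global brake on new sessions for this
# rule (use the hashlimit match if you want it per source address)
-A INPUT -p tcp --dport 22 -s $admin -m state --state NEW -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
EOF
    if [ "$role" = web ]; then
        printf '%s\n' "-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT"
    else
        [ -n "$peer" ] || { echo "db role needs WEB_SERVER_IP" >&2; return 1; }
        printf '%s\n' "-A INPUT -p tcp --dport $db_port -s $peer -m state --state NEW -j ACCEPT"
    fi
    cat <<EOF
# log a sample of what is about to hit the DROP policy (lands in /var/log/messages)
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# Stand-alone demo: the database server, admitting only the web server on the DB port.
host_ruleset db 198.51.100.0/24 10.10.0.10
```

The ESTABLISHED,RELATED rule is what makes the NEW-only service rules cheap: once a flow is in the conntrack table every later packet matches the second rule and never walks the rest of the chain, which is why rule count matters far less than hi2arun's 700-rule figure suggests for a server with three open ports.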
#4  09-02-2011, 08:25 AM
hi2arun
Hi -

From what you have said about your network, Linux Netfilter - iptables will do the job with no concerns.
#5  09-02-2011, 08:33 AM
tspayde (original poster)
Well, it looks like I have my answer then. Thank you once again for the quick replies. I am sure to be seeing you around the forums again.
 
#6  09-03-2011, 07:57 AM
salasi
Quote (originally posted by tspayde):
I was given a SonicWalls firewall to use. I was very unfamiliar with the firewall, so I went ahead and used it. The firewall does not allow the servers inside of it to have public IP addresses assigned to them. They must have internal IP addresses assigned and then the firewall will translate the external IP addresses to internal IP addresses. I am currently experiencing issues with the firewall. It has become a real inconvenience for me and is causing more trouble than it is worth.
I have no direct experience with SonicWall, but they do have a decent reputation. So, the first thing that I would ask is whether you think the SWs themselves are in some way incapable, or whether you think that you just don't know them well enough to get the best out of them?

If it is the latter, and you feel that your general networking knowledge is up to the job, getting training on the SWs is one possibility to be considered, amongst others.

Quote (originally posted by tspayde):
The firewall does not allow the servers inside of it to have public IP addresses assigned to them. They must have internal IP addresses assigned and then the firewall will translate the external IP addresses to internal IP addresses.
This is a normal enough configuration... it is unclear whether this has anything to do with...

Quote (originally posted by tspayde):
I am currently experiencing issues with the firewall. It has become a real inconvenience for me and is causing more trouble than it is worth.
Can you say something about these issues? Debugging, logging, lost packets, performance, difficult-to-configure? What? It would help in coming up with advice to know what the problem is.

Quote (originally posted by tspayde):
So my main question is this. If I were to remove this hardware firewall will I be experiencing a great deal of trouble relying on the software firewall in CentOS?
I think if you were replacing a separate proprietary box which was providing firewall facilities, my default starting point would be to think about using a separate Linux box as a firewall. It sounds like you are asking whether the server boxes could act as their own firewalls in addition to whatever else they are doing. It is a bit difficult to comment on that sensibly without knowing a whole lot about their existing load, specification, free memory, disk bandwidth, etc., but I would certainly advise that you should use caution, and try to think about it from all points of view, before committing to that route.

In general, iptables is a good and capable firewall system, but it can't work miracles, and particularly the add-on modules can be a bit heavyweight if thrown around with the level of consideration that a starving man would use when confronted with an all-you-can-eat buffet. And, if subjected to an attempted DoS/DDoS attack, this can all get too much, so be careful and don't just try to assess the normal operating condition.

One specific here; in general, there are good iptables tutorial materials scattered around the 'net, and, assuming a decent starting point of knowledge, you can basically train yourself from the available tutorials. While this is definitely still 'work', it is work that you can do at your own pace, and, in that respect, you might be better off with training that is completely under your control (and zero cost) than external training that is only available at times and locations at the convenience of a proprietary provider.

A lot of this depends on you, what works for you, and the situation that you find yourself in, but, unless you have particular obscure requirements, my biggest concern isn't about whether iptables is a good tool for firewalling but whether you are heading towards the correct architecture and whether you have the time to devote to this project that it needs.
 
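salasi's default starting point, a separate Linux box in the SonicWall's place, means reproducing with netfilter the one-to-one NAT tspayde describes (public address on the outside, private address on the server). As an added example that is not code from the thread, this POSIX shell function emits an `iptables-restore` file for such a gateway: a `nat` table with a DNAT/SNAT pair per public address, and a `filter` table whose FORWARD chain admits only the listed ports to the translated internal address, because FORWARD runs after PREROUTING has already rewritten the destination. The mapping list, RFC 5737 addresses and interface names are constructed; the second mapping stands in for the Windows mail/DNS box the thread mentions, and its ports (25, 53) are an assumption.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for a dedicated Linux firewall doing 1:1 NAT
# in front of the servers. Apply on the gateway only after enabling forwarding:
#   sysctl -w net.ipv4.ip_forward=1        (and persist it in /etc/sysctl.conf)
#   nat_gateway_ruleset eth0 eth1 198.51.100.0/24 "$SAMPLE_MAPPINGS" | iptables-restore

# Constructed mapping list: "PUBLIC_IP INTERNAL_IP proto:port[,port] ..." one per line.
# The second line stands in for the Windows mail/DNS box; 25/53 are assumed ports.
SAMPLE_MAPPINGS='192.0.2.10 10.10.0.10 tcp:80,443
192.0.2.11 10.10.0.11 tcp:25,53 udp:53'

# nat_gateway_ruleset WAN_IF LAN_IF ADMIN_CIDR MAPPINGS
nat_gateway_ruleset() {
    wan=$1 lan=$2 admin=$3 maps=$4
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Inbound: rewrite the public destination to the server. Outbound: present the same
    # public address so each server keeps a stable source IP. Replies need no rules of
    # their own; conntrack reverses the translation on the tracked flow.
    printf '%s\n' "$maps" | while read -r pub inner ports; do
        [ -n "$pub" ] || continue
        printf '%s\n' "-A PREROUTING -i $wan -d $pub -j DNAT --to-destination $inner"
        printf '%s\n' "-A POSTROUTING -o $wan -s $inner -j SNAT --to-source $pub"
    done
    printf '%s\n' 'COMMIT'
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the gateway itself accepts only loopback, tracked replies and admin SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin -m state --state NEW -j ACCEPT
# forwarded traffic: tracked flows pass, junk is dropped, then explicit service rules
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
EOF
    # FORWARD sees the packet after PREROUTING, so match the internal address here
    printf '%s\n' "$maps" | while read -r pub inner ports; do
        [ -n "$pub" ] || continue
        for spec in $ports; do
            printf '%s\n' "-A FORWARD -i $wan -o $lan -d $inner -p ${spec%%:*} -m multiport --dports ${spec#*:} -m state --state NEW -j ACCEPT"
        done
    done
    cat <<EOF
# servers may open outbound connections (updates, DNS, SMTP); tighten to taste
-A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Stand-alone demo
nat_gateway_ruleset eth0 eth1 198.51.100.0/24 "$SAMPLE_MAPPINGS"
```

Two things this layout buys over the SonicWall the poster is struggling with: the rules are plain text you can diff, version and reason about, and the DNAT line is the only place the public-to-private mapping lives, so a service change is one edit in the mapping list rather than a NAT policy plus a separate access rule. The cost salasi warns about still applies: the gateway is now a single Linux box in the data path, and its conntrack table, not the servers', is what a flood fills first.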