Quote:
Originally Posted by tspayde
I was given a SonicWall firewall to use. I was very unfamiliar with the firewall, so I went ahead and used it. The firewall does not allow the servers inside of it to have public IP addresses assigned to them. They must have internal IP addresses assigned and then the firewall will translate the external IP addresses to internal IP addresses. I am currently experiencing issues with the firewall. It has become a real inconvenience for me and is causing more trouble than it is worth.
I have no direct experience with SonicWall, but they do have a decent reputation. So, the first thing that I would ask is whether you think the SWs themselves are in some way incapable or whether you think that you just don't know them well enough to get the best out of them?
If it is the latter, and you feel that your general networking knowledge is up to the job, getting training on the SWs is one possibility to be considered, amongst others.
Quote:
Originally Posted by tspayde
The firewall does not allow the servers inside of it to have public IP addresses assigned to them. They must have internal IP addresses assigned and then the firewall will translate the external IP addresses to internal IP addresses.
This is a normal enough configuration...it is unclear whether this is anything to do with...
Quote:
Originally Posted by tspayde
I am currently experiencing issues with the firewall. It has become a real inconvenience for me and is causing more trouble than it is worth.
Can you say something about these issues? Debugging, logging, lost packets, performance, difficult-to-configure? What? It would help in coming up with advice to know what the problem is.
Quote:
Originally Posted by tspayde
So my main question is this. If I were to remove this hardware firewall will I be experiencing a great deal of trouble relying on the software firewall in CentOS?
I think if you were replacing a separate proprietary box which was providing firewall facilities, my default starting point would be to think about using a separate Linux box as a firewall. It sounds like you are asking whether the server boxes could act as their own firewalls in addition to whatever else they are doing. It is a bit difficult to comment on that sensibly without knowing a whole lot about their existing load, specification, free memory, disk bandwidth, etc, etc, but I would certainly advise that you should use caution, and try to think about it from all points of view, before committing to that route.
In general, iptables is a good and capable firewall system, but it can't work miracles, and particularly the add-on modules can be a bit heavyweight, if thrown around with the level of consideration that a starving man would use when confronted with an all-you-can-eat buffet. And, if subjected to an attempted DoS/DDoS attack, this can all get too much, so be careful and don't just try to assess the normal operating condition.
One specific here: in general, there are good iptables tutorial materials scattered around the 'net, and, assuming a decent starting point of knowledge, you can basically train yourself from the available tutorials. While this is definitely still 'work', it is work that you can do at your own pace, and, in that respect, you might be better off with training that is completely under your control (and zero cost) than external training that is only available at times and locations at the convenience of a proprietary provider.
A lot of this depends on you, what works for you, and the situation that you find yourself in, but, unless you have particular obscure requirements, my biggest concern isn't about whether iptables is a good tool for firewalling but whether you are heading towards the correct architecture and whether you have the time to devote to this project that it needs.
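As an added example (not part of this reply, and not something tspayde posted), here is what the "separate Linux box as a firewall" option looks like in practice: a minimal default-deny iptables ruleset that keeps the model tspayde describes, servers on private addresses with the firewall mapping a public address onto one of them via DNAT, plus a per-source connection cap on the forwarded service as a small nod to the DoS point above. Every interface name and address in it (eth0, eth1, 203.0.113.10, 192.168.10.20, 192.168.10.0/24) is a constructed placeholder, and the `ipt` wrapper is an assumption for review purposes, not anything iptables provides.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal default-deny iptables ruleset
# for a Linux box standing in for the SonicWall. Servers keep private
# addresses; the firewall maps a public address onto them with DNAT.
# Every interface name and address below is a constructed placeholder.

WAN_IF="${WAN_IF:-eth0}"                   # assumed outside interface
LAN_IF="${LAN_IF:-eth1}"                   # assumed inside interface
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"     # placeholder public address
WEB_SERVER="${WEB_SERVER:-192.168.10.20}"  # placeholder internal web server
ADMIN_NET="${ADMIN_NET:-192.168.10.0/24}"  # placeholder network allowed to SSH

# ipt: by default only print the iptables command so the ruleset can be
# reviewed; set APPLY=1 (as root) to actually load it.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

emit_rules() {
    # Start from a clean slate, then drop anything no explicit rule accepts
    # (the firewall's own outbound traffic is allowed).
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, replies to connections already tracked, and junk.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Management: SSH to the firewall itself only from the admin network.
    ipt -A INPUT -i "$LAN_IF" -s "$ADMIN_NET" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Public address -> internal server: the translation the SonicWall did.
    # The rewrite happens in PREROUTING; FORWARD must still accept the packet,
    # and by then it carries the internal address, not the public one.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # Cheap per-source cap on concurrent connections to the forwarded service.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 \
        --connlimit-mask 32 -j DROP
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Let the internal servers reach out, hidden behind the public address.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Forwarding must also be switched on in the kernel when the rules are applied:
#   sysctl -w net.ipv4.ip_forward=1
emit_rules
```

Run it unprivileged first and read the printed commands; only then run it with `APPLY=1` as root. The rules live in the running kernel only, so persist them with `iptables-save` (or the distribution's iptables service) once they are right. The connlimit rule caps what one source address can hold open; it does nothing against a distributed flood, which is exactly the case the reply above warns about, so test under load rather than only in the normal operating condition.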