Is there any benefit to having Shorewall running on the green side?
Pro: Multi-level protection. The main firewall can be seen as a single point of failure in case of vulnerabilities, misconfiguration, etc., etc. Having a firewall per host allows for more fine-grained control, and is more flexible just in case you want to test things out. Can also help curb the effects of LAN misuse/abuse (at least on mine).
Con: having to manage another set of FW rules. Well. That's a *huge* task, innit?
If there isn't then I will disable it to shut down a few processes.
According to the site, Shorewall is just an iptables configuration utility. After the rules are set up, Shorewall doesn't "run". If your boxen are capable and you're not DoSing your own LAN, you don't really waste CPU cycles.