Experiences with large Linux firewalls? (LONG)

[verland]

I'm working on a replacement for our company's current firewall. My plan involves several vanilla Linux boxes (running Netfilter, a sniffer, and some other monitoring packs) arranged in a DMZ configuration. The development version (only 4 machines) is about 50% complete and has been a blast to work on so far.



Is anyone out there running Linux firewalls on a large network? I'm afraid this all seems like a great idea in the lab, but is anyone doing it in the real world? I'm really looking for any stories, reccomendations, problems, triumphs, etc of custom Linux firewalls on a large network. Good stories, bad ones, I want it all. I've worked with a few different commercial firewalls and have reasons for trying Linux, but I want to hear what other people think.





I am in a very odd situation where our running firewall must be replaced asap, however the security firm that will audit us isn't available for a reccomendation for about a year. My biggest fear is that all my work will be scrapped for a "COMMERCIALLY AVAILABLE PRODUCT".... Which is odd since many current firewalls (even our current one) are based off Linux, Netfilter support is openly available (free or otherwise), there are commercial firewall distros, yet I digress.





This message was originally written differently and was intended to be posted in several firewall forums to get opinions from all views, but I'm still not sure what I'm after so I'll start with the Linux'rs first. Thanks for reading this rambly post and double thanks for any input.





-Vern

 

[marsd]

I can't speak to the corporate policy part of the issue:
IMO, consultants, resellers, and "Security Professionals"
are always going to be after the almighty $$ at the cost of your brow sweat and rep.

Speaking to the topic:
Linux firewalling is very simple to implement in
flexible script formats. For corporate "looks" (does it have a gui?) stick a tk face on your script, dialog is also an option. You can dump the output of your iptables output
to an html page, and post it to your webserver.


Large network rules?
I can't speak to large..The largest I did was about 300
hosts on two subnets. Worked well. The script was about
80 or 90 lines and I finagled an add/remove utility for
the ruleset.

Flexibility:
You can implement traffic shaping by marking packets in conjunction -w- linux ip routing.Netfilter is stateful which simplifies your service rules. You have multiple options when it comes to implementing a control set.
The -P, and -N options give you complete control over
your general strategy and method.
Want a straight logging rule without having to code for
each contingency? Easy to do with a custom -N set.
Want different rules for different times of the day?
A little more difficult but easy enough.


In short: if you want full control of your network
firewalling, and don't mind getting your hands dirty, or paying someone to get their hands dirty, linux is more
than enough for what you want.

 

[ady2k]

You can use netboz firewall from freebsd.
This firewall got GUI interface and you can burn to cd rom
Good Luck

 

[Cadwalader]

Vern,

I can't really speak for large nets, but I have a RedHat 7.3 box, firewall set to "Medium". I allow ssh, ftp, http, and mail. In a nut shell, last weekend at a LAN party, 2 individuals with rather "illicit" knowledge tried to get into it and couldn't. I was impressed, and that was without the port blocking support of the router.

What was scary is that they could tell me alot about the box, but couldn't crack in. They couldn't get into Win2K box either. However, my WinME laptop was ripped open with little effort(earth shattering news there, huh?).

I know that this probably sounds like a LAN battle rambling, but these dudes knew the IP, what the OS was, and pretty much how it was configured (from an earlier discussion that evening), and they knew there was no router to get around. Anyway, if I had 2 NIC's in it and using it as a firewall, I would feel darn confident.

Good luck, Vern. Let us know what you decide on. Hope I was of some help...
--OR--
Thanks for the help...
--Rich

 

[haneo]

I have used redhat 6.2 kernel 2.2 for a ....medium LAN at an ISP. 3 ethernet cards 300 PC connected to one, 1mail,5web,1Chat servers to the 2nd interface with >3000 connections per day, other interface connected to internet, with no probleme ? with the command "top" the CPU is running at 001% !!!!!!! 300Mhz Pentium

Recentlly i learned to work with PIX a CISCO firewall, and ...it do not PORT redirection!!!!

see my post here :

http://www.tek-tips.com/gthreadminder.cfm/lev2/3/lev3/21/pid/35