creating a DMZ -- seeking firewall advice

Eric Jensen eric at emstraffic.com
Tue Mar 8 12:44:09 MST 2005


Eric Jensen wrote:

> As far as efficiency, I gathered from various research that the Linux 
> distros that are focused on being firewalls are pretty good at it and 
> don't have nearly as much bloat to trim as a generic Linux install.  
> And if Cisco does all the "features" that most commercial firewalls 
> do, i.e. employee micromanagement, then I doubt they are all that 
> efficient anyway.  Our Firebox does what a firewall should, no doubt, 
> but it does a very large list of other things as well.  I think if you 
> take a Linux distro that intends to be nothing but a firewall, you 
> would end up being more efficient than a commercial device.  But I'm 
> not a firewall guru by any means, just spent a few months using our 
> Firebox and some casual reading.
>
> Eric Jensen
> .===================================.
> | This has been a P.L.U.G. mailing. |
> |      Don't Fear the Penguin.      |
> |  IRC: #utah at irc.freenode.net   |
> `==================================='
>
Distracting day, so excuse the multiple e-mails.  I don't want to sound 
like there is no good reason to go with hardware solutions; most of the 
micromanagement I complain about can be turned off if you spend enough 
time in their manual.  And they will definitely do the firewall job.

My problem with them is I am a control freak.  No matter how much time 
we spend in the manual we still run across things that it is doing that 
we don't want it to, and it is causing us grief.  For example, it will 
lock up web pages, including ones we design.  No scripting of any kind 
is done, just very simple HTML and some cookies.  You browse around and 
then bam, you can't load anything on that site for a good 20-30 minutes 
(we believe it is cookie related because of that).  It happens to sites we 
commonly go to outside of work too.  We try the exact same process on 
dozens of computers outside the firewall and it works smoothly.  We 
have a laundry list of odd things like that.  It screws with e-mail, 
file transfers, all kinds of web browsing, etc.  So no matter how 
familiar we get with the manual and the interface, we are always feeling 
like it is doing something that will give us a headache sooner or 
later.  I haven't tried a Linux distro that is supposed to be for 
firewalls, but from my experience with server and desktop Linux installs 
I will feel like I am finally in full control of the firewall and can 
know and understand everything it is doing to our packets.

Eric Jensen


