[unisog] IPTables as high bandwidth firewall

Russell Fulton r.fulton at auckland.ac.nz
Mon Aug 1 20:13:55 GMT 2005

Michael Holstein wrote:
>>Have any members on this list had any experience using a linux host with 
>>iptables as a firewall handling and filtering high volume traffic. I am 
> This is where the maxim "just because it *can* be done, doesn't mean it 
> should be done".
> With the right hardware (PCI-X or faster) interfaces and enough 
> horsepower behind it, it's possible -- but it's far easier (and far more 
> reliable) to just buy a purpose-built hardware firewall (eg: PIX).
> Sure, you could implement failover and all the same features in a Linux 
> box, but by that time, you've created something so complex it can't be 
> easily administered (sure, *you* know how it's setup .. what happens 
> when you win the lottery and the next guy/gal has to troubleshoot?)
This is certainly a consideration, the cost of maintenance versus the cost of purchase.

We use FW1 boxes in the internal network where the requirements are fairly standard, but still use OpenBSD on the perimeter where we have 1000s of machines registered; some are fixed, with rules loaded from a mysql database, and some are dynamic, loaded as part of the network login process. Standard commercial systems don't cope well with this sort of requirement.

As usual it is a case of horses for courses.
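The pattern Russell describes, a default-deny perimeter whose per-host rules come from a registration database plus short-lived rules added when a user completes network login, is sketched below as an added example. It is not code from the unisog thread or from the University of Auckland setup: the table layout, the role-to-port policy, the `REGISTERED` chain name and the use of iptables-restore syntax (the thread's perimeter box actually runs OpenBSD) are all assumptions, and an in-memory SQLite table stands in for the MySQL database so the script runs offline.

```python
"""Generate a default-deny iptables rule set from a host-registration table.

Added example, not from the unisog post. Static (registered) hosts get rules
generated in iptables-restore format; dynamic hosts get one rule inserted at
login and deleted at logout. Every address read from the database is parsed
with ipaddress before it is placed in a rule, so a malformed row cannot
smuggle extra arguments into the firewall command line.
"""
import ipaddress
import sqlite3

# Constructed sample data standing in for the MySQL registration table.
SAMPLE_HOSTS = [
    ("192.0.2.10", "static", "web"),
    ("192.0.2.11", "static", "mail"),
    ("192.0.2.20", "dynamic", "login-portal"),
    ("192.0.2.30", "dynamic", "login-portal"),
]

# Hypothetical per-role policy: inbound TCP ports a registered host may receive.
ROLE_PORTS = {"web": [80, 443], "mail": [25, 587], "login-portal": []}

CHAIN = "REGISTERED"  # assumed chain name holding per-host accept rules


def open_registry():
    """Create the in-memory stand-in for the registration database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hosts (ip TEXT PRIMARY KEY, kind TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", SAMPLE_HOSTS)
    conn.commit()
    return conn


def safe_ip(value):
    """Return the canonical text of an IPv4/IPv6 address; raise ValueError otherwise."""
    return str(ipaddress.ip_address(value))


def static_rules(conn):
    """Return iptables-restore lines for all registered static hosts.

    Policy is DROP on INPUT and FORWARD; established flows are accepted first,
    then only registered hosts on the ports their role allows.
    """
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        f":{CHAIN} - [0:0]",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -j {CHAIN}",
    ]
    query = "SELECT ip, role FROM hosts WHERE kind = 'static' ORDER BY ip"
    for raw_ip, role in conn.execute(query):
        ip = safe_ip(raw_ip)  # reject anything that is not a literal address
        for port in ROLE_PORTS.get(role, []):
            lines.append(
                f"-A {CHAIN} -d {ip} -p tcp --dport {port} "
                "-m conntrack --ctstate NEW -j ACCEPT"
            )
    lines.append("COMMIT")
    return lines


def login_rule(raw_ip, logged_in=True):
    """Command run by the login process to admit (or on logout, remove) a dynamic host.

    -I inserts at the top of the chain so the new rule takes effect immediately;
    -D deletes the identical rule again, so the two strings must match exactly.
    """
    ip = safe_ip(raw_ip)
    action = "-I" if logged_in else "-D"
    return f"iptables {action} {CHAIN} -s {ip} -m conntrack --ctstate NEW -j ACCEPT"


if __name__ == "__main__":
    registry = open_registry()
    print("\n".join(static_rules(registry)))  # feed to: iptables-restore < rules.txt
    print(login_rule("192.0.2.20"))           # at login
    print(login_rule("192.0.2.20", False))    # at logout
```

The static output is meant to be applied atomically with `iptables-restore` on each regeneration, while the login hook only touches the one chain, so a database reload never races with the per-session inserts.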