[unisog] IPTables as high bandwidth firewall

Robert Kerr r.kerr at cranfield.ac.uk
Tue Aug 2 08:28:41 GMT 2005


On Mon, 2005-08-01 at 10:17 -0400, Michael Holstein wrote:

> Sure, you could implement failover and all the same features in a Linux 
> box, but by that time, you've created something so complex it can't be 
> easily administered (sure, *you* know how it's setup .. what happens 
> when you win the lottery and the next guy/gal has to troubleshoot?)

I don't think a Linux iptables setup is inherently any more difficult to
administer than a PIX based one. Both allow you to design terribly ugly
or perfectly readable configurations. Really it just comes down to the
skillset of your admins. If you've got a lot of good people that
understand netfilter inside out, there's really not a lot of point in
using PIX and retraining them from scratch. Equally, if you've got people
that know PIX inside out then Linux may not be so good a choice.

Though as mentioned in other posts it's important to consider the
bandwidth requirements. PCI and even PCI-X do have some hardware limits,
and there are also limitations in some of the gig NIC drivers too. If
you are looking at gigabit speeds you need to be careful to ensure the
cards you use don't have drivers with braindead interrupt handling.

-- 
 Robert Kerr



More information about the unisog mailing list