Jesús M. Navarro wrote:
Hmm... You are aware you are comparing apples to oranges, aren't you? You asked for a firewall when it seems you are looking for a gateway solution. pfSense, as you certainly know, is not a script or even a bunch of scripts but a whole system solution.

What I said was "I am searching for something like pfsense[1] for Linux to install in a production server.", which means I am looking for something with functionalities much like what PFsense has. When I said it was supposed to be installed on a production server, I meant that I would not like to use a box just for that purpose. Maybe my English is not quite helpful in discerning concepts, not allowing me to be perfectly clear. But yeah... that is what I want.

From those you cited, ipsqos looks quite nice, I might give it a try in a testing environment.

Since you are asking this on a Debian list, I can point you towards the likes of Gibraltar (http://www.gibraltar.at/), netward (http://www.netguard.gr/), XFwall (http://sourceforge.net/projects/xfwall/) or ips-qos (http://www.coolsolutions.eu/ipsqos/index.php). Surely there must be others, and you can certainly tailor yourself out of packages with the needed features and a bit of script and web-fu.

Now you are the one comparing oranges to apples, right? :)

How your firewall on a virtual machine will protect the master host and/or how will it avoid any routing by bug or mistake at the master host level to pass through? How will you deal with traffic shaping on your virtual devices when it will be the master host the one queueing packets.

The way I see it, host firewall and network firewall are different things. If Pfsense is in a virtual machine, it will work for the network and not for the host itself. The host would have its own firewall that, in this case, it could be much much simpler, with just a few scripts.

Since I posted that, I've been talking to some people on IRC that told me they implemented PFSense on ESXi on medium-sized networks (~500 nodes) with 1G of RAM and it was running under 15% of CPU and about 25% of IO average, which sounds pretty good.

That it can be done, I have no doubt of. I still think and reason that it's basically defeating a firewall's main purpose serving it as a virtualized resource.

I tested it... It works great, but ESXi is pretty picky about the hardware it supports... that's the only thing I did not like. It is now working in a production environment with a CPU cost of only 6% average with all the features I need running. No doubt it would be best to avoid virtualization if possible, but not at all costs.

Yes, but CARP is not needed for a test.

I might try this with some "manual failover" on my hands, just in case...

You are aware pfSense supports CARP, don't you? (last time I tested it was a bit buggy, though).

The test is gone and PFSense @ ESXi is running. I'm happy! :)

Thank you all for the help, really! :)