[geeks] Re: [SunRescue] Help!

Phil Brutsche geeks at sunhelp.org
Thu Apr 19 15:20:40 CDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> Does it do anything ipfilter doesn't?

Only marginally.  Going from the last time I looked at the ipfilter docs,
the only thing netfilter can do over ipfilter is:

 1) Make ftp work worth a crap without being a contortionist (which is
    where the recent netfilter security bug came from :)

The power of netfilter is realized when used in conjunction with the "ip"
command to provide policy routing capabilities and the "tc" command to
provide QoS.

An example:

1 NAT'ing firewall, two internet connections (ISDN & DSL).  You want your
mail server to be on both for redundancy (in my experience the second
biggest cause of downtime is the internet connection, for whatever reason.
The biggest is PoS PC hardware).  Give your mail server two ip #s -
192.168.100.20 & 192.168.100.21.  Packets from 192.168.100.20 get sent to
the ISDN gateway; packets from 192.168.100.21 get sent to the DSL gateway.

Or:

1 NAT'ing firewall, one web server, one mail server, 2 internet
connections (ISDN & DSL), some client PCs.  Mail server & web server go
out DSL, everything else (i.e. the "unimportant stuff") out ISDN.  Oh, and
be sure to enforce bandwidth restrictions so that a single, large email
doesn't kill your DSL line and hence your web server.

The possibilities are endless; so are the examples I can come up with.

I have yet to find someone to tell me how to do that with any of the other
freely available unix-type operating systems (Solaris, FreeBSD, NetBSD,
and OpenBSD; maybe more?).  Some people tell me to go get a Cisco.  Most
just look at me weird :)

- -- 
- ----------------------------------------------------------------------
Phil Brutsche				    pbrutsch at tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE630ib/ZTSZFDeHPwRArJBAJ4gc6PuNKdUHlyu8XgiODsiM2hzWgCg3lCA
JMSAuG+G0V8GGbFFyfFSFeY=
=OsVI
-----END PGP SIGNATURE-----
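
Added example (editor's, not part of Phil's message): the second scenario
above, a NAT'ing Linux firewall with ISDN and DSL upstreams, mail and web
servers forced out the DSL link, everything else out ISDN, and the mail
server capped so one large message cannot starve the web server, written
as an iproute2/iptables/tc script.  The first scenario is the same two
route_source_via calls with 192.168.100.20 pointed at the ISDN table and
192.168.100.21 at the DSL table.  The mail server address 192.168.100.21
comes from the post; interface names (ippp0, ppp0, eth0), gateway
addresses, table numbers, the web server address, the fwmark value and the
bandwidth figures are assumptions.  The script prints the commands by
default; run it as root with APPLY=1 to actually configure the box.

```shell
#!/bin/sh
# Added example, not code from the original post.  Policy routing plus
# shaping for a Linux NAT firewall with two upstreams (iproute2, iptables,
# tc).  Prints commands unless APPLY=1 is set (then needs root).
# All names, addresses, table numbers and rates below are assumptions
# except the mail server address, which the post gives.

LAN_IF=eth0;   LAN_NET=192.168.100.0/24
ISDN_IF=ippp0; ISDN_GW=10.1.0.1; ISDN_TABLE=100   # assumed
DSL_IF=ppp0;   DSL_GW=10.2.0.1;  DSL_TABLE=200    # assumed
MAIL_SRV=192.168.100.21   # from the post
WEB_SRV=192.168.100.30    # assumed
DSL_UP=512kbit            # assumed DSL uplink rate
MAIL_MARK=20              # assumed fwmark for mail server traffic

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# One routing table per upstream: its own default route plus a copy of the
# LAN route, so a lookup in that table can still reach LAN hosts.
add_upstream() {   # table gateway device
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$1"
    run ip route add default via "$2" dev "$3" table "$1"
}

# Source-address policy rule: packets *from* $1 are routed with table $2.
# The routing decision is made before POSTROUTING SNAT rewrites the source,
# so matching the private address here is correct.
route_source_via() {   # source table
    run ip rule add from "$1" lookup "$2" pref 1000
}

# Masquerade on both upstreams; conntrack un-NATs replies whichever link
# they return on.  (Inbound connections to a server that arrive on the
# "wrong" link need CONNMARK-based rules to go back the same way; not shown.)
nat_upstreams() {
    for dev in "$ISDN_IF" "$DSL_IF"; do
        run iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
    done
}

# HTB on the DSL link.  Egress tc sees the already-SNAT'ed packet, so it
# cannot classify on the private source address; instead mark the mail
# server's packets in mangle PREROUTING (pre-NAT) and classify on the mark.
# Mail gets a guaranteed 128kbit and a ceiling of half the uplink.
shape_dsl_uplink() {
    run iptables -t mangle -A PREROUTING -s "$MAIL_SRV" -j MARK --set-mark "$MAIL_MARK"
    run tc qdisc add dev "$DSL_IF" root handle 1: htb default 10
    run tc class add dev "$DSL_IF" parent 1: classid 1:1 htb rate "$DSL_UP" ceil "$DSL_UP"
    run tc class add dev "$DSL_IF" parent 1:1 classid 1:10 htb rate 256kbit ceil "$DSL_UP" prio 0
    run tc class add dev "$DSL_IF" parent 1:1 classid 1:20 htb rate 128kbit ceil 256kbit prio 1
    run tc filter add dev "$DSL_IF" parent 1: protocol ip prio 1 handle "$MAIL_MARK" fw flowid 1:20
}

configure() {
    add_upstream "$ISDN_TABLE" "$ISDN_GW" "$ISDN_IF"
    add_upstream "$DSL_TABLE"  "$DSL_GW"  "$DSL_IF"
    # The "unimportant stuff" follows the main table's default: ISDN.
    run ip route replace default via "$ISDN_GW" dev "$ISDN_IF"
    # Mail and web servers are steered out the DSL link by source address.
    route_source_via "$MAIL_SRV" "$DSL_TABLE"
    route_source_via "$WEB_SRV"  "$DSL_TABLE"
    run ip route flush cache
    nat_upstreams
    shape_dsl_uplink
}

configure
```

The order matters: the ip rule entries are consulted by preference before
the main table, so a matching "from" rule wins over the ISDN default, and
the mangle MARK is applied in PREROUTING precisely because it must be set
before NAT and routing have run.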