[SunHELP] Firewall1

Tim Conrad sunhelp at sunhelp.org
Wed Feb 28 10:34:16 CST 2001


For those of you doing firewall-1 stuff out there, www.phoneboy.com is
great, and has some great information about firewall-1

The question about multiple processors comes up on that firewall-1
mailing list on occasion. The last thread I remember reading stated that
there wasn't much of a performance benefit for using 2 processors, even
if you are VPN'ing. However, if you are running some sort of content
filtering software, it would be able to use the second processor.

I've successfully installed & configured firewall-1 through a telnet
session (Yeah, let's hear it for security. Well, it was just for a test
network anyways). So there is no reason that wouldn't work with just a
console session. There are textual tools to do the same thing that the
graphical tools do.

I have an Ultra1 that has around 15000 hosts behind it, just providing
NAT and routing, and it works fine. Usually through most of the day
there are around 8,000 concurrent connections going through the
firewall. (I know that drops actual client connections considerably
when you take into effect that a web access uses multiple connections,
but anyways)

There is also the 'Titan' suite of scripts which will effectively
'harden' the firewall. The URL is: http://www.fish.com/titan/index.html
A lot of what Titan does is basic, but it'll help make the OS under your
firewall more secure than it is out of the box. And it'll probably
change some things that should be changed, but either get forgotten, or
people are unaware of them.

Tim

Will Mc Donald wrote:
> 
> From: "Reagen Ward" <ward at zilla.nu>
> 
> > On Tue, Feb 27, 2001 at 07:23:47PM -0500, Alan Rubin wrote:
> > > I have an Ultra2 I'm thinking about loading FW1 on.  Does anyone have
> > > experience with this?  How is the performance?  Can FW1 run on a
> headless
> > > box with the GUI being used remotely?
> >
> > FW1 runs great on an U2, but you're better off with a single CPU than
> > with two.
> 
> Can I ask why you think that? We were considering sticking another processor
> in our Ultra 2 FW-1 Enforcement station (not the management console).
> 
> At the moment it's running with its HME interface, 2 SBUS dual-attach FDDI
> interfaces and a Quad-Fast Ethernet, we're thinking of ditching the FDDIs
> and replacing them with Quad and Quad-Fast Ethernet over the next month or
> two and we were considering adding another processor as well.
> 
> Isn't Sun's party line that you should have a processor per network
> interface where possible?
> 
> Will.
> 