2009/9/21 Leandro Quibem Magnabosco <leandro.magnabo...@fcdl-sc.org.br>:
> Jesús M. Navarro wrote:
>
> > You are aware you are comparing apples to oranges, aren't you? You asked
> > for a firewall when it seems you are looking for a gateway solution.
> > pfSense, as you certainly know, is not a script or even a bunch of scripts
> > but a whole system solution.
>
> Hmm...
> What I said was "I am searching for something like pfsense[1] for Linux to
> install in a production server.", which means I am looking for something
> with functionalities much like what PFsense has.
> When I said it was supposed to be installed on a production server, I meant
> that I would not like to use a box just for that purpose.
>
> Maybe my English is not quite helpful in discerning concepts, not allowing
> me to be perfectly clear.
> But yeah... that is what I want.
>
> > Since you are asking this on a Debian list, I can point you towards the
> > likes of Gibraltar (http://www.gibraltar.at/), netward
> > (http://www.netguard.gr/), XFwall (http://sourceforge.net/projects/xfwall/)
> > or ips-qos (http://www.coolsolutions.eu/ipsqos/index.php); surely there
> > must be others, and you can certainly tailor yourself out of packages with
> > the needed features and a bit of script and web-fu.
>
> From those you cited, ipsqos looks quite nice, I might give it a try in a
> testing environment.
>
> > How your firewall on a virtual machine will protect the master host and/or
> > how will it avoid any routing by bug or mistake at the master host level to
> > pass through? How will you deal with traffic shaping on your virtual
> > devices when it will be the master host the one queueing packets.
>
> Now you are the one comparing oranges to apples, right? :)
> The way I see it, host firewall and network firewall are different things.
> If Pfsense is in a virtual machine, it will work for the network and not for
> the host itself.
> The host would have its own firewall that, in this case, could be much,
> much simpler, with just a few scripts.
>
> > > Since I posted that, I've been talking to some people on IRC that told
> > > me they implemented PFSense on ESXi on medium-sized networks (~500
> > > nodes) with 1G of RAM and it was running under 15% of cpu and about 25%
> > > of IO average, which sounds pretty good.
> >
> > That it can be done, I have no doubt of. I still think and reason that it's
> > basically defeating a firewall's main purpose serving it as a virtualized
> > resource.
>
> I tested it...
> It works great, but ESXi is pretty picky about the hardware it supports...
> that's the only thing I did not like.
> It is now working in a production environment with a CPU cost of only 6%
> average with all the features I need running.
>
> No doubt it would be best to avoid virtualization if possible, but not at
> all costs.
>
> > > I might try this with some "manual failover" on my hands, just in case...
> >
> > You are aware pfSense supports CARP, aren't you? (last time I tested it was
> > a bit buggy, though).
>
> Yes, but CARP is not needed for a test.
> The test is gone and PFSense @ ESXi is running.
>
> I'm happy! :)
>
> Thank you all for the help, really! :)
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a
> subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Pfsense is the best thing I've ever seen for firewall/router appliances/servers.
You can use pfsense under KVM also.

--
Linux User #452368
http://twitter.com/vpadro

"Everything that irritates us about others can lead us to an understanding of ourselves"