On 5/4/22 05:30, Tom Browder wrote:
> From what I've seen of HAProxy's configuration, it seems it may be
> able to be used as an easy-to-configure firewall immediately
> downstream from my ISP's router and inside a small Debian computer
> feeding another router.
>
> Does that sound feasible? Or is there a physical router available that
> incorporates HAProxy?

While this could theoretically be a possible use case for haproxy, it is
not something I would try. Haproxy is designed to be a proxy server and
load balancer. In those capacities, it is good enough for
mission-critical deployment.

But haproxy is not designed to fill the role of a firewall. I mean no
disrespect to Willy or the other people that spend their valuable time
working on haproxy when I say this. I love haproxy .... it is one of
the best pieces of software in my problem-solving toolkit. But for a
software firewall, I will look elsewhere, for something that is designed
for that role.

Some things that I can think of that I don't think haproxy can do that
you'd expect from a firewall:

* Permit or deny any traffic other than TCP or UDP.
** Examples: ICMP, IGMP, GRE, ESP.
* Examine certain application protocols to track and automatically allow
  related connections.
** FTP and RPC are the examples that come to mind.

TL;DR: While I am not part of the development team for this project, I
am part of the development team for Apache Solr. Something that we are
very often telling people on the Solr users list: Solr is a search
engine. It is not a database. It's a discussion similar to your
question. The response is: When you have a software need, find
software that is designed for the role.

Thanks,
Shawn
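
The two firewall capabilities listed in the reply above (filtering IP protocols other than TCP/UDP, and tracking related connections such as FTP data channels), as an added nftables example that is not part of the original message or of the HAProxy project. The interface names `wan0` and `lan0`, the table, chain and helper names, and the rate limits are assumptions chosen for illustration.

```nftables
# Added example: forwarding firewall on the Debian box between the two routers.
# Assumed names (not from the thread): wan0 faces the ISP router, lan0 the inner router.
table inet edge_fw {
    # Conntrack helper for FTP (uses the kernel's nf_conntrack_ftp module).
    ct helper ftp-std {
        type "ftp" protocol tcp;
    }

    chain pre {
        type filter hook prerouting priority filter; policy accept;
        # Attach the helper to outbound FTP control connections only.
        iifname "lan0" tcp dport 21 ct helper set "ftp-std"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies, plus flows that conntrack or a helper marked as related
        # (for example the FTP data channel negotiated on port 21).
        ct state established,related accept
        ct state invalid drop

        # ICMP is its own IP protocol: allow the error messages that path MTU
        # discovery and diagnostics need, and rate-limit echo requests.
        icmp type { destination-unreachable, time-exceeded } accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 5/second accept

        # IGMP (2), GRE (47) and ESP (50) by IP protocol number: the default
        # policy would drop them anyway; the counter makes the drops visible.
        meta l4proto { 2, 47, 50 } counter drop

        # New TCP/UDP flows are allowed only from inside to outside.
        iifname "lan0" oifname "wan0" meta l4proto { tcp, udp } ct state new accept
    }
}
```

Running `nft -c -f` on a file containing this ruleset checks its syntax without loading it.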