On Thu, Jan 15, 2004 at 03:18:13PM -0500, Nick Laflamme wrote:
> So, are there commonly used alternatives to iptables for firewalls on
> the mainframe? Is iptables commonly used, for that matter, or are most
> of you relying upon external firewalls for any firewall needs you have?

iptables is commonly used. I'd still recommend external firewalls if you have them already, in that then you're not burning relatively precious S/390 cycles doing network functions. There are gradations of CPU consumption, of course: dropping packets is easy. NATting costs a little more. NATting FTP, and app-level masquerading in general, costs a little more still.

If I had an n-tier application on a zSeries, I'd put the iptables filtering between the tiers on the box, rather than mess with redirecting inter-tier traffic out to the real network and back in, even if that bought me the ability to use the external firewall.

> Related question: are there practical limits to how many point-to-point
> connections a Linux image can manage?

I *wouldn't* manage more than eight, whether or not there's performance degradation. If you have a fanout of more than six, really, you need to split your network into more layers. But that's from a "keeping-it-in-my-own-brain" perspective rather than any knowledge of performance characteristics.

Adam
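The kind of on-box, between-the-tiers filtering Adam describes, written out as an added example (this is not code from the thread or from either poster). It assumes a constructed three-tier layout on one Linux image: web tier on eth1 (10.0.1.0/24), application tier on eth2 (10.0.2.0/24), database tier on eth3 (10.0.3.0/24), with the application listening on 8080 and the database on 5432; all of those values are assumptions. By default `IPT` expands to `echo iptables`, so the script prints the rules instead of applying them; run it as root with `IPT=iptables` to load them. The ordering follows the CPU-cost point in the reply: the connection-tracking ACCEPT for established flows comes first, so most packets are decided by the cheapest match and never walk the per-tier rules.

```shell
#!/bin/sh
# Inter-tier packet filtering on a single Linux image (added example).
# Constructed topology, assumed for illustration only:
#   web tier  : eth1, 10.0.1.0/24
#   app tier  : eth2, 10.0.2.0/24   (application port 8080)
#   db tier   : eth3, 10.0.3.0/24   (database port 5432)
# IPT defaults to "echo iptables" so the rules are printed, not applied.
IPT="${IPT:-echo iptables}"

WEB_IF=eth1; WEB_NET=10.0.1.0/24
APP_IF=eth2; APP_NET=10.0.2.0/24
DB_IF=eth3;  DB_NET=10.0.3.0/24
APP_PORT=8080
DB_PORT=5432

# allow_tier SRC_IF SRC_NET DST_IF DST_NET PORT
# Permit NEW TCP connections from one tier to the next on a single port;
# the reverse direction is covered by the ESTABLISHED,RELATED rule below.
allow_tier() {
    $IPT -A FORWARD -i "$1" -s "$2" -o "$3" -d "$4" \
         -p tcp --dport "$5" -m state --state NEW -j ACCEPT
}

# Emit (or apply) the complete FORWARD chain for the three tiers.
apply_tier_rules() {
    # Default-deny for anything crossing between tiers.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Cheapest decision first: packets belonging to an already-accepted
    # flow are matched by connection tracking and skip the tier rules.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the next tier down is reachable, and only on its service port.
    allow_tier "$WEB_IF" "$WEB_NET" "$APP_IF" "$APP_NET" "$APP_PORT"
    allow_tier "$APP_IF" "$APP_NET" "$DB_IF"  "$DB_NET"  "$DB_PORT"

    # Rate-limited log of what the DROP policy is about to discard, so a
    # mis-wired tier shows up in the kernel log instead of failing silently.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "tier-drop: "
}

# Number of per-tier ACCEPT rules the chain contains (one per allowed hop).
tier_rule_count() {
    apply_tier_rules | grep -c -- '--dport'
}

apply_tier_rules
```

Note that no NAT table rules appear at all: with the tiers on the same image, the traffic is only filtered, which is the cheap end of the cost gradation in the reply; adding NAT or the FTP connection-tracking helper would move it up that scale.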
