On Iau, 2004-01-15 at 20:18, Nick Laflamme wrote:
> their web pages aren't up to date about that). A neighboring Linux S/390
> site has talked in general terms about iptables being robust enough for
> their needs. I remember a SHARE talk on porting an application to Linux
> on the mainframe where the application was a firewall, but I can't find
> a handout from that session.
The netfilter functionality is certainly robust enough.

> Related question: are there practical limits to how many point-to-point
> connections a Linux image can manage?

Only at the S/390 level I suspect. You also don't need separate firewall images. Unlike Checkpoint, the Linux firewall code can run on the same image, and that isn't a bad idea if the box is only supposed to be offering specific services to specific people. Tools like lokkit will write you a generic "only allow ssh" ruleset, but you might want to use firestarter or do them by hand for more complex stuff like "db2 access only from box A, B and C".
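
A hand-written ruleset of the kind the reply contrasts with lokkit's generic "only allow ssh" one, added here as an example (not code from the message or from the list). The DB2 port, the three client addresses and the default-deny layout are assumptions explained in the comments; by default the script only prints the rules.

```shell
#!/bin/sh
# Added example (not the list poster's code): a netfilter INPUT policy for a
# Linux image that serves SSH to everyone and DB2 only to three named clients,
# applied on the same image that runs the services rather than a separate
# firewall image.
# Assumptions not taken from the message: DB2 listens on TCP 50000 and the
# permitted clients are 10.0.0.11-13 (constructed addresses).
# By default the rules are only printed; run with IPT=iptables to apply them.

IPT="${IPT:-echo iptables}"
SSH_PORT=22
DB2_PORT=50000
DB2_CLIENTS="10.0.0.11 10.0.0.12 10.0.0.13"

build_rules() {
    # Flush first and set the DROP policy last: an SSH session that is open
    # while this runs survives because the ESTABLISHED rule precedes the flip.
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # On recent kernels "-m conntrack --ctstate" is the preferred spelling.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The generic "only allow ssh" part a tool like lokkit would emit.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # The hand-written part: DB2 only from boxes A, B and C.
    for client in $DB2_CLIENTS; do
        $IPT -A INPUT -p tcp -s "$client" --dport "$DB2_PORT" \
            -m state --state NEW -j ACCEPT
    done
    # Rate-limited log of everything else, then the default-deny policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $IPT -P INPUT DROP
}

# Number of ACCEPT rules that open the DB2 port: should equal the client count.
db2_accept_count() {
    ( IPT="echo iptables"; build_rules ) | grep -c -- "--dport $DB2_PORT .* -j ACCEPT"
}

build_rules
```

Run it once with the default printing mode and read the output before setting IPT=iptables on a console session that does not depend on the INPUT chain.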
