This is an interesting discussion. I also have HIPAA requirements as well as data privacy requirements, as well as "I do not want other departments/agencies etc. to see my information". This means I need to isolate one guest LAN from another, so rather than point-2-point mine is more a pool-2-pool environment.

I have been providing this using an SLES8 iptables server that receives packets from VM TCP/IP and distributes them to the application server guest LANs. This environment is also front-ended with an external firewall providing most port and IP address filtering. Within the iptables server I maintain a pretty small ruleset, so I do not see this firewall server as very active, but also, at this time, our VM Linux environment is not very active either. I did need to make this firewall guest larger because of the storage used for each qdio eth interface.

I am curious why 6 point-2-point is a recommended maximum? Would this statement also apply to guest LAN? Is this also taken to the previous layer of VM TCP/IP, so an additional stack should be defined when more than 6?

I saw the picture in a previous posting using VLAN and switching to forward requests from guest LAN back to the external firewall, but I did not see how this was simpler. Less resource maybe, but it looked pretty complex to me. And does each separate guest LAN require a separate VLAN and external OSA port?

Please let me know your thoughts.

Thanks,
Al Schilla
State of Minnesota
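The pool-2-pool isolation Al describes, written out as an added example that is not code from any poster in this thread: a FORWARD-chain iptables ruleset for a Linux firewall guest with one interface toward VM TCP/IP and one interface per guest LAN. The interface names (eth0/eth1/eth2), subnets, and permitted ports are assumptions for illustration; the script prints the rules instead of applying them unless run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): pool-to-pool isolation in the FORWARD
# chain of a Linux firewall guest. Interface names, subnets and ports below
# are assumptions for illustration.
IPT="${IPT:-iptables}"

UPLINK=eth0                              # toward VM TCP/IP and the external firewall
POOL_A_IF=eth1; POOL_A_NET=10.1.1.0/24   # guest LAN for one department/agency
POOL_B_IF=eth2; POOL_B_NET=10.1.2.0/24   # guest LAN for another

base_policy() {
    $IPT -F FORWARD
    # Default deny for routed traffic: nothing crosses a pool boundary unless listed.
    $IPT -P FORWARD DROP
    # Replies to flows already permitted need no further rules.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a pool interface may only source addresses from its own subnet.
    $IPT -A FORWARD -i "$POOL_A_IF" ! -s "$POOL_A_NET" -j DROP
    $IPT -A FORWARD -i "$POOL_B_IF" ! -s "$POOL_B_NET" -j DROP
}

# allow_in IFACE NET PROTO PORT: permit NEW connections from the uplink into one pool.
allow_in() {
    $IPT -A FORWARD -i "$UPLINK" -o "$1" -d "$2" -p "$3" --dport "$4" \
         -m state --state NEW -j ACCEPT
}

# Log (rate-limited so a scan cannot flood syslog) and drop everything else,
# including any attempt by one pool to reach the other.
final_deny() {
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A FORWARD -j DROP
}

build_ruleset() {
    base_policy
    allow_in "$POOL_A_IF" "$POOL_A_NET" tcp 443
    allow_in "$POOL_B_IF" "$POOL_B_NET" tcp 443
    allow_in "$POOL_B_IF" "$POOL_B_NET" tcp 22
    # Deliberately no rule between POOL_A_IF and POOL_B_IF: the DROP policy isolates them.
    final_deny
}

# Print the rules instead of applying them (no root needed).
print_ruleset() { ( IPT=echo; build_ruleset ); }

# Self-check: number of rules that would forward directly between the two pools.
# Must be 0 for the isolation requirement to hold.
cross_pool_rules() {
    print_ruleset | grep -c -E -- "-i $POOL_A_IF -o $POOL_B_IF|-i $POOL_B_IF -o $POOL_A_IF" || true
}

# Apply for real only when run as root with an explicit "apply" argument.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = 0 ]; then
    build_ruleset
fi
```

Run it with no arguments to review the generated rules, or `sh fw.sh apply` as root on the firewall guest to load them. The isolation comes from two things only: the DROP policy on FORWARD and the absence of any rule pairing the two pool interfaces, so adding a pool means adding one `allow_in` line per permitted service and nothing else. Each new pool also costs the guest another qdio interface, which is the per-interface storage growth Al mentions.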
-----Original Message-----
From: Post, Mark K [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 2:43 PM
To: [EMAIL PROTECTED]
Subject: Re: Firewalls?

Nick,

As Chris pointed out, the product was Stonegate. I want to add to Adam's reply a little. If you anticipate a _lot_ of network traffic, and perhaps a complex iptables ruleset, then running the firewall on the mainframe would likely be a bad idea. Firewalls get very CPU intensive under high traffic, much to my own disappointment.

I would also echo Adam's sentiment about keeping the number of point-to-point links per guest small. It becomes a management nightmare more than anything.

From your question, I'm assuming you're not up to z/VM 4.3 then?

Mark Post

-----Original Message-----
From: Nick Laflamme [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 3:18 PM
To: [EMAIL PROTECTED]
Subject: Firewalls?

As we lurch forward with our pilot project, our network security people would like to install a firewall as a Linux image on the mainframe to keep the various Linux guests from beating on each other, because in the real world, there are firewalls in place (more or less) to keep "real" Linux images from beating on each other.

Our "real" firewalls run one of the offerings from Checkpoint, but they don't seem to have ported anything to Linux on the mainframe (or else their web pages aren't up to date about that). A neighboring Linux S/390 site has talked in general terms about iptables being robust enough for their needs. I remember a SHARE talk on porting an application to Linux on the mainframe where the application was a firewall, but I can't find a handout from that session.

So, are there commonly used alternatives to iptables for firewalls on the mainframe? Is iptables commonly used, for that matter, or are most of you relying upon external firewalls for any firewall needs you have?

Related question: are there practical limits to how many point-to-point connections a Linux image can manage?
Thanks, Nick
