Hi all!

Given the current overall situation (trying to guess what will be the
future of Shorewall), I take the chance to reply to ObNox's message, describing
our current deployment... so as to (hopefully) stress the concept that
"shorewall rocks!" and we should "work hard" to help it keep living.


On 24/02/19 02:56, ObNox wrote:
> [...]
> I manage quite a bunch of different servers and several of them have more
> than 5 zones. 11 zones is for now the maximum I've reached and I'm still
> amazed how, with all that, Shorewall's working absolutely smoothly while
> maintaining a very readable configuration!

In our main location we are running two shorewall boxes, each one connected
to an 802.1q trunk, firewalling traffic between related VLANs. In detail,
currently:

- mixer: 27 zones, related to 27 VLANs
- equalizer: 56 zones, related to 56 VLANs

Please note that up to... 10/12 months ago, _ALL_ above zones (83) were
managed by 'mixer', alone. We added "equalizer" simply 'cause we started
planning some network/server reorganization and took the chance to lower
the impact of a DOWN (obviously in such a scenario the shorewall box is a
SPOF and even if there are D/R plans ready... a shorewall "down" is
definitely "noted" by end-users [BTW: we have around 1.500 PC and 1.000
VoIP phones distributed in aforementioned VLANs]).

So, basically, we've successfully used shorewall connected to a 1GEth VLAN
trunk, dealing with 85 VLANs with absolutely **NO ISSUE** :-)


Cheers,
DV


P.S.: ObNox, please, could you slightly elaborate on this:

> Each of my servers is heavily firewalled where only the strictly needed
> traffic is allowed. I use an LXC container for every single service and
> thanks to its lightness, the density per server is quite high.

I've been investigating LXC for a long time (to better rearrange our DMZ,
specifically), but have always found problems in terms of "orchestration": how
are you managing your containers? Where are they running (on physical
HOSTs, or within VMs)? As for networking, how are you handling traffic
towards such containers and the "external" side (DNAT/bridge/other)?
Thanks in advance.


-- 
Damiano Verzulli
e-mail: dami...@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists 
and Generalists. The Specialist learns more and more about a 
narrower and narrower field, until he eventually, in the limit, 
knows everything about nothing. The Generalist learns less and 
less about a wider and wider field, until eventually he knows 
nothing about everything." - William Stucke - AfrISPA
  http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
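For readers who have not seen a "one zone per VLAN" Shorewall layout like the mixer/equalizer boxes described above, here is an added example (not taken from the post or from the Shorewall project) of the four core configuration files for a firewall box on an 802.1q trunk. Interface names (eth0.10, eth0.20, eth0.30), zone names (vl10, vl20, vl30) and the allowed flows are assumed placeholders; the VLAN sub-interfaces are assumed to have been created on the Linux side already (e.g. with `ip link add link eth0 name eth0.10 type vlan id 10`).

```text
# /etc/shorewall/zones  (constructed example: three VLANs, plus the firewall itself)
#ZONE   TYPE      OPTIONS
fw      firewall
vl10    ipv4
vl20    ipv4
vl30    ipv4

# /etc/shorewall/interfaces  (one 802.1q sub-interface per zone; "eth0.N" are assumed names)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
vl10    eth0.10     tcpflags,nosmurfs,routefilter
vl20    eth0.20     tcpflags,nosmurfs,routefilter
vl30    eth0.30     tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy  (default deny between VLANs; the firewall box itself may originate traffic)
#SOURCE  DEST  POLICY  LOG_LEVEL
fw       all   ACCEPT
all      all   DROP    info

# /etc/shorewall/rules  (only the explicitly needed inter-VLAN flows; example values)
?SECTION NEW
#ACTION      SOURCE            DEST   PROTO  DPORT
DNS(ACCEPT)  vl10,vl20,vl30    fw
ACCEPT       vl10              vl20   tcp    443
ACCEPT       vl30              vl20   tcp    22
```

Adding a VLAN to such a box is one line in `zones`, one in `interfaces`, and whatever `rules` entries that VLAN actually needs; everything else falls under the `all all DROP` policy, and the `info` log level makes the dropped inter-VLAN traffic visible in syslog for review. `shorewall check` compiles the configuration without installing it, which is the cheapest way to catch a typo before touching a box that 85 VLANs depend on.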



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
