[WBEL-users] Iptables Vs Cisco Pix 525

Johnny Hughes mailing-lists@hughesjr.com
Sat, 22 May 2004 12:01:55 -0500


On Sat, 2004-05-22 at 11:07, Bill Davidsen wrote:

> Johnny Hughes wrote:
> > On Fri, 2004-05-21 at 08:37, Simone wrote:
> > 
> >>/Hi list,
> >>my company just bought a couple of Cisco PIX 525 firewalls. Now they are 
> >>opening a new office, and at the moment buying another one is not an 
> >>option. So I am going to set up a firewall using iptables on a wbel box, 
> >>and I was wondering if there's really a big difference in security between 
> >>the two different solutions./
> >>
> > IPTABLES is a stateful firewall ... if set up properly it is good.  The 
> > major difference is that the Cisco firewall is much more flexible. You 
> > can only port forward port 80 (web incoming if you have a web server) or 
> > port 25 (a mail server), etc. to only 1 machine with iptables ... with 
> > the cisco, you can allow port 80 in to many different servers.
> 
> I'm not sure what you mean here, you can certainly do packet forwarding 
> to more than one IP, either in a determinate way to single machines, or 
> in round-robin load balancing mode. See the DNAT description for how to 
> set this up.


What I meant, and didn't say very well :), is that if you are using IP
Masquerading (and 1 external IP with many internal IPs), you will have a
problem with things like ... having 2 separate web servers (say at
192.168.0.3 and 192.168.0.6) and trying to split some traffic to one and
some traffic to the other ... but with only 1 external IP.

Why would you want to do this?  Maybe you have a Linux and a Microsoft
web server ... one has sites with ASP and MSSQL ... the other has Apache
and MySQL ....

I have yet to figure out a way to route all traffic (coming in for
www.msserver.com on port 80 to the MS server ... while routing all
traffic coming in for www.lxserver.com on port 80 to the Linux Server)
.... anyone have any ideas?  

You would have the same problem with any port and IPMASQ ... it can only
go to one place inside ... am I crazy?

BUT ... now that I think about it, this problem is also an issue for the
cisco router as well ... so it's tied to having 1 external IP and not
iptables directly.

Thanks,
Johnny Hughes
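
As an added example, not part of this thread: a small Python model of the netfilter DNAT decision the reply describes, using the thread's internal addresses and host names (the external IP 203.0.113.10 and the rule set are constructed placeholders). It shows why a single-IP masquerading box sends every port-80 connection to the same internal host: the nat PREROUTING rules match only on destination address, protocol and port, while the name the client asked for travels in the HTTP Host header inside the TCP payload, which the NAT rules never read.

```python
# Added example, not from the thread: a minimal model of how an iptables
# nat/PREROUTING chain picks a DNAT target. Netfilter chooses the mapping from
# the IP/TCP header (dst address, protocol, dst port) of a connection's first
# packet; the HTTP Host header sits in the TCP payload and is never consulted.
# Addresses and rules are constructed from the thread's example.
from dataclasses import dataclass
from typing import List, Optional

EXTERNAL_IP = "203.0.113.10"   # constructed placeholder for the one public address

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class DnatRule:
    # iptables -t nat -A PREROUTING -d dst -p proto --dport dport -j DNAT --to-destination to_ip
    dst: str
    proto: str
    dport: int
    to_ip: str

RULES = [
    DnatRule(EXTERNAL_IP, "tcp", 80, "192.168.0.3"),  # every web connection -> one box
    DnatRule(EXTERNAL_IP, "tcp", 25, "192.168.0.6"),  # every mail connection -> the other
]

def nat_prerouting(rules: List[DnatRule], pkt: Packet) -> Optional[str]:
    """First matching rule wins, as in a netfilter chain; None means no DNAT."""
    for r in rules:
        if (r.dst, r.proto, r.dport) == (pkt.dst_ip, pkt.proto, pkt.dport):
            return r.to_ip
    return None

def http_host(payload: bytes) -> Optional[str]:
    """Parse the Host header out of an HTTP/1.x request: data NAT cannot see."""
    for line in payload.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def where_does_it_go(host: str, dport: int = 80):
    """Return (Host header carried in the request, internal IP chosen by DNAT)."""
    req = b"GET / HTTP/1.1\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    return http_host(req), nat_prerouting(RULES, Packet(EXTERNAL_IP, "tcp", dport, req))
```

where_does_it_go("www.msserver.com") and where_does_it_go("www.lxserver.com") both come back with 192.168.0.3 as the DNAT target; only a different port (25 here) changes the internal destination.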
