[WBEL-users] Iptables Vs Cisco Pix 525

kbohling@birddog.com
Sat, 22 May 2004 16:31:51 -0500


Quoting Johnny Hughes <mailing-lists@hughesjr.com>:

> On Sat, 2004-05-22 at 11:07, Bill Davidsen wrote:
> 
> > Johnny Hughes wrote:
> > > On Fri, 2004-05-21 at 08:37, Simone wrote:
> > > 
> > >> Hi list,
> > >> my company just bought a couple of cisco pix 525 firewalls. Now they are
> > >> opening a new office, and at the moment buying another one is not an
> > >> option. So I am going to set up a firewall using iptables on a wbel box,
> > >> and I was wondering if there's really a big difference in security between
> > >> the two different solutions.
> > >>
> > > IPTABLES is a stateful firewall ... if set up properly it is good. The
> > > major difference is that the Cisco firewall is much more flexible. You
> > > can only port forward port 80 (web incoming if you have a web server) or
> > > port 25 (a mail server), etc. to only 1 machine with iptables ... with
> > > the cisco, you can allow port 80 in to many different servers.
> > 
> > I'm not sure what you mean here, you can certainly do packet forwarding
> > to more than one IP, either in a determinate way to single machines, or
> > in round-robin load balancing mode. See the DNAT description for how to
> > set this up.
> 
> 
> What I meant, and didn't say very well :), is that if you are using IP
> Masquerading (and 1 external IP with many internal IPs), you will have a
> problem with things like ... having 2 separate web servers (say at
> 192.168.0.3 and 192.168.0.6) and trying to split some traffic to one and
> some traffic to the other ... but with only 1 external IP.
> 
> Why would you want to do this?  Maybe you have a Linux and a Microsoft
> web server ... one has sites with ASP and MSSQL ... the other has Apache
> and MySQL ....
> 
> I have yet to figure out a way to route all traffic (coming in for
> www.msserver.com on port 80 to the MS server ... while routing all
> traffic coming in for www.lxserver.com on port 80 to the Linux Server)
> .... anyone have any ideas?  
> 

I believe you are correct, that will be a problem.  However, I am
guessing, that you can setup a "reverse proxy".  I believe that's the
configuration you'd use in apache.  You setup a web server that merely
parses the HTTP request, figures out that it can't respond, forwards the
request on, takes the answer and feeds it back over the initial connection
to the original requester.

I believe I've heard of such setups before, but can't say that I've ever
done it before.  This gives a rough description of what I think you could
make work if you wanted to.

http://www.apacheweek.com/features/reverseproxies

Thanks,
   Kirby
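The name-based reverse proxy Kirby describes, written out as an added example (not part of the original thread): an Apache httpd 2.4 configuration that inspects the Host header and hands www.msserver.com to 192.168.0.3 and www.lxserver.com to 192.168.0.6, the two backends from Johnny's message. It assumes mod_proxy and mod_proxy_http are loaded and that the proxy runs on an internal host (192.168.0.2 is a constructed address) to which the iptables box DNATs inbound port 80.

```apache
# Route one public IP's port-80 traffic to two internal web servers by
# hostname. Assumes Apache 2.4 with mod_proxy and mod_proxy_http loaded.
#
# On the iptables box, send all inbound port 80 to this proxy host
# (192.168.0.2 is a constructed example address), e.g.:
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
#            -j DNAT --to-destination 192.168.0.2:80

# Never act as a forward proxy: "ProxyRequests On" would make this
# Internet-facing box an open proxy. Reverse proxying needs only ProxyPass.
ProxyRequests Off

# The first vhost is the default. Any Host header that matches neither
# site below lands here and is refused, rather than silently reaching
# whichever backend happens to be listed first.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Microsoft web server (ASP / MSSQL sites)
<VirtualHost *:80>
    ServerName www.msserver.com
    # Pass the client's original Host header through, so name-based
    # sites on the backend still see www.msserver.com, not 192.168.0.3.
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.0.3/"
    # Rewrite Location/Content-Location headers in backend redirects so
    # clients are not bounced to the private address.
    ProxyPassReverse "/" "http://192.168.0.3/"
</VirtualHost>

# Linux web server (Apache / MySQL sites)
<VirtualHost *:80>
    ServerName www.lxserver.com
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.0.6/"
    ProxyPassReverse "/" "http://192.168.0.6/"
</VirtualHost>
```

Because the backends now only ever see connections from 192.168.0.2, their own access logs lose the client address unless they are configured to read the X-Forwarded-For header mod_proxy adds.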