Argonath (a new firewall) part 2

My new firewall is in place at last: as I did not have much time last week, I used half an hour here and there to install and harden the server. I must say that I like the new Debian installer: it took some time to get used to, but the result is nice. I'm quite impressed by the partitioner in the installer: it's quite powerful, but I'm afraid it will be a bitch for newbies, as it's not really the most user-friendly part of the installation.

The configuration of Shorewall took most of the time: for some reason, the box refused to masquerade large TCP packets. Browsing went fine, but initiating an FTP transfer or some NNTP traffic would only let a few packets drip in. Then I recalled a problem I encountered at work with a new Solaris 8 machine and PPPoE customers. A PPPoE link has an MTU, and hence a TCP MSS, that is quite a bit lower than the default 1500-byte MTU used on most networks, which causes problems with large packets. Luckily, the Shorewall CLAMPMSS configuration parameter takes care of that.
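What CLAMPMSS does under the hood is rewrite the MSS option in outgoing TCP SYNs so that the peer never sends segments larger than the PPPoE link can carry. The following is an added illustration (not part of the original post, nor Shorewall's code): it parses a constructed TCP SYN header and lowers its MSS to fit a PPPoE MTU of 1492 bytes; the checksum fix-up that a real packet would also need is left out.

```python
import struct

IPV4_TCP_OVERHEAD = 40  # minimal IPv4 + TCP headers, no options


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one frame on a link of this MTU."""
    return mtu - IPV4_TCP_OVERHEAD


def clamp_mss(tcp_header: bytes, pmtu: int) -> bytes:
    """Return a copy of a TCP header whose MSS option is lowered to fit pmtu.

    Only SYN segments carry the MSS option; anything else is returned as-is.
    Checksum recomputation is deliberately omitted (the kernel does it on the
    real packet); the point is the option rewrite itself.
    """
    hdr = bytearray(tcp_header)
    data_offset = (hdr[12] >> 4) * 4          # header length in bytes
    if not hdr[13] & 0x02:                    # SYN flag not set
        return bytes(hdr)
    limit = mss_for_mtu(pmtu)
    i = 20                                    # options start after fixed header
    while i < data_offset:
        kind = hdr[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP, single byte
            i += 1
            continue
        length = hdr[i + 1]
        if length < 2:                        # malformed option, stop parsing
            break
        if kind == 2 and length == 4:         # MSS option
            mss = struct.unpack_from("!H", hdr, i + 2)[0]
            if mss > limit:
                struct.pack_into("!H", hdr, i + 2, limit)
        i += length
    return bytes(hdr)


def build_syn(mss: int) -> bytes:
    """Constructed sample: 24-byte TCP SYN (to port 21) with one MSS option."""
    base = struct.pack("!HHIIBBHHH", 40000, 21, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return base + struct.pack("!BBH", 2, 4, mss)


def mss_of(tcp_header: bytes) -> int:
    """Read the MSS value back out of a header built by build_syn."""
    return struct.unpack_from("!H", tcp_header, 22)[0]
```

A SYN announcing the Ethernet-default MSS of 1460 leaves the function with 1452, which is exactly what fits behind a 1492-byte PPPoE MTU.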

I noticed that Debian ships some newer, more experimental modules with its default 2.4.27 kernel. For PPPoE it uses the pppoe kernel module, which moves PPPoE back into kernel space. The performance is quite impressive: whereas my previous firewall's CPU would hit the ceiling while downloading large files, the new box doesn't even sweat.

Wouter Verhelst Sun, 09/04/2005 - 19:05

You've probably missed the bit where it asks you whether you want to automatically set up your hard disk, and switched to manually partitioning instead. That's quite hard for newbies indeed, but then that's not the recommended way for newbies to partition their system...

Any system to allow partitioning your hard disk is going to be hard on newbies, I'm afraid.

kristof Mon, 09/05/2005 - 07:40

In reply to Wouter Verhelst

You're quite right that the automated install is what most people will take. I'm just so used to choosing the manual install (I never like the proposed disk layout as offered by most installers) that I indeed missed that bit.