Argonath (a new firewall) part 2
My new firewall is in place at last: as I did not have much time last week, I used half an hour here and there to install and harden the server. I must say that I like the new Debian installer: it took some time to get used to, but the result is nice. I'm quite impressed by the partitioner in the installer: it's quite powerful, but I'm afraid it will be a bitch for newbies, as it's not really the most user-friendly part of the installation.
The configuration of Shorewall took the most time: for some reason, the box refused to masquerade large TCP packets. Browsing went fine, but initiating an FTP request or some NNTP traffic would only let a few packets drip in. But then I recalled a problem I encountered at work with a new Solaris 8 machine and PPPoE customers. PPPoE uses an MSS that is considerably lower than what the default 1500-byte MTU used on most networks allows, which can cause problems with large packets. Luckily, the Shorewall CLAMPMSS configuration parameter takes care of that.
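What CLAMPMSS does at the packet level, as an added example (my own code, not Shorewall's): it walks the options of a TCP SYN and lowers an advertised MSS that would not fit the 1492-byte PPPoE MTU. PPPOE_MTU and the sample segments built by build_syn are constructed values for the demonstration.

```python
import struct
from typing import Optional, Tuple

# Constructed values: PPPoE adds 8 bytes to an Ethernet frame, so the link MTU is
# 1492 rather than 1500; IPv4 (20) and TCP (20) headers leave 1452 bytes for data.
PPPOE_MTU = 1492
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def mss_for_mtu(mtu: int, ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """Largest MSS that fits a link MTU: MTU minus the IP and TCP headers."""
    return mtu - ip_hdr - tcp_hdr


def build_syn(mss: int, flags: int = 0x02, sport: int = 40000, dport: int = 21) -> bytes:
    """Constructed sample segment: a minimal TCP header carrying one MSS option."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)          # 4 bytes, 32-bit aligned
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset << 4, flags, 65535, 0, 0) + options


def clamp_syn_mss(segment: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite a SYN's MSS option so it never exceeds max_mss; returns (segment, advertised_mss).
    Non-SYNs and SYNs without an MSS option come back untouched with None. The TCP checksum
    is not recomputed here; the kernel's TCPMSS target (what CLAMPMSS=Yes sets up) does that."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if not segment[13] & 0x02:          # SYN bit clear: MSS is only carried on SYNs
        return segment, None
    seg = bytearray(segment)
    i = 20
    while i < data_offset:
        kind = seg[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset or seg[i + 1] < 2 or i + seg[i + 1] > data_offset:
            raise ValueError("malformed TCP option")
        if kind == TCP_OPT_MSS and seg[i + 1] == 4:
            (mss,) = struct.unpack_from("!H", seg, i + 2)
            if mss > max_mss:
                struct.pack_into("!H", seg, i + 2, max_mss)
            return bytes(seg), mss
        i += seg[i + 1]
    return segment, None
```

A SYN advertising the usual Ethernet MSS of 1460 comes out of the clamp with 1452, which is why large FTP and NNTP transfers stop stalling once the option is on.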
I noticed that Debian installs some more experimental modules with its default 2.4.27 kernel. For PPPoE, it uses the pppoe kernel module, which moves PPPoE back into kernel space. The performance is quite impressive: whereas my previous firewall's CPU would hit the ceiling while downloading large files, the new box doesn't even sweat.