I need to build a Linux router at my office. We currently have a PIX firewall so the Linux router does not need to do NAT and be a router. After going through all the different pre-assembled options out there I think I will build it myself using either Fedora Core 4 or RHEL4 update 2. One of the most compelling reasons for my doing it on my own is that I can set up some really nice monitoring tools on the machine and incorporate them into our corporate monitoring.

Anyway, my questions are this:
     1. Should I enable the firewall but leave NAT turned off?  Will this slow down the router?
     2. Should I enable SELINUX?
     3. I have found a few TCP Tuning options on the net but what options do I really need to tune?
     4. Are there any good tools out there that I can run to show me if I need to change/tweak any of the TCP Tuning options?

Premature optimization is the root of all evil.
If you have a firewall upstream, do you trust the people between you and the firewall?
If you turn on the firewall, there will be a cost (the incoming packets have to be matched against the rules). Is this noticeable? Depends on a lot of things (the size of the rule set, the speed of the hardware).
2) It's hard to answer your questions -- do you have a reason to enable SELINUX? (I never have... I work for a Fortune 500 company.)
3) Maybe none... please see first line... I'd have to look at how to tune...
4) Good questions, I suppose there are test suites -- you'd want to look at latency and bandwidth...

louisbohm (Author) commented:
I have to trust the people behind the firewall at least to some extent. My only thought for running the firewall and/or SELinux is to protect the router itself. So allow packets to be routed between the networks but use the firewall to prevent/limit access to the local machine. Control which IPs can access the localhost and set up rules for DoS and SYN attacks. Though I have no idea how to set up those rules.

On the machine I would be running NTOP and maybe a couple of other things to collect performance data and try to send it to my monitoring station.

The machine I have is a dual Pentium 3 700 MHz with 1 gig of RAM and about a 20 gig HD. I have not seen a huge amount of traffic going over the internet link, but since I have T3 internet access (got to love wireless access) the users definitely could create a lot of traffic. If I do run the firewall and I find that it gets in the way I could always shut it down.
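
A starting point for the rule set asked about in the comment above, added here as an example and not written by anyone in the thread: a shell function that emits an `iptables-restore` file which leaves FORWARD open for routed traffic and locks down INPUT to protect the router itself. The management networks, the ports (22 for SSH, 3000 assumed as the ntop web port) and the rate-limit figures are assumptions to adjust.

```shell
#!/bin/sh
# Added example. Prints an iptables-restore ruleset for a routing-only box:
# routed packets pass (FORWARD), packets addressed to the router (INPUT) are
# dropped unless they come from a listed management network.
# Usage (as root): gen_router_rules 192.0.2.0/24 | iptables-restore
gen_router_rules() {
    if [ "$#" -eq 0 ]; then
        echo "usage: gen_router_rules NET [NET...]" >&2
        return 1
    fi
    # Only digits, dots and "/" may reach the ruleset, so an argument
    # cannot smuggle extra rules or options into the output.
    for net in "$@"; do
        case $net in
            ''|*[!0-9./]*) echo "bad network: $net" >&2; return 1 ;;
        esac
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# A new TCP connection to the router must begin with a SYN.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Keep ping usable for monitoring, but cap the rate (assumed figures).
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
EOF
    for net in "$@"; do
        # SSH and ntop from management networks only. SYNs beyond the
        # limit fall through to the DROP policy.
        printf '%s\n' "-A INPUT -s $net -p tcp --syn -m multiport --dports 22,3000 -m limit --limit 10/second --limit-burst 20 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}
```

Setting `net.ipv4.tcp_syncookies = 1` in `/etc/sysctl.conf` complements the SYN limit for the services the router itself exposes.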

