What firewall software?

I’m setting up a dedicated server system for hosting through www.servermatrix.com, it’ll be running (Linux) Red Hat Enterprise 3. What firewall software should I get and install on the server?

System is a P4 2.8 GHz system with 1 GB of RAM and an 80 GB HDD.

Redhat enterprise 3. Isn’t that the version of RedHat that requires you to purchase a license? Why did you go with that? I’m biased, but if I were going to pay for an OS, I would buy Microsoft stuff.

Umm, because as far as upgrades and OS patches go, RedHat 9 is dead and is no longer supported, they are doing more work on RedHat Enterprise 3. And take note, I am not paying a cent for RedHat Enterprise 3 software, it’s a dedicated server through servermatrix.com and I need to know what kind of firewall software I should run on the server.

IPtables, of course.

IPTables? What’s it like? I’m thinking, should I get my own firewall software and install it on the server, or should I just pay an extra $99 USD per month and get a hardware firewall SnapGear 550 card installed?

The Red Hat professional line has been superseded by the Fedora project. Fedora Core 1 is basically Red Hat 9.1. It’s community supported.

But anyway.

Julzk: Use what comes out of the “box”. It works well. Learn about firewalls. Learn about services. Learn about nmap. Learn about turning off services. Then, and only then, think about buying a different firewall.

Why would you get anything different? IPtables is built into the Linux kernel so it’s fast, and it is very, very capable. You will need to read a bunch of HOWTOs to get it configured, but it ain’t brain surgery.

I wouldn’t get a SnapGear just for hardware firewall use. It’s more useful as an accelerated VPN endpoint, which I very much doubt you need. I guess you could get a cheap Linksys befrs411 and pop it in there, that would work, but if it were me I’d just set up iptables.
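As an added example (not code from any poster in this thread), here is the kind of default-deny iptables ruleset the posters are recommending for a single dedicated web host, generated in iptables-restore format so it can be reviewed before it is loaded. The open ports (22, 80, 443) and the ADMIN_NET range that SSH is restricted to are assumptions for the example.

```sh
#!/bin/sh
# Added example: build a default-deny iptables ruleset for a dedicated web host.
# Assumptions: only SSH (22) and HTTP/HTTPS (80/443) are offered; ADMIN_NET is a
# hypothetical management range (TEST-NET-3 placeholder) that SSH is limited to.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Print the ruleset in the format iptables-restore (and RHEL's
# /etc/sysconfig/iptables) expects. Nothing is applied here.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always local
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (stateful match)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop malformed or out-of-state packets before the service rules
-A INPUT -m state --state INVALID -j DROP
# ICMP echo so remote monitoring can ping the host
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SSH only from the admin range, never from the whole Internet
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT
# public web services
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# log what the DROP policy will discard (rate-limited) so logwatch can report it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity check before loading: the INPUT chain's default policy must be DROP,
# otherwise every port not explicitly handled stays reachable.
input_policy() {
    gen_rules | sed -n 's/^:INPUT \([A-Z]*\).*/\1/p'
}

# Sanity check: every service rule without a source restriction is exposed
# to the Internet; list the TCP ports that are.
public_tcp_ports() {
    gen_rules | grep -- '-p tcp' | grep -v -- '-s ' \
        | sed -n 's/.*--dports\{0,1\} \([0-9,]*\).*/\1/p' | tr ',' '\n'
}
```

To load it, save the output to /etc/sysconfig/iptables and run `service iptables restart`, or pipe it straight into `iptables-restore`; run the two check functions first so an accidental ACCEPT policy or an unrestricted SSH rule is caught before it reaches the kernel.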

Fedora is not RH9.1. You say it’s community supported like that’s not a big deal. It is. It’s a dealbreaker in fact. Fedora has an upgrade cycle of 6-8 months, ES of 2-3 years. Fedora is not appropriate for mission critical use, period.

Right. Because it’s Linux.

Don’t get SnapGear, no need.

Tim, as with most Datacenters, you don’t pay for the OS directly, so it really is your choice, and I believe WIN2003 is more expensive per month than RHE, and RHE really is a nice product as is 2003 for some things.

For servers, life is still easier with Linux than Windows. I have run NT, 2000, 2003, RH and RHE all on active production servers, so I have a fairly good look across the board in real world use.

I would put something on top of iptables. There are many nice little “firewalls” you can use to simplify iptables. I would also suggest software like sim, which can monitor and restart services as well as warn you of issues, and logwatch to analyze your nightly logs and mail them to you.

We do not release information about the particulars of our servers, but I would suggest going over to forum.ev1servers.net and reading one of their how-tos on what to do with a new server. Following one of those should get you set up pretty well.

If you are new to things, a little tip: to save in vi, it is :wq

Chet

further tip: try downloading “joe” or “pico” if you can’t handle vi.

# yum -y install joe

Not sure about joe, but pico has the nasty habit of inserting lines and spaces at the end of lines, which will break some config files. vi is obtuse, but at least it leaves the files alone. It is also what crontab -e will bring up, so you might as well get used to it.

Chet

vi is one of those programs that’s really good, but intentionally hard to use, such that those who know how can lord it over *nix noobs.

You have to use -w if you edit config files (at least in nano, but I think it’s the same in pico). I sometimes use nano, but that’s just because it’s the default editor in Gentoo. crontab, like many other Unix commands, will use the editor specified by the “EDITOR” variable. If you use “export EDITOR=joe” (depending on the shell you use) you should be able to change it.

I hardly think anyone looking to pay <$200/month is going to invest in sun v880s and EMC storage, and NT is simply not a reasonable alternative for the clued-in. It just isn’t manageable.

Linux is very suitable for mission critical work, so long as you play to its strengths and avoid its weaknesses. It’s not scalable, it has problems with largemem, and many of the fibre channel drivers are crap. I’m a DBA; I’d rather kill this cute fuzzy kitten here than run Oracle on Linux. I could tell you horror stories! But Linux is very well suited to web hosting. Apache, MySQL with a small dataset, Tomcat, JRun, etc, all run great on Linux. The trick is to avoid the tactical error of buying huge Linux boxes; stick with small ones. If a small Linux box can’t handle your load, distribute the load behind a BIG-IP or something.

Why not? RH Linux used to have crazy fast upgrade cycles and I used it for mission critical apps. The trick is to use a slightly dated release and make sure it works with the desired hardware and apps. Toss security patches and a firewall into the mix and a stable secure platform is thus achieved.

Back when I used to do a lot more sysadmin, I’d use RH 6.2 for DNS servers, Web servers, database servers, etc and never had a serious O/S problem. I could see myself doing the same thing with a stable Fedora Core release nowadays if I was trying to save the license fees. RH Enterprise Linux is a really nice O/S, but the cost factor makes it unappealing for some apps.

And to stay on topic: Pretty much any linux distribution comes with a built in kernel-level firewall, IPTables. As several posters on this thread have already noted, this is an excellent way to go once you learn the somewhat arcane interface.

Err, have you run Oracle 9.2.0.4 RAC spread across a few decent linux servers? The scalability is excellent, the performance is excellent, the stability is excellent.

I would actually like to hear your horror stories, because we both seem to have a similar background, Oracle DBAs, and are coming to diametrically opposite conclusions.

No, I’ve only run RAC on solaris, which worked great. I currently admin a bunch of 8174 servers under RHAS21 and a few 9204 under ES3. Every single oracle linux server we have has major problems. They just randomly crash. Either with the megaraid driver, or the kernel stutters with too much RAM, or the shitty linux clustering not working with standard SCSI, or maybe it’s just sunspots or leprechauns, but they all die horrible deaths, frequently. Our clients have escalated all the way up dell’s foodchain to the senior architect level and they just can’t help. We very strongly discourage our clients from running oracle on the linux platform.

Solaris is rock solid. It just works, every time. No mickey mouse games, no bullshit, just solid.

Most of the software that’s getting rapidly updated in those “short” Fedora lifecycles is workstation/desktop orientated in nature. The server side of things doesn’t get updated nearly as often.

Also, it was my understanding that while Fedora will be upgraded quite often, older versions will still be supported by the same community.

Same with BSD, in my experience. That’s why I have to laugh whenever I see someone installing Linux on a server.

Huh? Everything gets updated every fedora release. Apache, mysql, the linux kernel, ftpd, sshd, you name it they update it. Pretty much every single package is upgraded to a new version.

Previously redhat would backport fixes to older versions to maintain stability. I doubt “the community” will bother. “The community” is not contractually required to do anything. Redhat was, and still is with AS and ES releases. That’s why fedora is entirely unsuited for business use.