Neil Thompson <abraxis@xxxxxxxxxxxx> wrote:
> If you use Shorewall (http://www.shorewall.net) there is a
> webmin gui module for administration.

There are lots of GUI admin tools for the packet filter. The question is what do you want around your packet filter? IDS? Proxy? Etc...?

> There are a number of packages on Freshmeat that will do
> this.

But how "canned"? MRTG is MRTG, but what do you feed into it? How do you collect those statistics? I'm not questioning that there are some excellent projects on Freshmeat.NET built for accumulating data and feeding it to MRTG, but there is still a hefty number of them. I agree with your recommendations, but I just hope he knows what kind of "project" he's getting himself into -- at least after using more of an "appliance/software" solution prior. ;->

Furthermore, what about presenting all that data? You've now gotta set up all sorts of web administration. Again, how much of a "project" should this be? ;-> You and I might love doing this (and I noted below you are actively involved with providing such software), but how much for end-users who are used to "canned" appliances/software? ;->

In all honesty, I just stopped dealing with that assembly. But nowadays, I find it easier (and cheaper) to just buy an appliance, or at least start with IPCop and modify it. Especially when an executive at a small client gets too much of his info from his neighbor's kid and wonders why I can't just use a $50 Linksys device. (sigh, he gets IPCop ;-)

> OpenVPN will handle this no problem (Windows and Linux
> clients) it also integrates well with shorewall.
> (http://openvpn.net/)

IPSec is also an option, as well as MPPE support. OpenVPN is clearly much easier and more reliable. But be wary that you'll be providing your own software to the clients as well.

> This is where you could have a problem - if you want hot
> failover, with no interruption to service, I don't think
> the current state-of-the-art is capable of handling it.
> The problem is synchronising the iptables state tables
> between the two machines. There is a project
> working on this, but I'm not sure what the present status
> is - have a look on http://www.linux-ha.org/

Neil is dead-on there. There are many aspects to fail-over, such as sharing a virtual interface with a virtual MAC address (or even re-using the original system's physical one), heartbeat and take-over, etc... Linux-HA is addressing this, in conjunction with LVS. And as I pointed out, how much trouble is it worth addressing gateway redundancy if you haven't addressed it at either your external router or your internal network?

-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith@xxxxxxxx     | (please excuse any
http://thebs413.blogspot.com/ | missing headers)
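A worked example for the "what do you feed into MRTG, and how do you collect it?" question raised in the message above. This is an added example, not code from Bryan's or Neil's messages and not part of MRTG, Shorewall or IPCop. The only MRTG convention it relies on is the real one for external-program targets: the program prints four lines (incoming counter, outgoing counter, target uptime, target name). The interface name `eth0`, the `/proc/net/dev` sample embedded below and the use of `/proc/uptime` for the uptime line are assumptions for illustration; on a real gateway `main()` reads the live files.

```python
"""Collect gateway interface byte counters and emit them in the format
MRTG expects from an external program.

Added example; not code from the original mailing-list thread. The
four-line MRTG output convention is real; the interface name, the sample
/proc/net/dev text and the uptime source are assumptions.
"""
from typing import Dict, List, Tuple

# Constructed sample of /proc/net/dev with two interfaces, so the example
# runs offline. The 16 per-interface columns are: 8 receive counters
# (bytes first) followed by 8 transmit counters (bytes first).
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0: 9876543210 7654321    0    0    0     0          0         0 1234567890 2345678    0    0    0     0       0          0
"""


def parse_proc_net_dev(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {iface: (rx_bytes, tx_bytes)} parsed from /proc/net/dev text.

    The two header lines are skipped. A data line that does not carry all
    16 counters is ignored rather than fed to MRTG as a bogus value.
    """
    counters: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue  # malformed or truncated line; skip it
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def format_uptime(seconds: float) -> str:
    """Render an uptime in seconds as 'Nd HH:MM' for MRTG's third line."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    return f"{days}d {hours:02d}:{minutes:02d}"


def mrtg_lines(text: str, iface: str, uptime_seconds: float,
               target_name: str) -> List[str]:
    """Build the four lines an MRTG external-program target must print.

    Counters are emitted as raw running byte totals: MRTG derives the rate
    from consecutive samples itself, so do not pre-compute a delta here.
    Raises KeyError if the interface is absent, which is the right failure
    mode (MRTG logs the broken target) instead of silently reporting zero.
    """
    rx, tx = parse_proc_net_dev(text)[iface]
    return [str(rx), str(tx), format_uptime(uptime_seconds), target_name]


def main() -> None:
    # Live collection on a Linux gateway; the sample above is only for
    # offline demonstration.
    with open("/proc/net/dev") as f:
        netdev = f.read()
    with open("/proc/uptime") as f:
        uptime = float(f.read().split()[0])
    print("\n".join(mrtg_lines(netdev, "eth0", uptime, "gateway eth0")))


if __name__ == "__main__":
    main()
```

Hook it into MRTG with a backtick target, e.g. `Target[gw]: \`/usr/local/bin/mrtg-feed.py\``, and keep the script readable only by the user MRTG runs as; since MRTG executes whatever that line names, a world-writable feeder script is a trivial local privilege path into your monitoring host.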