Linux Firewalling

Paul M paul-clug at mansfield.co.uk
Tue Nov 25 16:46:03 CET 2008


Get yourself a .1q & VLAN-capable switch*, install the vlan package on
the machine, and encapsulate in .1q. Put the unfirewalled WAN on (say)
vlan666, make the LAN vlan2 (don't use the default VLAN, 1), the DMZ on, say,
vlan3, etc. Ensure you disable auto-negotiation of switch port
encapsulation; otherwise DMZ hosts could in theory break your security
and tap into every VLAN.

Unless you really are pumping gigabits through your firewall, a single
good-quality gigabit NIC will pretty much handle it all.


* The Cisco 35xx switch has excellent management functions; you can point
Cacti at it and monitor switch port usage. ProCurve switches are also good,
probably cheaper, and use less power. Some Linksys switches might achieve
this. Avoid D-Link or Netgear; their so-called managed switches are
awful. The Dell-branded Huawei are loved by a few, hated by many.
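A Linux-side sketch of the router-on-a-stick layout described above, added here as an example and not code from the post or the CLUG list: one trunk NIC carries tagged VLANs 666 (WAN), 2 (LAN) and 3 (DMZ), and forwarding between segments defaults to deny. The trunk name eth0 and the 192.168.x.0/24 addresses are assumptions, and the iproute2 `ip link ... type vlan` form stands in for the vconfig tool the vlan package shipped in 2008; disabling trunk auto-negotiation is switch-side configuration and is not done here.

```sh
#!/bin/sh
# Router-on-a-stick firewall on one trunk NIC carrying tagged 802.1Q VLANs.
# VLAN ids follow the post (666 WAN, 2 LAN, 3 DMZ); the trunk name and the
# private subnets are assumptions made for this example. The switch port
# facing the trunk must be a static trunk with encapsulation auto-negotiation
# off, as the post says; that is switch-side and not handled here.
TRUNK="${TRUNK:-eth0}"
WAN=vlan666; LAN=vlan2; DMZ=vlan3

# With DRY_RUN set, commands are printed instead of executed so the plan can
# be reviewed (and tested) without root or the 8021q module loaded.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_vlan NAME ID [CIDR]: create a tagged sub-interface on the trunk.
# The WAN interface gets no address here; it is assumed to be configured by
# the upstream's method (DHCP, PPPoE, ...) once the interface exists.
add_vlan() {
    name=$1; vid=$2; cidr=$3
    run ip link add link "$TRUNK" name "$name" type vlan id "$vid"
    if [ -n "$cidr" ]; then run ip addr add "$cidr" dev "$name"; fi
    run ip link set "$name" up
}

# Default-deny forwarding between segments, then only the flows the post's
# split implies: LAN may initiate to DMZ and WAN, DMZ may initiate to WAN
# only, and nothing on the WAN or DMZ may initiate towards the LAN.
segment_firewall() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT
}

setup() {
    run modprobe 8021q
    run ip link set "$TRUNK" up
    add_vlan "$WAN" 666
    add_vlan "$LAN" 2 192.168.2.1/24
    add_vlan "$DMZ" 3 192.168.3.1/24
    run sysctl -w net.ipv4.ip_forward=1
    segment_firewall
}

# Usage: sh vlan-firewall.sh plan  (print the commands)  |  sh vlan-firewall.sh apply
case "${1:-}" in plan) DRY_RUN=1; setup ;; apply) setup ;; esac
```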



More information about the CLUG mailing list