Re: followup on m0n0wall
On Feb 10, 2006, at 12:30 PM, Ben Scott wrote: Why not? I thought you were a consultant? Remember the consultant motto: If you're not part of the solution, there's good money to be made in prolonging the problem. ;-) Grr. You know, it's that 90% of consultants that give the rest of us a bad name. (12 years of consulting, and counting...) Ted Roche Ted Roche & Associates, LLC http://www.tedroche.com ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: followup on m0n0wall
On 2/10/06, Bill McGonigle <[EMAIL PROTECTED]> wrote: > ... I don't want to own the solution. Why not? I thought you were a consultant? Remember the consultant motto: If you're not part of the solution, there's good money to be made in prolonging the problem. ;-) -- Ben ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: followup on m0n0wall
On Feb 10, 2006, at 07:30, Ben Scott wrote: Can you switch to a routed configuration by using CIDR subnets unfortunately no, they have a few machines peppered at both ends of their netblock. and/or NAT'ing the DMZ addresses (thereby eliminating the need to do much, if any, IP reconfiguration)? Remember, NAT != RFC-1918. You can NAT public IP space, too. (Granted, I dunno if FreeBSD supports NAT'ing overlapping subnets, either, but maybe...). I'm guessing not simply because lots of people have asked how to do this and the BSD networking guys haven't offered that as a solution. Really, you can static route anything if you try hard enough, but one of the things that makes m0n0wall so nice is the usable GUI and they don't particularly encourage CLI modification. I could make a new image (In theory, linux don't mount this flavor of BSD FFS and at last try the FreeBSD FTP site wasn't successfully offering downloads of their ISO's) but I want the user to be able to do his own software updates just by burning a new CD image from the m0n0wall site. So if it's not easily reflected in the config.xml file it's hard to support. Since my last report, it seems IPCop doesn't do it either: optional transparent bridge 9 Nov 2001 Mark: Perhaps we can do unmasqueraded forwarding (i.e. static routing), perhaps only limited to DMZ's. But I don't want to include bridging. 09-Nov-01 esj: this is definitely a ransomware feature. It can be useful but only for sophisticated enterprises. On the other hand, we do want to do masquerading and pinholes for subnets so that you can have a series of red interfaces with pinholes to the DMZ. This should probably also be ransomware but I'm willing to be convinced otherwise. But this wishlist is pretty far out of date and their ideas about who would want this are a bit skewed. 'sophisticated enterprises' know how to route. :) The bugger is I can do all this really easily with a stock linux box but I don't want to own the solution. I'm thinking it's time to talk about routing this DMZ again. -Bill - Bill McGonigle, Owner Work: 603.448.4440 BFC Computing, LLC Home: 603.448.1668 [EMAIL PROTECTED] Cell: 603.252.2606 http://www.bfccomputing.com/Page: 603.442.1833 Blog: http://blog.bfccomputing.com/ VCard: http://bfccomputing.com/vcard/bill.vcf ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: followup on m0n0wall
On 2/9/06, Bill McGonigle <[EMAIL PROTECTED]> wrote: > This client has their DMZ IP's bridged to the WAN connection, so > their servers have real IP addresses, not NAT'ed addresses. This > is for historical reasons but it's so ingrained that short of their ISP > and its netblocks going poof, it's never going to change ... Can you switch to a routed configuration by using CIDR subnets and/or NAT'ing the DMZ addresses (thereby eliminating the need to do much, if any, IP reconfiguration)? Remember, NAT != RFC-1918. You can NAT public IP space, too. (Granted, I dunno if FreeBSD supports NAT'ing overlapping subnets, either, but maybe...). -- Ben ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
followup on m0n0wall
This is a followup on the MonadLUG meeting a few months back on open source firewalls. I was particularly impressed with m0n0wall from the talk and have installed it at a small office and it works great. They have an XML config file, boot from CD (config on floppy/flash) and a very nice GUI. It's working great at that location and the client loves everything about it. Cisco should be this good. So, I was all psyched to use it for a larger client installation and I hit a major snag, which is a FreeBSD limitation. This client has their DMZ IP's bridged to the WAN connection, so their servers have real IP addresses, not NAT'ed addresses. This is for historical reasons but it's so ingrained that short of their ISP and its netblocks going poof, it's never going to change, and would require hundreds of man-hours to change. They ought to, but it won't happen. But m0n0wall can do bridging... So, they also have a LAN which is NAT'ed. They have a few hundred devices on their 10. network there which ride a NAT'ed address out to the Internet. And m0n0wall can do that. Here's where you get the gotcha - under BSD due to the way the bridge device and the ipnat device work, you can't talk from a NAT'ed device on one interface to a bridged device on another. Packets go out but don't know how to get back. The BSD network gurus have looked at it, said, 'dang, that should be possible,' but have decided it would be way too hard to get working. So, for this client I'll be using a linux-based firewall, probably IPCop, which I don't believe (but need to prove to myself in the lab) has this problem. -Bill - Bill McGonigle, Owner Work: 603.448.4440 BFC Computing, LLC Home: 603.448.1668 [EMAIL PROTECTED] Cell: 603.252.2606 http://www.bfccomputing.com/Page: 603.442.1833 Blog: http://blog.bfccomputing.com/ VCard: http://bfccomputing.com/vcard/bill.vcf ___ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss