Andres Petralli wrote:
> On 25.10.2005, at 00:38, Chad R. Larson wrote:
>> We are a multi-national company with about 7000 employees. The very
>> first firewall an outsider sees (or, rather, doesn't see) is a
>> m0n0wall/Soekris box. Perhaps that is why I value security so highly.
> I highly doubt that all your 7000 employees run over that box. Maybe
> you use those boxes to connect subsidiaries of your company which may
> be connected together over conventional ADSL or other cheap internet
> lines. Whatever... there are always exceptions.
You can doubt whatever you want. The m0n0wall is the outer firewall for
a DMZ. It's currently eating an average of 3 Mbps (peaks to 100). All
our traffic (email, web, ftp, etc.) with the outside world goes through
it. Also, several hundred interactive ssh sessions for our ASP customers.
We have other connectivity between our offices for internal
communications, mostly DS3's.
> The fact that enterprise routing protocols like bgp4+, ISIS and ospf
> are missing and that there is no way to cluster m0n0walls for
> redundancy are clear indications, that it is not meant for this high
> profile kind of enterprise use. If all your 7000 employees depend on
> that single box, well then I really wouldn't like to have your job!
We have a hot spare, and a (non-stateful) switchover to it. The
m0n0wall on each is configured to do MAC spoofing on the LAN and WAN
interfaces, so the switchover doesn't affect either the machines on the
DMZ or our ISP (AT&T).
The Soekris net4801 we are using has no moving parts and very
conservatively rated components. Would you rather have a machine with a
spinning disk and fans?
> In m0n0wall everything, or at least most of it is built around NAT and
> using the box as a router for internet lines where only one or a few
> IP addresses are available. This already does disqualify it as a
> solution for medium and bigger sized companies.
Nah. NATing is just another thing it can do, not its reason to exist.
Ours just passes our Class C traffic (205.159.99.x) on through.
Besides, it's not limited to just a few addresses. It can NAT huge
blocks of addresses if you like.
> Other things like PPPoE also indicate, that m0n0wall's target user
> group is rather the adsl and cable ISP user than companies that
> connect their network to carriers with fibre lines.
Again, just another feature we don't use. Like captive portal. Those
things came late to the party, after Manuel started accepting
enhancements from his user base. I don't think their existence defines
the audience for the system. Which is why all the discussion of m0n0
2.0 being more modular. I've got no use for the captive portal code,
but might like more statistics collection.
> But hey, maybe this is the whole point about this discussion. Maybe the
> developers here should define what m0n0wall is about and who the target
> audience is, whether it should be a cheap but powerful firewall/router
> for everyone or a true substitute to checkpoint firewalls and cisco
We have a Sun E250 with hardware encryption acceleration running
Checkpoint Firewall1 for the inner firewall on the DMZ. It is also our
The outer firewall has a different function. It has to terminate the
line from AT&T. It has to block RFC-1918 traffic. It has to keep out
source addresses from our Class C block (spoofed). It protects from
some forms of denial-of-service. It blocks multicast inbound. I see no
reason at all why I should buy a $10,000 box for that job, when a $300
one will do. That would be irresponsible.
> Personally I think that it is futile to try to replace the
> latter ones and that you can't build a box for home and soho use while
> also building the same system towards enterprise usage.
> But I'm fine with a box that is geared towards enthusiasts rather than
> towards enterprises.
If you just want a NATing firewall/router for home, buy a $50 Linksys.
If you want to play with the innards, visit http://openwrt.org/ or the like.
> This is where m0n0wall really could find a solid user base.
I think it already =does= have a solid base.
I guess what's torquing my tool is the implication that a
m0n0wall/Soekris is somehow "not a =real= firewall". For what we're
doing with it, I would never deploy something from Cisco. Too much
money. Too hard to administer. Semi-flaky operating system (IOS vs
Chad R. Larson (CRL22) chad at eldocomp dot com
Eldorado Computing, Inc. 602-604-3100
5353 North 16th Street, Suite 400
Phoenix, Arizona 85016-3228
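The outer-firewall duties Chad lists (drop RFC-1918 sources, drop packets claiming a source inside the company's own Class C, drop inbound multicast), written out as a small WAN-ingress filter. This is an added Python example, not code from the thread or from m0n0wall; only the 205.159.99.0/24 block comes from the mail, and the packet records are constructed.

```python
"""WAN-ingress filter modelling the outer firewall's duties from the mail.

Added example; not m0n0wall code. The 205.159.99.0/24 block is taken from
the mail; the Packet records, rule order and sample traffic are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OWN_BLOCK = IPv4Network("205.159.99.0/24")   # the company's Class C, from the mail
MULTICAST = IPv4Network("224.0.0.0/4")       # all IPv4 multicast destinations


@dataclass(frozen=True)
class Packet:
    iface: str   # "wan" or "lan": interface the packet arrived on
    src: str
    dst: str


def wan_ingress_verdict(pkt: Packet) -> str:
    """Return 'pass' or 'drop:<reason>'; only WAN-ingress traffic is filtered."""
    if pkt.iface != "wan":
        return "pass"
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if any(src in n for n in RFC1918):
        return "drop:rfc1918-source"      # private space is never a valid Internet source
    if src in OWN_BLOCK:
        return "drop:spoofed-own-block"   # our own addresses cannot legitimately arrive from outside
    if dst in MULTICAST:
        return "drop:inbound-multicast"
    return "pass"


def filter_log(packets):
    """Apply the verdict to each packet and return (packet, verdict) pairs."""
    return [(p, wan_ingress_verdict(p)) for p in packets]


# Constructed sample traffic as it might be seen on the WAN interface.
SAMPLE = [
    Packet("wan", "198.51.100.7", "205.159.99.25"),    # ordinary inbound mail delivery
    Packet("wan", "10.1.2.3", "205.159.99.80"),        # RFC-1918 source
    Packet("wan", "205.159.99.200", "205.159.99.22"),  # our block as source, arriving from outside
    Packet("wan", "198.51.100.9", "224.0.0.251"),      # multicast destination inbound
    Packet("lan", "205.159.99.22", "198.51.100.7"),    # outbound, not this filter's job
]

if __name__ == "__main__":
    for p, v in filter_log(SAMPLE):
        print(f"{p.iface:3} {p.src:>15} -> {p.dst:<15} {v}")
```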