Hi Joachim,

> Could it be possible that the different 'interfaces' are not treated
> equally when using the firewall?

Yes, it's not only possible but for real - NAT (Network Address Translation) is always enabled on the WAN interface and cannot be turned off.

> (except there is no default gateway that can be set on DMZ),

That's intentional - it wouldn't do much good to have more than one default gateway at a time on a single machine. A "static routes" feature is on the To Do list for more complicated setups.

> but if I use WAN (on the employee side), services on the LAN interface
> (showroom) are not reachable (ping is OK!).

Yep, you'd have to add NAT rules for all the services for it to work... Yuck.

> I'm a newbie at BSD stuff (not even used it once) but I guess m0n0wall is
> meant for dummies like me :-)

Seems like you're not enough of a dummy for m0n0wall. ;) Seriously, as much as I'd like to make m0n0wall as featureful as possible, I don't think it would do much good. m0n0wall is intended as a quick, easy and free solution for a common problem - anything more complicated, and you're probably better off using miniBSD on your net4501.

I realize that it may have been better not to associate the available interfaces with a given task (e.g. "LAN", "WAN", "DMZ"), but rather to number them and leave it up to the user to decide what he wants to do with them. But the initial goal was to create a free clone of, say, a ZyWALL or SonicWALL, and that's just the way they do it (sometimes even less flexibly than m0n0wall).

BTW, what do you people think - would releasing a ready-made net45xx miniBSD CF image make sense? If so, I'd devote some of my time to that as an alternative for people who have more complex requirements. I realize that some people may be scared off by the amount of work associated with working through my guide, and even if I declined requests to make such an image available earlier, by now I think it may not be such a dumb idea after all...

I have also considered the possibility of making something like an 'expert m0n0wall' where you have a web interface, but set up most of the things on your own (e.g. write ipf/ipnat rules). I dismissed the idea for good because I think it's not worth the effort - if you have to write all the stuff on your own, you might as well do it in an ssh session. Besides, I don't feel like I've got enough time to start yet another project. ;)

Greets,
Manuel
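Added example, not part of Manuel's message or of the m0n0wall project, of what the ipf/ipnat rules he refers to look like when written by hand on a miniBSD box: the WAN side is always masqueraded (`map`), so each service on the LAN side that WAN hosts should reach needs its own redirect (`rdr`) plus a matching filter rule. Interface names (sis1 = WAN, sis0 = LAN), the 192.168.1.0/24 LAN, the 192.168.1.10 web server, and the port-map range are assumptions for illustration only; adjust them to your own layout.

```text
# /etc/ipnat.rules (assumed path; load with: ipnat -CF -f /etc/ipnat.rules)
# Outbound masquerading on the WAN interface, using the WAN address (0/32).
# This is the part m0n0wall always enables on WAN and does not let you disable.
map sis1 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map sis1 192.168.1.0/24 -> 0/32

# One redirect per LAN service that must be reachable from the WAN side.
# Without such a rule the packet arrives at the WAN address and is dropped,
# which is why ping (answered by the firewall itself) works but services do not.
rdr sis1 0/0 port 80 -> 192.168.1.10 port 80 tcp

# /etc/ipf.rules (assumed path; load with: ipf -Fa -f /etc/ipf.rules)
# IPFilter applies NAT before filtering on inbound packets, so the filter rule
# matches the translated (internal) destination, not the WAN address.
block in log quick on sis1 all
pass in quick on sis1 proto tcp from any to 192.168.1.10 port = 80 flags S keep state
pass out quick on sis1 proto tcp/udp from any to any keep state
pass out quick on sis1 proto icmp from any to any keep state
```

The `block in ... all` line must sit before the `pass in` line, since `quick` makes the first matching rule final. Each additional LAN service gets another `rdr` line and another `pass in` line, which is the per-service bookkeeping Manuel is objecting to above.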