 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'Manuel Kasper '" <mk at neon1 dot net>
 Cc:  "'list at m0n0wall dot neon1 dot net'" <list at m0n0wall dot neon1 dot net>
 Subject:  RE: LAN - DMZ - WAN Firewall rules
 Date:  Wed, 23 Apr 2003 12:46:26 +0200
Hi Manuel,

Thanks again for the very clear reply!

First of all, I would like to say YES!, please make a miniBSD CF image
available if you have the time! I love the images, because I do not have a
lot of time to build one myself. Still a newbie too ;-)

Certainly I understand m0n0wall isn't built to do the things I'm trying to
do (strange 'no route to host' replies to ping are a hint ;-).
I love the idea of being able to configure something by web, but you need to
build an environment specific to every purpose... :-(

What I WOULD like (I know, it's PHP, so I don't stand a chance :-) is a
m0n0wall "simple version". Just 3 interfaces and configurable firewall rules
(but no assumptions for WAN-DMZ-LAN, so no NAT by default) as a sort of
internal router / firewall. Just to put my wishes online :-)

The 'make a binary' website would be just great, but a standard binary would
be fine already!

Many thanks for the great products!


-----Original Message-----
From: Manuel Kasper
To: Christiaens Joachim
Cc: list at m0n0wall dot neon1 dot net
Sent: 22/04/03 18:24
Subject: Re: LAN - DMZ - WAN Firewall rules

Hi Joachim,

> Could it be possible that the different 'interfaces' are not treated
> equally when using the firewall?

Yes, it's not only possible but for real - NAT (Network Address
Translation) is always enabled on the WAN interface and cannot be turned off.

> (except there is no default gateway that can be set on DMZ),

That's intentional - it wouldn't do much good to have more than one
default gateway at a time on a single machine. A "static routes" feature
is on the To Do list for more complicated setups.

> but if I use WAN (on
> the employee side), services on the LAN interface (showroom) are not
> reachable (ping is OK!).

Yep, you'd have to add NAT rules for all the services for it to work...

> I'm a newbie at BSD stuff (not even used it once) but I guess m0n0wall is
> meant for dummies like me :-)

Seems like you're not enough of a dummy for m0n0wall. ;) Seriously, as
much as I'd like to make m0n0wall as featureful as possible, I don't think
it would do much good. m0n0wall is intended as a quick, easy and free
solution for a common problem - anything more complicated, and you're
probably better off using miniBSD on your net4501. I realize that it may
have been better not to associate the available interfaces with a given
task (e.g. "LAN", "WAN", "DMZ"), but rather number them and leave it up to
the user to decide what he wants to do with them. But the initial goal was
to create a free clone of say, a ZyWALL or SonicWALL, and that's just the
way they do it (sometimes even less flexible than m0n0wall).

BTW, what do you people think - would releasing a ready-made net45xx
miniBSD CF image make sense? If so, I'd devote some of my time to that as
an alternative for people who have more complex requirements. I realize
that some people may be scared off by the amount of work associated with
working through my guide, and even if I declined requests to make such an
image available earlier, by now I think it may not be such a dumb idea
after all...

I have also considered the possibility of making something like an
m0n0wall' where you have a web interface, but set up most of the things on
your own (e.g. write ipf/ipnat rules). I dismissed the idea for good
because I think it's not worth the effort - if you have to write all the
stuff on your own, you might as well do it in an ssh session. Besides, I
don't feel like I've got enough time to start yet another project. ;)

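Added example (not from this thread, and not the rule set m0n0wall
generates itself): the hand-written ipf/ipnat rules Manuel alludes to, for
the three-interface net4501 setup the thread is about. Interface names
(sis0 = WAN, sis1 = LAN, sis2 = DMZ), the 192.168.1.0/24 and 192.168.2.0/24
subnets, the LAN host 192.168.1.10, the services on it and the file paths
are all assumptions made for illustration. What it shows is the point
Manuel makes above: with NAT on the WAN side, every LAN service that should
be reachable from WAN needs its own rdr rule, plus a matching ipf pass rule
written against the internal address, because ipfilter translates inbound
packets before the filter sees them.

```conf
# /etc/ipnat.rules (assumed path) - NAT rules, loaded with ipnat(8)
#
# Hide LAN and DMZ behind the WAN interface address (0/32 = address of
# the interface) for outbound traffic; the first line of each pair
# handles TCP/UDP with a port pool, the second everything else.
map sis0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map sis0 192.168.1.0/24 -> 0/32
map sis0 192.168.2.0/24 -> 0/32 portmap tcp/udp 10000:20000
map sis0 192.168.2.0/24 -> 0/32
#
# One rdr per service that WAN-side clients must reach on the LAN host.
# Without these, only traffic the firewall itself answers (e.g. ping to
# its own address) works from the WAN side.
rdr sis0 0.0.0.0/0 port 80 -> 192.168.1.10 port 80 tcp
rdr sis0 0.0.0.0/0 port 22 -> 192.168.1.10 port 22 tcp

# /etc/ipf.rules (assumed path) - filter rules, loaded with ipf(8)
#
# Default: drop and log anything not explicitly passed below.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
#
# LAN (sis1) may initiate anything; "keep state" lets replies back in,
# including the forwarded packets leaving on the other interfaces.
pass in quick on sis1 proto tcp from 192.168.1.0/24 to any flags S/SA keep state
pass in quick on sis1 proto udp from 192.168.1.0/24 to any keep state
pass in quick on sis1 proto icmp from 192.168.1.0/24 to any keep state
#
# DMZ (sis2) may reach the outside but is explicitly kept off the LAN.
block in quick on sis2 from 192.168.2.0/24 to 192.168.1.0/24
pass in quick on sis2 proto tcp from 192.168.2.0/24 to any flags S/SA keep state
pass in quick on sis2 proto udp from 192.168.2.0/24 to any keep state
pass in quick on sis2 proto icmp from 192.168.2.0/24 to any keep state
#
# The firewall's own outbound traffic on WAN.
pass out quick on sis0 proto tcp from any to any flags S/SA keep state
pass out quick on sis0 proto udp from any to any keep state
pass out quick on sis0 proto icmp from any to any keep state
#
# Inbound on WAN: one pass rule per rdr above, matched on the INTERNAL
# destination address, since ipnat has already rewritten the packet by
# the time ipf evaluates it. A rule written against the WAN address
# would never match.
pass in quick on sis0 proto tcp from any to 192.168.1.10 port = 80 flags S/SA keep state
pass in quick on sis0 proto tcp from any to 192.168.1.10 port = 22 flags S/SA keep state
```

Load with "ipf -Fa -f /etc/ipf.rules" and "ipnat -CF -f /etc/ipnat.rules",
then confirm what is actually active with "ipfstat -io" and "ipnat -l";
"ipmon" shows the logged blocks, which is the quickest way to see which
rule is dropping a connection that the WAN side cannot open. Each
additional LAN service means another rdr line and another pass line; the
rdr alone is not enough, and the pass alone only works for the firewall's
own addresses.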