On Thu, 2004-11-04 at 02:16, Matt Juszczak wrote:

> OK ... this is how we're going to have our m0n0wall setup. Any
> suggestions would be appreciated.
>
>
> LAN1 <--------- m0n01 -----------> WAN
>                   |
>                   |
>                   |
>                   |
>
>           CHESTER.MYDOMAIN.EDU
>
>                   |
>                   |
>                   |
>                   |
> LAN2 <--------- m0n02 -----------> WAN

Well, seen from a network point of view it's just two routers with an OPT
interface going to the central server. Are you planning on having traffic
between LAN1 and LAN2 go the same way?

> Chester.mydomain.edu will be a server that we are setting up only
> accessible from LAN1 and LAN2 (LAN1 is a /22 and LAN2 is a /20). We are

Just a matter of setting up the firewall rules to allow the traffic required.

> Also, a mysql server will run on chester and we are having a PHP binary
> with mysql support on our m0n0's. When people login to either captive
> portal, the portal will check on chester (via mysql) to see if there is a
> ban on a username or mac address.

Something like a check on username could be made by having a radius server
running on chester. Then it would be a standard setup for monowall.
OpenRadius can also speak with a mySQL backend if I remember correctly.

> This way we can allow our college administration to manage bans on the
> m0n0wall boxes without giving them full access to the webGUI. Comments on
> this?

Great solution on handing out the administration - thinking of doing the
same on my semi-public mail server for the admins of the domains operated.

> We had a quick question though. I wanted to know if there was a way to
> make it so that when m0n0 shuts down, it exports the output of ipfstat -io
> and the ipfw equivalent (not sure what it is off the top of my head) to a
> text file on chester, and then reloads it on boot up. We'd like users who
> are authenticated to not get kicked out if we reboot our box.

I don't think that would be possible, but I might be wrong.

> Other than that one little thing, does everyone feel our solution is a
> good one?

Seems reasonable to me. I have been thinking of having my FW (prior to
monowall) boot as a thin client via the network, but monowall is so damned
simple to operate that it has been dropped.

> Thanks in advance for anyone's assistance!

Just hope you can use my output!

--
Henning Wangerin <mailinglists dash after dash 041101 underscore reply dash not dash possible at hpc dot dk>
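The ban lookup Matt describes (captive-portal login checked against a ban table on chester by username or MAC), as an added example that is not from this thread or from m0n0wall. It is written in Python with an in-memory sqlite3 table standing in for the MySQL server on chester; the table layout, sample rows, and function names are assumptions, and the point it adds is that the lookup is parameterised and the MAC is normalised before comparison.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Assumed layout of the ban table on chester (constructed for this example).
SCHEMA = """
CREATE TABLE bans (
    kind    TEXT NOT NULL CHECK (kind IN ('user', 'mac')),
    value   TEXT NOT NULL,
    expires TEXT,            -- ISO-8601 UTC timestamp, NULL = permanent ban
    reason  TEXT
);
"""

# Constructed sample rows, not real users or hardware addresses.
SAMPLE_BANS = [
    ("user", "jdoe", None, "policy violation"),
    ("mac", "00:0c:29:ab:cd:ef", "2004-12-01T00:00:00+00:00", "p2p traffic"),
    ("mac", "00:11:22:33:44:55", "2004-10-01T00:00:00+00:00", "expired ban"),
]

def normalize_mac(mac):
    """Canonical lower-case colon form, so '00-0C-29-AB-CD-EF' and '000c29abcdef' hit one row."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def open_ban_db():
    """In-memory stand-in for the MySQL ban table on chester."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO bans VALUES (?, ?, ?, ?)", SAMPLE_BANS)
    return conn

def is_banned(conn, username, mac, now):
    """Return the ban reason if the username or MAC is banned at time `now`, else None."""
    rows = conn.execute(
        # Parameterised query: the username comes straight from the portal login form.
        "SELECT expires, reason FROM bans "
        "WHERE (kind = 'user' AND value = ?) OR (kind = 'mac' AND value = ?)",
        (username.strip().lower(), normalize_mac(mac)),
    ).fetchall()
    for expires, reason in rows:
        if expires is None or datetime.fromisoformat(expires) > now:
            return reason
    return None  # no active ban: the captive portal may let the login proceed

def ban_reason(username, mac, now_iso="2004-11-04T00:00:00+00:00"):
    """Convenience entry point: check one login attempt against the sample table."""
    return is_banned(open_ban_db(), username, mac, datetime.fromisoformat(now_iso))
```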