 From:  "Sancho2k.net Lists" <lists at sancho2k dot net>
 To:  Don Munyak <don dot munyak at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Router ACL's and m0n0wall
 Date:  Sat, 26 Mar 2005 19:05:31 -0700
Don Munyak wrote:
> Got a question about the use of ACLs on a router.
> 
> Currently our router is set up as a firewall/router (Cisco 1750). I
> have it set up using Reflexive Access Lists (IP Session Filtering).
> 
> I am planning on putting m0n0wall behind the router and removing the
> Reflexive Access Lists.
> 
> In your opinion would you...
> 
> 1. Use minimal standard or extended ACLs to filter out port traffic
> for a given IP... or...
> 2. Just make the router route packets and leave the filtering up to m0n0wall?

The way I'd go is to use m0n0wall for your filtering. Your ruleset and
filtering capabilities in the BSD kernel will give you more capabilities
than those available in IOS. AFAIK, IOS gives you no stateful
filtering capabilities, just stateless? You could also be limited in
some areas due to the minimal resources available in your Cisco
(memory/CPU), although this model seems decent enough.

As a premise, my philosophy has been that the router is intended to
facilitate the passing of traffic, so let it do the routing, while a
firewall is purposed to prohibit the passing of traffic, so let it do
the filtering.

My $0.02.

DS
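The distinction DS draws between stateless and stateful filtering is the crux of the answer, so here is a small model of both, written as an added illustration for this archive page (it is not code from the thread, from m0n0wall, or from Cisco). The stateless side models an IOS-style `permit tcp any any established` rule, which decides on the flag bits of each inbound segment alone; the stateful side keeps a table of connections seen leaving the inside network and admits only matching replies. The addresses and segments are constructed sample traffic, and the class and function names are my own.

```python
"""Stateless 'established' ACL vs. stateful filter, modelled in Python.

Added example for the m0n0wall list thread; the traffic below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to the fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # ACK bit set; an IOS 'established' match keys on ACK or RST


def stateless_established_acl(seg: Segment) -> bool:
    """Models 'permit tcp any any established' applied inbound on the router:
    the verdict uses only this one segment's flag bits, with no memory of
    whether an inside host ever opened the connection."""
    return seg.ack


class StatefulFilter:
    """Models a stateful firewall (what m0n0wall's BSD packet filter does):
    inbound traffic is accepted only if it belongs to a connection that was
    first seen leaving the inside network."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, seg: Segment) -> bool:
        # Record the 4-tuple of the connection the inside host is opening.
        self.table.add((seg.src, seg.sport, seg.dst, seg.dport))
        return True

    def inbound(self, seg: Segment) -> bool:
        # A reply has the recorded tuple with source and destination swapped.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.table


def compare(outbound: List[Segment],
            inbound: List[Tuple[str, Segment]]) -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (stateless_verdict, stateful_verdict)} for each inbound
    segment, after the stateful filter has seen the outbound traffic."""
    sf = StatefulFilter()
    for seg in outbound:
        sf.outbound(seg)
    return {label: (stateless_established_acl(seg), sf.inbound(seg))
            for label, seg in inbound}


# Constructed sample traffic (documentation-range addresses, not from the thread).
OUTBOUND = [
    # Inside host 192.0.2.10 opens a web session to an outside server.
    Segment("192.0.2.10", 51515, "198.51.100.80", 80, ack=False),
]
INBOUND = [
    ("reply to our web session",
     Segment("198.51.100.80", 80, "192.0.2.10", 51515, ack=True)),
    ("unsolicited, ACK set, to tcp/445",
     Segment("203.0.113.7", 40000, "192.0.2.10", 445, ack=True)),
    ("unsolicited SYN to tcp/445",
     Segment("203.0.113.7", 40001, "192.0.2.10", 445, ack=False)),
]


def run() -> Dict[str, Tuple[bool, bool]]:
    """Evaluate the sample inbound segments against both filter models."""
    return compare(OUTBOUND, INBOUND)


if __name__ == "__main__":
    for label, (stateless, stateful) in run().items():
        print(f"{label:34} stateless ACL: {'permit' if stateless else 'deny':6} "
              f"stateful: {'permit' if stateful else 'deny'}")
```

Both models admit the genuine reply and both drop the unsolicited SYN; they differ on the unsolicited segment that merely carries an ACK bit, which the stateless rule permits because it has no way to know that no inside host ever opened that connection. That gap is why the thread's advice to let the stateful device do the filtering, and let the router just route, holds up.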