 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  "Sancho2k.net Lists" <lists at sancho2k dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Router ACL's and m0n0wall
 Date:  Sat, 26 Mar 2005 22:23:41 -0500

I have removed the ACLs and can get outbound traffic from the LAN.

I am having trouble getting inbound traffic to our webservers... check
my next post.

Thanks again,

- Don

On Sat, 26 Mar 2005 19:05:31 -0700, Sancho2k.net Lists
<lists at sancho2k dot net> wrote:
> Don Munyak wrote:
> > Got a question about the use of ACLs on a router.
> >
> > Currently our router is set up as a firewall/router (cisco 1750). I
> > have it set up using Reflexive Access Lists (IP Session Filtering)
> >
> >  I am planning on putting m0n0wall behind the router and removing the
> > Reflexive Access Lists.
> >
> > In your opinion would you...
> >
> > 1. Use minimal standard or extended ACLs to filter out port traffic
> > for a given IP..or..
> > 2. Just make the router route packets and leave the filtering up to m0n0wall
> The way I'd go is to use m0n0wall for your filtering. Your ruleset and
> filtering capabilities in the BSD kernel will give you more capabilities
> than those available in IOS. AFAIK IOS e.g. gives you no stateful
> filtering capabilities, just stateless..? You could also be limited in
> some areas due to the minimal resources available in your cisco
> (memory/cpu) although this model seems decent enough.
> As a premise, my philosophy has been that the router is intended to
> facilitate the passing of traffic, so let it do the routing, while a
> firewall is purposed to prohibit the passing of traffic, so let it do
> the filtering.
> My $0.02.
> DS
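
For readers who have not worked with Reflexive Access Lists, here is an added example (not from the original thread, and not m0n0wall's or Cisco's own documentation) of the two router configurations the thread is weighing: the "IP Session Filtering" setup Don describes removing, and the routing-only configuration that leaves filtering to m0n0wall. The interface names, the list names, the timeout value and the address are assumptions chosen for illustration.

```cisco
! --- Option A: reflexive ACLs (IP Session Filtering) on the router ---
! Assumed: Serial0 faces the Internet. All names and values here are
! illustrative, not taken from the original post.
!
! Traffic leaving on Serial0 is permitted and each session is recorded in
! a temporary reflexive entry; the inbound list only "evaluates" those
! entries, so inbound packets that do not match a session the router saw
! leave fall through to the final deny.
ip reflexive-list timeout 300
!
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-SESSIONS
 permit udp any any reflect UDP-SESSIONS
 permit icmp any any reflect ICMP-SESSIONS
!
ip access-list extended INBOUND
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 evaluate ICMP-SESSIONS
 deny ip any any log
!
interface Serial0
 ip access-group OUTBOUND out
 ip access-group INBOUND in

! --- Option B: the router only routes, m0n0wall filters ---
! Remove the access-groups before deleting the lists, then forward
! everything to the m0n0wall WAN side. Assumed: m0n0wall's WAN interface
! is on FastEthernet0, which is numbered 192.0.2.1/30 in this illustration.
! Reverse-path checking is left on as a cheap anti-spoofing check that
! does not need any session state (it requires CEF).
ip cef
!
interface Serial0
 no ip access-group OUTBOUND out
 no ip access-group INBOUND in
 ip verify unicast reverse-path
!
no ip access-list extended OUTBOUND
no ip access-list extended INBOUND
!
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.252
```

Option A tracks sessions only at the level of addresses, protocol and ports; m0n0wall's ipfilter-based ruleset keeps full connection state, which is the capability difference DS is pointing at. Whichever option is chosen on the router, m0n0wall will only pass an inbound connection to a web server behind it when there is both an inbound NAT (port-forward) entry and a matching WAN firewall rule permitting that traffic (or the NAT entry's option to auto-add that rule is used); the NAT entry alone does not open the port.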