 From:  "Jewell, Mike" <mjewell at law dot umaryland dot edu>
 To:  "'Sancho2k.net Lists '" <lists at sancho2k dot net>, 'Don Munyak ' <don dot munyak at gmail dot com>
 Cc:  "'m0n0wall at lists dot m0n0 dot ch '" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Router ACL's and m0n0wall
 Date:  Sun, 27 Mar 2005 11:24:34 -0500
I would agree, I only filter ICMPs destined for my router interface on the

I have a Catalyst 6500 w/ the Firewall Service Module, which doesn't have any
physical connections on it, so the connections route to the firewall through
the main switch on a VLAN...


-----Original Message-----
From: Sancho2k.net Lists
To: Don Munyak
Cc: m0n0wall at lists dot m0n0 dot ch
Sent: 3/26/2005 9:05 PM
Subject: Re: [m0n0wall] Router ACL's and m0n0wall

Don Munyak wrote:
> Got a question about the use of ACLs on a router.
> Currently our router is set up as a firewall/router (Cisco 1750). I
> have it set up using Reflexive Access Lists (IP Session Filtering).
> I am planning on putting m0n0wall behind the router and removing the
> Reflexive Access Lists.
> In your opinion would you...
> 1. Use minimal standard or extended ACLs to filter out port traffic
> for a given IP..or..
> 2. Just make the router route packets and leave the filtering up to

The way I'd go is to use m0n0wall for your filtering. Your ruleset and
filtering capabilities in the BSD kernel will give you more capabilities
than those available in IOS. AFAIK IOS, e.g., gives you no stateful
filtering capabilities, just stateless..? You could also be limited in
some areas due to the minimal resources available in your Cisco
(memory/CPU), although this model seems decent enough.

As a premise, my philosophy has been that the router is intended to
facilitate the passing of traffic, so let it do the routing, while a
firewall is purposed to prohibit the passing of traffic, so let it do
the filtering.

My $0.02.
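An added illustration, written for this archive page and not code from any of the posters or from m0n0wall, of two things discussed in the thread: the difference between a stateless ACL decision and a state table that recognises replies to connections the inside host opened (the stateless/stateful point above), and a router rule that only drops ICMP aimed at the router's own interface (the rule Mike describes at the top). Everything in it is constructed: the RFC 5737 documentation addresses, the ports, and the "permit TCP if ACK is set" rule used to stand in for an IOS-style `established` match. It models the two decision procedures in Python and touches no real device.

```python
"""Toy model: stateless router ACL vs a stateful firewall (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    sport: int          # 0 for icmp
    dst: str
    dport: int          # 0 for icmp
    ack: bool = False   # TCP ACK flag


# Constructed addresses from the RFC 5737 documentation ranges.
ROUTER_IF = "203.0.113.1"     # router's outside interface (assumed)
INSIDE_HOST = "192.0.2.10"    # host behind the firewall (assumed)
WEB_SERVER = "198.51.100.5"   # remote server the inside host talks to (assumed)
STRANGER = "198.51.100.99"    # unrelated remote host (assumed)


def router_acl(pkt: Packet) -> str:
    """Stateless inbound decision, modelled on an extended ACL.

    Rule 1: drop ICMP addressed to the router's own interface.
    Rule 2: permit TCP whose ACK flag is set, the classic 'established'
    style match. Having no memory of earlier packets, it cannot tell a
    genuine reply from any other packet that happens to carry ACK.
    """
    if pkt.proto == "icmp" and pkt.dst == ROUTER_IF:
        return "deny"
    if pkt.proto == "tcp" and pkt.ack:
        return "permit"
    return "deny"


class StatefulFirewall:
    """Minimal connection table of the kind a BSD packet filter keeps."""

    def __init__(self) -> None:
        self.state: set[tuple] = set()

    def outbound(self, pkt: Packet) -> str:
        # The inside host opens a connection: record the 5-tuple so that
        # only traffic matching its reverse is accepted back in.
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        # A packet is a reply only if the reversed 5-tuple is known.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.state else "deny"


def compare() -> dict:
    """Run the same inbound packets through both filters.

    Returns {case: (router_acl verdict, stateful verdict)}.
    """
    fw = StatefulFirewall()
    # Inside host connects out to the web server on port 80 first.
    fw.outbound(Packet("tcp", INSIDE_HOST, 40000, WEB_SERVER, 80))

    cases = {
        "reply from web server": Packet("tcp", WEB_SERVER, 80, INSIDE_HOST, 40000, ack=True),
        "unsolicited ACK to ssh": Packet("tcp", STRANGER, 1234, INSIDE_HOST, 22, ack=True),
        "ping router interface": Packet("icmp", STRANGER, 0, ROUTER_IF, 0),
        "ping inside host": Packet("icmp", STRANGER, 0, INSIDE_HOST, 0),
    }
    return {name: (router_acl(p), fw.inbound(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (acl, stateful) in compare().items():
        print(f"{name:24s} acl={acl:6s} stateful={stateful}")
```

The one row worth reading is "unsolicited ACK to ssh": the stateless rule permits it because the flag matches, while the state table denies it because nobody inside opened that connection. That is the practical content of "let the router route and the firewall filter".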


To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch