 From:  "Giobbi, Ryan" <rgiobbi at AGOC dot com>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Layered Monowall Network Configuration
 Date:  Tue, 6 Dec 2005 12:59:56 -0500
Dumb guess here: 

Could the first firewall be set up in bridged mode and the rest be in
the standard configuration?


-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: Monday, December 05, 2005 11:26 PM
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Layered Monowall Network Configuration

On 12/5/05, Joe Rodriguez Jr. <jrodriguezjr at gmail dot com> wrote:
> Hi All,
>
> I am sure that these questions have been asked before but I searched 
> high and low and could not find anything on the subject.
>
> First a little background..... I was casually just looking at some of 
> the photos on the gallery of the Monowall homepage that showed how 
> different folks around the globe have configured Monowall.  One 
> particular one that sparked my interest was a photo by Jeroen Visser 
> off the gallery page that showed his configuration with multiple 
> firewall layers.  According to the photo this gentlemen submitted, he
> has a main firewall and other "routing"
> firewalls under the main firewall using monowall.
>

I'd be curious to see how this is actually set up.  Given that they're
labeled "routing firewalls", I'd guess they're routing between VLAN's or
multiple broadcast domains physically segregated.  So they probably
control traffic between internal subnets.  If that's the case, they're
just routers that happen to have firewalling capabilities.  Most
networks don't have multiple internal subnets like that (until you get
to ~200+ hosts).


> I am very interested in this type of configuration.  Here are my 
> questions regarding this:
> 1. Does this layered firewall approach have a name for this type of 
> configuration?

not that I'm aware of.  nothing standard, at least.


> 2. Does anyone know of any monowall resources that they could point me
> to get more information?

haven't seen any.


> 3. Is this configuration documented?

not that I'm aware of.


> 4. What type of advantages/disadvantages does this configuration have?
>

I'll take this from a different perspective than what I described above
as what he probably has configured in that picture.  If I were to
configure two firewalls back to back the way I think you're talking
about, I would set up one in front of the firewall that does the NAT as a
bridge, as documented here:
http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

Ideally, you'd probably want to use two completely different firewalls
for this, in case somebody found a way to construct packets to bypass
ipfilter (m0n0wall's firewalling software).  This is incredibly,
extremely unlikely, but if you're paranoid enough to put in two
firewalls, you might as well go all the way.

Advantages:
-could potentially be more secure, especially if using two different
platforms
-a configuration mistake on one typically wouldn't be an issue
unless the same mistake was made on both

Disadvantages:
-administrative headache (config changes have to be done in two places)
-twice the normal firewall administration
-twice the single points of failure

Overall, this isn't going to buy you much of anything for the effort,
and I wouldn't bother in most any circumstance.


> And lastly, on a separate note, are there any load balancing/failover 
> features planned for monowall in the future?
>

maybe for 1.3, that's still pretty up in the air though (as are all
things with 1.3 at this point).

-Chris
