Dumb guess here: Could the first firewall be set up in bridged mode and the rest be in the standard configuration?

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Monday, December 05, 2005 11:26 PM
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Layered Monowall Network Configuration

On 12/5/05, Joe Rodiguez Jr. <jrodriguezjr at gmail dot com> wrote:
> Hi All,
>
> I am sure that these questions have been asked before but I searched
> high and low and could not find anything on the subject.
>
> First a little background..... I was casually just looking at some of
> the photos on the gallery of the Monowall homepage that showed how
> different folks around the globe have configured Monowall. One
> particular one that sparked my interest was a photo by Jeroen Visser
> off the gallery page that showed his configuration with multiple
> firewall layers. According to the photo this gentleman submitted, he has a main firewall and other "routing"
> firewalls under the main firewall using monowall.
>

I'd be curious to see how this is actually set up. Given that they're labeled "routing firewalls", I'd guess they're routing between VLANs or multiple broadcast domains physically segregated. So they probably control traffic between internal subnets. If that's the case, they're just routers that happen to have firewalling capabilities. Most networks don't have multiple internal subnets like that (until you get to ~200+ hosts).

> I am very interested in this type of configuration. Here are my
> questions regarding this:
> 1. Does this layered firewall approach have a name for this type of
> configuration?

Not that I'm aware of. Nothing standard, at least.

> 2. Does anyone know of any monowall resources that they could point me
> to get more information?

Haven't seen any.

> 3. Is this configuration documented?

Not that I'm aware of.

> 4. What type of advantages/disadvantages does this configuration have?
>

I'll take this from a different perspective than what I described above as what he probably has configured in that picture. If I were to configure two firewalls back to back the way I think you're talking about, I would set up one in front of the firewall that does the NAT as a bridge, as documented here:
http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

Ideally, you'd probably want to use two completely different firewalls for this, in case somebody found a way to construct packets to bypass ipfilter (m0n0wall's firewalling software). This is incredibly, extremely unlikely, but if you're paranoid enough to put in two firewalls, you might as well go all the way.

Advantages:
- could potentially be more secure, especially if using two different platforms
- a configuration mistake on one typically wouldn't be an issue unless the same mistake was made on both

Disadvantages:
- administrative headache (config changes have to be done in two places)
- twice the normal firewall administration
- twice the single points of failure

Overall, this isn't going to buy you much of anything for the effort, and I wouldn't bother in most any circumstance.

> And lastly, on a separate note, are there any load balancing/failover
> features planned for monowall in the future?
>

Maybe for 1.3, that's still pretty up in the air though (as are all things with 1.3 at this point).

-Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
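As an added illustration of the back-to-back setup Chris describes (a filtered bridge in front of the NAT firewall), here is a small Python model of how a packet is evaluated by two independent layers. It is example code written for this page, not code from the m0n0wall project or from anyone on the thread. It goes slightly beyond the mail by showing both points from the advantages/disadvantages list in one run: a pass-all mistake on the first layer is still stopped by the second, and a change applied to only one layer silently blocks legitimate traffic. The layer names, addresses, ports and rule sets are constructed for the example; NAT translation itself is not modelled, and each layer is assumed to be an ordered first-match rule list with an implicit default deny.

```python
"""Two firewalls back to back: a filtered bridge in front of a NAT firewall.

Added illustration, not m0n0wall code. Each layer is an ordered, first-match
rule list with an implicit default deny. NAT translation is not modelled:
the second layer is assumed to filter on the same public address the bridge saw.
All addresses, ports and names below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None matches any protocol
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Firewall:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        """First matching rule wins; no match means block (default deny)."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "block"


def traverse(layers: List[Firewall], p: Packet) -> Tuple[str, str]:
    """Push a packet through the layers in order.

    Returns (verdict, deciding_layer): the first layer that blocks the packet
    decides; only if every layer passes it does the packet get through.
    """
    for fw in layers:
        if fw.decide(p) != "pass":
            return "block", fw.name
    return "pass", layers[-1].name


PUBLIC_WEB = "203.0.113.10/32"   # constructed public address of the web server
DMZ = "203.0.113.0/24"           # constructed subnet the bridge sits in front of


def build_layers(bridge_mistake: bool = False,
                 ssh_on_nat_only: bool = False) -> List[Firewall]:
    """Build the two-layer policy; the flags inject the two situations
    discussed in the thread (a mistake on one layer, a change made on one only)."""
    bridge = Firewall("filtered-bridge", [
        Rule("pass", "tcp", dst=DMZ, dport=80),
        Rule("pass", "tcp", dst=DMZ, dport=443),
    ])
    nat = Firewall("nat-firewall", [
        Rule("pass", "tcp", dst=PUBLIC_WEB, dport=80),
        Rule("pass", "tcp", dst=PUBLIC_WEB, dport=443),
    ])
    if bridge_mistake:
        # an accidental pass-everything rule placed at the top of the first layer
        bridge.rules.insert(0, Rule("pass"))
    if ssh_on_nat_only:
        # an admin opens SSH on the second layer and forgets the first one
        nat.rules.append(Rule("pass", "tcp", dst=PUBLIC_WEB, dport=22))
    return [bridge, nat]


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed outside client
    web = Packet(client, "203.0.113.10", "tcp", 443)
    rdp = Packet(client, "203.0.113.10", "tcp", 3389)
    ssh = Packet(client, "203.0.113.10", "tcp", 22)
    print("normal web      :", traverse(build_layers(), web))
    print("rdp, bridge open:", traverse(build_layers(bridge_mistake=True), rdp))
    print("ssh, nat only   :", traverse(build_layers(ssh_on_nat_only=True), ssh))
```

The third case is the "config changes have to be done in two places" headache in concrete form: the SSH rule exists on the NAT firewall, yet the connection never reaches it because the bridge in front still has no matching pass rule, and the only symptom is a block logged on a different box than the one that was just changed.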