[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Layered Monowall Network Configuration
 Date:  Mon, 5 Dec 2005 23:25:30 -0500
On 12/5/05, Joe Rodiguez Jr. <jrodriguezjr at gmail dot com> wrote:
> Hi All,
> I am sure that these questions have been asked before but I searched high
> and low and could not find anything on the subject.
> First a little background..... I was casually just looking at some of the
> photos on the gallery of the Monowall homepage that showed how different
> folks around the globe have configured Monowall.  One particular one that
> sparked my interest was a photo by Jeroen Visser off the gallery page that
> showed his configuration with multiple firewall layers.  According to the
> photo this gentlemen submitted, he has a main firewall and other "routing"
> firewalls under the main firewall using monowall.

I'd be curious to see how this is actually set up.  Given that they're
labeled "routing firewalls", I'd guess they're routing between VLAN's
or multiple broadcast domains physically segregated.  So they probably
control traffic between internal subnets.  If that's the case, they're
just routers that happen to have firewalling capabilities.  Most
networks don't have multiple internal subnets like that (until you get
to ~200+ hosts).

> I am very interested in this type of configuration.  Here are my questions
> regarding this:
> 1. Does this layered firewall approach have a name for this type of
> configuration?

not that I'm aware of.  nothing standard, at least.

> 2. Does anyone know of any monowall recourses that they could point me to
> get more information?

haven't seen any.

> 3. Is this configuration documented?

not that I'm aware of.

> 4. What type of advantages/disadvantages does this configuration have?

I'll take this from a different perspective than what I described
above as what he probably has configured in that picture.  If I were
to configure two firewalls back to back the way I think you're talking
about, I would setup one in front of the firewall that does the NAT as
a bridge, as documented here:

Ideally, you'd probably want to use two completely different firewalls
for this, in case somebody found a way to construct packets to bypass
ipfilter (m0n0wall's firewalling software).  This is incredibly,
extremely unlikely, but if you're paranoid enough to put in two
firewalls, you might as well go all the way.

-could potentially be more secure, especially if using two different platforms
-a configuration mistake on one typically wouldn't be an issue unless
the same mistake was made on both

-administrative headache (config changes have to be done in two places)
-twice the normal firewall administration
-twice the single points of failure

Overall, this isn't going to buy you much of anything for the effort,
and I wouldn't bother in most any circumstance.

> And lastly, on a separate note, are there any load balancing/failover
> features planned for monowall in the future?

maybe for 1.3, that's still pretty up in the air though (as are all
things with 1.3 at this point).