Deploy Monowall in front of some public web and ftp servers. There are about 12 servers on the subnet to be protected. May be able to work with the upstream router maintainer, but it would be easier if I can use one of the IP addresses in our existing allocated subnet as the WAN port IP address.

I tried doing this with WAN <-> OPT1 bridging + filtering. It is working great except for FTP. Outbound FTP is now generally working, though I did need to add rules for sites that only allow active FTP. For those, I had to grant specific remote hosts access to large port ranges coming back through the monowall to accommodate them.

Now we're seeing remote users having trouble accessing anonymous FTP on hosts behind the monowall. Both active and passive seem problematic, but I need to recheck the rules to make sure it's not administrator error. Previous replies to the list said FTP won't work without NAT.

Any suggestions for the best NAT to use for this circumstance?

- About 12 hosts behind the Monowall; some but not all run public FTP servers or web servers
- May be able to work with the upstream router owner, but that will slow down implementation

When I've done this before with a PIX, I ended up using a private IP address on the outside interface, and the upstream router put in a static route to our networks going through that private subnet. Then I did 1:1 NAT across the PIX from outside to inside interface to avoid having to renumber/reconfigure all the inside hosts.

Is that the best solution for this case with Monowall, or am I missing something easier? (I hope!)

Thanks for any replies!