 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] some newcomer-questions
 Date:  Tue, 23 May 2006 14:48:13 -0400
On 5/23/06, jochen thomas <jochenthomas at yahoo dot com> wrote:
>
> As you can see I want to create a double-firewalled small environment.
>

Why use two firewalls?  One with 3 interfaces would accomplish the
same thing, and be less complex and easier to deal with.


> I am not really sure if this will work regarding these points:
> - VoIP-clients/Phones (SIP + varying UDP-Ports + NAT) / very important
> - how to route these VoIP (UDP) streams (SIP and IAX2)?

Somebody else will have to answer your VoIP questions; there are a
bunch of people who work with VoIP regularly on this list.


> - exact routing of different protocols, e.g. smtp/pop3 only to sendmail-server, but HTTP at
> all three NICs at monowall-1 (can I use more than 3 NICs? --> one external, two DMZ,
> one internal)

You can use as many NICs as you can fit in your system.


> - secure access to Server2003 via Tunnel through both monowalls
> - routing to different port-80 http-servers (to sendmail-server, to asterisk-server, and to
> some others (each has a different domain, like sendmail.domain.com,
> asterisk.domain.com, server2003.differentdomain.com)) --> what is the best way?

Have to have multiple public IPs.


> - what about intrusion detection,

IDS should be a different system.


> what about stateful inspection,

m0n0wall is fully stateful.

> SYN flood,

There isn't any SYN flood protection, but personally, even on my PIX
firewalls, I use the protection in the OS of the system anyway and
disable it on the firewall.  The OS should have adequate protection
(if not, use a different one), and it knows much better than the
firewall can what it can handle.


> port scans,

What about them?  They'll happen.  Things you open will show open,
things you don't won't.

> http-filters?

Nothing higher than layer 3 and 4 in m0n0wall, so no.

I give up on answering any more questions in one email.  Use Google
with site:m0n0.ch; you'll find your answers for the most part.

-Chris