[ previous ] [ next ] [ threads ]
 
 From:  "Bruce A. Mah" <bmah at acm dot org>
 To:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DMZ strategies and recommendations
 Date:  Sat, 24 Jan 2004 11:00:08 -0800
If memory serves me right, Michael A. Alderete wrote:
> I am getting ready to move my servers behind the basic DHCP/NAT m0n0wall
> configuration that I described in my Getting Started guide
> (http://www.aldosoft.com/docs/m0n0wall-getting-started.html).

I confess I haven't really read this yet, but I skimmed it and it
looked really nice.  Pictures and screenshots are a Good Thing (TM).

> The Advocates
> -------------
> Bruce Mah, who contributed the filtering bridge, seems to advance solution
> #1 in his post on 18-Nov-2003,
> <http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=13&actionargs[]=25>,but
> does not actually confirm that the occasional LAN clients on his network
> can access the DMZ servers.

Not sure if I have time to follow this discussion but I'll clarify
that I don't use the m0n0wall LAN port for anything other than
accessing the LAN GUI.  (Maybe I mentioned that in my earlier post?)

Anyways...other people have indicated that they've had difficulty
making hosts attached to their LAN ports talk to hosts on their DMZ
port.  I'd tend to believe that there really is a problem here.

BTW, I don't consider myself an "advocate" for the filtering bridge
functionality.  :-)  I believe that it works well for me, and a
non-trivial set of other m0n0wall users, but I would never push it as
a universal solution, even if it didn't have this problem with NAT-ted
hosts.

> Manuel has commented once or twice that he sometimes wishes he could rip
> out the bridging, and seems to recommend approach #2 as more
> straightforward. There have also been comments about issues with the
> bridging and NAT interacting incorrectly.
> 
> I would probably prefer to go with approach #1, since that should involve
> zero changes to my servers, and seems simpler on the configuration side of
> m0n0wall, too.

A strong requirement for me is the ability to be able to have direct
access to multiple machines on my DMZ network.  So this implies either
1-to-1 NAT or bridging.

I have a severe prejudice (which I freely admit) against NAT, so
this is why I was strongly motivated to make the filtering bridge
work.  On my home network, I do (for hysterical raisins) have some
hosts behind a NAT, but that NAT is completely separate from my
m0n0wall box.

Cheers,

Bruce.