At 02:36 PM 3/28/2004, forums wrote:
>Let me know how many of you have used m0nowall in the corp
>environment...as well as how many PCs/workstations are connected behind it.
We've got a net4801 as our exterior firewall between our DMZ and the AT&T
cloud at an AT&T colocation center. It is connected to AT&T via a 100Mbps
FDX Ethernet segment. We're averaging about 2Mbps through it, bursting to
100. We're not doing NAT, but just passing our class C addresses
through. There is a clustered pair of Sun E3500 servers and 3
Apache/Tomcat web servers on our production network, plus about 100 PC
workstations and an Exchange e-mail server at the office. All eventually
go through the Soekris m0n0wall.
The firewall rules are fairly simple, blocking address spoofing, RFC-1918
addresses, draft-manning-dsua and multicast addresses in and outbound.
The third interface is on a separate management network and allows only
SNMP and HTTPS in to the m0n0wall itself.
I also have a net4501 at home, doing NAT for my home network and protecting
my machines from the great unwashed out on Cox cable. It also is one
endpoint for a VPN tunnel to the office. The other end is a Checkpoint
Firewall 1 on a Sun E250, which terminates about 70 other VPNs and has
hardware acceleration for encryption. We plan to test a net4801 with the
vpn1211 to see how many tunnels it will run. It would be fun to replace a
$30k box with a $300 one.
>If you believe it's not ready for mission critical purposes please let
>me know why.
I don't know of any reason. The Soekris boxes have no moving parts and
should last years without outage. FreeBSD (and therefore m0n0wall) is
pretty much bulletproof. If you enable the hardware watchdog, even if
someone manages to DoS you to death, you'll be back up in under a
minute. And with ICMP response limiting, I've not seen a FreeBSD DoS'd out
As always, your mileage may vary, and test before deployment if at all
possible. But I'd say, go for it.
Chad R. Larson (CRL22) chad at eldocomp dot com
Eldorado Computing, Inc. 602-604-3100
5353 North 16th Street, Suite 400
Phoenix, Arizona 85016-3228
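The rule set Chad describes (anti-spoofing, RFC-1918, draft-manning-dsua and multicast filtering in and outbound on a non-NAT edge, plus a third management interface that admits only SNMP and HTTPS to the firewall itself) modelled as an added Python example. This is not m0n0wall code and not his configuration: the site prefix, management segment, firewall management address and sample packets are constructed placeholders from the RFC 5737 documentation ranges, and the exact draft-manning-dsua list is an assumption since the post does not enumerate it.

```python
"""Model of an edge packet-filter policy for a routed (non-NAT) class C.

Added example, not m0n0wall's ruleset.  Addresses below are constructed
placeholders; replace SITE_NET, MGMT_NET and FW_MGMT_ADDR for a real site.
"""
from ipaddress import ip_address, ip_network

# Assumed site addressing (documentation space, not a real prefix)
SITE_NET = ip_network("198.51.100.0/24")     # the public block routed through the firewall
MGMT_NET = ip_network("192.168.250.0/24")    # the separate management segment
FW_MGMT_ADDR = ip_address("192.168.250.1")   # the firewall's own address on that segment

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Remaining special-use ranges from draft-manning-dsua (assumed list)
SPECIAL_USE = [ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                                        "192.0.2.0/24", "240.0.0.0/4")]
MULTICAST = [ip_network("224.0.0.0/4")]
NEVER_ON_THE_WAN = RFC1918 + SPECIAL_USE + MULTICAST

# Only SNMP and HTTPS may reach the firewall over the management interface
MGMT_ALLOWED = {("udp", 161), ("tcp", 443)}


def in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(iface, direction, proto, src, dst, dport):
    """Return ('pass' | 'block', reason) for one packet.

    iface: 'wan' or 'mgmt'; direction: 'in' (arriving on iface) or 'out'.
    """
    src, dst = ip_address(src), ip_address(dst)

    if iface == "wan":
        # Bogon filtering applies in both directions: these prefixes are never
        # legitimate on the Internet side, as source or destination.
        if in_any(src, NEVER_ON_THE_WAN) or in_any(dst, NEVER_ON_THE_WAN):
            return "block", "RFC-1918/special-use/multicast address on WAN"
        # Ingress anti-spoof: our own addresses cannot arrive from outside.
        if direction == "in" and src in SITE_NET:
            return "block", "spoofed source: our prefix arriving from the WAN"
        # Egress anti-spoof: only our own addresses may leave.
        if direction == "out" and src not in SITE_NET:
            return "block", "egress spoof: source is not in our prefix"
        return "pass", "routed public traffic"

    if iface == "mgmt":
        if (direction == "in" and src in MGMT_NET and dst == FW_MGMT_ADDR
                and (proto, dport) in MGMT_ALLOWED):
            return "pass", "management access to the firewall"
        return "block", "mgmt interface admits only SNMP/HTTPS to the firewall"

    return "block", "no policy for interface (default deny)"


# Constructed sample packets: (iface, direction, proto, src, dst, dport)
SAMPLES = [
    ("wan", "in", "tcp", "203.0.113.7", "198.51.100.10", 80),        # normal web hit
    ("wan", "in", "tcp", "10.1.2.3", "198.51.100.10", 80),           # RFC-1918 source
    ("wan", "in", "tcp", "198.51.100.5", "198.51.100.10", 22),       # spoofed as us
    ("wan", "out", "udp", "198.51.100.10", "224.0.0.251", 5353),     # multicast leaking out
    ("wan", "out", "tcp", "203.0.113.9", "203.0.113.7", 443),        # egress spoof
    ("mgmt", "in", "tcp", "192.168.250.20", "192.168.250.1", 443),   # HTTPS to firewall
    ("mgmt", "in", "udp", "192.168.250.20", "192.168.250.1", 161),   # SNMP to firewall
    ("mgmt", "in", "tcp", "192.168.250.20", "192.168.250.1", 22),    # SSH: not permitted
]


def run_samples():
    """Evaluate every sample packet; returns a list of (action, reason)."""
    return [filter_packet(*pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLES, run_samples()):
        print(f"{action:5s} {pkt[0]:4s} {pkt[1]:3s} {pkt[3]} -> {pkt[4]}:{pkt[5]}  ({reason})")
```

The order of checks matters: the bogon test runs before the anti-spoof tests so that a packet with an RFC-1918 source is reported as such rather than as a generic spoof, and the management policy is a positive allow-list (source segment, destination is the firewall itself, protocol and port) with everything else falling through to block.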