 From:  "Chad R. Larson" <clarson at eldocomp dot com>
 To:  forums <forums at deleos dot com>, "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] m0n0wall as a corporate solution...how many are using it this way?
 Date:  Mon, 29 Mar 2004 16:53:00 -0700
At 02:36 PM 3/28/2004, forums wrote:
>Let me know how many of you have used m0nowall in the corp 
>environment...as well as how many PCs/workstations are connected behind it.

We've got a net4801 as our exterior firewall between our DMZ and the AT&T 
cloud at an AT&T colocation center.  It is connected to AT&T via a 100Mbps 
FDX ethernet segment.  We're averaging about 2Mbps through it, bursting to 
100.  We're not doing NAT, but just passing our class C addresses 
through.  There is a clustered pair of Sun E3500 servers and 3 
Apache/Tomcat web servers on our production network, plus about 100 PC 
workstations and an Exchange e-mail server at the office.  All eventually 
go through the Soekris m0n0wall.

The firewall rules are fairly simple, blocking address spoofing, RFC-1918 
addresses, draft-manning-dsua and multicast addresses in and outbound.

The third interface is on a separate management network and allows only 
SNMP and HTTPS in to the m0n0wall itself.

I also have a net4501 at home, doing NAT for my home network and protecting 
my machines from the great unwashed out on Cox cable.  It also is one 
endpoint for a VPN tunnel to the office.  The other end is a Checkpoint 
Firewall 1 on a Sun E250, which terminates about 70 other VPNs and has 
hardware acceleration for encryption.  We plan to test a net4801 with the 
vpn1211 to see how many tunnels it will run.  It would be fun to replace a 
$30k box with a $300 one.

>If you believe it's not ready for mission critical purposes please let
>me know why.

I don't know of any reason.  The Soekris boxes have no moving parts and 
should last years without outage.  FreeBSD (and therefore m0n0wall) is 
pretty much bulletproof.  If you enable the hardware watchdog, even if 
someone manages to DoS you to death, you'll be back up in under a 
minute.  And with ICMP response limiting, I've not seen a FreeBSD DoS'd out 
of service.

As always, your mileage may vary, and test before deployment if at all 
possible.  But I'd say, go for it.

Chad R. Larson (CRL22)    chad at eldocomp dot com
   Eldorado Computing, Inc.   602-604-3100
      5353 North 16th Street, Suite 400
        Phoenix, Arizona   85016-3228
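The exterior ruleset Chad describes (anti-spoofing, RFC-1918, draft-manning-dsua special-use blocks and multicast, in and outbound) modelled as an added example that is not part of the original post or of m0n0wall itself. The public /24 (198.51.100.0/24), the interface names and the packet records are constructed; the special-use list is my reading of draft-manning-dsua and should be checked against the draft version you deploy.

```python
from ipaddress import ip_address, ip_network

# Our own public class C, a constructed placeholder for this example.
OUR_NET = ip_network("198.51.100.0/24")

# Special-use blocks per draft-manning-dsua (assumed list; verify against the
# draft you deploy). It already covers the RFC-1918 ranges and multicast.
SPECIAL_USE = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def verdict(iface, src, dst):
    """Return (action, reason) for a packet seen on 'wan' or 'lan'.

    Anti-spoofing: our own prefix must never arrive from the outside, and
    nothing but our own prefix may leave. Then drop any special-use or
    multicast address as source or destination, in either direction.
    """
    s, d = ip_address(src), ip_address(dst)
    if iface == "wan" and s in OUR_NET:
        return "block", "spoofed source (ours) inbound"
    if iface == "lan" and s not in OUR_NET:
        return "block", "spoofed source (not ours) outbound"
    for net in SPECIAL_USE:
        if s in net or d in net:
            return "block", f"special-use/multicast {net}"
    return "pass", "ok"


def filter_packets(records):
    """Apply verdict() to (iface, src, dst) tuples; return blocked ones with reasons."""
    return [(r, verdict(*r)) for r in records if verdict(*r)[0] == "block"]


# Constructed sample traffic: one legitimate inbound flow and four policy hits.
SAMPLE = [
    ("wan", "203.0.113.7", "198.51.100.10"),   # legitimate inbound
    ("wan", "198.51.100.5", "198.51.100.10"),  # our prefix from outside: spoof
    ("wan", "10.1.2.3", "198.51.100.10"),      # RFC-1918 source inbound
    ("lan", "198.51.100.10", "224.0.0.9"),     # multicast destination outbound
    ("lan", "192.168.1.4", "203.0.113.7"),     # RFC-1918 leaking out
]

if __name__ == "__main__":
    for rec, (action, why) in filter_packets(SAMPLE):
        print(action, rec, why)
```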

