At 01:45 PM 07/07/2004, vincent at bikost dot com wrote:
>Yes: if you want to have your m0n0wall between the router and the other
>machines (typical scenario for a firewall). The other machines on your LAN
>should no longer directly use the router as their gateway. More: the
>router should not be plugged into the same switch.
>The topology should be:
>Internet <-> router <-> WAN-[m0n0wall]-LAN <-> switch <-> other machines
>You should keep your router and m0n0's WAN on the current IP scheme and
>have your other machines (with private IP addresses - see RFC 1918) hidden
>behind a simple (default) NAT config on m0n0
>If you really need to reach the other machines from the Internet by their
>public IP address, you can set 1:1 NAT to bind a real known IP to the actual
>private IP for each machine.
>Another approach would be to turn m0n0wall into a filtering bridge
>(IP-less, sort of hidden box from the IP perspective), but I don't know if
>it's possible. I just know OpenBSD does it very well!
>I hope you see what I mean...
Yes ... I think I will look into OpenBSD if it has the IP-less solution ...
I want something to block ports network wide rather than running individual
software firewalls on all the machines ... My ISP was gracious enough to
allot me my own routable C Class, so I don't think I will be running
out of IP addresses anytime soon, and to me that seems the reason for using
non-routable IP addresses in a NAT environment, to get a C Class from one
IP address ...
I could also be wrong ... Just seems like too much work to manage two sets
of IP address ranges if I am doing a 1:1 ... Then I can't access the
machines by IP addresses within the network ... If there are benefits to
changing all the IP addresses in my network, I'm all ears, but mostly all
the machines are servers (95%) ... or serve something to the Internet
... Just doesn't make sense to me to even use non-routables ...
I have considered using one of the FreeBSD Firewall recipes that are on the
http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html but I
think when all is compiled and done, I may be exactly where I am now ...
I run my own DNS servers (including reverse), SMTP, POP3, IMAP, IRC,
Counter-Strike, HTTP, FTP .. the works, and I do web hosting ... I have
Cisco ACLs in place on the router and individual software firewalls/packet
sniffers on the Windows machines ... This slows Windows down a LOT
... The BSD machines are lightning compared on lesser hardware ...
I am hoping that a PC Powered firewall will be fast and secure enough to
get rid of the software ones on the Windows machines ...
> > If this is the case, it would be easier to change the IP address of the
> > router, yes?
>If you set up NAT for your private LAN, nothing to do here.
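The scenario described in this exchange (a routable block kept on the LAN side, no NAT, and one box that blocks ports network-wide instead of per-host software firewalls) can be expressed as an IPFilter ruleset on a FreeBSD box placed between the router and the switch. The following is an added example written for this thread; it is not from the posters, from m0n0wall, or from the schlacter.net recipe mentioned above. It assumes fxp0 is the WAN interface facing the router, fxp1 is the LAN interface facing the switch, and 203.0.113.0/24 (a documentation range) stands in for the routable Class C; the per-host service addresses are placeholders chosen for the example.

```conf
# Added example ruleset (ipf.conf syntax) for a routed, non-NAT firewall.
# Assumed interfaces: fxp0 = WAN (towards the router), fxp1 = LAN (towards the switch).
# Assumed address block: 203.0.113.0/24 is a placeholder for the routable Class C.

# Anti-spoofing: packets arriving from the Internet must not claim a source inside our block
block in quick on fxp0 from 203.0.113.0/24 to any
# RFC 1918 sources cannot legitimately arrive from the Internet either
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 192.168.0.0/16 to any

# Default deny for everything entering from the WAN; logged so blocked probes show up in ipmon.
# No "quick" here: a later matching "pass ... quick" rule overrides it for permitted services.
block in log on fxp0 all

# Permit only the published services, per host. "keep state" admits the reply packets;
# "flags S" means only a connection-opening SYN can create the state entry.
# 203.0.113.10 (placeholder): authoritative DNS, so both UDP and TCP
pass in quick on fxp0 proto udp from any to 203.0.113.10 port = 53 keep state
pass in quick on fxp0 proto tcp from any to 203.0.113.10 port = 53 flags S keep state
# 203.0.113.20 (placeholder): mail, SMTP / POP3 / IMAP
pass in quick on fxp0 proto tcp from any to 203.0.113.20 port = 25 flags S keep state
pass in quick on fxp0 proto tcp from any to 203.0.113.20 port = 110 flags S keep state
pass in quick on fxp0 proto tcp from any to 203.0.113.20 port = 143 flags S keep state
# 203.0.113.30 (placeholder): web hosting
pass in quick on fxp0 proto tcp from any to 203.0.113.30 port = 80 flags S keep state
# 203.0.113.40 (placeholder): FTP control channel only; passive data connections
# need either the ipnat FTP proxy or an explicitly passed port range
pass in quick on fxp0 proto tcp from any to 203.0.113.40 port = 21 flags S keep state

# LAN hosts may initiate outbound connections; the state entries let the replies back in
pass out quick on fxp0 proto tcp from 203.0.113.0/24 to any flags S keep state
pass out quick on fxp0 proto udp from 203.0.113.0/24 to any keep state
pass out quick on fxp0 proto icmp from 203.0.113.0/24 to any keep state

# The LAN interface is not filtered here; the WAN side is the single enforcement point
pass in quick on fxp1 all
pass out quick on fxp1 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and check rule hit counters with `ipfstat -hio`; the counter on the `block in log on fxp0 all` line is the quickest way to confirm that unsolicited traffic to unpublished ports is being dropped at the firewall rather than reaching the hosts. Because the rules are keyed on the public addresses the hosts already have, nothing about the internal addressing changes, which is the point raised above about not wanting to manage two sets of address ranges.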