 
 From:  David Pierron <david at wombatsweb dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] What cables/What IP address?
 Date:  Wed, 07 Jul 2004 14:18:28 -0400
At 01:45 PM 07/07/2004, vincent at bikost dot com wrote:
>Yes: if you want to have your m0n0wall between the router and the other
>machines (typical scenario for a firewall). The other machines on your LAN
>should no longer directly use the router as their gateway. More: the
>router should not be plugged into the same switch.
>
>The topology should be:
>Internet <-> router <-> WAN-[m0n0wall]-LAN <-> switch <-> other machines
>
>You should keep your router and m0n0's WAN on the current IP scheme and
>have your other machines (with private IP addresses - see RFC 1918) hidden
>behind a simple (default) NAT config on m0n0
>
>If you really need to reach the other machines from the Internet by their
>public IP address, you can set up 1:1 NAT to bind a real, known IP to the actual
>private IP of each machine.
>
>Another approach would be to turn m0n0wall into a filtering bridge
>(IP-less, sort of a hidden box from the IP perspective), but I don't know if
>it's possible. I just know OpenBSD does it very well!
>
>I hope you see what I mean...

Yes ... I think I will look into OpenBSD if it has the IP-less solution ... 
I want something to block ports network wide rather than running individual 
software firewalls on all the machines ...  My ISP was gracious enough to 
allot me my own routable C Class, so I don't think I will be running 
out of IP addresses anytime soon, and to me that seems the reason for using 
non-routable IP addresses in a NAT environment: to get a C Class from one 
IP address ...

I could also be wrong ...  Just seems like too much work to manage two sets 
of IP address ranges if I am doing a 1:1 ...  Then I can't access the 
machines by IP addresses within the network ...  If there are benefits to 
changing all the IP addresses in my network, I'm all ears, but mostly all 
the machines are servers (95%) ... or serve something to the Internet 
...  Just doesn't make sense to me to even use non-routables ...

I have considered using one of the FreeBSD Firewall recipes that are on the 
Internet, specifically 
http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html but I 
think when all is compiled and done, I may be exactly where I am now ...

I run my own DNS servers (including reverse), SMTP, POP3, IMAP, IRC, 
Counter-Strike, HTTP, FTP .. the works, and I do web hosting ...  I have 
Cisco ACLs in place on the router and individual software firewalls/packet 
sniffers on the Windows machines ...  This slows Windows down a LOT 
...  The BSD machines are lightning by comparison, on lesser hardware ...

I am hoping that a PC Powered firewall will be fast and secure enough to 
get rid of the software ones on the Windows machines ...

> > If this is the case, it would be easier to change the IP address of the
> > router, yes?
>
>If you set up NAT for your private LAN, nothing to do here.
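
As an added example (not from the original thread, and not m0n0wall's own configuration), here is what the topology vincent describes looks like as IPFilter rules on a FreeBSD box sitting in the m0n0wall position, in the style of the FreeBSD-STABLE/IPFILTER recipe David mentions: the LAN is renumbered to RFC 1918 space behind a default NAT, one server is exposed to its public address with a 1:1 (bimap) mapping, and the WAN side defaults to deny with only a few of the services David lists opened. The interface names (fxp0 = WAN towards the router, fxp1 = LAN), the public range 203.0.113.0/24 and the private range 192.168.1.0/24 are placeholders, not values from the page.

```conf
# /etc/ipnat.conf   (assumed: fxp0 = WAN facing the router, fxp1 = LAN)
# ipnat matches rules in order, so the 1:1 mapping for the public server
# must come before the catch-all map for the rest of the LAN.
# 1:1 NAT: 203.0.113.10 on the wire is 192.168.1.10 inside (both directions).
bimap fxp0 192.168.1.10/32 -> 203.0.113.10/32
# Default NAT for every other private host, hidden behind the WAN address (0/32).
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.1.0/24 -> 0/32

# /etc/ipf.conf
# IPFilter translates inbound packets BEFORE the filter sees them, so inbound
# rules on the WAN name the private address, not the public one.
# Drop fragments too short to carry a full header, and RFC 1918 sources arriving
# from the Internet side (they can only be spoofed).
block in log quick on fxp0 all with short
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any

# Outbound from the LAN: allow and keep state so replies come back without
# needing inbound rules.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Inbound services on the 1:1-mapped server (private address after translation).
pass in quick on fxp0 proto tcp from any to 192.168.1.10 port = 25 flags S keep state   # SMTP
pass in quick on fxp0 proto tcp from any to 192.168.1.10 port = 80 flags S keep state   # HTTP
pass in quick on fxp0 proto tcp from any to 192.168.1.10 port = 53 flags S keep state   # DNS
pass in quick on fxp0 proto udp from any to 192.168.1.10 port = 53 keep state           # DNS

# Everything else arriving on the WAN is denied and logged.
block in log quick on fxp0 all

# The LAN side is trusted in this example; tighten per host if needed.
pass in quick on fxp1 all
pass out quick on fxp1 all
```

The bimap line is what lets a server keep a public identity without the LAN keeping public addresses: hosts inside still reach it as 192.168.1.10, while the Internet reaches it as 203.0.113.10, and the firewall rewrites both directions. Each additional public server gets its own bimap line plus its own pass rules; the other hosts stay hidden behind the map rules and need nothing else.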