followup on m0n0wall

Bill McGonigle bill at bfccomputing.com
Thu Feb 9 22:58:01 EST 2006


This is a followup on the MonadLUG meeting a few months back on open 
source firewalls.  I was particularly impressed with m0n0wall from the 
talk and have installed it at a small office and it works great.  They 
have an XML config file, boot from CD (config on floppy/flash) and a 
very nice GUI.  It's working great at that location and the client 
loves everything about it.  Cisco should be this good.

So, I was all psyched to use it for a larger client installation and I 
hit a major snag, which is a FreeBSD limitation.  This client has their 
DMZ IPs bridged to the WAN connection, so their servers have real IP 
addresses, not NAT'ed addresses.  This is for historical reasons but 
it's so ingrained that short of their ISP and its netblocks going poof, 
it's never going to change, and would require hundreds of man-hours to 
change.  They ought to, but it won't happen.

But m0n0wall can do bridging...

So, they also have a LAN which is NAT'ed.  They have a few hundred 
devices on their 10. network there which ride a NAT'ed address out to 
the Internet.  And m0n0wall can do that.

Here's where you get the gotcha - under BSD due to the way the bridge 
device and the ipnat device work, you can't talk from a NAT'ed device 
on one interface to a bridged device on another.  Packets go out but 
don't know how to get back.  The BSD network gurus have looked at it, 
said, 'dang, that should be possible,' but have decided it would be way 
too hard to get working.

So, for this client I'll be using a Linux-based firewall, probably 
IPCop, which I don't believe (but need to prove to myself in the lab) 
has this problem.

-Bill
-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
