followup on m0n0wall

Bill McGonigle bill at bfccomputing.com
Fri Feb 10 10:10:01 EST 2006


On Feb 10, 2006, at 07:30, Ben Scott wrote:

>   Can you switch to a routed configuration by using CIDR subnets

unfortunately no, they have a few machines peppered at both ends of 
their netblock.

> and/or NAT'ing the DMZ addresses (thereby eliminating the need to do
> much, if any, IP reconfiguration)?  Remember, NAT != RFC-1918.  You
> can NAT public IP space, too.  (Granted, I dunno if FreeBSD supports
> NAT'ing overlapping subnets, either, but maybe...).

I'm guessing not simply because lots of people have asked how to do 
this and the BSD networking guys haven't offered that as a solution.  
Really, you can static route anything if you try hard enough, but one 
of the things that makes m0n0wall so nice is the usable GUI and they 
don't particularly encourage CLI modification.  I could make a new 
image (in theory; Linux doesn't mount this flavor of BSD FFS and at last 
try the FreeBSD FTP site wasn't successfully offering downloads of 
their ISOs) but I want the user to be able to do his own software 
updates just by burning a new CD image from the m0n0wall site.  So if 
it's not easily reflected in the config.xml file it's hard to support.

Since my last report, it seems IPCop doesn't do it either:

> optional transparent bridge
> 9 Nov 2001 Mark: Perhaps we can do unmasqueraded forwarding (i.e. 
> static routing), perhaps only limited to DMZ's. But I don't want to 
> include bridging.
> 09-Nov-01 esj: this is definitely a ransomware feature. It can be 
> useful but only for sophisticated enterprises. On the other hand, we 
> do want to do masquerading and pinholes for subnets so that you can 
> have a series of red interfaces with pinholes to the DMZ. This should 
> probably also be ransomware but I'm willing to be convinced otherwise.

But this wishlist is pretty far out of date and their ideas about who 
would want this are a bit skewed.  'sophisticated enterprises' know how 
to route. :)

The bugger is I can do all this really easily with a stock linux box 
but I don't want to own the solution.  I'm thinking it's time to talk 
about routing this DMZ again.

-Bill

-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf