Monowall first impressions
After reading many suggestions to use m0n0wall as a LAN firewall, I decided to look into it. m0n0wall comes in 3 configurations: CD-ROM and floppy for a PC, hard disk/Compact Flash for a PC, or an embedded device. It is open source software, so it can be downloaded freely. Please read the license for details.
Download and Installation
I chose the CD/floppy version since I already have a firewall and just wanted to learn about it. The download was about 5 megabytes. I downloaded the ISO image and burned a CD using Roxio with no problems, put the CD in the test computer, and it was up after a reboot.
The test computer configuration was a Pentium II 333 with 128 megabytes of RAM, a fairly new Linksys card, an older D-Link PCI network card, a Yamaha CD burner and a Hitachi DVD-ROM drive.
Initial configuration
m0n0wall boots into a menu. The OS itself is unreachable, which I consider a good thing. The older D-Link card was not recognized by m0n0wall, so I could not actually use the PC as a firewall. m0n0wall's site has a list of supported hardware. I saw no provision for using the same interface with different IPs to pass the traffic, which was probably a conscious decision on the developer's part for security reasons.
I assigned the working NIC to the LAN in the menu and set the LAN IP to be on my subnet. m0n0wall supports classless subnets, but not IP ranges as part of the subnet, so you must understand subnetting to some degree. It's easy enough to understand, and the more common subnet masks are displayed for you. I use a /28 (255.255.255.240) mask at home, so I had to enter 192.168.0.12 as the LAN IP and 28 as the subnet bit count. Then the menu asks you whether you want m0n0wall to act as a DHCP server.
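As an added illustration (not code from the article or from m0n0wall), the following works out what the console menu asks for from a LAN address and a CIDR bit count, using the article's own values, and checks that the chosen address is a usable host rather than the subnet's network or broadcast address.

```python
# Added example: derive the dotted mask, network, broadcast and usable host
# range for an address/prefix pair such as the article's 192.168.0.12/28.

def ip_to_int(ip):
    """Pack a dotted-quad string into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    """Unpack a 32-bit integer into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_info(ip, bits):
    """Return mask, network, broadcast and usable host range for ip/bits."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    network = ip_to_int(ip) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    # /31 and /32 have no separate network/broadcast addresses; a LAN segment
    # needs a normal subnet, so treat them as having no usable hosts here.
    usable = (network + 1, broadcast - 1) if bits <= 30 else None
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(usable[0]) if usable else None,
        "last_host": int_to_ip(usable[1]) if usable else None,
        "host_count": (usable[1] - usable[0] + 1) if usable else 0,
    }

def is_usable_host(ip, bits):
    """True if ip is a host address (not network/broadcast) within its subnet."""
    info = subnet_info(ip, bits)
    if info["host_count"] == 0:
        return False
    n = ip_to_int(ip)
    return ip_to_int(info["first_host"]) <= n <= ip_to_int(info["last_host"])

if __name__ == "__main__":
    # The article's LAN: 192.168.0.12 with a 28-bit mask.
    print(subnet_info("192.168.0.12", 28))
    print(is_usable_host("192.168.0.12", 28))
```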
The other console options are Reset webGUI password, Reset to factory defaults and Reboot System.
Subsequent Configuration
The remaining configuration is done through the web GUI. There are several screenshots of the web configuration options on the m0n0wall site, so I won't repeat them here. It's a very secure SPI firewall out of the box as long as you go into the web interface and change the admin password. There is also an option to disable the console menu, which is a good idea if you can remember the password. If you forget it, I think you'd be in trouble.
m0n0wall supports static IP addresses, DHCP, PPPoE and PPTP on the WAN interface. It can spoof MAC addresses if necessary. WAN configuration is as simple as on any router. There is also a check box in the WAN configuration to block private IP addresses from the WAN side. I thought this was a very nice feature since it automatically creates the anti-spoofing rules when turned on. Some ISPs run on private IP address space and use NAT at their borders, so unchecking the box allows you to work with them.
If you are moderately knowledgeable about networking you can create a very secure LAN, blocking all but the necessary protocols. Firewall rules are easy to configure and are split automatically into separate access lists for the LAN and WAN ports. Port forwarding is easily configured to run servers behind the firewall on the LAN. I didn't see an option for port triggering, and I'm not sure whether m0n0wall supports a third network interface to support a true DMZ.
From the user who was persistent enough to make me try this out. He may post more on traffic shaping on his site.
It will support as many interfaces as you can throw at it. It has two by default, but expands to a dedicated WiFi AP...by adding the appropriate wireless card. Any other type of NIC is seen as an "Opt" interface that can be renamed and configured as you wish. I have mine set up as a DMZ with rules:
DMZ -> WAN : Pass
DMZ -> LAN : Block
The optional interfaces can be configured to bridge to any interface as well. This is useful if you have many public IP addresses but want a subnet behind NAT. What is nice is that you can allow those bridged interfaces to follow the same rules you have set for the LAN...shaping, blocking, logging.
On the new betas, the firewall includes a Capture Portal. That allows you to force any "guests" to log in to use the Inet service through a webpage. You can set DHCP leases and block/pass based upon MAC addresses.
Hope this helps!
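To make the rule model concrete, here is an added example (not m0n0wall's code) of a first-match evaluator with one rule list per interface and a default block, the "block private networks" checkbox prepending anti-spoofing rules to the WAN list, and the DMZ -> WAN pass / DMZ -> LAN block policy quoted above. All addresses and rules are constructed samples; the LAN is taken to be the article's 192.168.0.0/28.

```python
# Added example: per-interface first-match packet filtering as the article
# describes it. Rules are dicts; a field that is absent or "any" matches
# everything, and src/dst are (network, prefix_bits) tuples.

RFC1918 = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]

def ip_to_int(ip):
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def in_net(ip, net, bits):
    """True if dotted-quad ip lies inside net/bits."""
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ip_to_int(ip) & mask == ip_to_int(net) & mask

def matches(rule, pkt):
    for field in ("proto", "dport"):
        want = rule.get(field, "any")
        if want != "any" and want != pkt[field]:
            return False
    for field in ("src", "dst"):
        want = rule.get(field, "any")
        if want != "any" and not in_net(pkt[field], *want):
            return False
    return True

def build_rulesets(block_private_on_wan=True):
    """Build the per-interface lists; evaluation is top-down, first match wins."""
    # constructed sample: one published web server reachable from the WAN
    wan = [{"action": "pass", "proto": "tcp", "dport": 80, "dst": ("203.0.113.10", 32)}]
    if block_private_on_wan:
        # what the checkbox generates: packets claiming a private source
        # address cannot legitimately arrive from the Internet side
        wan = [{"action": "block", "src": net} for net in RFC1918] + wan
    dmz = [
        {"action": "block", "dst": ("192.168.0.0", 28)},  # DMZ -> LAN : Block
        {"action": "pass"},                                # DMZ -> WAN : Pass
    ]
    lan = [{"action": "pass"}]
    return {"wan": wan, "dmz": dmz, "lan": lan}

def evaluate(rulesets, iface, pkt):
    """Return 'pass' or 'block' for a packet entering on iface (default block)."""
    for rule in rulesets.get(iface, []):
        if matches(rule, pkt):
            return rule["action"]
    return "block"
```

Unchecking the box (`build_rulesets(block_private_on_wan=False)`) is the case for an ISP that hands out private addresses and NATs at its border, as the article notes.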
Advanced Feature set
m0n0wall supports 1 to 1 address mapping as well as many to 1 (aka PAT, Dynamic NAT, SUA etc.). Another nice feature here is that while setting up a server to run on the inside interface you can choose to have a firewall rule automatically created. This will eliminate a lot of troubleshooting for the novice. Ports can be translated as well as IP addresses.
Several Dynamic DNS services are supported, but only one at a time. Configuration is again about the same as any Dynamic DNS client.
Since I didn't have a wan interface I couldn't configure static routes. I would think if your network is complex enough to need static routes, you could easily add them here. The GUI is easier to use than "route add".
m0n0wall functions as an IPsec VPN endpoint. It can also forward PPTP VPNs to a server inside the LAN, or terminate them at its WAN interface.
m0n0wall's real advantage is its ability to do bandwidth shaping. If someone on your LAN is going to run peer-to-peer applications, you can limit their bandwidth. You can also use this to prioritize (or at least dedicate bandwidth for) IP telephony. With no WAN I was unable to thoroughly test this, and I'm not really familiar with it, but I may get an additional network card or two to test this and some of the other features.
Overall impressions
I liked it. The Compact Flash or CD versions are very attractive because the configuration can be stored either on a write-protected floppy or on another computer. The only real hardware limitation is 64 meg of RAM; video and sound cards, which are often a problem with Linux, don't matter with m0n0wall since they're not used. It seems easy enough that a relative novice could set it up and get it working in a home environment and then grow into the advanced feature set. If you configure your computer's BIOS to boot from CD first, you don't even have to remove the old OS to give it a try; if you don't like it, just pull the CD out of the tray and your old configuration is intact. My first impression of m0n0wall is that it's a feature-rich, cost-effective choice if you have an old computer that can be made to work with it.
If you're still interested, please see my more detailed second article.