 From:  Manuel Kasper <mk at neon1 dot net>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Suggestions
 Date:  Wed, 07 Apr 2004 17:59:06 +0200
Dan Goscomb <dang at cashcade dot co dot uk> (a good friend and former colleague
of Richard Morrell's from SmoothWall) sent me a list of suggestions
(attached), so if anybody needs some ideas for development on
m0n0wall, there should be plenty now. :)

- Manuel
Interface Assignment
--------------------
Not everyone has sis cards... the WAN and LAN should be automatically set to available interfaces so
there is at least some chance that they can access the system on a default IP
address by just booting up and plugging in a cable.


Config Wizard
-------------
Should be run on first boot, similar to the SonicWall method. A step-by-step initial configuration
of the system IP address, type, etc. As you connect to the admin interface, if
no configuration has been set, it should not show the standard pages until the wizard has been
completed.

Auto-apply option
-----------------
I find I keep forgetting to press the "Apply Changes" button and so keep wondering why it's not
working properly. Maybe an option so that changes are automatically applied rather
than having to apply them manually.

Tools
-----
Seeing as there is no shell on the system, some other tools are very important to check if the
firewall is working properly. These are as follows:
* Traceroute
* ARP Cache
* TCP connect
* Packet Trace
* nslookup

Failover
--------
A very important feature if you ever want it to become a proper appliance... all large companies
require failover! This can be easily integrated with the use of FreeVRRPd

Attack rules
------------
Specific attacks should have individual log rules so they can be identified and reported... people
want nice things to look at, not just raw logs! I think you were also looking
for a function for another LED somewhere... welcome to your answer, this is what it's used for on a
SonicWall box!

Static Routes
-------------
This is very good... but took me a while to work out that I had to add specific outbound NAT rules
to use them! The m0n0wall I use here supports traffic for a large number of subnets (a /21,
2 /22s and 2 /24s). Either the default NAT rule needs changing so that any traffic entering the LAN
interface destined for the outside world passes, or a warning message needs to be
set when you add routes to the LAN interface.

Firewall Rules
--------------
The default rule for each interface should be shown... people MAY want to change it to allow, you
never know! Even if not, it's reassuring to have a red cross there at the bottom
of your list! Also, all available interfaces, whether they have rules or not, should be shown in
this list... it's confusing to have to add a rule for the WAN interface by clicking
the + button under the LAN interface area!

NAT
---
Server NAT is in the wrong place... this should be under the network configuration page on each
interface as an alias option. Ideally it wouldn't be present at all, and would
automatically determine which interface the new IP should be bound to upon adding an incoming NAT rule. Make
it easier for them to understand!

Instead of enabling advanced outbound NAT, just have it enabled already, but show the default rule
in the list! This makes it very obvious as to exactly what will get NATTed and
what won't.

DHCP Server
-----------
Should be able to support multiple address ranges. Some people (including me) use cisco routers on
the LAN side to proxy DHCP requests so only one server is required instead of
one on each subnet.

Password Reset
--------------
On the GUI this should need you to first enter your old password. The htaccess method has no
sessions and potentially a user stumbling across it on someone else's machine could
reset the password without having to first log in with the old one.

Logs
----
Should have an option to email the logs after a certain size is reached. Also potentially an option
to automatically send logs to dshield.org

VPN
---
Multiple destination subnets, and of course multiple local subnets!

PHP
---
I hate to say it... but PHP in itself shouts insecurity. Every white/gray hat
I've spoken to has said they would not use m0n0wall because it has PHP on it.
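The "Password Reset" point above is worth making concrete. With HTTP Basic auth (the htaccess method Dan mentions) the browser keeps re-sending the credentials for the whole browser session, so an "authenticated" request proves only that someone is sitting at an already-logged-in browser, not that they know the password. The fix is for the change-password handler to verify the current password itself before accepting a new one. The following is an added illustration written for this archive page; it is not m0n0wall code and does not model its config format. The credential store, the PBKDF2 parameters and the two handler names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the single admin credential the firewall keeps.
# PBKDF2-HMAC-SHA256 with a random salt; the iteration count is an assumption.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) for a password, generating a fresh salt if none given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def new_store(password: str) -> dict:
    """Create the credential record as it would be written on first configuration."""
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest}


def verify_password(store: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    _, digest = hash_password(candidate, store["salt"])
    return hmac.compare_digest(digest, store["hash"])


def change_password_weak(store: dict, new_password: str) -> bool:
    """The problem Dan describes: the handler trusts the browser's cached Basic-auth
    credentials and never asks for the old password. Anyone at an unattended,
    logged-in browser can set a new password with no knowledge of the current one."""
    store["salt"], store["hash"] = hash_password(new_password)
    return True


def change_password_checked(store: dict, current_password: str, new_password: str) -> bool:
    """Hardened form: re-verify the current password on the change request itself.
    Returns False (and leaves the store untouched) when the current password is wrong,
    so cached browser credentials alone are not enough to take over the account."""
    if not verify_password(store, current_password):
        return False
    store["salt"], store["hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # Walk-through: an attacker at a logged-in browser guesses the old password wrong.
    admin = new_store("original-secret")
    print("weak endpoint accepted reset:", change_password_weak(admin, "attacker-pw"))
    admin = new_store("original-secret")
    print("checked endpoint accepted bad guess:", change_password_checked(admin, "guess", "attacker-pw"))
    print("original still valid:", verify_password(admin, "original-secret"))
```

The same re-verification belongs on any other request that changes a credential or exports the configuration, since Basic auth gives the server no session to expire; a per-form nonce would additionally block a cross-site request aimed at the still-authenticated browser, but the old-password check alone already closes the case in the list above.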