I just installed monowall on a Soekris net4501 and began testing.
The current setup is a simple form of WAN/LAN/DMZ. I was thinking
of bridging the connections between WAN and DMZ. With advanced options
it should be possible to filter out unnecessary packets.
For a simple filter one option seems to miss:
By adding "flags A/A" one can filter out "established" connections.
More important, by adding "flags S/SA" one can filter out packets in
the initial state of a connection.
The simple application would be placing a server in the DMZ from which
(almost all) SYN packets for TCP connections. This way all outgoing
connections are blocked (or allowed for a few services) with only one
Actually, this function seems so basic to me I was wondering if I haven't
overlooked the option in some other form. I did not see it on the
TODO-list either. (I did see the very nice filtering rule layout has
only been added recently, thanks Jim.)
Another issue, since I installed the router using Linux, is the PHP-code
open source? Maybe all it takes is to mount the image as a loop device
if only I knew what filesystem is used. (I'd probably have to compile
the appropriate filesystem modules anyway.)
As I don't have a spare system right now, installing FreeBSD-Release will
take a few weeks. And it should be possible to test the PHP-code
on a Linux system. I would not like to take the router down for each
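The post's point is that an ipfilter-style "flags S/SA" rule matches only packets in the initial state of a TCP connection (SYN set, ACK clear), while "flags A/A" matches anything that already carries an ACK. The following is an added illustration, not code from the original message or from m0n0wall: it implements the flag/mask comparison and runs a small, constructed rule set over constructed packets to show how a single S/SA block rule prevents a DMZ server from opening outbound connections while still letting its replies (SYN/ACK and established traffic) through. The first-match rule semantics, the network addresses and the rule layout are assumptions chosen for the example, not m0n0wall's actual configuration.

```python
import ipaddress

# TCP flag bits as they appear in the TCP header's flags byte.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"


def flags_to_bits(flags: str) -> int:
    """Turn a string such as 'SA' into its bitmask (0x12)."""
    return sum(FLAG_BITS[c] for c in flags)


def parse_flag_spec(spec: str):
    """Parse an ipfilter-style 'X/Y' spec into (wanted bits, mask bits).

    'S/SA' means: look only at S and A, and require S set and A clear.
    A bare 'S' means: all six flags are examined and only S may be set.
    """
    if "/" in spec:
        want, mask = spec.split("/", 1)
    else:
        want, mask = spec, ALL_FLAGS
    return flags_to_bits(want), flags_to_bits(mask)


def flags_match(pkt_flags: str, spec: str) -> bool:
    """True when the packet's flags, restricted to the mask, equal the wanted bits."""
    want, mask = parse_flag_spec(spec)
    return (flags_to_bits(pkt_flags) & mask) == want


def is_new_connection(pkt_flags: str) -> bool:
    """Initial SYN of a connection: SYN set, ACK clear (the 'S/SA' test)."""
    return flags_match(pkt_flags, "S/SA")


def is_established(pkt_flags: str) -> bool:
    """Any segment carrying ACK, i.e. a connection that already exists ('A/A')."""
    return flags_match(pkt_flags, "A/A")


# Constructed rule set (assumed layout: action, source network, destination
# port or None for any, flag spec or None for any). Evaluated first-match-wins,
# which is an assumption made for this example.
DMZ_NET = "10.0.1.0/24"  # assumed DMZ address range
RULES = [
    ("pass", DMZ_NET, 53, "S/SA"),    # the server may open DNS connections
    ("block", DMZ_NET, None, "S/SA"),  # but no other new outgoing connections
    ("pass", DMZ_NET, None, "A/A"),    # replies and established traffic flow
]


def evaluate(packet: dict, rules=RULES) -> str:
    """Return the action of the first rule matching a constructed packet.

    packet = {"src": "10.0.1.5", "dport": 80, "flags": "S"}; unmatched packets
    are blocked (a deliberately conservative default for this example).
    """
    src = ipaddress.ip_address(packet["src"])
    for action, net, dport, spec in rules:
        if src not in ipaddress.ip_network(net):
            continue
        if dport is not None and packet["dport"] != dport:
            continue
        if spec is not None and not flags_match(packet["flags"], spec):
            continue
        return action
    return "block"


if __name__ == "__main__":
    # Constructed packets leaving the DMZ server 10.0.1.5.
    samples = [
        ({"src": "10.0.1.5", "dport": 53, "flags": "S"}, "DNS lookup, new connection"),
        ({"src": "10.0.1.5", "dport": 80, "flags": "S"}, "outbound HTTP, new connection"),
        ({"src": "10.0.1.5", "dport": 40000, "flags": "SA"}, "SYN/ACK reply to an inbound client"),
        ({"src": "10.0.1.5", "dport": 40000, "flags": "PA"}, "data on an established connection"),
    ]
    for pkt, what in samples:
        print(f"{what:40s} flags={pkt['flags']:3s} -> {evaluate(pkt)}")
```

Note that the SYN/ACK case is the one worth checking: it fails the "S/SA" test because ACK is set, so the single block rule does not interfere with the server answering inbound connections, while its own attempts to open connections are stopped.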