First of all, monowall is a great project. I was able to set up a /28
network with VoIP traffic shaping, static routes, and ad hoc firewall rules
in minutes. This is the reason that I would recommend monowall to anyone.
After some time special requirements and needs started to be dropped on my
desk. In some cases, monowall is not enough. For this reason, here's my
humble requirements for a perfect firewall:
1) Gui as today. Most things are handled in seconds.
2) Better support for stateful inspection/passthrough of special protocols
(e.g. IPsec, ICA)
3) A better interface (than SNMP) for real-time monitoring and configuration.
This interface (to the core) could be a set of web services. This would
enable heavyweight GUI components to be hosted on an external (LAN) host.
4) Configurable event mechanism.
I have a couple of Cisco VPN clients running on LAN workstations. It was a
pretty big job to get those running.
Real-time monitoring per IP, port and traffic shaper rules/queues would make
optimization so much easier.
I've spent hours with Ethereal, ntop and monowall trying to debug certain
problems. If I were able to set up some eventing mechanism, it would have
saved me a lot of time. Events could be sent for congestion, use of specific
protocols, specific clients (MAC addresses) becoming active etc. Eventing
could be based on e-mail notifications or using the previously mentioned
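The kind of eventing mechanism the post asks for, sketched as an added example that is not part of the original post and not m0n0wall's own code. It raises the three event classes mentioned above (congestion on the shaper queue, use of specific protocols such as IPsec and ICA, and a client MAC address becoming active) from a stream of flow samples. The sample record format, the `queue_drops` counter, the port-to-name table and the log lines are all constructed for the example; a real deployment would feed it from the firewall's own logs or counters, which this code does not parse, and `notify` stands in for the e-mail or web service hook the post proposes.

```python
"""Added example: a small event engine over firewall flow samples.

This is not m0n0wall code. The record format below is constructed for the
example; a real deployment would feed it from the firewall's own logs or
SNMP/NetFlow counters, which this code does not parse.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class FlowSample:
    """One sampled flow plus the shaper queue drop counter at that instant (constructed)."""
    ts: int                   # unix time of the sample
    src_mac: str              # LAN client hardware address
    src_ip: str
    dst_ip: str
    proto: str                # "tcp", "udp", "esp", ...
    dst_port: Optional[int]   # None for protocols without ports (ESP, ICMP)
    queue_drops: int          # hypothetical: drops reported by the shaper queue


@dataclass(frozen=True)
class Event:
    kind: str
    ts: int
    detail: str


# Protocols the post calls out as awkward to pass through; flag their use.
# Port assignments are the standard IANA ones; the mapping itself is an assumption.
WATCHED = {
    ("esp", None): "ipsec-esp",
    ("udp", 500): "ipsec-isakmp",
    ("udp", 4500): "ipsec-nat-t",
    ("tcp", 1494): "citrix-ica",
    ("tcp", 2598): "citrix-cgp",
}


def parse_sample(line: str) -> FlowSample:
    """Parse the constructed format:
    '<ts> <src_mac> <src_ip> <dst_ip> <proto> <dst_port|-> <queue_drops>'."""
    ts, mac, sip, dip, proto, port, drops = line.split()
    return FlowSample(int(ts), mac.lower(), sip, dip, proto.lower(),
                      None if port == "-" else int(port), int(drops))


class EventEngine:
    """Turns flow samples into events; `notify` stands in for e-mail or a web service call."""

    def __init__(self, known_macs: Iterable[str], drop_threshold: int = 20,
                 window: int = 60, notify: Callable[[Event], None] = print):
        self.known = {m.lower() for m in known_macs}
        self.seen: set = set()
        self.drop_threshold = drop_threshold
        self.window = window
        self.notify = notify
        self._win_start: Optional[int] = None
        self._win_drops = 0
        self._congested = False

    def process(self, s: FlowSample) -> List[Event]:
        events: List[Event] = []
        # 1) a client (MAC) becoming active; MACs not on the known list are reported separately
        if s.src_mac not in self.seen:
            self.seen.add(s.src_mac)
            kind = "client-active" if s.src_mac in self.known else "unknown-client-active"
            events.append(Event(kind, s.ts, f"{s.src_mac} {s.src_ip}"))
        # 2) use of a watched protocol (port-specific entry first, then port-less entry)
        name = WATCHED.get((s.proto, s.dst_port)) or WATCHED.get((s.proto, None))
        if name:
            events.append(Event("protocol-use", s.ts, f"{name} {s.src_ip}->{s.dst_ip}"))
        # 3) congestion: shaper drops summed over a fixed window exceed the threshold
        if self._win_start is None or s.ts - self._win_start >= self.window:
            self._win_start, self._win_drops, self._congested = s.ts, 0, False
        self._win_drops += s.queue_drops
        if self._win_drops > self.drop_threshold and not self._congested:
            self._congested = True  # one event per window, not one per sample
            events.append(Event("congestion", s.ts, f"{self._win_drops} drops in window"))
        for e in events:
            self.notify(e)
        return events

    def run(self, lines: Iterable[str]) -> List[Event]:
        return [e for line in lines for e in self.process(parse_sample(line))]


SAMPLE_LOG = [  # constructed for this example, not real firewall output
    "1000 00:11:22:33:44:55 192.168.1.10 10.0.0.5 tcp 80 0",
    "1005 00:11:22:33:44:55 192.168.1.10 10.0.0.7 tcp 1494 3",
    "1010 aa:bb:cc:dd:ee:ff 192.168.1.99 203.0.113.9 udp 500 0",
    "1012 aa:bb:cc:dd:ee:ff 192.168.1.99 203.0.113.9 esp - 25",
    "1070 00:11:22:33:44:55 192.168.1.10 10.0.0.5 tcp 443 0",
]


def demo() -> List[Event]:
    """Run the constructed log through the engine with one known MAC and a silent notifier."""
    engine = EventEngine(known_macs=["00:11:22:33:44:55"], notify=lambda e: None)
    return engine.run(SAMPLE_LOG)


if __name__ == "__main__":
    for ev in demo():
        print(ev.ts, ev.kind, ev.detail)
```

The congestion rule deliberately fires once per window rather than once per sample, otherwise a saturated queue would generate a notification per flow and the e-mail channel the post mentions would itself become the problem; the same suppression is worth applying to the "unknown client" event if the LAN has many transient hosts.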