Lewis Edwards wrote:
>First, let me thank you for an excellent product and all the work you put
>into maintaining it.
>
>I have a web server in a DMZ with only port 80 open to the world. Right
>now, someone can telnet to port 80 and poke around with my Apache
>installation. Given the right person and the wrong installation, this can
>cause a lot of problems. If m0n0wall had stateful (or dynamic) packet
>filtering then port 80 would only accept HTTP connections and the sysadmin
>could sleep (a little) easier.
I am not sure how much you can do here with stateful packet inspection
(which ipfw already does). The newer definitions of stateful firewalls
indeed mention the possibility of the firewall going up to the
application layer, but I have not seen this "in the wild" yet solely in
a firewall.
If someone telnets to port 80 or points a browser to your site, it looks
the same to both the firewall and the web server: a TCP connection to
port 80. The stateful firewall checks if the packets are valid based on
prior session initiation. Again, all valid, telnet or browser.
What you want is something that inspects each packet and checks if it is
a sane HTTP request. I guess the easiest way to do that is putting a
reverse proxy in front of the web server. All outside requests to port
80 get examined, and only valid HTTP requests are passed on to the web
server.
In the spirit of m0n0 (afaik, I just started playing with it a couple of
weeks ago, but have it running at home with the ovpn5 image ever since),
this has no place in a firewall, so you will probably be pointed to
either pfsense, another all-in-one package, or a separate box with squid
set up as reverse proxy.
Sven
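To illustrate the distinction Sven draws (the firewall sees only a TCP connection to port 80, while a reverse proxy can judge the bytes inside it), here is an added example of the kind of application-layer sanity check a reverse proxy applies before forwarding a request; it is not code from m0n0wall, Squid, or anyone in this thread, and the function name and sample requests are constructed for the example.

```python
import re

# Added example, not code from m0n0wall, Squid, or anyone in this thread:
# the kind of application-layer sanity check a reverse proxy applies before
# it forwards a request to the origin web server. Names are constructed.

ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.0|1\.1)$")
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*?)[ \t]*$")


def validate_http_request(raw: bytes) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only for a well-formed HTTP/1.x request head."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    if "\r\n\r\n" not in text:
        return False, "request head not terminated by an empty line"
    # Only the request head (request line plus headers) is inspected here.
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return False, "malformed request line"
    method, target, version = match.groups()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if not (target.startswith("/") or target == "*"):
        return False, "request target must be an absolute path"
    headers = {}
    for line in lines[1:]:
        hm = HEADER_LINE.match(line)
        if not hm:
            return False, "malformed header line"
        headers[hm.group(1).lower()] = hm.group(2)
    if version == "1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    return True, "ok"


# Constructed sample inputs: a browser request and two hand-typed probes.
BROWSER = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"
PROBE_JUNK = b"hello?\r\n\r\n"
PROBE_NO_HOST = b"GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for sample in (BROWSER, PROBE_JUNK, PROBE_NO_HOST):
        print(sample[:24], validate_http_request(sample))
```

The check is on what is sent, not on who sends it: a correctly typed request over telnet passes just as a browser's does, which is exactly why a port-level firewall rule cannot make this distinction.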