A few days ago here at work, a remote T1 site was having some performance issues. I offered up some
troubleshooting suggestions and while I was doing that, I threw out the idea of switching to
m0n0wall. A little desktop setup with Windows 2000 Server running Routing and Remote Access with no
other firewall applications is currently being used. This box performs simple NAT and routing out
to the T1 line and nothing more.
However, a co-worker replied to my suggestion of m0n0wall after looking at m0n0wall's website. He
stated that "[he'd] be leery of firewall software whose entire security page is this:"
Although I have tried my best to make m0n0wall as secure as possible, there is still the possibility
of security holes (hell, no software programmer can say for sure that his product is absolutely
bug-free!). The rule generator currently has to generate rules that open up the filter a bit more
than I'd like, mainly because ipfilter 3.x.x lacks the ability of specifying placeholders for a
given interface's IP address. We'll have to wait until ipfilter 4.0 is released to get that
You can have a look at the ipfilter ruleset that is currently active by going to
If you're familiar with ipfilter, please take the time to read through the ruleset and inform me of
any possible improvements or holes (along with a description of which settings you changed in the
webGUI). Thank you!
I have to admit, that does sound a little scary. I personally think that Manuel just isn't giving
enough credit to his work and ipfilter (that's me though). Hell, it's probably more secure than
Windows 2000 Routing and Remote Access, especially without any additional firewall application.
Throughout my time on the mailing lists, I've gotten the impression that numerous people run this
at work. This is why I'd like to take a poll.
If everyone could reply and answer the following questions, I'd appreciate it!
1. What is the name of your company? (Not needed, just curious)
2. How many servers do you have behind m0n0wall?
3. How many workstations do you have behind m0n0wall?
4. If you have a DMZ, how many servers are in it?
5. If you have a Wireless interface, how many clients do you have connecting and do they have to VPN
in or are they directly connected?
6. Do you support VPN? If so, do you have a local user DB, RADIUS, or pass-through to another server?
7. Do you redirect any external ports to internal devices?
8. Any additional information that will just make m0n0wall look sweet!
Again, any and all replies would be greatly appreciated!
Brad Gibson, CCNA, MCP, Net+, A+
City of Baltimore