Physical security is a must, especially with how m0n0wall works. A login
screen to prevent access to the console to me is somewhat worthless if
you are running a PC to which they can pop out the floppy, modify it and
then reboot the firewall. Most people will reply that the average user
would not go through all that trouble.. That may be true, if that's the
case and you are just worried about someone coming in and changing your
password and then loggin into the m0n0wall, perhaps a rule against port
80 or 443 that only allows 1 workstation to access the admin page is in
order, Just create the rule, then even if they change the password they
can't access the m0n0wall config, once again unless they modify the
config.xml on the floppy...
From: Hilton Travis [mailto:Hilton at QuarkAV dot com]
Sent: Friday, January 23, 2004 8:44 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] m0n0wall feature request
On Fri, 2004-01-23 at 22:06, EXT dash Mike dot Bradshaw at nokia dot com wrote:
> > There are a few things I'd like to see on m0n0wall - as Dick
> > has already
> > mentioned, a shutdown and reboot button would be nice.
> reboot is already there (diagnostics, Reboot system)
> i agree shutdown would also be nice
> > As would the ability to log out of the console and have it wait for
> > login - it doesn't appear secure when it is constantly
> > sitting there on a logged in account.
> if someone has physical access to your Firewall console you are pretty
much screwed right there.
> a simple console login is *SO* easy to defeat that it just not funny
(if you have physical access)
> Personally i think that the fact you ONLY have the m0n0 menu on the
console, no tty, no shell etc makes it MORE secure
I will never disagree that a malicious user who has physical access to
your servers and other critical machinery/data has already done the
damage. I do, still, maintain that a logged-in, non-password protected
security device looks bad, and - in reality - is not as secure as it
could otherwise be.
> > Also, some way that the user could be notified of available updates
> > would be nice.
> > This way they would know if security or functionality
> > updates are available as and when they are released. Currently, the
> > users need to be subscribed to the Accounce mailing list, or happen
> > across an update on their occasional visit to the website.
> and the problem with the Announce mailing list is?
Damned obvious for those who don't play with just a single firewall, and
don't receive anywhere near the email quantity that a lot of people do.
> I guess if you give Manuel enough money, he will email/phone you
individually whenever a patch/upgrade comes out :)
This irrelevant and out of thin air diatribe is addressed elsewhere.
Hilton Travis Email: Hilton at QuarkAV dot com
Manager, Quark AudioVisual Phone: +61-(0)7-3343-3889
Quark Computers Phone: +61-(0)419-792-394
(Brisbane, Australia) http://www.QuarkAV.com/
Open Source Projects: http://www.ares-desktop.org/
Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording
War doesn't determine who is right. War determines who is left.
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch