 From:  "Lee Sharp" <leesharp at hal dash pc dot org>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Some feature requests
 Date:  Sun, 21 May 2006 11:59:25 -0500
From: "Shish" <shish at shish dot is dash a dash geek dot net>

> I just started using m0n0wall yesterday, everything works just as well
> as the custom debian firewall it took me a week to set up, with the
> exception of a couple of things I can't see any way to do:

This is common.  What is unusual is that you provided the information you 
needed for us to help you!  I will do what I can to give you suggestions and 

> o) Automatic wake-on-lan messages

> Because my server needs internet access for a couple of things in the
> boot phase, the router / firewall needs to be completely online and
> running before it starts, so setting both to wake-on-power doesn't
> work. A setup which works great is having the router wake on power, and
> once it's ready, sending wake-on-lan packets to all the other boxes. A
> checkbox next to each of my WOL bookmarks for "send a packet here when
> m0n0wall boots" would be most appreciated

Look at the system/shellcmd at 
http://doc.m0n0.ch/handbook/faq-hiddenopts.html  You may have to do some 
decoding to see how m0n0 sends WOL packets, but here is where to do it on 

> o) OpenVPN

> It was there, and now it isn't? What was wrong with it? Is there any
> way to get it back?

It was in 1.2b4 to 1.2b7 when a lot of things were dropped for stability. 
This is something coming back.  It should be in the mythical 1.3 release. 

> o) Firewall rule for connections / sec

> Running a shell server for some friends, they want to make outgoing
> connections; however I don't want to be part of a DDoS attack if an
> account gets broken into. Currently I have rules like HTTP gets 60
> connections / min with burst of 200, and IRC gets 1 connection / min
> with burst of 10 (to allow just-started clients to connect to all
> networks, and periodic reconnection when a connection dies for whatever
> reason). It's worked well for normal use (the users don't notice it),
> and under attack (only about 100 packets were sent before I noticed,
> compared to the several thousand that would've been were it not for
> the filtering)

Play with the traffic shaper.  You may be able to set up pipes that work 
similarly.  The best part is an attacker would still seem to "succeed" but 
would be so slow you could catch him before he does damage.

> o) Swap space

> I still have a partition marked "Linux Swap" for the debian firewall --
> can m0n0wall be made to use it? (It can be reformatted if necessary).
> My firewall box has 32MB RAM, and is too old for upgrades (I don't
> even know what type of RAM it uses, the sticks aren't a type I
> recognise...). m0n0wall does work fine on 32MB, so long as I only open
> one page at a time...

Ain't gonna happen.  The entire concept of m0n0wall is a tight, lean 
firewall that runs totally in memory.  What you may want to look at is 
pfsense at http://www.pfsense.com/  It is a friendly fork of m0n0wall.  It 
uses swap.  It also is designed for more powerful hardware.  It might be 
easier to find the RAM on eBay.

> o) "Move selected rules before this rule" for the traffic shaper

> It's *so* much faster than "move rule up / down one position". I got so
> fed up I ended up writing a small shell script to automate the upping
> and downing for me :P

You can always edit the config file directly.  I do this often to "paste in" 
specific configs I use a lot.

> o) Bootable floppies

> Old hardware again -- the CD drive is a bit dodgy, and the box
> sometimes gives up too soon and moves on to booting from the hard
> drive. Putting GRUB / the BSD equivalent on the floppy and setting it
> to boot the CD would be more reliable. I know it's not a m0n0wall thing
> per-se, but a note in the docs about how to do it would be nice.

Hmmm...  Interesting.  This would also help a lot of these finicky systems 
(like HP servers) that don't want to boot from a hard drive!  It would have to 
be FAT so the config could be saved, and that is about it.

> And finally, a tiny bug report -- when adding NAT rules, and ticking
> the "Auto-add a firewall rule..." box, if there's an error in the user's
> input, the box is un-ticked on the "please correct your errors" page.

I hate that one.  Another one is if you forward several inbound ports to one 
port, and check it each time from habit, you get several copies of the same 
rule. :-)  Just a quirk.
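The wake-on-LAN exchange above turns on how the magic packet is laid out. The following is an added example, not code from m0n0wall or from either poster, showing the standard magic-packet format (six 0xFF bytes followed by the target MAC repeated sixteen times) as a builder, a validating parser of the kind a network monitor would use to log who is being woken, and a sender that broadcasts over UDP. The broadcast address 255.255.255.255 and UDP port 9 are the conventional defaults and are assumptions here; the MAC address in the usage block is a constructed sample.

```python
import socket
from typing import Optional

MAGIC_PREFIX = b"\xff" * 6          # six bytes of 0xFF open every magic packet
MAC_REPEATS = 16                    # the target MAC follows, repeated 16 times
PACKET_LEN = 6 + 6 * MAC_REPEATS    # 102 bytes; a SecureOn password may trail it


def build_magic_packet(mac: str) -> bytes:
    """Build a WOL magic packet for a MAC written as aa:bb:cc:dd:ee:ff or aa-bb-...."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return MAGIC_PREFIX + mac_bytes * MAC_REPEATS


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload is a well-formed magic packet, else None.

    Trailing bytes beyond the 102-byte body are tolerated (an optional 4- or
    6-byte SecureOn password), but the repeated-MAC block must be consistent.
    """
    if len(payload) < PACKET_LEN or payload[:6] != MAGIC_PREFIX:
        return None
    mac = payload[6:12]
    if payload[6:PACKET_LEN] != mac * MAC_REPEATS:
        return None                 # repetitions disagree: not a magic packet
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast a magic packet over UDP; returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Constructed sample MAC; replace with the real target when wiring this into a boot hook.
    sample_mac = "00:11:22:33:44:55"
    packet = build_magic_packet(sample_mac)
    print(len(packet), parse_magic_packet(packet))
```

Only the 102-byte body is checked; a packet is rejected if the sixteen MAC copies disagree, which is also the test a monitoring rule can apply before logging the MAC it carries.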