 From:  "shoto" <shoto at nixsolve dot com>
 To:  "Lee Sharp" <leesharp at hal dash pc dot org>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Some feature requests
 Date:  Sun, 21 May 2006 13:07:04 -0400
Some good feature requests would be to have IP ranges to use, i.e.
192.168.10.x - 192.168.10.x. Also object/host groups would be handy... I
believe you can get this in PF or the latest version of IPF.


----- Original Message ----- 
From: "Lee Sharp" <leesharp at hal dash pc dot org>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, May 21, 2006 12:59 PM
Subject: Re: [m0n0wall] Some feature requests


> From: "Shish" <shish at shish dot is dash a dash geek dot net>
>
>>I just started using m0n0wall yesterday, everything works just as well
>> as the custom debian firewall it took me a week to set up, with the
>> exception of a couple of things I can't see any way to do:
>
> This is common.  What is unusual is that you provided the information you 
> needed for us to help you!  I will do what I can to give you suggestions 
> and work-arounds.
>
>> o) Automatic wake-on-lan messages
>
>> Because my server needs internet access for a couple of things in the
>> boot phase, the router / firewall needs to be completely online and
>> running before it starts, so setting both to wake-on-power doesn't
>> work. A setup which works great is having the router wake on power, and
>> once it's ready, sending wake-on-lan packets to all the other boxes. A
>> checkbox next to each of my WOL bookmarks for "send a packet here when
>> m0n0wall boots" would be most appreciated
>
> Look at the system/shellcmd at 
> http://doc.m0n0.ch/handbook/faq-hiddenopts.html  You may have to do some 
> decoding to see how m0n0 sends WOL packets, but here is where to do it on 
> boot.
>
>> o) OpenVPN
>
>> It was there, and now it isn't? What was wrong with it? Is there any
>> way to get it back?
>
> It was in 1.2b4 to 1.2b7 when a lot of things were dropped for stability. 
> This is something coming back.  It should be in the mythical 1.3 release. 
> :-)
>
>> o) Firewall rule for connections / sec
>
>> Running a shell server for some friends, they want to make outgoing
>> connections; however I don't want to be part of a DDoS attack if an
>> account gets broken into. Currently I have rules like HTTP gets 60
>> connections / min with burst of 200, and IRC gets 1 connection / min
>> with burst of 10 (to allow just-started clients to connect to all
>> networks, and periodic reconnection when a connection dies for whatever
>> reason). It's worked well for normal use (the users don't notice it),
>> and under attack (only about 100 packets were sent before I noticed,
>> compared to the several thousand that would've been were it not for
>> the filtering)
>
> Play with the traffic shaper.  You may be able to set up pipes that work 
> similarly.  The best part is an attacker would still seem to "succeed" but 
> would be so slow you could catch him before he does damage.
>
>> o) Swap space
>
>> I still have a partition marked "Linux Swap" for the debian firewall --
>> can m0n0wall be made to use it? (It can be reformatted if necessary).
>> My firewall box has 32MB RAM, and is too old for upgrades (I don't
>> even know what type of RAM it uses, the sticks aren't a type I
>> recognise...). m0n0wall does work fine on 32MB, so long as I only open
>> one page at a time...
>
> Ain't gonna happen.  The entire concept of m0n0wall is a tight, lean 
> firewall that runs totally in memory.  What you may want to look at is 
> pfsense at http://www.pfsense.com/  It is a friendly fork of m0n0wall.  It 
> uses swap.  It also is designed for more powerful hardware.  It might be 
> easier to find the ram on eBay.
>
>> o) "Move selected rules before this rule" for the traffic shaper
>
>> It's *so* much faster than "move rule up / down one position". I got so
>> fed up I ended up writing a small shell script to automate the upping
>> and downing for me :P
>
> You can always edit the config file directly.  I do this often to "paste 
> in" specific configs I use a lot.
>
>> o) Bootable floppies
>
>> Old hardware again -- the CD drive is a bit dodgy, and the box
>> sometimes gives up too soon and moves on to booting from the hard
>> drive. Putting GRUB / the BSD equivalent on the floppy and setting it
>> to boot the CD would be more reliable. I know it's not a m0n0wall thing
>> per-se, but a note in the docs about how to do it would be nice.
>
> Hmmm...  Interesting.  This would also help a lot of these finicky systems 
> (like HP servers) that don't want to boot from a hard drive!  It would have 
> to be FAT so the config could be saved, and that is about it.
>
>> And finally, a tiny bug report -- when adding NAT rules, and ticking
>> the "Auto-add a firewall rule..." box, if there's an error in the user's
>> input, the box is un-ticked on the "please correct your errors" page.
>
> I hate that one.  Another one is if you forward several inbound ports to 
> one port, and check it each time from habit, you get several copies of 
> the same rule. :-)  Just a quirk.
>
>                            Lee
>
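The "send a Wake-on-LAN packet when the firewall boots" request above comes down to emitting one UDP datagram per host. The following is an added example, not code from the thread or from m0n0wall, showing what such a boot hook has to put on the wire: the magic packet format (6 bytes of 0xFF followed by the target MAC repeated 16 times), a checker you can run against a capture to confirm the firewall really sent it, and a broadcast sender. The MAC address, the broadcast address and the use of UDP port 9 are assumptions for the demonstration.

```python
"""Build, verify and send a Wake-on-LAN magic packet.

Added example, not m0n0wall's own code. Assumes the sleeping host is on
the local broadcast domain and that its NIC accepts WOL frames on UDP
port 9 (a common convention; port 7 is also used). The MAC below is a
constructed sample, not one taken from the thread.
"""
import re
import socket
from typing import Optional

EXAMPLE_MAC = "00:11:22:aa:bb:cc"   # constructed sample target
WOL_PORT = 9                        # assumption; many tools also use 7


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return 6 bytes."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Synchronisation stream (6 x 0xFF) + MAC repeated 16 times,
    optionally followed by a 4- or 6-byte SecureOn password."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + password


def is_magic_packet(data: bytes) -> Optional[str]:
    """Return the MAC a datagram would wake, or None if it is not a valid
    magic packet. Handy for checking a tcpdump capture of the boot hook."""
    if len(data) < 102 or data[:6] != b"\xff" * 6:
        return None
    mac = data[6:12]
    if data[6:102] != mac * 16:
        return None
    if len(data) - 102 not in (0, 4, 6):       # nothing, or a SecureOn password
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = WOL_PORT) -> int:
    """Send the magic packet as a UDP broadcast; return the number of bytes sent."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    # A boot hook would loop over every bookmarked host here.
    for target in [EXAMPLE_MAC]:
        print(f"waking {target}: {send_wol(target)} bytes sent")
```

Because the packet is a broadcast with no authentication beyond the optional SecureOn password, anything on the LAN segment can wake the host; the hook is only as trustworthy as the segment it runs on.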
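The "N connections per minute with a burst" rules Shish describes (60/min with burst 200 for HTTP, 1/min with burst 10 for IRC) are token buckets: the bucket starts full at the burst size, refills at the sustained rate, and each new connection spends one token. The following is an added example, not code from the thread or from m0n0wall, that implements that model and runs it over constructed timelines so you can see why a normal IRC user never notices the rule while a hijacked account leaks only a handful of connections. The rates are the ones from the thread; the traffic timelines and the assumption that the bucket starts full (the usual semantics of netfilter's limit match) are mine.

```python
"""Token-bucket connection limiter: the model behind firewall rules of the
form "N new connections per minute, burst B".

Added example, not from the thread or from m0n0wall. Rates are the ones
the thread mentions; the event timelines are constructed for the demo.
Assumes the bucket starts full and refills continuously at the sustained
rate (netfilter's limit match behaves this way).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class TokenBucket:
    rate_per_min: float          # sustained rate: tokens added per minute
    burst: int                   # capacity: connections allowed at once
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)      # bucket starts full

    def allow(self, now: float) -> bool:
        """Refill for the seconds elapsed since the last attempt, then spend
        one token if one is available. Denied attempts spend nothing."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst),
                          self.tokens + elapsed * self.rate_per_min / 60.0)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(bucket: TokenBucket, attempt_times: List[float]) -> Tuple[int, int]:
    """Return (allowed, dropped) for new-connection attempts at the given
    timestamps in seconds (non-decreasing)."""
    allowed = dropped = 0
    for t in attempt_times:
        if bucket.allow(t):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


def normal_irc_user() -> Tuple[int, int]:
    # constructed: client starts and connects to 6 networks within a second,
    # then reconnects once every 10 minutes for an hour -> nothing is dropped
    attempts = [0.1 * i for i in range(6)] + [600.0 * k for k in range(1, 7)]
    return simulate(TokenBucket(rate_per_min=1, burst=10), attempts)


def hijacked_account_flood() -> Tuple[int, int]:
    # constructed: 5000 outbound connection attempts in 10 seconds
    # against the IRC rule -> only the burst of 10 gets out
    attempts = [i / 500.0 for i in range(5000)]
    return simulate(TokenBucket(rate_per_min=1, burst=10), attempts)


def http_flood() -> Tuple[int, int]:
    # constructed: the same flood against the HTTP rule -> burst of 200
    # plus roughly one token per second of refill
    attempts = [i / 500.0 for i in range(5000)]
    return simulate(TokenBucket(rate_per_min=60, burst=200), attempts)


if __name__ == "__main__":
    print("normal IRC user   (allowed, dropped):", normal_irc_user())
    print("hijacked IRC flood(allowed, dropped):", hijacked_account_flood())
    print("HTTP flood        (allowed, dropped):", http_flood())
```

The numbers make the trade-off concrete: the burst is what lets a freshly started client connect everywhere at once, and the sustained rate is what bounds the damage once the burst is spent, so an abused account emits tens of packets rather than thousands before anyone looks at the logs.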