How many computers do your parents have that'd warrant the necessity of DHCP? (on a firewall or not, for that matter) You said something about APs? That's scary. Case in point: a rogue user gets access to your network (by breaking the pathetic WEP key, if you even have one set) and is automatically assigned an IP, mask and gateway. That's nice. I'm sure he appreciates that :) Even a novice can have access to your internet now.

DHCP is a security risk. You *say* that you *need* it. I don't think you do for a network as small as around 3 (I'm guessing) computers. I seriously do not think it needs to be part of a firewall either. (I don't use it on the firewall)

Is DHCP a good thing? Yes, if it's needed. (I need it, and use it on a separate computer) Are there free DHCP programs that could run internally on your network and not on the firewall? Yes.

My point is, people are willing to sacrifice all for functionality. If you're willing to do that, please, don't download m0n0wall. You're not looking for a firewall. (I don't care if you're 12 or 90, at home or at work, security is still, in my book, important)

Brandon

-----Original Message-----
From: Jim Gifford [mailto:jim at giffords dot net]
Sent: Tuesday, January 27, 2004 9:22 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Feature request which would make m0n0wall even better ;)

On Tue, Jan 27, 2004 at 11:33:49PM +1000, Hilton Travis wrote:
> m0n0wall is a firewall. It isn't a file server, nor is it a BSD distro
> designed to run as a fish tank controller. I cannot understand why
> people want to compromise the security of a security device by running
> additional software on it that is not designed, suited, or even safe to
> be running on a firewall.

I personally (and professionally) couldn't agree with you more. However, there are many people in the world that prefer to have fewer machines to manage and prefer to have more things integrated into their network services machine. This might mean making their network services machine potentially a little bit less secure, but many people are willing to take that risk. Especially small home network users. A home network with 1 user might not want to have 3 or 4 or 5 machines providing everything in their network (a firewall, a client machine, and a 'server' being the minimum). If there is only one user on the network, they're likely the one in charge of the network, and as such, they aren't the security risk (or, to look at it the other way, they're the primary security risk).

One of the things I liked about smoothwall was that it did have extra things that were useful to me (DHCP server, traffic graphs, web proxy, IDS, etc.). However, I found that I seldom looked at the traffic graphs unless there was a problem, the web proxy caused problems for poorly written web clients (i.e., all TiVo devices) so was usually disabled, and the IDS would stop working every time the WAN IP address changed. I don't blame smoothwall for these issues that made these extra features less useful to me.

I have been following m0n0wall for quite some time now, and finally decided that I liked the philosophy of m0n0wall (be a firewall, just a firewall, but a damned nice firewall at that). Since I have a nice internal server that can run all my other services, and a few other client machines, I don't mind having all the functions split out. In fact, I find that I now prefer it that way.

My parents have a small network in their home. I'll be switching them to m0n0wall soon (the web proxy on their smoothwall started blocking all connections, and I can't debug it remotely from 600 miles away because I didn't set up any means to get in to it, and they aren't technically savvy enough to be walked through it). Their house isn't very big, and they've got too much stuff squeezed in. The last thing they need is extraneous computers. As such, they'll be living without a web proxy/cache, traffic graphs, and IDS. Truthfully, they won't really miss them much. They wouldn't be able to live without DHCP though.

My parents live in the country, in the middle of a field, and their wireless AP isn't very strong. It doesn't cover the whole house, let alone reaching the street. They don't worry about drive-by wireless users, as it is an impractical concern.

In the 'perfect world', there would be no DHCP server in m0n0wall, as that isn't strictly a firewall function. However, if that were the case, my parents would be unable to use it, as that would require another server that they just don't have the room for. And yet, for some reason (I suspect pressure from people on the list), Manuel includes DHCP support in m0n0wall. If I want to run DHCP on my internal server, I can easily disable it in m0n0wall. In my opinion, this is a good compromise, as DHCP is a really essential network service.

Again, many people view their network edge device as a network services device instead of solely as a firewall. That doesn't make them wrong, it just makes them different. They have different needs. I believe that Manuel will give each feature request a lot of thought and not just cavalierly add stuff. As such, I have confidence in the future of m0n0wall as a firewall, and potentially as a network services device for those that seek such a thing. As long as each new service is only available internally by default, and is disableable, I don't really see the harm in having a few extra network services available. In a home network, external threats are the biggest threats in most cases. I'm confident that m0n0wall will continue to be great at blocking external threats.

> Personally, I want a firewall that is a firewall. I'll have another
> internal, protected, server to run these server functions. Security is
> paramount for a security device, and for your network.

I agree with you there. I want my firewall to only be a firewall. But then, I'm a network professional, and I know why that is a good design in a network. My network needs aren't simple. People like my parents really just want something to protect them from the viruses and script kiddies, and provide other network services. That doesn't make them wrong, they just have different needs.

Personally, I think m0n0wall has done a great job so far of walking the line between the two extremes of need. Would an NTP server be useful to some? No doubt it would. Would that make it less secure? Yes, from the inside it would be somewhat less secure. Is that really a problem? I personally don't think so.

m0n0wall is a great product. The simplicity, the UI, and the single config in XML are all awesome. The tiny size is great. Any feature that has a small impact on size, is a network service, would benefit a significant portion of people, and has minimal impact on CPU usage makes sense to have, in my opinion, for those that need it. As long as it can be turned off, or perhaps even defaults to off, what harm does it do those of us that want "just a firewall"?

Ok, I'm done with my soapbox now.

just my thoughts on things,
jim gifford

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch