 From:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Feature request which would make m0n0wall even better ;)
 Date:  Tue, 27 Jan 2004 13:04:56 -0800
At 10:21 AM -0500 1/27/04, Jim Gifford wrote:
>On Tue, Jan 27, 2004 at 11:33:49PM +1000, Hilton Travis wrote:
>> m0n0wall is a firewall.  It isn't a file server, nor is it a BSD distro
>> designed to run as a fish tank controller.  I cannot understand why
>> people want to compromise the security of a security device by running
>> additional software on it that is not designed, suited, or even safe to
>> be running on a firewall.
>
>I personally (and professionally) couldn't agree with you more.  However,
>there are many people in the world that prefer to have less machines to
>manage and prefer to have more things integrated into their network
>services machine.  This might mean making their network services machine
>potentially a little bit less secure, but many people are willing to take
>that risk.  Especially small home network users.  A home network with 1
>user might not want to have 3 or 4 or 5 machines providing everything in
>their network (a firewall, a client machine, and a 'server' being the
>minimum).

Frankly, people who want / need the additional features should have to buy
a different (or second) box. A few folks have suggested starting from
Manuel's excellent m0n0BSD distribution, and building extra services on
that.

Before starting down that not-short road, I might suggest that people look
at the software for the Cobalt appliances, which was recently Open Sourced
by Sun. The Cobalt Qube seems to me to be about the level of features that
people seem to be requesting.

No, it's not m0n0, but when it was for sale it was a high-quality, polished
product. If there's such a need for the services that people keep asking
Manuel for, then those folks should have been buying Qubes. (Perhaps the
fact that Sun killed the line says something about actual market demand.)

m0n0wall is a great project and has a great community, and once you've
started using it (and had the great experience that it delivers), you
naturally want to "make it better" rather than go look for something else,
just to get a file server or some such.

But m0n0 won't stay great if it doesn't stay true to its vision, to
Manuel's vision. Perhaps Manuel will state it more clearly and explicitly,
but I currently understand his vision to be the following (quoted from the
m0n0wall web site):

    m0n0wall is a project aimed at creating a complete,
    embedded firewall software package that, when used
    together with an embedded PC, provides all the
    important features of commercial firewall boxes
    (including ease of use) at a fraction of the price
    (free software).

With that in mind, I would suggest that the first test to apply to evaluate
a feature request is, do any of the similar commercial products
(SonicWall, WatchGuard, etc.) do this?

If they don't, then you have to understand *why* they don't, and justify
*why* m0n0wall should, before it should be considered for addition. And
"People don't want to run a second box" or "I can't add another machine to
a proposal" isn't, IMHO, a good enough reason to change m0n0wall. (It may
very well be a good enough reason for you to look at a different solution,
however.)

I think we're mostly in agreement here, that m0n0wall should stay a compact
firewall / edge device. I love the current functionality, and would prefer
to see the existing features enhanced (e.g., NAT / bridging conflicts
fixed, the true aliases that will come with ipfilter 4, etc.) than add new
features.

Michael
-- 

_____________________________________________________________
Michael A. Alderete           <mailto:lists dash 2003 at alderete dot com>
                                     <http://www.alderete.com>