[ previous ] [ next ] [ threads ]
 
 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Feature request which would make m0n0wall even better ;)
 Date:  Tue, 27 Jan 2004 10:21:45 -0500
On Tue, Jan 27, 2004 at 11:33:49PM +1000, Hilton Travis wrote:
> m0n0wall is a firewall.  It isn't a file server, nor is it a BSD distro
> designed to run as a fish tank controller.  I cannot understand why
> people want to compromise the security of a security device by running
> additional software on it that is not designed, suited, or even safe to
> be running on a firewall.

I personally (and professionally) couldn't agree with you more.  However,
there are many people in the world that prefer to have less machines to
manage and prefer to have more things integrated into their network
services machine.  This might mean making their network services machine
potentially a little bit less secure, but many people are willing to take
that risk.  Especially small home network users.  A home network with 1
user might not want to have 3 or 4 or 5 machines providing everything in
their network (a firewall, a client machine, and a 'server' being the
minimum).  If there is only one users on the network, they're likely the
one in charge of the network, and as such, they aren't the security risk
(or to look at it the other way, they're the primary security risk).

One of the things I liked about smoothwall was that it did have extra
things that were useful to me (dhcp server, traffic graphs, web proxy,
IDS, etc).  However, I found that I seldom looked at the traffic graphs
unless there was a problem, the web proxy caused problems for poorly
written web clients (ie, all TiVo devices) so was usually disabled, and
the IDS would stop working every time the WAN IP address changed.  I
don't blame smoothwall for these issues that made these extra features
less useful to me.

I have been following m0n0wall for quite some time now, and finally
decided that I liked the philosophy of m0n0wall (be a firewall, just a
firewall, but a damned nice firewall at that).  Since I have a nice
internal server that can run all my other services, and a few other
client machines, I don't mind having all the functions split out.  In
fact, I find that I now prefer it that way.

My parents have a small network in their home.  I'll be switching them to
m0n0wall soon (the web proxy on their smoothwall started blocking all
connections, and I can't debug it remotely from 600 miles away because I
didn't set up any means to get in to it, and they aren't technically
savvy enough to be walked through it).  Their house isn't very big, and
they've got too much stuff squeezed in.  The last thing they need is
extraneous computers.  As such, they'll be living without a web
proxy/cache, traffic graphs, and IDS.  Truthfully, they won't really miss
them much.  They wouldn't be able to live without DHCP though.  My
parents live in the country, in the middle of a field, and their wireless
AP isn't very strong.  It doesn't cover the whole house, let alone
reaching the street.  They don't worry about drive-by wireless users, as
it is an impractical concern.

In the 'perfect world', there would be no DHCP server in m0n0wall, as
that isn't strictly a firewall function.  However, if that were the case,
my parents would be unable to use it, as that would require another
server that they just don't have the room for.  And yet, for some reason
(I suspect pressure from people on the list), Manuel includes DHCP
support in m0n0wall.  If I want to run DHCP on my internal server, I can
easily disable it in m0n0wall.  In my opinion, this is a good compromise,
as DHCP is a really essential network service.

Again, many people view their network edge device as a network services
device instead of solely as a firewall.  That doesn't make them wrong, it
just makes them different.  They have different needs.

I believe that Manuel will give each feature request a lot of thought and
not just cavalierly add stuff.  As such, I have confidence in the future
of m0n0wall as a firewall, and potentially as a network services device
for those that seek such a thing.  As long as each new service is only
available internally by default, and is disableable, I don't really see
the harm in having a few extra network services available.  In a home
network, external threats are the biggest threats in most cases.  I'm
confident that m0n0wall will continue to be great at blocking external
threats.

> Personally, I want a firewall that is a firewall.  I'll have another
> internal, protected, server to run these server functions.  Security is
> paramount for a security device, and for your network.

I agree with you there.  I want my firewall to only be a firewall.  But
then, I'm a network professional, and I know why that is a good design in
a network.  My network needs aren't simple.

People like my parents really just want something to protect them from
the viruses and script kiddies, and provide other network services.
That doesn't make them wrong, they just have different needs.

Personally, I think m0n0wall has done a great job so far of walking the
line between the two extremes of need.  Would an NTP server be useful
to some?  No doubt it would.  Would that make it less secure?  Yes,
from the inside it would be somewhat less secure.  Is that really a
problem?  I personally don't think so.

m0n0wall is a great product.  The simplicity, the UI, and the single config
in XML are all awesome.  The tiny size is great.  Any feature that has a
small impact on size, is a network service, would benefit a significant
portion of people, and have minimal impact on CPU usage makes sense to
have in my opinion for those that need it.  As long as it can be turned
off, or perhaps even defaults to off, what harm does it do those of us
that want "just a firewall"?

Ok, I'm done with my soapbox now.

just my thoughts on things,
jim gifford