 From:  David Rodgers <david dot rodgers at kdsi dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Host/Network Aliases .... Pretty Please
 Date:  Thu, 13 May 2004 20:07:09 -0500
Yes, I have asked about this before as well but haven't heard it for a while. 
I just wish I were better with php! Maybe when I have more time. 

It seems like a lot of people are requesting a lot of features to make this 
more and more cool (and don't get me wrong, it is cool), but they don't have a 
lot to do with the core function (firewall/packet filter). In this area it is 
just a couple of features away from being a seriously heavy-duty enterprise 
firewall. This is just my humble opinion; take it for what it's worth.

1.  Better network/service definitions and grouping
It would be nifty, in theory, to be able to define network groups and service 
groups to be applied to rules as well.

Like this

Network Group A = networkA, networkB, networkC
Service Group lan-outbound = http, https, smtp, pop3

allow (Network Group A) sport any to (any host) dport lan-outbound

so you can go from 4 separate firewall rules in the interface to one that does 
the same thing, allowing basic web and mail outbound to the internet.

I am a big believer in serious egress filtering to not only protect you 
from the evils of the internet but (and perhaps more importantly) to protect 
the internet from one of your users that might end up with a worm or 
something. 

This really pads out the rules I have (just in my personal m0n0wall): 10 
separate rules just defining allowed outbound traffic from the LAN to the 
internet. With grouping it could all be one rule.  

2. Indirect Antivirus/Content filtering support (some day far far in the 
future)

I am in no way suggesting implementing this in the m0n0wall, but it would be 
cool to see something like content vectoring protocol support so that
you could utilize 3rd party software like the software from Checkpoint OPSEC 
partners like Symantec and SurfWatch. 

That way, people who want the extended functionality like content 
filtering/monitoring, transparent cache proxy and antivirus just turn on 
CVP, choose their protocol and point it at a server internally without 
impacting the actual firewall performance.

3. Remote Management API/Multifirewall console (way way way in the future)

So you could maintain 10-20-30 m0n0walls from one location.

David

On Thursday 13 May 2004 18:24, Adam Nellemann wrote:
> David Rodgers wrote:
> > Since we have all this cool stuff to look forward to any chance that some
> > day we might see the host/network aliases that we create auto added to
> > the drop down boxes for packet filter and nat rules so that there is no
> > chance of screwing up when typing the aliases in the blue box.
> >
> > And then (sigh please don't hurt me) maybe a service definition section
> > like the network aliases definitions that add to the services drop down
> > box so you don't have to keep typing in port numbers for each rule if you
> > are doing a lot of them.
> >
> > These are the only things that I personally thought this project lacked
> > in the first place.
>
> First of all, I think this has already been suggested by others and
> myself.
>
> That being said, I totally agree with you, these two features
> (host/network aliases in drop downs wherever applicable and a list of
> custom service aliases) would be the final touch to this great
> product, and make life a lot easier for most, if not all, users of
> m0n0wall.
>
> In addition, I'd like to see more "blue boxes", as there are still a
> few places where you have to enter IPs and networks manually. IMHO the
> ideal would be if one could keep ALL IPs and networks (and custom
> service ports) in the alias list(s), so as to ensure that these only
> have to be changed in one single spot (would also make it easier to
> use a script or program to make/modify/maintain the config.xml!)
>
> Just my two cents (added to yours)
>
>
> Adam.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
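The grouping David describes above (one rule written against a network group and a service group standing in for a dozen concrete filter rules, with alias typos caught before they become a hole) can be shown with a small expander. This is an added example, not m0n0wall code and not from either poster; it is in Python rather than m0n0wall's PHP, and the alias tables, the group names `groupA` / `lan-outbound`, the `Rule` record and the ipfilter-style text rendering are all constructed for illustration.

```python
"""Expand grouped firewall rules (network group x service group) into the
concrete rules a packet filter actually evaluates, and reject rules that
reference an alias that was never defined.

Added example: the alias tables below are constructed, not a real config.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

# Constructed alias tables. A network alias maps to a CIDR, a service alias
# to (protocol, port), and a group is an ordered list of alias or group names.
NETWORKS: Dict[str, str] = {
    "networkA": "192.168.1.0/24",
    "networkB": "192.168.2.0/24",
    "networkC": "10.0.0.0/24",
}
SERVICES: Dict[str, Tuple[str, int]] = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "smtp": ("tcp", 25),
    "pop3": ("tcp", 110),
}
NETWORK_GROUPS: Dict[str, List[str]] = {
    "groupA": ["networkA", "networkB", "networkC"],
}
SERVICE_GROUPS: Dict[str, List[str]] = {
    "lan-outbound": ["http", "https", "smtp", "pop3"],
}


class UnknownAlias(KeyError):
    """A rule referenced an alias that is not defined (e.g. a typo)."""


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str
    dport: int


def resolve_networks(name: str) -> List[str]:
    """Return the CIDRs behind a network alias, a group, or the literal 'any'."""
    if name == "any":
        return ["any"]
    if name in NETWORK_GROUPS:
        cidrs: List[str] = []
        for member in NETWORK_GROUPS[name]:   # groups may nest
            cidrs.extend(resolve_networks(member))
        return cidrs
    if name in NETWORKS:
        return [NETWORKS[name]]
    raise UnknownAlias(f"network alias {name!r} is not defined")


def resolve_services(name: str) -> List[Tuple[str, int]]:
    """Return the (proto, port) pairs behind a service alias or group."""
    if name in SERVICE_GROUPS:
        svcs: List[Tuple[str, int]] = []
        for member in SERVICE_GROUPS[name]:
            svcs.extend(resolve_services(member))
        return svcs
    if name in SERVICES:
        return [SERVICES[name]]
    raise UnknownAlias(f"service alias {name!r} is not defined")


def expand_rule(action: str, src: str, dst: str, service: str) -> List[Rule]:
    """One grouped rule -> every concrete (src, dst, proto, port) rule it implies."""
    return [
        Rule(action, s, d, proto, port)
        for s, d, (proto, port) in product(
            resolve_networks(src), resolve_networks(dst), resolve_services(service)
        )
    ]


def expand_ruleset(grouped: List[Tuple[str, str, str, str]]) -> List[Rule]:
    """Expand every grouped rule in order; order matters for first-match filters.
    Any undefined alias raises UnknownAlias before a partial ruleset is returned."""
    rules: List[Rule] = []
    for action, src, dst, service in grouped:
        rules.extend(expand_rule(action, src, dst, service))
    return rules


def render_ipf(rule: Rule, iface: str = "sis0") -> str:
    """Render a rule in ipfilter-style text (assumed syntax, for display only)."""
    return (f"{rule.action} in quick on {iface} proto {rule.proto} "
            f"from {rule.src} to {rule.dst} port = {rule.dport} keep state")


# Constructed sample: the single grouped rule from the post.
GROUPED_RULES = [("pass", "groupA", "any", "lan-outbound")]

if __name__ == "__main__":
    for r in expand_ruleset(GROUPED_RULES):
        print(render_ipf(r))
```

Running it prints the twelve concrete rules (three networks times four services) that the one grouped rule stands for; misspelling an alias in `GROUPED_RULES` raises `UnknownAlias` instead of silently producing a rule that matches nothing, which is the failure the drop-down request in the thread is meant to prevent.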