Yes, I have asked about this before as well but haven't heard it for a while. I just wish I were better with PHP! Maybe when I have more time.

It seems like a lot of people are requesting a lot of features to make this more and more cool (and don't get me wrong, it is cool), but they don't have a lot to do with the core function (firewall/packet filter). In this area it is just a couple of features away from being a seriously heavy duty enterprise firewall. This is just my humble opinion; take it for what it's worth.

1. Better network/service definitions and grouping

It would be nifty, in theory, to be able to define network groups and service groups to be applied to rules as well. Like this:

    Network Group A = networkA, networkB, networkC
    Service Group lan-outbound = http, https, smtp, pop3

    allow (Network Group A) sport any to (any host) dport lan-outbound

so you can go from 4 separate firewall rules in the interface to one that does the same thing, allowing basic web and mail outbound to the internet.

I am a big believer in serious egress filtering, to not only protect you from the evils of the internet but (and perhaps more importantly) to protect the internet from one of your users that might end up with a worm or something. This really pads out the rules. I have (just in my personal m0n0wall) 10 separate rules just defining allowed outbound traffic from the LAN to the internet. With grouping it could all be one rule.

2. Indirect antivirus/content filtering support (some day far far in the future)

I am in no way suggesting implementing this in the m0n0wall, but it would be cool to see something like Content Vectoring Protocol support so that you could utilize 3rd party software, like the software from Check Point OPSEC partners like Symantec and SurfWatch.

That way, people that want the extended functionality like content filtering/monitoring, transparent cache proxy and antivirus just turn on CVP, choose their protocol and point it at a server internally, without impacting the actual firewall performance.

3. Remote management API/multi-firewall console (way way way in the future)

So you could maintain 10-20-30 m0n0walls from one location.

David

On Thursday 13 May 2004 18:24, Adam Nellemann wrote:
> David Rodgers wrote:
> > Since we have all this cool stuff to look forward to, any chance that some
> > day we might see the host/network aliases that we create auto added to
> > the drop down boxes for packet filter and NAT rules, so that there is no
> > chance of screwing up when typing the aliases in the blue box.
> >
> > And then (sigh, please don't hurt me) maybe a service definition section
> > like the network aliases definitions that add to the services drop down
> > box, so you don't have to keep typing in port numbers for each rule if you
> > are doing a lot of them.
> >
> > These are the only things that I personally thought this project lacked
> > in the first place.
>
> First of all, I think this has already been suggested by others and
> myself.
>
> That being said, I totally agree with you, these two features
> (host/network aliases in drop downs wherever applicable and a list of
> custom service aliases) would be the final touch to this great
> product, and make life a lot easier for most, if not all, users of
> m0n0wall.
>
> In addition, I'd like to see more "blue boxes", as there are still a
> few places where you have to enter IPs and networks manually. IMHO the
> ideal would be if one could keep ALL IPs and networks (and custom
> service ports) in the alias list(s), so as to ensure that these only
> have to be changed in one single spot (would also make it easier to
> use a script or program to make/modify/maintain the config.xml!)
>
> Just my two cents (added to yours)
>
>
> Adam.