On Friday 14 May 2004 08:34, you wrote:
> Heavy duty enterprise ... lol ... I think you never saw a real firewall
> ... a firewall is not a packetfilter ... a firewall is a system with a
> lot of components and m0n0wall is far away from this ...

I'm sorry, but I disagree completely. m0n0wall is not far away from this. In fact, in its existing state it is not very different from the Checkpoint and NetScreen boxes that I have to work with every day. A "real firewall", as you put it, doesn't include a system with a lot of components; a "real firewall" is a gateway device that does nothing more than keep traffic that you don't want somewhere from getting there. It's all in how you configure it. It's true that direct from an install m0n0wall is much more like a Tinkertoy and more closely related to a SonicWall SOHO device, but the power is there .... you just have to know what to do with it. This software is truly capable of ANYTHING, and the throughput is FASTER than a Nokia IP440 running Checkpoint by almost 20%, and I benchmarked the m0n0 doing the same job on a Nokia IP120 box (less than half the RAM and CPU). Just imagine how well it would perform on a piece of hardware like the 440 (that it will run on). Remember, Checkpoint's IPSO platform isn't really anything more than a hacked-up BSD in itself. I don't think you really understand the power of what you have here.

Also .... I would tend to trust something that is completely open a lot more than a closed source product that, for all you know, could have been designed purposely with backdoors to allow your government or the mothership (software/hardware designers) to snoop on your network. It is generally believed that this doesn't happen, but do you know FOR SURE? Do you really think that a large corporation is above this? If you do, you are more green than you let on. But your email address does say webmaster, not security officer. You just aren't paranoid enough!

> whatever, what you want, it's better to write scripts ... like most
> pros do here, to create a config.xml then upload it ... and read the
> m0n0wall homepage ... Manuel is finished with m0n0wall because it's
> called 1.0 ! Maybe some day there is "m0n0wall 2" but I won't bet.

If it is finished, why is there a new beta released 5 days ago?

> And Virus filtering ... omg ... you have to learn a lot ... but I don't
> think I should further comment on this crap

I have a lot to learn? To know all this stuff and recognize how green I am, you must be a l33t h4x0r. CVP is an open protocol API that is actually documented:
http://www.checkpoint.com/support/technical/sdksupport/docs/apis/specs/cvptoc.html
and there are already hundreds of 3rd party products that can do anything from detecting and stomping malware and viruses mid-stream to content filtering for business, and it is done outside the firewall so it doesn't slow down your gateway device.

David

> > Yes, I have asked about this before as well but haven't heard it for a
> > while. I just wish I were better with php! Maybe when I have more time.
> >
> > It seems like a lot of people are requesting a lot of features to make
> > this more and more cool (and don't get me wrong, it is cool) but they
> > don't have a lot to do with the core function (firewall/packetfilter). In
> > this area it is just a couple of features away from being a seriously
> > heavy duty enterprise firewall. This is just my humble opinion; take it
> > for what it's worth.
> >
> > 1. Better network/service definitions and grouping
> >
> > It would be nifty, in theory, to be able to define network groups and
> > service groups to be applied to rules as well.
> >
> > Like this:
> >
> > Network Group A = networkA, networkB, networkC
> > Service Group lan-outbound = http, https, smtp, pop3
> >
> > allow (Network Group A) sport any to (any host) dport lan-outbound
> >
> > so you can go from 4 separate firewall rules in the interface to one that
> > does the same thing, allowing basic web and mail outbound to the internet.
> >
> > I am a big believer in serious egress filtering, to not only protect you
> > from the evils of the internet but (and perhaps more importantly) to
> > protect the internet from one of your users that might end up with a worm
> > or something.
> >
> > This really pads out the rules I have (just in my personal m0n0wall): 10
> > separate rules just defining allowed outbound traffic from the LAN to the
> > internet. With grouping it could all be one rule.
> >
> > 2. Indirect antivirus/content filtering support (some day far, far in the
> > future)
> >
> > I am in no way suggesting implementing this in the m0n0wall, but it would be
> > cool to see something like Content Vectoring Protocol support so that
> > you could utilize 3rd party software like the software from a Checkpoint
> > OPSEC partner like Symantec and SurfWatch.
> >
> > That way, people that want the extended functionality like content
> > filtering/monitoring, transparent cache proxy and antivirus just turn
> > on CVP, choose their protocol and point it at a server internally, without
> > impacting the actual firewall performance.
> >
> > 3. Remote management API/multi-firewall console (way, way, way in the future)
> >
> > So you could maintain 10-20-30 m0n0walls from one location.
> >
> > David
> >
> > On Thursday 13 May 2004 18:24, Adam Nellemann wrote:
> >> David Rodgers wrote:
> >>> Since we have all this cool stuff to look forward to, any chance that
> >>> some day we might see the host/network aliases that we create auto
> >>> added to the drop down boxes for packet filter and NAT rules, so that
> >>> there is no chance of screwing up when typing the aliases in the blue
> >>> box?
> >>>
> >>> And then (sigh, please don't hurt me) maybe a service definition section,
> >>> like the network aliases definitions, that adds to the services drop down
> >>> box so you don't have to keep typing in port numbers for each rule if
> >>> you are doing a lot of them.
> >>>
> >>> These are the only things that I personally thought this project lacked
> >>> in the first place.
> >>
> >> First of all, I think this has already been suggested by others and
> >> myself.
> >>
> >> That being said, I totally agree with you: these two features
> >> (host/network aliases in drop downs wherever applicable and a list of
> >> custom service aliases) would be the final touch to this great
> >> product, and make life a lot easier for most, if not all, users of
> >> m0n0wall.
> >>
> >> In addition, I'd like to see more "blue boxes", as there are still a
> >> few places where you have to enter IPs and networks manually. IMHO the
> >> ideal would be if one could keep ALL IPs and networks (and custom
> >> service ports) in the alias list(s), so as to ensure that these only
> >> have to be changed in one single spot (would also make it easier to
> >> use a script or program to make/modify/maintain the config.xml!)
> >>
> >> Just my two cents (added to yours)
> >>
> >>
> >> Adam.
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
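The grouping idea quoted above (a network group crossed with a service group, collapsing many rules into one), as an added example that is not part of this thread or of m0n0wall: a small Python expander that resolves network and service aliases, expands one grouped rule into the flat per-network, per-port rules a packet filter actually evaluates, validates the aliases so a typo fails loudly instead of silently matching nothing (or everything), and appends the default deny that turns an allow list into real egress filtering. The alias tables, network addresses and the ipfilter-style output syntax are constructed for illustration and are assumptions, not the project's own config.xml format or rule engine.

```python
"""Expand grouped firewall rules into flat per-network, per-service rules.

Added example, not m0n0wall code. Alias names, addresses and the
ipfilter-style output syntax are constructed for illustration.
"""
import ipaddress
from itertools import product

# Constructed alias tables: the "blue box" definitions the thread asks for.
NETWORKS = {
    "networkA": "192.168.1.0/24",
    "networkB": "192.168.2.0/24",
    "networkC": "10.0.5.0/24",
}
# Service aliases map to (protocol, port).
SERVICES = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "smtp": ("tcp", 25),
    "pop3": ("tcp", 110),
}
NETWORK_GROUPS = {"group-a": ["networkA", "networkB", "networkC"]}
SERVICE_GROUPS = {"lan-outbound": ["http", "https", "smtp", "pop3"]}


def resolve_networks(name):
    """A network group, a single alias, or a literal CIDR, each validated.

    strict=True rejects a prefix with host bits set, so a mistyped network
    raises ValueError instead of quietly matching the wrong range.
    """
    names = NETWORK_GROUPS.get(name, [name])
    nets = []
    for alias in names:
        cidr = NETWORKS.get(alias, alias)  # literal CIDR falls through
        nets.append(str(ipaddress.ip_network(cidr, strict=True)))
    return nets


def resolve_services(name):
    """A service group or single service alias; an unknown alias is a KeyError."""
    if name == "any":
        return [("any", None)]
    names = SERVICE_GROUPS.get(name, [name])
    return [SERVICES[alias] for alias in names]


def expand_rule(action, src, dst, dport, iface="lan"):
    """One grouped rule -> list of (action, iface, proto, src, dst, port).

    Networks are the outer loop, services the inner, so output order is stable.
    """
    rules = []
    for net, (proto, port) in product(resolve_networks(src), resolve_services(dport)):
        rules.append((action, iface, proto, net, dst, port))
    return rules


def render_ipf(rule):
    """Render one flat rule in an ipfilter-style syntax (assumed format)."""
    action, iface, proto, src, dst, port = rule
    verb = "pass" if action == "allow" else "block"
    line = f"{verb} in quick on {iface}"
    if proto != "any":
        line += f" proto {proto}"
    line += f" from {src} to {dst}"
    if port is not None:
        line += f" port = {port}"
    if action == "allow":
        line += " keep state"
    return line


def build_egress_policy():
    """The thread's single grouped allow rule, then a catch-all block.

    With first-match ("quick") semantics the block must come last; without it
    the allow list is just documentation, not egress filtering.
    """
    rules = expand_rule("allow", "group-a", "any", "lan-outbound")
    rules.append(("block", "lan", "any", "any", "any", None))
    return rules


if __name__ == "__main__":
    for rule in build_egress_policy():
        print(render_ipf(rule))
```

With the three networks and four services above, the one grouped line expands to 12 concrete pass rules plus the trailing block; adding a fifth service to the group grows the output, not the policy you maintain. The validation is the part worth keeping: a group member that is not defined raises immediately, which is the "no chance of screwing up when typing the aliases" property the thread is asking the GUI for.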