 From:  Adam Nellemann <adam at nellemann dot nu>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] suggestion
 Date:  Wed, 02 Jun 2004 20:28:41 +0200
Uli Wachowitz wrote:

> 2004-06-02 18:45, Andrew Eglington wrote:
> 
> 
>>Network traffic logger that:
>>- given a start and end date will show the *total* amount of data
>>in/out.

As Uli says, this can easily be accomplished through SNMP using a tool 
such as MRTG or similar, providing that you have some always-on box on 
which you can have such a tool running!

That being said, I can see the use of such a feature on m0n0wall 
(albeit I'd suggest a more flexible tool be implemented, in order for 
it to be useful for a wider range of people, not that I know exactly 
what that would entail?)


> Please don't even think about adding such (doubtless nice) function. If
> you need something like that, use external tools. Same goes for the
> traffic graph (IMHO). 

Well, that is always an easy opinion to have, IF you are lucky enough 
to have access to one or more always-on box(en) and IF you happen to 
know how to set up and use such tools!

Personally I find it a bit annoying that people who DO have such boxen 
typically don't seem to recognize the fact that many people do NOT 
have this option (or at least, would have to pay good money or 
otherwise go to certain unwanted extents to do so).

This is especially true for a project like m0n0wall, which was hardly 
meant to be a tool for hardcore corporate server admins with 100+ 
hosts on their network, but rather a monolithic firewall solution for 
use in small LAN environments (such as SOHO and private/home 
networks!) The fact that it is ALSO useful for people with larger, 
corporate, networks, is a credit to Manuel's work, not a reason to make 
m0n0wall into something it wasn't meant to be (all this IMHO of course!)


> You can do countless things with mrtg/mrtgfe and similar tools. 

Yes, IF you know how to set it up and use it, IF you have a box to run 
it on, IF you don't mind using an extreme overkill solution, and so on 
and so forth. Not quite the same as navigating to the m0n0wall webGUI 
and accessing a certain page with a little WAN usage info on it.


> My mantra was, is and will always be: "A firewall is a firewall is a
> firewall!"

Apparently, and not only have we heard it often before, but it is also 
quite a narrow-minded way to look at things (IMHO, and no offence 
intended), m0n0wall in particular, which was never meant to be JUST a 
firewall, as there would then be only one page in the webGUI, namely 
the one with the firewall rules!


> Nothing more, nothing less. 

I'd suggest that you find such a product then, because m0n0wall 
obviously isn't it, seeing as it has NAT, Traffic shaping, DNS 
forwarder, DHCP server, DynDNS client, and... and... All of which 
can't be said to be strictly firewall related.

I accept the fact that I can't expect m0n0wall to have all and every 
feature I want or need, and more to the point: That it might have some 
that I don't need or want. I don't understand why certain people have 
such a hard time accepting this "fact of life"?


> And yes, I know, things like that have been discussed countless times
> before.

Oh yes, and I'd like to apologise for being instrumental in 
perpetuating this discussion. Also, if any of the above come across as 
"flaming", I'd like to apologise for that too, it's just that, as a 
home user myself, I grow tired of seeing the "not on a firewall" 
answer so much in relation to m0n0wall, which clearly hasn't been 
"just a firewall" for quite some time.

Personally I do NOT have a 24/7 box on which I can run all the stuff 
that many people seem to think shouldn't be on the m0n0wall box, so 
I'm perfectly happy with any additional feature m0n0wall gets, as long 
as the various security, storage, and other issues are taken into account.

Even if I could easily take some old PC from my attic, set it up to 
run DHCP, DNS, MRTG and whatnot, why would I want to have yet another 
complex box, full of moving, noisy parts, running in my dining room 
closet (aka. "my server room"), when I can have it all in a 
no-moving-parts tin-box running m0n0wall?

That, IMHO, is an option suited for admins of large corporate 
networks, where uptime, stability and extreme and convoluted security 
measures are appropriate concerns. Not for someone wanting something 
better for their home network, than what is offered commercially (all 
of which is of appalling quality, compared to m0n0wall).

Also, I still haven't heard any really good arguments against adding 
these things? As long as they do not pose a potential security risk or 
take up extreme amounts of CF space or RAM, and can be disabled (or 
come in the form of user installable modules), I really fail to see 
ANY reason for NOT implementing a particular "feature" (aside, of 
course, from the one relating to the developer(s) time and energy!)

I'm not saying that the suggested feature, or any other, should be 
added without due consideration, just that there are very good 
arguments for not making m0n0wall a "firewall is a firewall is a 
firewall" product.


There, I said it, it's out of my system ;)
(I just hope I didn't offend too many people in the process?)


Adam.
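The SNMP route that Uli and Adam mention, as an added example that is not code from the list, from MRTG or from m0n0wall: given readings of the IF-MIB ifInOctets/ifOutOctets counters polled from the WAN interface (the poller, e.g. snmpget from a cron job, is assumed; the sample readings below are constructed), sum the per-interval deltas between a start and end date to get the total bytes in/out, correcting for the 32-bit counter wrap that these objects are subject to.

```python
from datetime import datetime

COUNTER32_MAX = 2 ** 32  # ifInOctets/ifOutOctets are Counter32 objects in IF-MIB

# Constructed sample of polled readings: (poll time, ifInOctets, ifOutOctets),
# as a 5-minute SNMP poller would record them. The in-counter wraps at 00:05.
SAMPLES = [
    ("2004-06-01T23:55:00", 4294000000, 100000),
    ("2004-06-02T00:00:00", 4294900000, 250000),
    ("2004-06-02T00:05:00",     500000, 400000),  # 32-bit wrap of the in-counter
    ("2004-06-02T00:10:00",    1500000, 700000),
    ("2004-06-03T00:00:00",    9000000, 900000),
]


def counter_delta(prev, cur, width=COUNTER32_MAX):
    """Octets transferred between two readings, correcting for one counter wrap.

    Caveat: more than one wrap between polls (easy on a fast link with
    Counter32) or a device reboot (counters restart at 0) is indistinguishable
    from a single wrap; poll often enough, or use the 64-bit ifHCInOctets /
    ifHCOutOctets where the device supports them.
    """
    return cur - prev if cur >= prev else cur + width - prev


def total_bytes(samples, start, end):
    """Total (in, out) octets for all polling intervals ending in (start, end].

    An interval is attributed to the time of its second reading, so the
    window boundaries are resolved to the poller's granularity.
    """
    start_t = datetime.fromisoformat(start)
    end_t = datetime.fromisoformat(end)
    total_in = total_out = 0
    prev = None
    for ts, octets_in, octets_out in samples:
        t = datetime.fromisoformat(ts)
        if prev is not None and start_t < t <= end_t:
            total_in += counter_delta(prev[0], octets_in)
            total_out += counter_delta(prev[1], octets_out)
        prev = (octets_in, octets_out)
    return total_in, total_out


if __name__ == "__main__":
    tin, tout = total_bytes(SAMPLES, "2004-06-02T00:00:00", "2004-06-02T23:59:59")
    print(f"2004-06-02: in={tin / 1e6:.2f} MB out={tout / 1e6:.2f} MB")
```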