 From:  Adam Nellemann <adam at nellemann dot nu>
 To:  Uli Wachowitz <uli at wach dash o dash witz dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] suggestion
 Date:  Wed, 02 Jun 2004 22:29:49 +0200
Uli Wachowitz wrote:

> 2004-06-02 20:28, Adam Nellemann wrote:
> 
>>such as MRTG or similar, providing that you have some always-on box on
> 
> Agreed
> 
> 
>>That being said, I can see the use of such a feature on m0n0wall 
> 
> Me too
> 
> 
>>Well, that is always an easy opinion to have, IF you are lucky enough 
>>to have access to one or more always-on box(en) and 
> 
> Again, I agree. The fact that not everyone has the possibility to own
> those 'always-on-boxes' has to be considered. I don't know right now
> what to answer in that case
> 
> 
>>IF you happen to know how to setup and use such tools!
> 
> If you don't know, you can always learn it. I mean, if you are
> responsible for a firewall or your amount of traffic, you should have
> enough ambition to learn that.

The point I was making was this:

Even though someone (such as me, or the original poster perhaps) 
chooses to use m0n0wall, it does not necessarily mean that a large 
amount of traffic, nor a large number of hosts, are involved. Today, 
even we home users (and I understand you are one too) feel the need to 
secure our LAN from the "baddies" on the WAN.

Thus a number of m0n0wall users will have the need for m0n0wall (and 
some also the need for monitoring their WAN usage), but perhaps not to 
the extent that they can justify taking the time to learn all sorts of 
(more or less) difficult-to-use tools. I guess this might even be 
their reason for choosing a "compound product" like m0n0wall, where 
they only have to learn a single interface, and can get help from a 
single mailing list etc.


>>typically don't seem to recognize the fact that many people do NOT 
>>have this option
> 
> Believe me, I recognize this fact. As I said above, I don't know what to
> answer in this case. Maybe I'm a bit arrogant, but I'm just phrasing my
> opinion.

Ok, fair enough. And no, I wouldn't say you come across as arrogant, 
at least not after reading your response to my post ;)


>>This is especially true for a project like m0n0wall, which was hardly 
>>meant to be a tool for hardcore corporate server admins
> 
> OK, point for you
> 
> 
>>Yes, IF you know how to set it up and use it
> 
> Learn it

See my point above!


>>IF you have a box to run
> 
> Build one

Well, personally I'm one of those who like to do so (I'm even lucky 
enough to have the money for it), but many do not.


>>Apparently, and not only have we heard it often before, but it is also
>>quite a narrow-minded way to look at things (IMHO, and no offence 
>>intended), m0n0wall in particular, which was never meant to be JUST a 
>>firewall, as there would then be only one page in the webGUI, namely 
>>the one with the firewall rules!
> 
> Mhh, if so, I might have misunderstood the intention of this project

This, I guess, depends on what exactly your definition of the term 
"firewall" is, something which seems to differ a lot from person to 
person (and from firewall to firewall!)


>>I'd suggest that you find such a product then, because m0n0wall 
>>obviously isn't it, seeing as it has NAT, Traffic shaping, DNS 
>>forwarder, DHCP server, DynDNS client, and... and... All of which 
>>can't be said to be strictly firewall related.
> 
> This depends on how you define 'firewall'. One could (and should) also
> say that a firewall is a concept, not only a box full of functions.

That might be the right way to look at it.


>>I accept the fact that I can't expect m0n0wall to have all and every 
>>feature I want or need, and more to the point: that it might have some
>>that I don't need or want. I don't understand why certain people have 
>>such a hard time accepting this "fact of life"?
> 
> *sigh*
> 
> 
>>Oh yes, and I'd like to apologise for being instrumental in 
>>perpetuating this discussion. Also, if any of the above comes across as
>>"flaming", I'd like to apologise for that too, 
> 
> No, believe me, I'll never see answers like yours as flaming. We are all
> different individuals with different points of view. As long as we
> discuss things in a fair and respectful way every opinion should be
> listened to.

I'm glad you feel this way (which is how I feel too).


>>I'm perfectly happy with any additional feature m0n0wall gets, as long
>>as the various security, storage, and other issues are taken into
>>account.
> 
> The more features, the more points of failure. But I see your point.

Only if said features are enabled. If implemented properly, a disabled 
feature shouldn't impact the functioning of the firewall, just like it 
shouldn't pose a security risk (potential or otherwise).


>>why would I want to have yet another 
>>complex box, full of moving, noisy parts, 
> 
> Because it is fun to assemble something like this?

In my case that is a really good argument, but as I said earlier, this 
might not be the case for everybody ;)


>>running in my dining room 
> 
> You need a separate server room ;-)

Hehe! I guess I do, but alas, all my rooms are already in use :(


>>That, IMHO, is an option suited for admins of large corporate 
>>networks, where uptime, stability and extreme and convoluted security 
>>measures are appropriate concerns.
> 
> Well, you've just described my Home-LAN

Ah well, my LAN setup could perhaps also be said to be slightly 
overkill, considering my needs, since I too like to fiddle with these 
things. Again this might not be how everyone feels.


>>Also, I still haven't heard any really good arguments against adding 
>>these things? As long as they do not pose a potential security risk or
>>take up extreme amounts of CF space or RAM, and can be disabled (or 
>>come in the form of user installable modules), 
> 
> Avoiding security risks will become more and more difficult the more
> features you add. Making features as modules would give the users the
> freedom to decide what risk to take.

I basically agree that any feature that isn't used by a majority of 
users should be implemented as a module (although, in that case, it 
would be nice if the m0n0wall modules were a bit easier to 
"plug'n'play" for the novice user)

However, my point about a properly implemented "feature" not impacting 
security when disabled still applies.


>>I'm not saying that the suggested feature, or any other, should be 
>>added without due consideration, just that there are very good 
>>arguments for not making m0n0wall a "firewall is a firewall is a 
>>firewall" product.
> 
> This depends on everyone's personal point of view. Mine is, it is a tool
> to secure my net, with VPN if I like, etc. If I want some colorful,
> noisy gizmos and fancy reports and bells 'n' whistles, well, ok, I'll know
> my way to get all this, but I simply don't like those fancy things on a
> device which is 'merely' responsible for my protection.

But I LIKE colorful gizmos, I'll even pay extra for them... ;)

No, seriously: I completely agree with you on this (in relation to a 
firewall box at least). But I guess it will always be a tradeoff 
between what some would consider a suitably "clean, no-frills" 
firewall, and what others feel is a nice "all-in-one" solution.


>>(I just hope I didn't offend too many people in the process?)
> 
> Same goes for me

Hehe, I guess if anyone took offence, it will be their problem then, 
as we are both fine with this ;)


To conclude: I think we basically agree on most things, with perhaps a 
few minor variations in how we like to see things done.


Adam.