I've been testing my m0n0wall for the entire weekend, and I've come up
with a few suggestions for improvements. Personally I'll try to
implement them in my own m0n0wall on my own. I will share my success if
I ever reach it. =)

1. More advanced firewall rules.
Ipfw is a quite powerful packet filter that allows for advanced firewall
rulesets. The advantage of having this powerful tool in a simple web
interface is huge. Examples are default allow/deny rules, ability to
have specific response rules (in particular I'd like to send a RST to
stupid IE browsers that try to start a conversation with just a SYNACK,
so they don't have to timeout). Also, malicious packets should be
stopped by default (SYNFIN, ICMP REDIR, short packets, packets with
ipopts and such). Also, some option to filter based on MAC addresses
would be sweet, such as not allowing access to MACs not registered
through the DHCP server or so. This could make a hell of a firewall.

2. Personally I run a name server for two domains with little traffic.
If only my m0n0wall could handle them for me. There are a few tiny DNS
servers available (tinydns is one, that will also work beautifully as a
caching name server). I know there are a lot of people thinking that a
firewall is a firewall, and as such it should be kept clean. Personally,
I don't care that much.

3. Adding ARP entries for the static DHCP mappings automatically (i.e.
arp -s; I have a few pieces of obscure network hardware that use RARP
to find their IPs), and also an extra setting "hostname" in which we
could _force_ a hostname to a particular MAC address. I'm not sure how
this would work with dnsmasq --dhcp-lease, but it might be possible to
4. Seriously, how many of us use a 4Mb flash card? The tiniest flash
be reasonable to demand. Then we could get a little more functionality
(like running tinydns...).
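The default-deny and bogus-packet filters asked for in point 1, as an added example that is not from the original post and not m0n0wall's own configuration, written in FreeBSD 5.x-era ipfw2 syntax; the interface names xl0/xl1, the 192.168.1.0/24 LAN prefix and the registered MAC are placeholders.

```shell
#!/bin/sh
# Added example: ipfw2 ruleset sketch for the "stop bad packets by default"
# and "only registered MACs" wishes. Placeholders (assumed, not from the
# post): WAN/LAN interfaces, LAN prefix, one MAC from a static DHCP mapping.
# Invoke with "apply" as root to load; anything else only defines the function.
WAN=${WAN:-xl0}
LAN=${LAN:-xl1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
KNOWN_MAC=${KNOWN_MAC:-00:11:22:33:44:55}
IPFW=${IPFW:-ipfw}   # set IPFW=echo to review the generated rules without loading

load_rules() {
    "$IPFW" -q flush
    "$IPFW" add 100 allow ip from any to any via lo0
    # dynamic rules first: replies to connections we opened ourselves
    "$IPFW" add 200 check-state
    # impossible flag combinations are never legitimate traffic
    "$IPFW" add 300 deny log tcp from any to any tcpflags syn,fin
    "$IPFW" add 310 deny log tcp from any to any tcpflags syn,rst
    # source routing, record route and timestamp IP options
    "$IPFW" add 320 deny log ip from any to any ipoptions ssrr,lsrr,rr,ts
    # ICMP type 5 (redirect): a gateway should not accept these from the wire
    "$IPFW" add 330 deny log icmp from any to any icmptypes 5
    # non-initial fragments (closest ipfw2 match to the "short packets" wish)
    "$IPFW" add 340 deny log ip from any to any frag
    # LAN hosts may only send if their source MAC is a registered one
    # (layer-2 matching needs sysctl net.link.ether.ipfw=1)
    "$IPFW" add 400 allow ip from "$LAN_NET" to any MAC any "$KNOWN_MAC" in via "$LAN"
    "$IPFW" add 410 deny log ip from any to any in via "$LAN"
    # stateful outbound access for the LAN
    "$IPFW" add 500 allow tcp from "$LAN_NET" to any out via "$WAN" setup keep-state
    "$IPFW" add 510 allow udp from "$LAN_NET" to any out via "$WAN" keep-state
    # unsolicited SYN+ACK from the WAN: answer with RST instead of a silent drop
    "$IPFW" add 600 reset tcp from any to me in via "$WAN" tcpflags syn,ack
    # explicit default deny so policy does not depend on the kernel default
    "$IPFW" add 65000 deny log ip from any to any
}

if [ "${1:-}" = apply ]; then
    load_rules
fi
```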