 From:  Thomas Hertz <thomas at hz dot se>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Suggestions for next version.
 Date:  Sun, 28 Sep 2003 19:45:38 +0200
Hello,
I've been testing my m0n0wall for the entire weekend, and I've come up 
with a few suggestions for improvements. Personally I'll try to 
implement them in my own m0n0wall on my own. I will share my success if 
I ever reach it. =)

1. More advanced firewall rules.
Ipfw is a quite powerful packet filter that allows for advanced firewall 
rulesets. The advantage of having this powerful tool in a simple web 
interface is huge. Examples are default allow/deny rules, ability to 
have specific response rules (in particular I'd like to send a RST to 
stupid IE browsers that try to start a conversation with just a SYNACK, 
so they don't have to time out). Also, malicious packets should be 
stopped by default (SYNFIN, ICMP REDIR, short packets, packets with 
ipopts and such). Also, some option to filter based on MAC addresses 
would be sweet, such as not allowing access to MACs not registered 
through the DHCP server or so. This could make a hell of a firewall.

2. Personally I run a name server for two domains with little traffic. 
If only my m0n0wall could handle them for me. There are a few tiny DNS 
servers available (tinydns is one, that will also work beautifully as a 
caching name server). I know there are a lot of people thinking that a 
firewall is a firewall, and as such it should be kept clean. Personally, 
I don't care that much.

3. Adding arp entries for the static DHCP mappings automatically (i.e. 
arp -s, I have a few pieces of obscure network hardware that use RARP 
to find their IPs), and also an extra setting "hostname" in which we 
could _force_ a hostname to a particular MAC address. I'm not sure how 
this would work with dnsmasq --dhcp-lease, but it might be possible to 
work out.

4. Seriously, how many of us use a 4Mb flash card? The tiniest flash 

be reasonable to demand. Then we could get a little more functionality 
(like running tinydns...).



--
Thomas Hertz
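An added example, not taken from the message above or from m0n0wall's own rule generator: a hand-written ipfw rule fragment covering the hardening items from point 1 (drop SYN+FIN, IP options and ICMP redirects, answer unsolicited SYN+ACKs with a RST, default deny on the WAN side). The interface name sis0 and the rule numbers are assumptions; the MAC filtering and short-packet checks the post also asks for are not shown.

```shell
#!/bin/sh
# Example ipfw ruleset fragment (added example, not m0n0wall's generated rules).
# WAN interface name is an assumption; override with WAN=xx0 in the environment.
WAN="${WAN:-sis0}"

# Emit the rules as lines of "add <num> <rule>", ready to feed to ipfw.
hardening_rules() {
    wan="$1"
    cat <<EOF
# Never accept SYN and FIN in the same segment (scanner / evasion traffic).
add 1000 deny log tcp from any to any tcpflags syn,fin in via $wan
# Drop anything carrying IP options (record route, timestamp, source routing).
add 1010 deny log ip from any to any ipoptions rr,ts,lsrr,ssrr in via $wan
# Drop ICMP redirects (type 5): a firewall never changes routes on request.
add 1020 deny log icmp from any to any icmptypes 5 in via $wan
# Packets belonging to a session we opened ourselves pass here ...
add 1030 check-state
# ... because our outbound SYNs create that state.
add 1040 allow tcp from any to any out via $wan setup keep-state
# A SYN+ACK that gets this far belongs to no session of ours: answer it
# with a RST instead of a silent drop, so the peer does not have to wait
# for its own timeout (the IE behaviour described in the post).
add 1050 reset tcp from any to any tcpflags syn,ack in via $wan
# Default deny for everything else arriving on the WAN interface.
add 1060 deny log ip from any to any in via $wan
EOF
}

# Number of rules in the generated set; used as a sanity check before loading.
rule_count() {
    hardening_rules "$1" | grep -c '^add '
}

# Load the set into the kernel (FreeBSD, root): flush, then add each rule.
load_rules() {
    ipfw -q -f flush
    hardening_rules "$1" | grep '^add ' | while read -r line; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        ipfw -q $line
    done
}

# Run directly: "--load" installs the rules, anything else prints them for review.
if [ "${1:-}" = "--load" ]; then
    load_rules "$WAN"
else
    hardening_rules "$WAN"
fi
```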