Ok, before anyone gets the chance to tell me that I'm a moron:
M0n0wall runs ipfilter, not ipfw. Some of these suggested rules (short,
ipopts) are already in the out-of-the-box rules. And probably a lot more.
But I still would like a little more control over the ipfilter rules. =)
Also, I'm just about finished adding some counters for the interfaces
(lan,wan,opt) to display a nice little html bandwidth usage graph (over
the last 60 minutes, or 24 hours ...) for each interface in the
Status->Interfaces boxes. I'll let you know how it works out.
--
Thomas Hertz
> 1, More advanced firewall rules.
> Ipfw is a quite powerful packet filter that allows for advanced firewall
> rulesets. The advantage of having this powerful tool in a simple web
> interface is huge. Examples are default allow/deny rules, ability to
> have specific response rules (in particular I'd like to send a RST to
> stupid IE browsers that try to start a conversation with just a
> SYNACK, so they don't have to timeout). Also, malicious packets should
> be stopped by default (SYNFIN, ICMP REDIR, short packets, packets with
> ipopts and such). Also, some option to filter based on MAC addresses
> would be sweet, such as not allowing access to MACs not registered
> through the DHCP server or so. This could make a hell of a firewall.
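For reference, here is what the rules discussed in the quoted wish list look like in IPFilter's own syntax, since m0n0wall runs ipf rather than ipfw. This is an added example, not a rule set from m0n0wall or from either poster; the WAN interface name `sis0` is an assumption, and the rules are meant to sit near the top of an ipf.conf, after the stateful `keep state` rules that m0n0wall already generates (ipf consults the state table before the rule list, so replies to connections the firewall itself tracks are never seen by these rules).

```conf
# Added example, not m0n0wall's generated rule set. WAN interface
# name sis0 is assumed; substitute the real one.

# Packets with IP options set (source routing, record route, ...).
block in log quick on sis0 all with ipopts

# "Short" packets: IP fragments too small to carry a full transport header,
# so the port/flag checks below could be evaded.
block in log quick on sis0 all with short

# SYN and FIN set together is never a legitimate TCP state (nmap/xmas-style
# scans). The mask SF/SF matches whenever both bits are set, regardless of
# the other flags.
block in log quick on sis0 proto tcp from any to any flags SF/SF

# ICMP redirects from the outside would let a remote host rewrite our
# routing table.
block in log quick on sis0 proto icmp from any to any icmp-type redir

# Unsolicited SYN/ACK (the "stupid IE" case from the wish list): answer
# with a RST instead of silently dropping, so the sender tears the
# connection down immediately rather than waiting for a timeout.
# Legitimate SYN/ACKs belong to tracked connections and are matched by
# the state table before this rule is evaluated.
block return-rst in quick on sis0 proto tcp from any to any flags SA/SA
```

Two caveats for anyone pasting this into a m0n0wall build: `return-rst` sends a packet back to whatever source address was on the wire, so it only belongs on rules whose source cannot be spoofed into an amplification target (here it is a single RST per offending packet, which is acceptable). And the last item on the wish list, filtering on MAC addresses, cannot be expressed in ipf at all: IPFilter matches at the IP layer and has no link-layer match, so tying access to DHCP-registered MACs would have to be done elsewhere (for example with static ARP entries), not in these rules.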