 From:  Thomas Hertz <thomas at hz dot se>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Suggestions for next version.
 Date:  Sun, 28 Sep 2003 21:30:06 +0200
Ok, before anyone gets the chance to tell me that I'm a moron:
M0n0wall runs ipfilter, not ipfw. Some of these suggested rules (short, 
ipopts) are already in the out-of-the-box rules. And probably a lot more. 
But I still would like a little more control over the ipfilter rules. =)
Also, I'm just about finished adding some counters for the interfaces 
(lan,wan,opt) to display a nice little html bandwidth usage graph (over 
the last 60 minutes, or 24 hours ...) for each interface in the 
Status->Interfaces boxes. I'll let you know how it works out.

Thomas Hertz

> 1, More advanced firewall rules.
> Ipfw is a quite powerful packet filter that allows for advanced firewall 
> rulesets. The advantage of having this powerful tool in a simple web 
> interface is huge. Examples are default allow/deny rules, ability to 
> have specific response rules (in particular I'd like to send a RST to 
> stupid IE browsers that try to start a conversation with just a 
> SYNACK, so they don't have to timeout). Also, malicious packets should 
> be stopped by default (SYNFIN, ICMP REDIR, short packets, packets with 
> ipopts and such). Also, some option to filter based on MAC addresses 
> would be sweet, such as not allowing access to MACs not registered 
> through the DHCP server or so. This could make a hell of a firewall.
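As an added illustration of what the packet classes discussed in this thread look like in ipfilter's own rule syntax (this is example code, not part of the original message or of the m0n0wall rule set): a small sh script that generates an ipf.conf-style ruleset dropping SYN/FIN, short fragments, packets with IP options and ICMP redirects, returning a RST to an unsolicited SYN/ACK, and defaulting to deny on the WAN. The WAN interface name fxp0, the output path and the helper names are assumptions. The MAC-address idea from the quoted suggestion is left out, since these rules match on IP and TCP header fields only.

```shell
#!/bin/sh
# Added example: an ipfilter (ipf.conf) ruleset covering the packet classes
# named in the thread. Not from the m0n0wall project; the WAN interface
# name fxp0 and the rules file path are assumptions.
WAN_IF="${WAN_IF:-fxp0}"

# Print the ruleset on stdout. Rules are "quick", so the first match wins;
# ipfilter consults its state table before walking these rules.
ipf_ruleset() {
    cat <<EOF
# Drop TCP segments with SYN and FIN both set (an illegal combination,
# used by scanners to slip past naive SYN-only filters).
block in log quick on $WAN_IF proto tcp from any to any flags SF/SF

# Drop fragments too short to carry a full header ("short" packets).
block in log quick on $WAN_IF from any to any with short

# Drop anything carrying IP options (source routing, record route, ...).
block in log quick on $WAN_IF from any to any with ipopts

# Drop ICMP redirects so a remote host cannot rewrite our routing table.
block in log quick on $WAN_IF proto icmp from any to any icmp-type redir

# Answer an unsolicited SYN/ACK with a RST instead of silently dropping it,
# so the peer's attempt fails immediately rather than waiting for a timeout.
# Legitimate SYN/ACK replies to our own SYNs never reach this rule: they
# match the state created by the "keep state" rules below.
block return-rst in quick on $WAN_IF proto tcp from any to any flags SA/SA

# Allow outbound connections and keep state so replies are matched.
pass out quick on $WAN_IF proto tcp from any to any flags S/SA keep state
pass out quick on $WAN_IF proto udp from any to any keep state
pass out quick on $WAN_IF proto icmp from any to any keep state

# Default deny for everything else arriving on the WAN.
block in log quick on $WAN_IF all
EOF
}

# Count rules beginning with a given action ("block" or "pass"), as a quick
# sanity check of the generated file before loading it.
count_rules() {
    ipf_ruleset | grep -c "^$1 "
}

# Write the file; on the firewall itself it would be loaded with
# `ipf -Fa -f "$RULES"` (flush all, then read the new rules).
RULES="${RULES:-/tmp/ipf.rules}"
ipf_ruleset > "$RULES"
echo "wrote $(wc -l < "$RULES") lines to $RULES"
```

The interesting line for the "stupid IE" case is the `block return-rst` rule: because ipfilter checks the state table first, only a SYN/ACK with no matching outbound SYN ever reaches it, and the RST makes the remote side give up at once.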