 From:  Sascha Heller <ripperfox at gmx dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Manuel's stance on OpenVPN
 Date:  Fri, 20 Aug 2004 21:19:38 +0200
Mitch (WebCob) wrote:

> A module can become "official" once the developer is finished getting it to
> work, and provides a path for people to start testing, without burdening
> Manuel with the task... I've heard of people working on scripts and other
> systems to build new images from various modules, and once people are able
> to flash from their own sources, they will be able to build a firewall with
> exactly what they need and deploy with ease.
> Most systems that fail, fail because of bounded rationality - no one
> programmer can keep track of all the pieces, and bugs creep in. Keeping a
> lean system has always been a goal, and unless something is universally
> needed or incredibly small and TOTALLY secure, there are many who would
> object.
> The easier it is for people to customize, the more I agree with these
> people.

Without a real guideline for addons and modules it's quite sure that some 
addons will interfere with others.

The m0n0wall hacking guide is quite old, there are no specs an addon must 
fulfill, etc. - so what do you expect?

At the moment some nice addons are in development (e.g. openvpn, snort) 
but there is no easy/secure way to install them in the base image of 
m0n0wall - the mentioned patch-scripts are a hack and for FreeBSD 4.x as 
vnconfig is obsolete :).

It's nice that some people make their customized images of m0n0wall 
available for others - but that's not the best way I can think of 
(prebuilt images may be manipulated, etc.).

Many other firewall/router systems have an addon system for custom 
modules (fli4l, ipcop) and some guidelines that have to be followed to 
make an addon "official".

> It does not, in my humble opinion have to be an
> off-the-shelf-packaged-product that someone with NO real knowledge of
> networks or systems can push a button and install - that's what a $50 USD
> linksys or other is for.

Right. But: The work to implement nice features such as mesh-routing or IPv6 
for example is way too painful at the moment. It's about 100 times 
easier to set up a LinkSys WRT54G with a modified OS for this use than 
to use m0n0wall.

m0n0wall's approach to use PHP for almost everything makes it small and 
healthy. But why does adding customisations have to be such a pain?

I think people who HAVE the knowledge would enjoy more complex modules 
which are easy to administer, too.

Sure thing - I'm one of the "'cause we can"-fraction too. BUT I DO 
prefer "MozillaMail" over "mail" :)

And if you're reading the list you see that there are many ppl with real 
beginner questions. Shall we send em to hell?

So - what about some rules how to implement/manage addons?
(Btw: I like the way Fli4L team handles this..)