 From:  Michael DeMan <michael at staff dot openaccess dot org>
 To:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>, Thomas Hertz <thomas at hz dot se>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] nice, somewhat easy to implement features [IMO]
 Date:  Sun, 19 Oct 2003 10:19:08 -0700
There is one reason for SSH that hits our little business on a regular

We use our own BSD distribution with Soekris units to provide routing,
firewall, VPN and QoS services for wireless and fiber optic services to
commercial buildings.

As an ISP, we frequently get calls that 'the Internet is down'.  Often this
is a result of LAN or other problems on the customer site.

With SSH we can frequently (after asking permission from the customer on the
phone) come into the Soekris unit, do simple diagnoses of their LAN remotely
and identify the problem.

Often these problems will be that their computer is mis-configured, a
machine on their network has a virus and is saturating the local LAN, they
have another problem, etc.

Without these tools the customer perception would be that it is our fault
that their network is down.

Using these tools to diagnose problems on wireless LANs is also very useful
as we can check wireless signals rapidly, ARP tables, etc.

We also use SSH to automate disaster recovery and patch management for our
equipment with rsync.

We have a few customers running m0n0wall and a few running a combined
distribution of m0n0wall with advanced pieces that we need merged in but
have reverted back to our own distribution again because of our needs to
automate management of having lots of units in the field and again, being
able to rapidly diagnose problems at customer sites without needing to
physically go there.

I agree that for the typical 'end user', having these features is a waste,
will cause confusion and probably end up with users screwing up their unit
somehow.  Too much power in the wrong hands usually results in
broken/mis-configured hardware.

Again, the features you want depend on the intended audience of the
hardware.  m0n0wall is oriented towards a residential or small business that
wants a better (more fun) firewall than SonicWall or Symantec.

Our needs are for a very specialized kind of firewall that serves multiple
offices simultaneously and also provides advanced services like SNMP, OSPF
routing and, most importantly, the capability for our UNIX-educated staff to
perform remote diagnostics.

My guess is that most others that want SSH have similar requirements.  These
requirements don't really reflect any deficiencies in m0n0wall, but simply
represent the use of m0n0wall in a more sophisticated environment than what
Manuel is targeting.

In our ideal world, we would have a single distribution that provides the
customer with a web-ui to do the basic stuff that m0n0wall does, along with
SSH and the advanced command line tools that we need to come in remotely
when problems are beyond what the typical small business owner understands.

Our situation is however unique, and adding this kind of stuff to m0n0wall
would only bulk it up, make it more complex and probably provide value to
only a tiny percentage of m0n0wall users.

If Manuel does add stuff to it to meet specific needs, we risk going down
the route of Microsoft Word.  Word is a huge clunky program and most users
only utilize a tiny percentage of its features.  Microsoft however added
every feature that was requested to meet every need.  This has resulted in a
program that is both far more complicated than most users need and has an
incredibly bloated code base to go along with it.

My two cents.

On 10/19/03 7:49 AM, "Christopher M. Iarocci" <iarocci at eastendsc dot com> wrote:

>>> #4. SSH possibilities. That would be nice :D I could easily code my
>>> own scripts to do blah and stop bitching on the mailing list :P
>> I do NOT agree. :) I do not see any reason to why anyone would want to
>> get shell access to their firewall. I'd recommend you try using the
>> information under m0n0wall hacking guide to set up network booting. That
>> way it's easy to modify the m0n0wall in any way you would like, without
>> worrying about wearing out the flash card.
>>> #5 ^^ Look at #4. Thats a good suggestion. It deserves two numbers.
>> No. It does not. :P
> I disagree.  I also use IPCop, which is a similar firewall based on RH Linux
> 7.3 and IPTables.  It has SSH access, and it has come in handy on MANY
> occasions.  Sure, it's quite a bit bigger image than m0n0wall (about 20MB),
> but it also has more features.  Besides, who can't afford 20MB?  :-)
> Chris

Michael F. DeMan
Director of Technology
OpenAccess Internet Services
1305 11th St., 3rd Floor
Bellingham, WA 98225
Tel 360-647-0785 x204
Fax 360-738-9785
michael at staff dot openaccess dot org
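The remote diagnostics and the rsync-driven patch management described in the message above both depend on one SSH key that can reach every unit in the field, which is exactly the "too much power in the wrong hands" problem the message raises. The usual check is to pin that key to an SSH forced command so the NOC can run the handful of things it needs and nothing else. What follows is an added example for this thread, not code from OpenAccess, m0n0wall or the poster: a forced-command wrapper whose allowlist covers a config pull and a patch push over rsync plus a few read-only diagnostics. The script name fleetcmd, the paths /conf and /var/patches, and the wireless interface name wi0 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from this thread or from OpenAccess): a forced-command wrapper
# that confines a fleet-management SSH key to the rsync transfers and read-only
# diagnostics the message describes.  Paths, the script name and "wi0" are assumptions.
#
# Install on each unit, as one line in the management user's ~/.ssh/authorized_keys:
#   command="/usr/local/bin/fleetcmd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... noc@example
# sshd then runs this script instead of whatever the client asked for and hands the
# client's request over in SSH_ORIGINAL_COMMAND for the script to vet.

set -f          # never glob: the request is split into words below, not evaluated
unset IFS       # default word splitting, whatever the environment exported

CONF_DIR=/conf            # assumed: where the unit keeps its configuration
PATCH_DIR=/var/patches    # assumed: staging directory that patches are rsync'd into

# fleet_allow REQUEST
# Prints the exact command line to execute and returns 0 when REQUEST is on the
# allowlist; prints nothing and returns 1 otherwise.  Kept as a function so the
# policy can be exercised without an sshd in front of it.
fleet_allow() {
    set -- $1                     # split the request into words
    [ $# -gt 0 ] || return 1      # empty request (client asked for a shell)
    # Every word must come from a conservative character set, so no quotes, ';',
    # '&', '|', '$', backticks or globs can reach the exec below.
    for w; do
        case "$w" in
            *[!A-Za-z0-9._/-]*) return 1 ;;
        esac
    done
    # Match the whole word list with its length pinned, so nothing can be appended.
    case "$#:$*" in
        # disaster-recovery pull of the config: rsync server/sender mode, exactly one
        # option word (rsync's own, e.g. -logDtpre.iLsfxC), the "." placeholder,
        # and the fixed source directory
        "6:rsync --server --sender -"[!-]*" . $CONF_DIR/") ;;
        # patch push: rsync server mode without --sender, fixed destination
        "5:rsync --server -"[!-]*" . $PATCH_DIR/") ;;
        # read-only LAN/wireless diagnostics staff run from the NOC
        "2:arp -an"|"2:netstat -rn"|"2:ifconfig -a"|"2:ifconfig wi0") ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$*"
    return 0
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client asked for a command and a
# forced command replaces it; a plain shell request therefore gets nothing, and
# run or sourced anywhere else this script just defines fleet_allow.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if cmd=$(fleet_allow "$SSH_ORIGINAL_COMMAND"); then
        set -- $cmd
        exec "$@"             # words go straight to execve; no shell parses them
    fi
    logger -p auth.warning -t fleetcmd "rejected request from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Two details matter in practice. The option word that rsync sends in server mode (for example -logDtpre.iLsfxC) changes between rsync versions, which is why the pattern accepts any single dash-prefixed word there rather than a fixed string, while still pinning the word count so extra arguments such as a second path cannot be smuggled in. And the rejection branch is logged rather than silent: on a unit sitting at a customer site, a stream of rejected requests from a NOC key is exactly the kind of thing the ISP's own staff wants to see.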