Notes on m0n0wall (Monowall) firewall
After many years of running a FreeBSD 4.9 box as a custom firewall, I finally
bit the bullet and replaced it with a m0n0wall firewall. This decision was
driven by:
- Aging hardware: if the firewall fails, it is important to be able to
replace it quickly. With an appliance that just means transferring the config
files; a custom firewall requires restoring the OS on new hardware. As the
firewall was running on thoroughly obsolete hardware, the risk of failure and
excessive downtime was rising fast.
- Weird transfer problems: recently I have been noticing difficulty when
trying to transfer large BZIP2 files and do OS X software updates; this led me
to suspect that there was a hole in the ppp state machine or an interaction
with the IP stack which caused transfers to freeze. These seem to have gone
away with the new firewall. All the quick fixes, such as recompiling PPP on
FreeBSD 4.9, only bought me slight relief, so a full upgrade was on the cards.
The following are some issues that I had with the m0n0wall firewall and
their solutions:
- NAT, VPN and Real IPs: my setup is slightly unusual as I have both a routed
subnet and need NATed addresses. The NATed addresses turned out to be
necessary as I did not have enough spare addresses to support the VPN without
them.
- Push firewall rules to m0n0wall: one thing I missed about running a
firewall with a full operating system was the ease of adding new rules to
deal with detected events, e.g. port scans, password guessing, etc.
Maurice Castro's Home Page