For network security, build a m0n0wall


Author: Preston St. Pierre

M0n0wall is an open source firewall and wireless router developed by Manuel Kasper, built on a stripped-down FreeBSD operating system. M0n0wall offers many of the same features found in commercial firewall products such as Check Point Firewall-1 and Cisco PIX, including stateful packet filtering. With it you can create a secure virtual private network (VPN) between two sites, or you can use m0n0wall as a VPN gateway, so you can access your LAN securely from the Internet. You can use RADIUS for client authentication to raise security even higher.

M0n0wall has a nice Web interface for configuring firewall settings. Most of the configuration can be done via the Web interface and all the values are stored in a single XML file. The configuration can be saved on a diskette, hard disk, or external storage card. This makes it easy to deploy several firewalls with a similar hardware setup.

The firewall is stable, and looks like a commercial firewall; the only difference is its lack of a commercial price tag. I have used the m0n0 firewall on many different PC configurations for more than a year without any problems. As with all open source software, you can download a complete, non-crippled version of m0n0wall for evaluation and testing.

Installing m0n0wall

To try out m0n0wall, download an image file. You can choose between images for a normal PC or for a special embedded hardware device. Each approach has advantages and disadvantages. Old spare computers (a 100MHz 486 with 64MB RAM or better will do) are everywhere; however, they make a lot of noise and use a lot of power. Embedded systems make little or no noise and use minimal power, but you probably do not have a spare Soekris system in your basement, so you would have to buy the equipment, which starts at about $200. For hardware-based configurations like Soekris, you can perform a firmware update on m0n0wall whenever updates are available from the m0n0 project.

I tested m0n0wall on an old 450MHz Compaq ProLiant with 128MB of RAM. I downloaded the proper image and burned it to a bootable CD-ROM. Hint: remember to use the image option in your CD burner software; just copying the file will not produce a bootable image. Put the CD in your future firewall; unplug all network cables and switch on the power.

If everything is correct, you should see the following screen:

*** This is m0n0wall, version 1.2b3
built on Sun Dec 5 11:22:47 CET 2004 for generic-pc-cdrom
Copyright (C) 2002-2004 by Manuel Kasper. All rights reserved.
Visit http://m0n0.ch/wall for updates.

LAN IP address: 192.168.1.1

Port configuration:

LAN -> sis0
WAN -> sis1

m0n0wall console setup
**********************
1) Interfaces: assign network ports
2) Set up LAN IP address
3) Reset webGUI password
4) Reset to factory defaults
5) Reboot system
6) Ping host

First choose option 1 to assign the LAN and WAN interfaces, and a semi-trusted DMZ if you choose to have one.

If you must change the LAN IP address to something different from the default IP (192.168.1.1), choose option 2. Here you can also assign a DHCP server if you would like to use DHCP on your LAN.

The next four options are for troubleshooting; you shouldn’t need them at this point.

Accessing the Web GUI

Now connect a crossover cable to your firewall’s LAN interface and use another computer on the network with a browser to do the rest of the configuration. Point the browser to http://192.168.1.1 (or the IP address you set with option 2 in the console). Use the username admin and password m0n0.

Under the general setup screen, you can — and should — change the default username/password. You can also change the host name of the firewall and specify whether to use DNS. You can also specify that you want to use Network Time Protocol (NTP) to synchronize the system time with an NTP server to ensure that your system log times are accurate.

You can set many different configurations for your WAN interface, including PPPoE, PPTP, BigPond Cable, and others.

The next step is to configure some firewall rules. Start with a few simple rules, such as “everything from the LAN to the WAN is allowed.” In m0n0 the * means “any,” so the rule below allows anything from your LAN to the Internet.

Proto Source Port Destination Port Description
* LAN net * * * Default LAN -> any

It is very easy to change rules. If you want to allow only HTTP traffic to the Internet from the LAN, change the above rule to the following:

Proto Source Port Destination Port Description
TCP LAN net * * 80 (HTTP) Only HTTP from LAN -> any
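To see what the two rule tables above actually permit, here is an added Python model of m0n0wall's first-match, default-deny rule evaluation; it is example code written for this article, not part of m0n0wall, and the LAN subnet and the sample addresses are assumptions.

```python
import ipaddress

# Constructed model of the rule table columns the article shows:
# Proto | Source | Port | Destination | Port | Description, where "*" is "any".
# Assumption: "LAN net" is 192.168.1.0/24, the subnet behind the default LAN IP.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# The two rule sets from the article, as (proto, source, sport, dest, dport, descr).
DEFAULT_LAN = [("*", "LAN net", "*", "*", "*", "Default LAN -> any")]
HTTP_ONLY = [("TCP", "LAN net", "*", "*", "80", "Only HTTP from LAN -> any")]

def _net_matches(spec, ip):
    """Match an address column: "*", the LAN alias, or a literal CIDR."""
    if spec == "*":
        return True
    net = LAN_NET if spec == "LAN net" else ipaddress.ip_network(spec)
    return ipaddress.ip_address(ip) in net

def _port_matches(spec, port):
    return spec == "*" or int(spec) == port

def rule_matches(rule, pkt):
    """pkt is (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, source, sport, dest, dport, _ = rule
    p_proto, p_src, p_sport, p_dst, p_dport = pkt
    return ((proto == "*" or proto.lower() == p_proto.lower())
            and _net_matches(source, p_src) and _port_matches(sport, p_sport)
            and _net_matches(dest, p_dst) and _port_matches(dport, p_dport))

def decide(rules, pkt):
    """First matching rule wins; with no match the packet hits the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return "pass", rule[5]
    return "block", "implicit default deny"

if __name__ == "__main__":
    # Constructed sample flows: a LAN browser, a LAN HTTPS client, LAN DNS to an
    # outside resolver, and an unsolicited connection arriving from the Internet.
    flows = {
        "LAN -> web (tcp/80)": ("tcp", "192.168.1.50", 51000, "198.51.100.10", 80),
        "LAN -> web (tcp/443)": ("tcp", "192.168.1.50", 51001, "198.51.100.10", 443),
        "LAN -> DNS (udp/53)": ("udp", "192.168.1.50", 51002, "198.51.100.53", 53),
        "Internet -> LAN host": ("tcp", "203.0.113.7", 40000, "192.168.1.50", 80),
    }
    for name, pkt in flows.items():
        print(f"{name:22} default: {decide(DEFAULT_LAN, pkt)[0]:5} http-only: {decide(HTTP_ONLY, pkt)[0]}")
```

Note that the HTTP-only rule also drops the LAN's outbound UDP/53, so clients need a resolver they can still reach or an additional rule for name resolution.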

You can set up network address translation (NAT) and enable traffic-shaping. Under the service tab, you can activate the DHCP server, but if you do, be sure that no other DHCP servers are active on your LAN.

After you have entered your current setup, save it. You can then connect the firewall to the WAN. If you did everything correctly, your LAN users should now be able to enjoy browsing the Internet.

More advanced features

If you would like to get access to your LAN from the Internet, you can set up a PPTP tunnel from an external client to securely access your LAN, or use a RADIUS server for authentication of the external clients. The PPTP setup depends very much on your client machine's operating system and what encryption you can use. Your actual settings must be entered in the VPN menu.

You can also set up a site-to-site VPN connection, as long as you can configure the other side of the VPN tunnel. I managed to make a VPN connection to a Check Point Firewall-1 machine with a minimum of work.

Despite its good points, m0n0wall has some drawbacks compared to commercial products. Most importantly, there is no 24×7 support available. There’s a very active mailing list with many helpful people, and an IRC channel, but you’re on your own if your mission-critical m0n0 firewall dies in the middle of the night.