January 1, 2006 - m0n0wall 1.21 released!
m0n0wall 1.21 greatly improves the captive portal (better and more RADIUS
options, file manager, stability), updates all components to the latest version
and fixes several bugs.

- All captive portal login forms MUST contain the "redirurl" hidden field
now, otherwise they won't work anymore!
- Countless captive portal RADIUS improvements
- Captive portal file manager
- Mini_httpd stability improvements
- Several bug fixes
- All components updated to the latest version
m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent.
m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format.
Background
Ever since I started playing with packet filters on embedded PCs, I wanted to have a nice web-based GUI to control all aspects of my firewall without having to type a single shell command. There are numerous efforts to create nice firewall packages with web interfaces on the Internet (most of them Linux based), but none met all my requirements (free, fast, simple, clean and with all the features I need). So, I eventually started writing my own web GUI. But soon I figured out that I didn't want to create another incarnation of webmin – I wanted to create a complete, new embedded firewall software package. It all evolved to the point where one could plug in the box, set the LAN IP address via the serial console, log into the web interface and set it up. Then I decided that I didn't like the usual bootup system configuration with shell scripts (I already had to write a C program to generate the filter rules since that's almost impossible in a shell script), and since my web interface was based on PHP, it didn't take me long to figure out that I might use PHP for the system configuration as well. That way, the configuration data would no longer have to be stored in text files that can be parsed in a shell script – it could now be stored in an XML file. So I completely rewrote the whole system again, not changing much in the look-and-feel, but quite a lot "under the hood".
- Manuel Kasper
Facts
- The m0n0wall system currently takes up less than 6 MB on the Compact Flash card (or CD-ROM), and contains:
  - All the required FreeBSD components (kernel, user programs)
  - ipfilter
  - PHP (CGI version)
  - mini_httpd
  - MPD
  - ISC DHCP server
  - ez-ipupdate (for DynDNS updates)
  - Dnsmasq (for the caching DNS forwarder)
  - racoon (for IPsec IKE)
  - UCD-SNMP
  - choparp
  - BPALogin
- On a net4501, m0n0wall provides a WAN <-> LAN TCP throughput of about 17 Mbps, including NAT, when run with the default configuration. On faster platforms (like net4801 or WRAP), throughput in excess of 50 Mbps is possible (and > 100 Mbps with newer standard PCs).
- On a net4501, m0n0wall boots to a fully working state in less than 40 seconds after power-up, including POST (with a properly configured BIOS).
- m0n0wall is targeted at embedded x86-based PCs. The net45xx/net48xx
range from Soekris Engineering (www.soekris.com) and the WRAP platform from
PC Engines (www.pcengines.ch) are officially supported. All it takes to get
m0n0wall up and running on one of these systems is to download the relevant
image and write it to a CF card (8 MB or larger). See Installation for more
information.
- It is also possible to run m0n0wall on most standard PCs, either by
writing the generic-pc image to a small IDE hard disk or CF card, or by
using the CD-ROM + floppy disk version. Since m0n0wall is based on FreeBSD
4, most hardware that works with FreeBSD also works with m0n0wall. See the
FreeBSD/i386 Hardware Notes for a detailed listing of supported hardware.
- The recommended amount of RAM for m0n0wall is 64 MB. It might work with less, especially if you don't use a lot of features/services, but there are no guarantees about that - watch out for failing firmware uploads (m0n0wall does not use swap space, so it can't do anything about running out of memory).
The following drivers/NICs either support VLAN tagging in hardware or handle long frames properly. All other drivers/NICs use software emulation that causes a reduced MTU (which may lead to problems):
- Hardware support: bge, em, gx, nge, ti, txp
- Long frame support: dc, fxp, sis, ste, tl, tx, xl (most)
At this time, m0n0wall can be used as-is with the Wireless Router Application Platform from PC Engines (www.pcengines.ch), the net45xx/net48xx embedded PCs from Soekris Engineering (www.soekris.com) or most standard PCs (with a BIOS that supports booting from CD-ROM (El Torito standard) for the CD-ROM version).
m0n0wall already provides many of the features of expensive commercial firewalls, including:
- Web interface (supports SSL)
- Serial console interface for recovery
  - Set LAN IP address
  - Reset password
  - Restore factory defaults
  - Reboot system
- Wireless support (access point with PRISM-II/2.5/3 cards, BSS/IBSS with other cards including Cisco)
- Captive portal
- 802.1Q VLAN support
- Stateful packet filtering
  - Block/pass rules
  - Logging
- NAT/PAT (including 1:1)
- DHCP client, PPPoE, PPTP and Telstra BigPond Cable support on the WAN
interface
- IPsec VPN tunnels (IKE; with support for hardware crypto cards and
mobile clients)
- PPTP VPN (with RADIUS server support)
- Static routes
- DHCP server
- Caching DNS forwarder
- DynDNS client
- SNMP agent
- Traffic shaper
- SVG-based traffic grapher
- Firmware upgrade through the web browser
- Wake on LAN client
- Configuration backup/restore
- Host/network aliases
http://m0n0.ch/wall/
View some screenshots here:
http://m0n0.ch/wall/screenshots.php
View Changelog here:
http://m0n0.ch/wall/changelog.php
Use FlashGet and download raw CF/HD image for generic PCs from here (4.68MB):
http://m0n0wall.cac.net/download/m0n0wall/generic-pc-1.21.img
Use FlashGet and download 2048 byte/sector Mode-1 ISO image from here (5.66MB):
or
http://m0n0wall.absinet.net/m0n0wall/cdrom-1.21.iso
or
http://m0n0wall.enchilada.net/cdrom-1.21.iso
Other downloads here:
http://m0n0.ch/wall/downloads.php
