
User #46682   59 posts
Forum Regular

Hey guys, I am looking to be setting one of these up as a firewall for home to do a lot of testing and even see if I can be happy enough to recommend it to some of my clients, along with www.yawarra.com.au

What I wanted to ask is which do you guys think is better. Monowall seems to have a lot of good features that work well and do what you like, but IP cop comes with some extra features like snort and proxy etc.

Wanted to know which you guys think is the better and more stable.

Can you put addon features like snort on monowall like you can on IP cop?

And which do you believe has the better VPN setup for IPsec / IKE?

posted 2005-Dec-15, 12pm AEST
User #6784   5681 posts
Whirlpool Forums Addict

I replaced IPCOP with m0n0wall at 4 locations.

These are my reasons, which may not be valid for you...

* Unless IPCOP has changed very recently, it allowed all traffic inwards if it was in response to a request on your LAN (inc trojan activity). As far as a firewall goes, it's no better than a NAT router with lots of log space. If you like the method of block everything and then open only what you need, then you are out of luck with the IPCOP GUI.

You can do it through iptables or by an add-on module called blockout. I tried blockout for a while, but every time I ran an official IPCOP update, either blockout crapped itself or IPCOP did.

m0n0wall has a very comprehensive firewall interface that kills IPCOP for functionality.

* If you are a control freak with traffic shaping, then again the m0n0wall interface and features win.

* A big one for us was that PPTP VPN server works out of the box with MS VPN clients. IPCOP needs to be hacked to get it to work (I would then be nervous again every time I ran an official update). btw IPSEC also works flawlessly. We have three sites linked with it. IPSEC also works fine in IPCOP & in the transition IPSEC worked between IPCOP and m0n0wall.

* Lots more router & NAT control in the interface from memory.

* DNS forwarder page with overrides. Allowed you to set hostnames & IP addresses for internal servers within the GUI. I was editing the hosts file in IPCOP. (no big deal, but nicer in m0n0)

To me m0n0wall seems like a well implemented network security device in the same class as some hardware firewalls.

It also crams a huge amount of function into a tiny space. It has to be up there for anti-bloat. I think the install says to use whatever hard drive you like, the system won't touch anything past the first 8mb. I think 64mb of RAM is recommended.

It's designed more for embedded hardware and flash memory, but I'm just using standard PCs.

One of its weaknesses is log space (like a lot of network security devices). Even if you plug in a 100gb drive, you can't allocate any of it for extra log space. The system image will still only occupy and make use of the first 8mb. If you want longer log history, you need to have another machine on the network picking up the log data.

I don't think it lends itself to being customisable. I know that IPCOP has lots of unofficial addons. I'm happy with m0n0wall exactly like it is though.

Wasn't relevant to me... but I think it even has Bigpond cable support.

posted 2005-Dec-15, 1pm AEST
edited 2005-Dec-15, 1pm AEST
User #97763   157 posts
Forum Regular

An alternative to M0n0wall is pfSense
which is done by the same guy who did M0n0wall
just different solutions to different problems

home: www.pfsense.org
forum: forum.pfsense.org
FAQ: faq.pfsense.org/index.php?sid=11457&lang=en&
Digest: pfsense.blogspot.com

M0n0wall is more for embedded situations
pfSense is more of an IP-Cop or smoothwall equivalent
ie loading onto a standard PC

I haven't tried it yet
but have heard some pretty good comments
from guys ditching smoothwall and IpCop for it

it also has multi-WAN support

KK

posted 2005-Dec-15, 7pm AEST
User #81130   1919 posts
Whirlpool Enthusiast

Started off with Smoothwall and migrated to IP cop.
Both are very similar but my preference is still IP cop.
Never had a security problem with either over the last few years use.
Am thinking of going to Monowall because of requirement of Bpalogin required for Telstra cable. This feature to be implemented in the other 2 is a pain in the butt.
Can never remember having a stability problem with IP cop or Smoothwall, although sometimes the features were not fully implemented.

posted 2005-Dec-15, 8pm AEST
User #45536   7071 posts
Whirlpool Forums Addict

Tried smoothwall, then IPCOP - but I'm now using ClarkConnect.

Currently checking out Endian FW.

posted 2005-Dec-15, 11pm AEST
User #3903   1137 posts
Whirlpool Enthusiast

I'm looking at one of these WRAP boxes from www.yawarra.com.au with m0n0wall to replace the FVS318 I have been using, and giving the FVS318 to someone else so they can VPN to it.
I am also trying to solve a connection issue with my work's ISP.
Looks like a great product and hope I can get the IPsec VPN on the WRAP and FVS318 to talk together.

posted 2005-Dec-17, 5am AEST
User #44515   1424 posts
Whirlpool Enthusiast

Un-Nefer writes...

Currently checking out Endian FW.

Hello there Un-Nefer, how did you go with Endian FW? Have you had a chance to try it out yet? I also have it downloaded but have not had a chance to give it a whirl.

Cheers Oldlucky

posted 2005-Dec-17, 7pm AEST
User #45219   585 posts
Whirlpool Enthusiast

monowall with the wrap is a failsafe combo.

heaps of features, i have rolled these out at multiple sites and they all work out of the box, particularly vpn server and ipsec support for site-to-site support.

the traffic shaping support in monowall is pretty handy and effective too.

posted 2005-Dec-17, 11pm AEST
User #45536   7071 posts
Whirlpool Forums Addict

Oldlucky writes...

how did you go with Endian Fw have you had a chance to try it out yet ,

It's all downloaded and I'll install it tomorrow (sunday) and let you know.

posted 2005-Dec-18, 12am AEST
User #44515   1424 posts
Whirlpool Enthusiast

Un-Nefer writes...

It's all downloaded and I'll install it tomorrow (sunday) and let you know.

Thanks mate that will be good.

Cheers

posted 2005-Dec-18, 6pm AEST
User #92589   1909 posts
Whirlpool Enthusiast

Dragon20 writes...

www.yawarra.com.au

Cool. I will for sure be deploying some of these babies....mmmm...smallness. A 2.5" hdd in a net4801 with Ubuntu Server or Debian installed on it and the possibilities are endless. 266mhz with 128mb ram is plenty.

Are there any other companies in Australia that sell similar systems?

posted 2005-Dec-18, 7pm AEST
User #9630   1280 posts
Whirlpool Enthusiast

sydbod writes...

Am thinking of going to Monowall because of requirement of Bpalogin required for Telstra cable.

This is not too difficult to add especially if you install an addon server. Try this.

firewalladdons.sourceforge.net

Once installed you can easily add/remove packages with the web interface

Joe

posted 2005-Dec-18, 7pm AEST
User #19891   1351 posts
Whirlpool Enthusiast

hughman666 writes...

monowall with the wrap is a failsafe combo.

Fairly expensive though. I would start off with a cheap router that supports linux firmware flashing, then if you require something a bit more "industrial", wrap would be the next logical step.

Agree that m0n0wall is great.

Merc

posted 2005-Dec-18, 11pm AEST
User #42706   421 posts
Forum Regular

I am running m0n0wall on a Soekris net4501.
I miss the caching that Smoothwall has, but other than that it never misses a beat.

www.soekris.com/net4501.htm

posted 2005-Dec-19, 1am AEST
User #3903   1137 posts
Whirlpool Enthusiast

hughman666 writes...

particularly vpn server

Do you have the hardware acceleration addon card for this? Or did you find it was fast enough without it?
Thx

posted 2005-Dec-19, 1pm AEST
User #45219   585 posts
Whirlpool Enthusiast

Glo8al writes...

Do you have the hardware acceleration addon card for this? or did you find it was fast enough with out it?

nah this thing is fine with anything up to 15 pptp users, in my experience. and that's with a fair amount of lan traffic going out to the net at the same time.

posted 2005-Dec-20, 2am AEST
User #45219   585 posts
Whirlpool Enthusiast

Merc writes...

Fairly expensive though.

you can get them for around $250-$300 with the DMZ port, i think that's pretty reasonable considering what you are getting....

posted 2005-Dec-20, 2am AEST
edited 2005-Dec-20, 2am AEST
User #3903   1137 posts
Whirlpool Enthusiast

Un-Nefer writes...

Currently checking out Endian FW.

Just wondering how this went?

posted 2005-Dec-28, 8pm AEST
User #35015   313 posts
Forum Regular

hey there

you can get them for around $250-$300 with the DMZ port, i think that's pretty reasonable considering what you are getting....

Just looking to buy one of these. Pretty cool idea I think. Just pricing a WRAP 1-2 pack.

Just wondering if someone could answer me this. For the miniPCI slot 1 option I chose the CM9 Wireless card. I can still use the VPN, right, even though I didn't choose the VPN accelerator? I mean I need people to use the VPN, but 1 user max at a time.

And does that mean I really have 4 network ports I can add a unique subnet to (including the wireless)?

I'm just weighing up the difference between getting an old PC and getting one of these solutions.

I have tried monowall and think it's pretty cool.

My other question is it pretty good against DOD attacks ? (pretty good defence ) ?

feature wise i think its great

posted 2005-Dec-29, 9am AEST
edited 2005-Dec-29, 9am AEST
User #69027   344 posts
Forum Regular

Has anyone tried to get M0n0wall running on a Compaq T1010 thin client?
I have one which seems to be crying out for something like this.
It has Geode 233 CPU, USB, LAN on board and flash memory (not much) - but runs completely silent and low power consumption
I have seen links to winterm.gaast.net on google where they seem to be doing the same kind of thing, but their site appears to be down

Regards,
Peter

posted 2005-Dec-30, 10am AEST
edited 2005-Dec-30, 11am AEST
User #46682   59 posts
Forum Regular

would you guys think it would be better going for a compact flash solution on a wrap box or a HD solution?

posted 2006-Jan-5, 9am AEST
User #12832   3994 posts
Whirlpool Forums Addict

(m0n0wall right?) Well, if you've got an old HDD anywhere, you can use the HDD option - if you want to save the money on buying wrap, CF etc. - it's a little messy to get the image on there (having to plug into another computer to write the image) etc. but once it's in, it's in. Never had a chance to use it, but believe if you want to upgrade to the newer image (think of it as firmware) you can do it all from the web control panel.

a recent (very sweet) addition is an option to spin the HDD down after so many minutes of inactivity. i believe it's unsupported, or at least that's what i remember mentioned somewhere on the page. the HDD only needs to write if you make a config change (so it wouldn't be too often) so most of the time the HDD sits there in a standby state - no noise if it's a fairly old one.

posted 2006-Jan-11, 1am AEST
User #3903   1137 posts
Whirlpool Enthusiast

Dragon20 writes...

would you guys think it would be better going for a compact flash solution on a wrap box or a HD solution?

CF uses less power, don't have to worry about heat, more reliable than a HD for this type of job, it's only a small OS which easily fits onto a CF card. On ebay a CF card and a CF to IDE is very cheap.
As m0n0wall is mainly reading from the CF (only writing to it if you change a setting) I can see it lasting a lot longer than a HD.

posted 2006-Jan-12, 10am AEST
User #19021   2443 posts
Whirlpool Forums Addict

1st used smoothwall
move to a proper distro (mandrake) running shorewall
move to FBSD running IPF
moved to FBSD running PF
moved to CC (with supposedly working bandwidth shaping)
move to FBSD running PF/ALTQ - nothing can be better

posted 2006-Jan-12, 11am AEST
User #3903   1137 posts
Whirlpool Enthusiast

jarthel writes...

1st used smoothwall

Why didn't you like smoothwall?

I am testing out m0nowall on a PC atm, but it looks like I will replace my FVS318 with a WRAP asap.
It is very easy to use, active work being done on it, fast.

posted 2006-Jan-12, 8pm AEST
User #19021   2443 posts
Whirlpool Forums Addict

when I tried smoothwall, it was still the version before 1.0. not enough flexibility for me. I have used Linux/FreeBSD before so the geek in me won't settle for a web-based solution.

I like to use the shell often.

:)

posted 2006-Jan-12, 9pm AEST
User #444   2323 posts
Whirlpool Forums Addict

M0n0Wall already has bpalogin built-in...Why do you need to manually add one in?

M0n0Wall is Telstra Cable ready. I was the beta tester for that component of M0n0Wall! It works perfect with Telstra Cable, "out of the box".

My M0n0Wall test box uses a VIA EPIA setup and is installed on a Disk-On-Module (DOM). The setup has no moving parts, and it's been up for 3 months now. Not a single issue.

posted 2006-Feb-12, 1am AEST