m0n0wall (firewalls on a stick) - particularly for DMZ and internal only.

Without meaning to start a war, it's my understanding that m0n0wall is regarded as the best firewall on a stick. If memory serves, it's also argued that IPcop is, but it may be that my memory is faulty and the 'top' two are something else. Regardless, the presentation can affirm or correct this.

Preferably within/under VMware ...

  • baseline: m0n0wall as firewall between internal and external machines.
  • demonstrate DMZ, i.e. rules between external and DMZ, and DMZ and internal.
  • demonstrate internal-only control.

i.e. assume a firewall with 5 network cards.

1. External
2. Internal ws 2, with Internet access
3. DMZ server (e.g. web server)
4. Internal ws 1, no Internet access
5. Internal server, no Internet access


A. 1. can talk to 3. in certain specified ways, e.g. http.
B. 2. can talk to 1. and 5., e.g. browse the Internet, and to 3. in certain specified ways, e.g. http (intranet).
C. 3. can talk to 1.
D. 4. can talk to nobody but 5.
E. 5. can talk to nobody but 4.



I. A. is a typical server, e.g. web.
II. B. is a typical internal workstation.
III. C. is A. but from the server side.
IV. D. and E. are a typical internal service, e.g. intranet.

- and all with a single point of maintenance, rather than having to maintain iptables, or some such, on each machine.


Conceptually this is not hard to understand. Actually doing the inter-interface configuration is, well ...


Home Use:

I. = outside world.
II. = inside world.
III. = inside server serving the outside world, personal web site.
IV. = child with computer playing kiddie games who shouldn't be allowed to browse the Internet (yet).
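The five-interface policy A. to E. above, written out as a pf ruleset. This is an added example, not m0n0wall's own generated configuration (m0n0wall builds its rules from the web GUI) and not code from the original request. The interface names (em0 to em4), the DMZ web server address (an RFC 5737 documentation address), and the older nat/rdr syntax of FreeBSD-era pf are assumptions; substitute your own.

```pf
# Added example: pf ruleset for the 5-interface policy A-E. Interface names,
# the web server address and the nat/rdr syntax are assumptions.
ext_if = "em0"   # 1. External
ws2_if = "em1"   # 2. Internal ws 2, Internet access
dmz_if = "em2"   # 3. DMZ (web server)
ws1_if = "em3"   # 4. Internal ws 1, no Internet access
srv_if = "em4"   # 5. Internal server, no Internet access

web_srv = "192.0.2.10"   # DMZ web server (assumed address)

set skip on lo0
scrub in all

# Translation runs before filtering, so the filter rules below match the
# DMZ server's real address, not the external one it is published on.
nat on $ext_if from { $ws2_if:network, $dmz_if:network } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny in every direction, logged. Everything below is an explicit
# exception. "quick" makes the first matching rule final, so within each
# group the block rule must sit before the catch-all pass.
block log all

# Replies and the forwarded leg of a permitted connection ride on state, so
# only the initiating direction needs a rule, on its ingress interface.
pass out quick all keep state

# A. 1 -> 3: the outside may reach the DMZ web server on HTTP only.
pass in quick on $ext_if inet proto tcp from any to $web_srv port 80 flags S/SA keep state

# B. 2 -> 1 and 2 -> 5 freely, 2 -> 3 on HTTP only, nothing into 4.
pass  in quick on $ws2_if inet proto tcp from $ws2_if:network to $web_srv port 80 flags S/SA keep state
pass  in quick on $ws2_if from $ws2_if:network to $srv_if:network keep state
block in quick on $ws2_if from $ws2_if:network to { $dmz_if:network, $ws1_if:network }
pass  in quick on $ws2_if from $ws2_if:network to any keep state

# C. 3 -> 1: the DMZ may reach the Internet but never initiates inwards,
# so a compromised web server cannot pivot to 2, 4 or 5.
block in quick on $dmz_if from $dmz_if:network to { $ws2_if:network, $ws1_if:network, $srv_if:network }
pass  in quick on $dmz_if from $dmz_if:network to any keep state

# D. 4 -> 5 only.
pass in quick on $ws1_if from $ws1_if:network to $srv_if:network keep state

# E. 5 -> 4 only (its replies to ws 2 are carried by the state rule B created).
pass in quick on $srv_if from $srv_if:network to $ws1_if:network keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. Two caveats: anything the firewall itself serves to a segment (DNS, DHCP, the web GUI) needs its own pass rule on that interface, since the rules above only permit traffic to the listed networks and the default is deny; and because 4 and 5 never get a rule towards `any`, they stay off the Internet even if the NAT rule is later widened.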



m0n0wall is an excellent BSD-based firewall. Without meaning to war, it could also be argued that pfSense (a fork of m0n0wall) is regarded as one of the top BSD-based firewalls for recycled desktops. Mac OS X, which uses ipfw and is based on BSD, makes securing and opening its firewall services transparent, although that would be comparing apples to oranges. There are several excellent firewall distros that use the Linux kernel in addition to the ones already mentioned.

Just to clarify the IPCop comment, the IPCop presentation was simply a demonstration of the IPCop software in response to a request on the kwlug mailing list and requested topics list. There was no claim made that IPCop is the best firewall distro for running on a memory stick. The purpose of the presentation was to demonstrate to the LUG a simple way the Linux kernel can be used to recycle old hardware that has been replaced due to forced obsolescence of mainstream operating systems. The IPCop presentation did not address the issue of hard disk power consumption and reliability. There are, however, a number of adapters available on the market to connect a PATA or SATA controller to an SD card, Compact Flash, SDHC, etc. storage device to reduce power consumption and avoid the use of a device with moving parts such as a hard disk or CD-ROM.


~Joe D