- various IPv6 improvements (in DNS forwarder, DHCPv6, AYIYA, etc.)
- bridge “disable spoof check” option (for non-m0n0wall DHCP and multicast)
- fans/temperature monitoring on status page for supported platforms (unfortunately Soekris/PC Engines not included)
- fix for OpenSSL session renegotiation vulnerability (-> HTTPS webGUI)
- patch to DHCP server daemon to reduce lease file growth
Manuel Kasper has announced m0n0wall 1.3.
“After almost three years in beta, I have decided that m0n0wall 1.3 is now good enough for production. It’s basically a re-release of 1.3b18, with two fixes thrown in. No major bugs have been reported anymore, but as always, upgrade at your own risk.
Major changes in this release (since 1.23):
- switched base operating system to FreeBSD 6.4
- consolidated net45xx, net48xx and wrap images into a single “embedded” image
- switched bridge implementation to if_bridge: bridge member interfaces will now always be filtered (the filtering bridge option has been removed)
- IPv6 support (enable on advanced setup page)
- firewall support for IPsec traffic
- IPsec NAT-T, DPD and dynamic tunnels
- countless bugfixes and other improvements
If you’re upgrading a 1.2 generic-pc installation, you need to install 1.3b7 before you install 1.3 (because the image is too big to fit in the MFS that 1.2 allocates for the firmware upgrade).
If you’re upgrading a 1.2 net45xx/net48xx/wrap installation, you need to rename the embedded image to reflect your platform before you upload it (this is a one time thing only).”
m0n0wall version 1.236 was released last week in order to address a security issue in the ISC DHCP client. If you don’t use the DHCP client on WAN, or if you trust the DHCP server(s), there’s no need to upgrade.
1.236 also includes a few captive portal fixes imported from the 1.3b branch, so if you use the captive portal, that would be another reason to upgrade.
Manuel Kasper has released another m0n0wall beta, bringing the project closer to the final m0n0wall 1.3 release. According to the announcement:
The move to FreeBSD 6.4 has been completed, and legacy BRIDGE has been replaced by if_bridge (thanks to Chris Buechler), so if you’re using the bridging features, you may want to test especially carefully whether everything works as desired after the upgrade.
Also, the filtering bridge is now always on (this is by design), so you may have to add firewall rules to permit traffic on your bridged interfaces if you have not already done so.
Various bugs have of course also been fixed (the SIP inbound NAT problem, advanced outbound NAT slowness when using destination matching, the DHCPv6 range check, etc.).
For more info, the changelog and downloads, visit the beta page.
Olivier Cochard-Labbé, an IP routing expert and founder of FreeNAS (a FreeBSD based Network-Attached-Storage system), has released the first alpha (0.1) image of his new project: BSD Router Project - http://bsdrp.net
BSDRP is an open source customised distribution of FreeBSD dedicated to offering IP routing services for small ISPs.
Release 0.1 of BSDRP is a fully working prototype, to be used on real or virtual machines that boot from an ATA device only (not USB).
This first release includes:
- Base FreeBSD 8.0-CURRENT system (NanoBSD) for i386
- Customized script (config, upgrade, help, command completion, etc…)
- Quagga ready to use (OSPFv2, OSPFv3, RIP, RIPng and BGP)
- The main goal of BSDRP is not firewalling but routing. If you need a firewall, don’t use BSDRP: use m0n0wall or pfSense.
- BSDRP is not for home use, but for company use (small ISPs, for example).
- BSDRP doesn’t have a web GUI: it is configured from a CLI only (like Cisco or Juniper).
- pfSense can be used for routing, but Olivier wanted to set up a Cisco- or Juniper-like project just for routing.
Thanks, Olivier, for contacting me to announce this project. If you have any (new) FreeBSD related products or services that you want to announce, submit it here.
It’s been exactly 6 months since the last release (1.3b15), but m0n0wall is not dead: beta 1.3b16 is now available.
The developers have been busy with a kernel security bugfix (arc4random), support for Broadcom BCM5722 NICs, and IPv6 (DHCPv6, IPv6 webGUI access).
Detailed change log and downloads can be found at m0n0.ch/wall/beta.php
Regarding future development, 1.3 is planned for release soon, but the developers are looking for help with the following. If you can help them out, just contact them:
- replacing the legacy BRIDGE with if_bridge
- improving captive portal reliability and performance (e.g. by introducing SQLite to replace the various flat text files and corresponding lockfiles)
- adding support for address/network groups in firewall rules (via ipfilter’s ippool feature)
Matt Hartley has written an article on Intranet Journal about (in his opinion) the 5 best Linux/BSD Firewall tools:
- Linux LiveCD Router
Over the course of recent years, some people have found the quality of most out-of-the-store firewall appliances either lacking functionality or worse, set at a price that has made them generally out of reach.
Because of this issue, I thought it would be beneficial to write an article to better highlight what works and what does not with regard to turning an older PC into a standalone router/firewall appliance.
Regardless of a fantastic effort by IPCop, there is just something to be said about rock-solid BSD solutions. The first that comes to mind is that from m0n0wall. It’s small, 12 MBs small! That is the single biggest distinguishing thing to note about m0n0wall. Its size and portability, that is. Designed to be a replacement for those expensive firewall appliances used today, m0n0wall works on embedded machines, in addition to being quite useful on older x86 PCs as well.
Definitely a little more advanced from a usability standpoint than other solutions out there, but do not let this fool you, because m0n0wall is VERY powerful in all of its BSD goodness. This being said, it should be noted that even though m0n0wall is workable on an older PC, it shines best on embedded systems being used by more advanced administrators. Therefore, this is not a really good solution for new Windows converts looking to convert their old PC into something cool.
From what I have been told, the pfSense project was started by the same people as m0n0wall. Those looking to revamp an older PC might be better off going with pfSense. Plenty of features to speak of. Most notable among them include:
- Redundancy — By creating a failover group, the network will remain secure even in the event of interfaces that go offline for some reason.
- Load Balancing — Provides both inbound and outbound balancing between WAN connections or multiple servers, depending on which way the traffic happens to be going.
- Captive Portal — Force the user to authenticate or simply find themselves redirected to wherever you wish.
Source (IntranetJournal – 16/12/2008)
m0n0wall is a specialized implementation of FreeBSD designed for routers and firewalls. It weighs in at well under 10 megabytes, but you still get a complete operating system, firewall, Web administration, traffic shaping, DNS server, DHCP server, SNMP, support for DynDNS updates and a whole lot more. m0n0wall offers a nice pointy-clicky interface for setting up a stout ipfilter firewall. For ultimate power, however, you really want to know how to write rules from scratch.
ipfilter rule syntax is not like iptables rules, …
Manuel Kasper has announced the release of m0n0wall 1.234, a minimalist firewall distribution based on FreeBSD.
I’ve decided to create one more release in the 1.2x stable branch to add source port randomization (for both NAT and the DNS forwarder). This is a recommended upgrade for all 1.2x users, no matter whether you’re running a DNS server behind m0n0wall with NAT or not.
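Why the upgrade matters even for sites whose internal resolver already randomizes its own source ports: an outbound NAT that allocates external ports sequentially throws that randomness away, and an off-path spoofer is back to guessing only the 16-bit transaction ID. The following simulation is an added illustration written for this page, not m0n0wall code; the "sequential" NAT mode is an assumption about pre-1.234 behaviour inferred from the announcement, and all traffic is constructed in-process (no network I/O).

```python
"""Source port randomization behind NAT: constructed simulation (added example)."""
import math
import random
from dataclasses import dataclass

PORT_LO, PORT_HI = 1024, 65535      # ephemeral port range assumed for both boxes
TXID_SPACE = 1 << 16                # 16-bit DNS transaction ID


@dataclass(frozen=True)
class Query:
    txid: int
    sport: int  # UDP source port as seen by whoever receives the packet


class Resolver:
    """Internal caching resolver that already picks a random TXID and a
    random source port for every outgoing query."""

    def __init__(self, rng):
        self.rng = rng

    def query(self):
        return Query(self.rng.randrange(TXID_SPACE),
                     self.rng.randrange(PORT_LO, PORT_HI + 1))


class Nat:
    """Outbound NAT in front of the resolver.

    mode == "sequential": external ports handed out in increasing order
        (assumed legacy behaviour); the resolver's port entropy is discarded.
    mode == "random": fresh random external port per translation (the fix
        the announcement describes for NAT and the DNS forwarder).
    """

    def __init__(self, rng, mode):
        if mode not in ("sequential", "random"):
            raise ValueError(mode)
        self.rng, self.mode = rng, mode
        self.next_port = PORT_LO

    def translate(self, q):
        if self.mode == "sequential":
            port = self.next_port
            self.next_port = PORT_LO if port == PORT_HI else port + 1
        else:
            port = self.rng.randrange(PORT_LO, PORT_HI + 1)
        return Query(q.txid, port)


def port_prediction_rate(mode, n=2000, seed=1):
    """Fraction of queries whose external port an off-path attacker predicts
    exactly. The attacker saw the previous translated query (e.g. by having
    the resolver look up a name in a zone it controls) and bets that the
    NAT allocates the next port sequentially."""
    rng = random.Random(seed)
    resolver, nat = Resolver(rng), Nat(rng, mode)
    prev = nat.translate(resolver.query()).sport
    hits = 0
    for _ in range(n):
        guess = PORT_LO if prev == PORT_HI else prev + 1
        seen = nat.translate(resolver.query()).sport
        hits += guess == seen
        prev = seen
    return hits / n


def spoof_guess_space(candidate_ports):
    """(combinations, bits) a forged answer must hit when the attacker has
    narrowed the destination port down to `candidate_ports` possibilities."""
    combos = TXID_SPACE * candidate_ports
    return combos, math.log2(combos)


if __name__ == "__main__":
    for mode in ("sequential", "random"):
        rate = port_prediction_rate(mode)
        ports = 1 if rate > 0.5 else PORT_HI - PORT_LO + 1
        combos, bits = spoof_guess_space(ports)
        print(f"{mode:10s} port predicted {rate:6.1%} -> "
              f"forged answer must hit 1 in {combos} ({bits:.1f} bits)")
```

With a sequential NAT the attacker predicts the external port every time and a spoofed answer only has to match 1 in 65536 TXIDs; with a randomizing NAT (or the forwarder's own randomization when no NAT is involved) the guess space grows by the size of the port range, roughly 32 bits in total.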