m0n0wall, an Open Source Lightweight Firewall
January 28, 2008
Manuel Kasper's embedded FreeBSD-based firewall software package is especially attractive to WISPs and small ISPs.
Manuel Kasper developed the embedded firewall software package m0n0wall back in 2002, he says, while experimenting with embedded x86-based computers. "Having just succeeded at stripping down FreeBSD enough to make it run on a Soekris net4501 board and deploying it for use as a home firewall/NAT router, I wanted to go one step further," he says. "I wanted a nice, web-based interface to configure it, just like the commercial firewall boxes."
Kasper says he chose the name m0n0wall simply because "Mono" was his nickname in school. "I'm not sure why I replaced the o's for zerosperhaps because all domain names with normal o's were already takenand when I look at it now, it seems a bit silly/'31337'but it has become a trademark anyway," he says.
And what started as a home project to make it easier to configure FreeBSD on the Soekris net4501 has grown rapidly. "At some point, I decided that it had become good enough that other people might want to have a look at it, so I posted a note about the first version on a mailing list," Kasper says. "The interest in the project turned out to be big, so I created a dedicated web page and started releasing new versions with new features every few weeks."
As the project has developed, Kasper says he's remained focused on trying to do a few things well, rather than expanding the project beyond its original mandate. "Also, I have strived quite hard to keep it relatively lean in spite of new features being added, so that even today the largest downloadable image is only about 8 MB in size," he says.
And the system requirements have remained extremely minimal. "m0n0wall will run on almost any x86-based PC with a Pentium-compatible processor, at least 64 MB of RAM, and at least two supported network controllers," Kasper says. "No hard disk is required; a USB flash drive, a CF card, or even a CD-ROM plus a floppy disk (for very old machines) suffice. While a common off-the-shelf PC will do, m0n0wall is especially designed for x86 based embedded computers, such as the new AMD LX based boards from PC Engines and Soekris."
Still, Kasper admits that m0n0wall's simplicity can also be a weakness. "If you're looking for features such as content filtering or proxying, or if you want a firewall that can double as a print/file server or PBX, then m0n0wall won't be a complete solution for you: it has long ago been decided that these things don't fit in with the m0n0wall philosophy," he says. "But that's why there are other m0n0wall-based projects, like AskoziaPBX, FreeNAS, or pfSense."
Intuitiveness, price, and security
One of the solution's key strengths, Kasper says, is the intuitiveness of the web interface. "It's designed so that the average user with a little firewall experience can use m0n0wall without looking at a user manual," he says. "Everything that isn't obvious is explained on each page."
And being open source, Kasper says, helps in terms of both price and security. "[Users] get a firewall with a web interface that can stand up to many commercial solutions in terms of features and usabilitybut for free," he says. "[And] if a bug is found, it is usually only a matter of days (sometimes hours) before a fix is releasedand since all the source code is available, anyone with some FreeBSD and PHP knowledge can add new features or fix bugs."
Kasper says m0n0wall has proven to be particularly attractive to ISPs. "The traffic shaper built into m0n0wall is used by some (usually smaller) ISPs to easily control the bandwidth usage of their clients without having to resort to command lines or expensive commercial gear," Kasper says. "Also, I've heard that the captive portal built into m0n0wall is quite popular among small WISPs and individual hotspot operators, perhaps because it is so easy to deploy and, in conjunction with the other features of m0n0wall, can provide a complete solution for a hotspot access gateway."
Updates and support
Since the initial public release of m0n0wall in February of 2003, Kasper says a number of new features have been added to the solutionincluding VPN support, the captive portal, and wireless LAN support. "The project has now matured, and a new stable release typically appears every few months," he says. "Beta releases are currently produced at the rate of about one per month."
The most recent releases, Kasper says, have updated the base system to FreeBSD 6, improved support for new WLAN cards as well as WPA, added a SIP proxy, and added support for ISPsec tunnels to dynamic endpoints.
Looking at the solution as a whole, Kasper says the best way to explain m0n0wall's strengths is to look at the stability and reliability of FreeBSD. "m0n0wall, owing to the fact that it's based on FreeBSD, inherits those qualities," he says.
This story originally appeared at ISP-Planet. It is re-printed here with permission.