m0n0wall Firewall – Part 1
Powerful and easy-to-configure FreeBSD firewall with Web GUI, IPsec and PPTP endpoints and bandwidth shaping
8/22/2004 m0n0wall 1.1 released. See Part 2 of the review for details.
• Runs on both embedded PC platforms and normal PCs
• Includes bandwidth shaping and VPN endpoint features
• Firewall configuration could be daunting for some users
We all know that the Internet is a potentially nasty place. Everyone from bored teenagers to organised criminals is trying to access your computer. Once connected to the Internet, nobody is immune.
Attacks are also becoming ever more sophisticated as they increasingly exploit social engineering methods, i.e. you. Phishing, spyware, Trojans, worms and email viruses all have the attention of the computing press. Yes, there is no doubt we need an ever more layered approach – anti-virus software, spam filters, spyware detection software. The base layer, however, is still the most important, and this is a firewall.
In his recent article about the LEAF project, Jim Hubbard summed up very well what a firewall is and its purpose. At its most basic, it is a device that allows you to control what traffic enters and leaves your network.
The main thing that differentiates these devices is the quality and balance of functions. If you were to go out and buy a hardware firewall, at the bottom of this scale are low-cost products such as the venerable Linksys BEFSR41 Broadband Router, which you can pick up for as little as $40. Its main purpose is to easily share a single broadband Internet connection between a small number of users.
At the top of the scale are high-cost products such as Watchguard, Cisco and Checkpoint firewalls costing many thousands of dollars. These are capable of supporting thousands of users or large numbers of Internet-connected services such as web servers.
And your choice is not limited to commercial hardware devices. Alternatively, you can convert standard PC hardware into a firewall just by installing software, which is available both to buy and for free. Commercial examples are SmoothWall, Astaro and Coyote/Wolverine. There is also plenty of free Open Source software such as Freesco, IPCop and, of course, LEAF. Typically these are based on a Unix-like operating system, the most well-known being Linux.
Don’t assume that basing a firewall on an operating system such as Linux makes it any less secure or capable than the commercial firewalls. The Watchguard Firebox-X range of firewalls is based on standard PC hardware and a customized version of Linux. Even the low-cost Linksys hardware is now using Linux.
However, Linux is not the only free Open Source UNIX-like operating system. There is also the BSD family of operating systems (FreeBSD, OpenBSD and NetBSD), whose roots predate Linus Torvalds’ first Linux kernel by 14 years.
The aim of this review is to introduce you to m0n0wall firewall software based on FreeBSD, and the Soekris net4501, one of the specific embedded PC platforms m0n0wall is designed to run on. In this Part 1 of a two-part series, I’ll run through installing m0n0wall on the Soekris net4501, and also show you how the same software can be installed on any standard PC that meets m0n0wall’s minimum specifications.
What is m0n0wall?
m0n0wall is free firewall software that is a little different for a few reasons. It is:
- based on FreeBSD, not Linux [1]
- optimised for small embedded PC devices, but can also be installed on a very wide range of PC hardware
- licensed under a less restrictive FreeBSD-type license rather than the GPL [2]
m0n0wall is mostly the work of Manuel Kasper. He started to build m0n0wall as a web interface to FreeBSD being used as a packet filter on embedded PCs. This quickly turned into a complete firewall package with a clean and easy-to-use PHP-driven web interface.
Manuel then decided he didn’t like the inflexibility of the standard shell-script method of configuring Unix systems and took the bold step of using PHP – a technology usually used for dynamic web page creation – to configure the system at boot-up. Using PHP in this way is quite unusual and allows the whole system configuration to be held in a single structured XML file. It also helps keep the system image small (currently less than 6MB), as large pieces of software such as Perl are not required.
The first public beta of m0n0wall was released in February 2003. A further year of work and 26 further beta releases culminated in the release of m0n0wall v1.0 in February this year. m0n0wall is now a collaborative project, but its development is still managed by Manuel Kasper, who also contributes a large proportion of the development.
The main m0n0wall v1.0 functions and features are:
- Stateful packet filtering with block/pass rules on all interfaces and logging
- Flexible and optional NAT & PAT including 1:1
- DHCP client, PPPoE, PPTP support on the WAN interface
- Static routes
- Traffic shaping
- Dynamic DNS client
- DHCP server, separately configurable for all interfaces
- Caching DNS forwarder with optional static entries
- Aliasing for hosts and networks
- Wireless interface support
- IPSEC VPN endpoint, network to network and mobile clients
- PPTP VPN endpoint, with RADIUS authentication support
- SNMP agent
- Logging to remote Syslog server
- Online firmware upgrade
- Configuration Backup/Restore
[1] Some Linux-based firewalls such as SmoothWall are based on the Linux 2.4 kernel (or more recent). This could make users liable for licensing fees payable to SCO Inc. if they are successful with their current Intellectual Property / Copyright / Contract claims. So far the BSD family has been free of such claims from SCO Inc.
[2] Quoting the FreeBSD FAQ, the license has two and only two basic conditions, “Do not claim that you wrote this.” and “Do not sue us if it breaks.” This frees the software to be used and modified for any purpose, including commercial, with very little restriction other than crediting the authors of the original work.
Embedded PC Platforms
One of the fundamental differences between m0n0wall and other similar Open Source firewall operating systems is that m0n0wall has been designed from the outset to run on embedded PC platforms. By PC platform I am referring to Intel x86 compatible hardware (AMD, VIA etc). Once booted, the software runs entirely from RAM with only configuration changes being saved in a single XML file to writeable media.
Embedded PC platforms lend themselves to making excellent routers & firewalls for a number of reasons. They are:
- compact, do not require much space
- power efficient, typically consuming < 10W of power, important for a device which is likely to be constantly powered on
- generate little heat, important for a device that might be installed in small, poorly-ventilated spaces or next to other heat-producing electrical equipment
- reliable – they have very few or no moving mechanical parts
The only significant disadvantage of embedded PC platforms is they are not readily upgradeable, as all the major components, including CPU and RAM, are soldered to the mainboard.
m0n0wall officially supports the net45xx / net48xx range from Soekris (Santa Cruz, USA) and the WRAP (Wireless Router Application Platform) from PC Engines (Switzerland). Images compiled specifically for these platforms are available for download.
The Soekris net45xx/net48xx range seems to be the most popular with m0n0wall users not using general PCs at the moment. I suspect this has largely been due to PC Engines not supplying pre-made cases for their boards, something they have recently addressed.
The table below gives a quick price/specification comparison between these embedded platforms:

CPU                      Interfaces / features
233 MHz NSC SC1100       3 LAN / 1 miniPCI, CF, Power over Ethernet, case
133 MHz AMD ElanSC520    3 LAN / 1 miniPCI, CF, 3.3V PCI, serial, case
266 MHz NSC SC1100       3 LAN / 1 miniPCI, CF, 3.3V PCI, 2 serial, USB 1.1, UltraDMA-33, case

* Prices as advertised 03 July 2004, exclusive of shipping and taxes.
We will look at the relative performance of these platforms in Part 2 of this review.
Standard PC Hardware
m0n0wall is not restricted to specialised embedded PC platforms. The generic PC images will run on most general PC hardware and other embedded PC platforms, such as the Lex Light range of PCs, as long as they meet a few basic minimum requirements:
- Intel Compatible i486-100 or faster processor
- 64MB RAM
- 2 network interfaces supported by FreeBSD 4.9
- > 8MB IDE Hard Disk or IDE Compact Flash Card
- ATAPI Floppy Disk Drive, IDE CD-ROM Drive and BIOS that supports booting from CD-ROM (El Torito standard)
- VGA adaptor
The minimum requirements cover lots of different types of hardware. For those people hoping to re-use old hardware, the 64MB RAM requirement is likely to be most problematic. This is an unfortunate side effect of the system running entirely in RAM and is to allow new versions of the software to be uploaded, decompressed and written to the boot media while the firewall is still in use.
If you have less than 64MB of RAM available, the best work-around on general PC hardware is to use the CD-ROM & floppy disk installation method. As the image upload method of upgrading the software simply doesn’t apply (CD-ROM installations are upgraded by writing the new image to CD-ROM and rebooting the firewall), 32MB should be a workable minimum amount of RAM.
Network interface is the other area where you might run into problems, but FreeBSD 4.9 supports the chipsets of most ‘common’ Ethernet network cards. Check the FreeBSD 4.9 hardware compatibility notes for more information.
The Soekris net4501
The Soekris net4501 is the base model in the Soekris line of embedded PC devices. Soekris designed the net45xx from the outset to function as routers, firewalls and wireless access points. The net4501’s AMD 133 MHz ElanSC520 CPU gives performance comparable to an Intel Pentium P100-based PC.
Unlike the VIA mini-ITX product line, which has also been designed for compactness, the Soekris net45xx line cannot run graphical operating systems such as MS Windows or Linux/FreeBSD with X-Windows. However, what you get is a fully-functioning device ‘out of the box’ as all the required hardware, including CPU and memory, are part of the mainboard. A complete lack of moving parts, no hard disk or cooling fans, means that they are completely silent in operation and much less susceptible to mechanical failure.
The net4501 is supplied as a system board with an optional metal case. When ordered together, the board comes pre-installed in the case. Board specs are:
- 133 MHz AMD ElanSC520 CPU
- 64 MB SDRAM
- CF Type I/II socket
- 3 auto-sensing 10/100 Mbit Ethernet ports, RJ-45
- 1 Serial port, DB9
- Power LED, Activity LED, Error LED
- Mini-PCI type III socket
- PCI Slot, 3.3V, right angle
- Operating temperature 0-60 °C
The required 12V external power supply can also be purchased direct from Soekris, and they have recently started to ship power supplies suitable for Europe as well as North America.
The case is of good quality powder-coated steel and it is easy to get inside once the four retaining screws have been removed. The case’s external dimensions are 216mm x 150mm x 30mm (8.5in x 5.9in x 1.2in), and with the board and a CompactFlash (CF) card installed it weighs just under 750g (1.6 lb).
Figure 1: Soekris net4501, Front view
On the front are the three LEDs for Power, Network Activity and Error. Currently m0n0wall does not use the error LED, though the LED’s use for indicating the status of the WAN network interface is on the ‘To do/Wishlist’.
Figure 2: Soekris net4501, Rear view
On the rear, from left to right, are the three RJ45 Ethernet interfaces and a DB9 Serial port and the power socket.
The Soekris net4501, Continued
Unfortunately, even though the board supports a single 3.3V PCI card, there is no opening on the rear of the case to allow a card to be accessed externally. A more minor downside is that the case is only available in a rather odd shade of green – even beige would have been better.
The case is opened by removing the four small retaining screws underneath – the top then slides away from the base.
Figure 3: Soekris net4501, top removed, view from the front
The CF card, which stores the system software, is retained in its slot by a screw-in post. While this shouldn’t be necessary under normal use, it does prevent the card slipping out of the slot if the unit is treated more roughly while in transit.
The Type III miniPCI slot is the white slot visible between the CF card and the rear of the case. miniPCI is often found on laptop PC mainboards and in both the net45xx and laptops it is typically used for wireless network cards. Currently m0n0wall supports a number of 802.11b wireless cards as a network interface. Faster 802.11a and 802.11g specification cards are not currently supported by m0n0wall. This is a limitation of the standard device drivers built into FreeBSD 4.9 rather than m0n0wall itself.
However, the steel case itself makes an effective shield for the internal antennas on any installed wireless card, which will hinder wireless range and performance. There is also no specific opening or connection on the rear of the case for a cable to an external wireless antenna.
The best way round this would be to buy a pre-made wireless adapter cable with a chassis socket at one end. The case then only needs adapting by drilling an appropriately-sized hole to accept the chassis socket. This, and an external antenna, would easily improve the range of a net45xx /m0n0wall based Wireless Access Point.
Figure 4: Soekris net4501 mainboard
Figure 4 shows the highly integrated nature of the net4501 mainboard. The 3.3V PCI slot is on the top edge of the board. The three large semiconductors centre left and the three smaller semiconductors next to the RJ45 sockets on the far left are the interface and MAC controllers for the three National Semiconductor DP83815 Fast Ethernet network interfaces. Centre right is the AMD 133 MHz ElanSC520 CPU. The two chips above this are the SDRAM, 32MB each, and to the right of the CPU is the BIOS/boot flash memory.
Installing m0n0wall to the net4501
The only challenge to installing m0n0wall to the net4501 is getting the software image onto the CF card. The uncompressed m0n0wall image requires a minimum of 5-6MB of space.
The latest m0n0wall images for all supported platforms are always available from the ‘downloads’ section of the m0n0wall site at http://www.m0n0.ch/wall/downloads.php. The ‘downloads’ section gives you a list of all the available download mirrors, normally you will get the fastest download from the closest geographical mirror.
Once you have the software, the method of getting the images onto the CF card depends on what operating system you have access to.
Installation of the CF Image using MS Windows NT/2000/XP
Under MS Windows NT/2000/XP, it is easiest to use physdiskwrite.exe, the Windows NT/2000/XP command line tool written by Manuel Kasper specifically for the job (http://www.m0n0.ch/wall/physdiskwrite.php). Be aware that you cannot use physdiskwrite.exe on PCs running MS Windows 9x or MS Windows Millennium.
The only other requirement is a CF card adaptor that Windows recognises as a Mass Storage Device. Most USB connected CF card adaptors are recognised as such. MS Windows XP shouldn’t present any problems. If you are using MS Windows 2000 and the CF card isn’t recognised, you may need to install Service Pack 3, which improved native support in the operating system for USB attached flash media. If you cannot use USB, IDE CF card adaptors are available.
Here is the step-by-step procedure, assuming your CF card adaptor is installed:
- Download the current net45xx m0n0wall image from your closest download mirror.
- Download the current version of physdiskwrite.exe from the m0n0wall site; for ease of use, save it to the ‘c:\winnt’ folder.
- Insert the CF card into the card adaptor.
- Open a command prompt (Start -> Run -> “cmd.exe”).
- Type “physdiskwrite net45xx-yy.img”, where yy is the version.
- The status of all physical mass storage devices detected is displayed. Find the CF card; in this instance it is easy to spot as device 1, since device 0 is a 40GB Western Digital IDE hard disk.
- At the prompt “Which disk do you want to write? (0..x)”, type the appropriate number, in this case 1, the CF card.
- The image is decompressed to the card, taking about 20 seconds.
Figure 5: Writing the m0n0wall image to CF using physdiskwrite
Don’t expect to be able to open the CF card under Windows Explorer, as the image format is FreeBSD UFS.
Installation of the CF Image using FreeBSD or Linux
As with MS Windows, the only requirement is a way of writing to the CF card either using a USB or IDE attached CF card adaptor. Under FreeBSD the image is decompressed using a combination of the gzcat and dd command line tools. Under Linux, gunzip is substituted for gzcat.
More detailed instructions are available on the m0n0wall website at http://www.m0n0.ch/wall/installation_embedded.php.
After the CF image is written, it’s just a simple matter of removing the top cover from the net4501 and installing the CF card into its slot on the mainboard, remembering to replace the retaining post.
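As an added example (not part of the review or of the m0n0wall project), the following POSIX shell script performs the gzcat/gunzip and dd write described above with the checks a practitioner wants before pointing dd at a disk: it rejects a file that is not gzip data, refuses a device that has mounted filesystems (the mistake the ‘Generic PC Images’ section warns about), and reads the card back to compare checksums. The device paths, the 16k block size and the constructed demo image are assumptions.

```shell
#!/bin/sh
# Added example (not m0n0wall project code): write a gzip-compressed m0n0wall
# CF image with gzcat/gunzip and dd, with checks against writing the wrong disk,
# then read the card back to confirm the image landed where it was meant to.

# decompress IMAGE_GZ: gzcat on FreeBSD, gunzip -c on Linux (identical output).
decompress() {
    if command -v gzcat >/dev/null 2>&1; then gzcat "$1"; else gunzip -c "$1"; fi
}

# write_cf_image IMAGE_GZ TARGET
#   IMAGE_GZ: the downloaded image, e.g. net45xx-1.0.img (gzip data)
#   TARGET:   the CF card's raw device (assumed /dev/da0 on FreeBSD, /dev/sdb on
#             Linux) or a plain file for a dry run
write_cf_image() {
    img=$1; target=$2
    [ -r "$img" ] || { echo "image not readable: $img" >&2; return 1; }

    # The download is gzip data (magic bytes 1f 8b); refuse anything else so a
    # truncated download or a saved HTML error page never reaches dd.
    case $(od -An -N2 -tx1 "$img" | tr -d ' \n') in
        1f8b) ;;
        *) echo "not a gzip image: $img" >&2; return 1 ;;
    esac

    # A device with a mounted filesystem is almost certainly the disk holding the
    # running OS, not a freshly inserted CF card: refuse it and its partitions.
    if command -v mount >/dev/null 2>&1 &&
       mount | awk -v t="$target" 'index($1, t) == 1 { f = 1 } END { exit !f }'; then
        echo "refusing: $target has mounted filesystems" >&2; return 1
    fi

    # bs=16k is an assumed block size; the review does not state one.
    decompress "$img" | dd of="$target" bs=16k 2>/dev/null
}

# verify_cf_image IMAGE_GZ TARGET
#   Reads back as many bytes as the uncompressed image holds and compares CRCs
#   (cksum exists on both FreeBSD and Linux), so a failed or misdirected write
#   is caught before the card goes into the net4501.
verify_cf_image() {
    img=$1; target=$2
    size=$(decompress "$img" | wc -c | tr -d ' ')
    want=$(decompress "$img" | cksum | cut -d' ' -f1)
    have=$(head -c "$size" "$target" | cksum | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# demo_write: dry run against plain files in a temporary directory, using a
# constructed 1 MB random stand-in for the real net45xx image.
demo_write() {
    dir=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$dir/raw.img" bs=1024 count=1024 2>/dev/null
    gzip -c "$dir/raw.img" > "$dir/net45xx-demo.img"   # constructed gzip image
    : > "$dir/cf"                                      # stands in for /dev/da0
    rc=1
    if write_cf_image "$dir/net45xx-demo.img" "$dir/cf" &&
       verify_cf_image "$dir/net45xx-demo.img" "$dir/cf"; then rc=0; fi
    rm -rf "$dir"
    return $rc
}
```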
Booting m0n0wall for the first time
The detailed instructions on the m0n0wall website make reference to powering the net4501 and logging onto the box using Windows HyperTerminal or some other serial console software and setting up the network interfaces. This requires a serial null modem cable.
In reality, this is unnecessary, since by default the Net0 interface of the net4501 is assigned as the m0n0wall LAN interface and given a default IP address of 192.168.1.1/24 (Subnet mask 255.255.255.0). DHCP is also enabled.
Either plug LAN0 into a Hub or Switch with a standard Ethernet straight-through cable (MDI) or into the network interface of a PC with an Ethernet cross-over cable (MDI-X). Assuming you have no other DHCP server on your LAN, you can set your PC’s TCP/IP properties to ‘Obtain IP address automatically’ and your PC will be assigned an IP address by m0n0wall’s DHCP server. If you’d rather set your IP address yourself, use an IP address between 192.168.1.2 and 192.168.1.254 with a 255.255.255.0 subnet mask.
To confirm everything is working, open a web browser and go to http://192.168.1.1 and you should be rewarded with a login prompt. The default username is admin and password mono, both lowercase and containing no numbers. Now you can update the IP address of the LAN interface to suit your own network.
Installing m0n0wall to other PC hardware
Installation to other PC hardware involves much the same method, with the exception of the CD-ROM version.
Soekris net4801/PC Engines WRAP Images
As these are also embedded devices booting from a CF card, follow the instructions for the Soekris net4501, substituting the appropriate image at the physdiskwrite/dd stage of writing the image to the CF card.
On the PC Engines WRAP, the LAN1 interface is assigned as the m0n0wall LAN interface and given a default IP address of 192.168.1.1/24 in the same manner as the Soekris net4501. LAN1 is on the far right, next to the power socket. As you would expect, the Soekris net4801 network interfaces are assigned in exactly the same way as the net4501.
Generic PC Images
As already discussed, the generic PC images can be installed on any Intel x86 compatible hardware that meets the minimum requirements. This could be an embedded PC platform where a m0n0wall image compiled for optimum performance isn’t available, or a standard desktop PC being given a new lease of life as a firewall.
The main decision to make is how to boot your hardware, Compact Flash, IDE Hard Disk or CD-ROM? My suggestion is that where possible, always go for CompactFlash. IDE CF adaptors and CF cards are relatively inexpensive and this is the storage medium that m0n0wall was designed for.
The only shortcoming of CF cards is the relatively low number of write/delete cycles that the memory will support before failing. While this is measured in figures of hundreds of thousands, a firewall permanently connected to the Internet that is configured to write an entry to the system log for every blocked IP packet is going to hit that limitation fairly quickly.
To overcome this, m0n0wall only accesses storage media under three circumstances:
- booting the system and reading the software image into RAM
- writing configuration changes to the XML configuration file
- writing a new software image using the ‘Firmware Upgrade’ function while the firewall is on-line.
Everything else is performed in RAM. This does mean m0n0wall’s minimum RAM requirement of 64MB is higher than some other comparable firewall systems. But those other systems rely on virtual memory in the way of a swap file on disk and can’t take advantage of the low power requirements and high mechanical reliability of booting from CompactFlash.
If CompactFlash is not possible, hard disk is the next best option. Chances are if you are giving a retired PC a new lease of life, it will already have a hard disk. This isn’t going to be quite as reliable or power efficient as CompactFlash, but running a firewall with a hard disk isn’t unusual and you can still get the convenience of the online ‘Firmware Upgrade’ functionality.
Installation of an image to hard disk is mostly the same as installation to CompactFlash. You will just have the inconvenience of having to shut down and partly disassemble the PC you are using to install the m0n0wall image, and attach the hard disk to a spare IDE channel. Also, pay special attention at the stage of selecting which device you will be writing the m0n0wall image to, since the last thing you want to do is overwrite the hard disk holding your operating system!
The final option is the CD-ROM ISO image. From a long-term reliability point of view this is the worst of both worlds, since it depends on both writeable CD-ROMs and 3.5″ floppy disks! However, as a method of evaluating m0n0wall on general PC hardware, it couldn’t be more convenient. You won’t have the convenience of the online ‘Firmware Upgrade’ function, but by that stage you will have reconfigured your m0n0wall to use a CF card or hard disk, or will have moved on to other solutions.
Simply write the ISO image to a CD-R using your favourite CD-ROM burning software, making sure the software writes a Mode-1 image at 2048 bytes/sector. Then find a 1.44MB 3.5″ floppy disk and format it with the FAT16 file system. Insert the disks in the relevant drives and configure the PC BIOS to boot from the CD-ROM device.
Instructions for both writing the CD-ROM image and formatting the floppy disk under FreeBSD are on the m0n0wall website at http://www.m0n0.ch/wall/installation_cdrom.php.
TIP: Just be sure that once the evaluation is over, m0n0wall and the PC are reconfigured to boot from a CF card or hard disk. The configuration can be ‘backed-up’ and applied to the new configuration as long as all the other hardware (particularly network interfaces) is the same.
Booting m0n0wall for the first time
On generic PC hardware, m0n0wall cannot assign network interfaces on its own – after all, it doesn’t know in advance what combination of hardware is going to be present, as it does on the supported embedded PC platforms. Also, m0n0wall is normally more than happy to function without a screen or keyboard, but both are required on the first boot to configure the network interfaces with basic information.
Most common network cards that have been around for a while are supported. But you should check the FreeBSD 4.9 hardware compatibility list, since unsupported cards won’t be properly detected and initialised, and there is no option to manually configure the physical network interfaces. You also can’t add additional hardware device drivers to the m0n0wall image.
On the first boot-up you are presented with a screen that allows you to assign the default logical m0n0wall interfaces LAN, WAN and OPT to the physical network interfaces detected at boot-up. You’ll be presented with each detected network interface to assign and configure in turn, identified by its FreeBSD device driver name and the interface MAC address.
TIP: m0n0wall uses a concept of logical interfaces. At a minimum, you need two physical interfaces so that the LAN (Local Network) and WAN (Wide Area Network) logical interfaces can be assigned. Any additional detected interfaces are assigned as OPTx (Optional), where x is the interface number. These can be renamed in the administration GUI to more meaningful names depending on how you plan on using them. Typical examples would be DMZ (Demilitarised Zone), a separate network for Internet-accessible hosts, or LAN2, a second internal network.
Note that if you have two or more interfaces of the same type, the only way you will be able to tell them apart is by the MAC address. To overcome this, there is a partially automated configuration option which prompts you to connect each network interface, one by one, to a hub or switch. m0n0wall detects which interface is active and then prompts for the configuration options you wish to assign.
TIP: In practice on standard PCs, you will probably find that PCI network interfaces will be presented in the same order as the PCI slots they are installed in. Normally PCI slots are numbered with slot 1 being nearest the CPU and/or AGP slot (if present).
Now that we’re installed, let’s take a break. I’ll be back in Part 2 to cover configuring m0n0wall, a review of some of its features, some performance testing and a look at what’s next for m0n0wall.