A firewall is taken as a basic given for any network. But many small businesses stay away from implementing one, for a number of reasons. While costs keep them away from dedicated firewalls, complexities of configuration and update mechanisms keep them away from DIY solutions. In such a scenario, software such as m0n0wall is an excellent place to start off.
m0n0wall is actually an embedded firewall, designed to run on embedded x86 hardware. It is its ability to run off a CD-ROM + floppy combination that we are going to use here. You can also run it off an old hard disk and do away with the floppy drive and the CD drive.
Setting up the PC
A basic m0n0wall setup can run on a standard PC 486 with 64 MB RAM, CD-ROM drive and 1.44 inch floppy drive. The BIOS should have the ability to boot from the CD. You will need two network cards on this PC for connecting the LAN (internal) and WAN (external) interfaces. You can add a third network card to create a DMZ (Demilitarized Zone), if required. We assume that the network cards are connected to the network as required before you start.
Caution: You'll need to ensure that the network card you use for the setup is compatible with the FreeBSD. A list of compatible cards is available at http://tinyurl.com/ 6jw6l.
Creating a m0n0wall CD and floppy
We have given the ISO image of m0n0wall firewall on this month's PCQ Xtreme DVD. Burn this image on a CD, using software such as Nero, at a burning speed of 4x. Now take a blank 1.44 inch floppy and format it for DOS (Format A:).
Note: If you want to install m0n0wall on a hard disk, then download the generic-PC image available at http://www.m0n0.ch/ wall/downloads.php. You will also need to download physdiskwrite 0.5 available there.
Configuring the internal network
Insert the m0n0wall CD and floppy in the firewall PC. Go to the PC BIOS and change the boot sequence to boot from the CD drive. After booting from CD, you will get five options on the firewall console-Interface: Assign Network Ports, Setup LAN IP Address, Reset web GUI Password, Reset to Factory Defaults and Reboot.
Since this is the first time you are running the firewall, select the fourth option 'Reset to Factory Defaults'. This will create a default configuration file on the floppy drive. The CD version of m0n0wall stores all configurations on floppy since you can't save anything on the CD.
Reboot, and now select the first option 'Interfaces: Assign Network Ports'. This will give you the information about the active network card, which includes its interface name and MAC address. This will be something like this:
fxp0 00:a0:c9:25:16:45 (up)
vr0 00:0d:87:91:64:66 (up)
Here, fxp0 and vr0 are the names assigned to the network cards and the numbers following them are the respective Mac addresses. You can assign the cards to the internal and external links later.
Now you will be asked to set up a VLAN. Press 'n' to skip the VLAN setup for the time being. You will then be asked to set 0the name of the interface that you want to use for LAN, like this, "Enter the LAN Interface Name or 'a' to auto-detection:". Here give the interface name that is connected to your LAN segment, for example 'fxp0' from above. Now, you will be asked to set the name of your WAN interface. Follow the same procedure as above, after which the firewall will ask you to set up a DMZ if you have installed a third network card.
Now your network interfaces are mapped as shown below.
m0n0wall will now ask you to reboot the firewall to save the settings on the floppy. Press 'y' to reboot the firewall PC.
Now choose the second option from console 'Setup LAN IP Address'. This option will ask you to set the IP address for your firewall's LAN card. You have to give it a fixed IP address. Give any free IP from your LAN IP pool (we're assuming that you have a DHCP service running) and also its subnet. In our case, we assigned the IP as 192.168.3.55 and subnet as 255.255.255.0.
Next you will be asked to enable its built-in DHCP server. If you want to use its DHCP server press 'y' otherwise (if you have a separate DHCP server, and wish to continue to run it) press 'n'.
Configuring the external connection
You can manage m0n0wall from its Web interface. From any PC on the LAN, open a Web browser and point it to http://192.168.3.55 (the internal IP address of the firewall). An authentication window will appear, give username as 'admin' and password as 'mono'. You should change this by going to the "General Setup" screen under "System".
Open the web page. On the left side of the main page there will be seven menu items to manage the firewall (System, Interface, Firewall, Services, VPN, Status and Diagnostic).
Now click on WAN under interfaces. In type select DHCP, if your Internet connect is of dial up DSL or cable type and provides you a new IP address every time you connect. Select Static and enter the IP address provided by your Internet service provider in the subsection "Static IP configuration" if you have a permanent IP address from your ISP. Finally click on the save button at the bottom of the page.
With this your firewall PC is ready to use. Let's now go to the firewall configuration itself.
The firewall is not effective until you put in the rules for it to follow. m0n0wall makes it easy to put in the rules by offering you a series of drop down combinations to choose from. For example, the action to be taken for each rule is one amongst "pass", "block" or "reject".
To create rules, select the 'Rule' hyperlink under the 'Firewall' option from the Web page. Here you have to click on the 'Plus' sign to create a new rule for your network. It will open a new page, where you can define an action for either the LAN or WAN interfaces. You need to set the criteria based on which the firewall will process the packets. For example, if you want to block FTP downloads on your LAN, set the Action to 'block' and select the interface as 'LAN'. Then from the Protocol option, select 'TCP', and keep the source and destination options to 'any' and set 'destination port range' to FTP. Finally click on the 'save' button to create a new rule on the new page and to activate this new rule, click on 'Apply changes'.
m0n0wall can also be used to regulate network bandwidth. From its Web interface, select the 'Traffic shaper' hyperlink under the 'Firewall' option. Here you can create bandwidth pipes and queues for your LAN segment. A quick tool for LAN bandwidth is 'Magic Shaper Wizard'. Here you can set the lowest traffic priority to P2P applications such as Kazaa, and you can limit the downstream and upstream speed of a WAN link, if needed.
m0n0wall also shows you a real-time status graph of your LAN and WAN traffic in kbps from the Web page itself. To see the status graph on your Web browser, you will need to install the Adobe SVG viewer from www.adobe.com/svg/viewer/ install/ in your browser.