Improve Network Security with Open Source Monowall

by Carla Schroder

In part one of this two-part series, we review how to set up strong network security with Monowall, an open source firewall.

A good firewall is a must for any Internet-connected network, and the open source Monowall (often written as "m0n0wall") is one of the best. Follow along as we set up strong network security using the excellent Monowall to protect our local network (LAN). Today we'll install and do basic security configurations, and in Part 2 we'll set up a good stout Internet firewall, a secure VPN, and a wireless bridge.

Why Choose Monowall?

Monowall is a complete software firewall package that includes its own operating system. All you need is some sort of computer to install it on. There are two downsides to Monowall: its goofy spelling and no commercial support. Its advantages are many. It is free of cost (though donations are welcome), and it is based on the superior FreeBSD operating system.

FreeBSD is an open source Unix that powers everything from tiny embedded devices to some of the world's most high-demand servers. Monowall comes with an excellent graphical configuration interface, and it's designed to be run entirely from its Web-based GUI.

It's a small file, weighing in at about 16 MB. It runs on the excellent Soekris and PC Engines single-board computers -- my first choices for specialized network devices, because they are robust and flexible. They will not become obsolete for many years and can be repurposed into a variety of tasks. Monowall also runs on ordinary PCs from a CD-ROM, USB stick, hard drive, Compact Flash, and even offers a VMware image.

Monowall open source firewall test lab
Monowall test lab -- from left to right: ZaReason Teo netbook, IBM Thinkpad running Monowall, tiny old cheap but still good Netgear Ethernet hub.
(Click for larger image)

Old laptops make great firewalls because they are small, self-contained and low power consumption. They're nice for wireless network bridges, because most have both a wired Ethernet and a Wi-Fi interface built-in. They're less reliable just from being old, so don't use them where you can't afford a hardware failure.

Another potential problem with old PCs and laptops is support for network interfaces. You'll need a minimum of two NICs, and they must not be cheapie Win-interfaces that run only in Windows, but "real" ones with fully-functional hardware controllers. The fastest way to find out if yours will work is to run Monowall to see if it detects them.

Let's set up a simple test lab. You will need:

  • Two PCs, one to run Monowall and one to serve as your LAN client (any Linux, Mac or Windows PC will do)
  • Ethernet hub or switch and patch cables
  • A FAT16- or FAT32-formatted USB stick for storing configuration data
  • Monowall CD

Your test lab connects like this: Internet => Monowall => switch/hub => PC/laptop as shown in Figure 1. We'll start without the Internet.

Installing the Monowall Open Source Firewall

In this article we'll run Monowall on a PC via CD-ROM because this is the easiest way for most folks to get acquainted with it. (Refer to the appropriate Quickstart guide for help with USB, Compact Flash or hard drive installation.)

Download the correct Monowall image (currently this is cdrom-1.33.iso), and burn it to CD. Plug in your USB stick (don't forget this, or it won't save your settings, and then nothing will work), and then boot your test computer to the CD. Bootup should take no more than a minute, and then you'll see the Monowall console setup. This has seven options:

  1. Interfaces: assign network ports
  2. Set up LAN IP address
  3. Reset webGUI password
  4. Reset to factory defaults
  5. Reboot system
  6. Ping host
  7. Install on Hard Drive

Type the number 1 and press Enter to assign network ports. If you are used to Linux and Windows Ethernet names, like eth0 and eth1, Monowall's are going to look odd. On my test system I have ed0 and em1. On yours they might be bge, ti, txp, dc, sis, or something else. Monowall displays the port names right in front of you on your screen, so you don't have to guess.

First type N to bypass configuring a VLAN (virtual LAN). Then configure your LAN and WAN interfaces, press Enter to bypass Opt configuration, and then Monowall will reboot.

When Monowall comes back up, select 2 and press Enter to set up the LAN IP address. The default is Go ahead and type this in and press Enter.

Then it will ask if you want to enable the DHCP server. Yes you do. When it asks for the "subnet bit count" type 24, and then it will ask if you want to enable the DHCP server; say yes.

Next, the software will ask you for an IP address range; if you like you can do what I did and use - This means it will assign IP addresses and network configurations to up to ten client computers. (At this stage it's not all that important to get these settings perfect, because they are easy to change later in the nice webGUI.) After this it will display a confirmation of Monowall's IP address and webGUI URL.

Now turn your attention to the second PC; your test LAN client. It should be configured to its get network configuration from DHCP. If it is already running, reboot it. When it comes back up, open a terminal and ping Monowall's LAN IP address. When this succeeds look up the address assigned to the LAN client and ping it from Monowall (option 6).

When you can ping both ways, your network is correctly configured. Now it's time to enter the Monowall webGUI. Type into the URL bar of a Web browser on your LAN client. You will be asked for a username and password, which are admin and mono. Then you should see something like what you see in Figure 2.

Monowall open source firewall test lab
Main page of the Monowall webGUI displaying system statistics and version information.
(Click for larger image)

Your first task in the webGUI is to go to the System > General Setup tab and change the username and password to something the whole world does not know. Then on the "webGUI protocol and port" line change HTTP to HTTPS; this is an essential security step that encrypts your Monowall traffic on your LAN anytime you log in and fuss with Monowall's settings.

You may wish to enter a domain name on the Domain line. For example, on my test network it is pupdog.net. This is not a registered domain name, but an arbitrary name for LAN use only. My hostname is firewall, so I can access the webGUI with https://firewall.pupdog.net instead of the IP address.

All righty then, that's enough for today. Be sure to read Part 2, in which we will configure Monowall to do actual network security work.

Carla Schroder is the author of The Book of Audacity, Linux Cookbook, Linux Networking Cookbook, hundreds of Linux how-tos, and the former managing editor of Linux Planet and Linux Today.

Small Business Computing is on Facebook. Join us on Facebook and interact with the site's editors, post messages, share your small business challenges and successes, discuss technology and suggest topics you'd like covered on Small Business Computing.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

This article was originally published on Wednesday Jul 6th 2011
Mobile Site | Full Site