In the last post we talked about the open-source firewall m0n0wall. In this post we will go into more detail about how to set up Monowall so that it will function as your firewall between WAN and LAN.
The Internet is a big bad scary place full of malware, and also full of automated spew that we don’t need pouring into our own private networks. The simplest firewall blocks all incoming traffic, allowing only responses to traffic that originates from inside your LAN, such as email and Web surfing. If you are not running any Internet-facing services then this is the firewall for you. The number one rule of firewalls is “Deny all, allow only as needed.”
You will need the configuration settings for your account from your Internet service provider. If you have your own static IP address then most likely it’s your IP address, gateway, and the addresses of your ISP’s nameservers. If it’s a dynamic account then you’ll need just the nameserver addresses.
Enter Monowall’s webGUI and set up your WAN interface. Do this on the Interfaces > WAN screen. Start at the very top with the Type dropdown menu. Select Static or DHCP, whichever is appropriate for your Internet account. Skip MAC address.
If you have a static address, then enter it and your gateway address in Static IP configuration. Skip everything else until you get to the bottom where it has a checkbox for Block private networks. Make sure this is checked, and then click Save.
Now go to the System > General Setup tab and enter your ISP’s DNS servers in the DNS Servers section. Do this even if you have a DHCP account, and leave the Allow DNS server list to be overridden by DHCP/PPP box checked.
Do one more bit of housekeeping while you’re here — at the bottom, change the NTP time server to pool.ntp.org. This is always the best default since it links to the global NTP server pool. When you configure which NTP server your LAN clients should use, point them to your Monowall server.
That’s it. Plug Monowall into your Internet interface and you should be able to Web surf from your test LAN PC. You can run a quick test from GRC ShieldsUP! to test your firewall.
Note how it detects and reports your public IP address. Then click the Proceed button to go to the next page. In the ShieldsUP!! Services box click the All service ports button. A progress graph appears as each port is tested. You should not see any red.
When it’s finished, it will mark the test as a failure because of the Ping Reply test. Do not disable ping, or more precisely ICMP echo. Some admins mistakenly believe that blocking pings is good security. It isn’t, and it’s an essential network function, so ignore this “failure.”
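To make the policy just configured concrete, here is an added Python model (not m0n0wall code) of what the firewall does with each packet: inbound is denied by default, replies to flows that a LAN host started are let back in, RFC1918 sources arriving on WAN are dropped by the Block private networks option, and ICMP echo to the firewall itself stays open. The WAN address 203.0.113.10, the LAN host and the sample packets are constructed for the example, and NAT is left out for clarity.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple

# Constructed model (not m0n0wall code): default "deny all inbound, allow only
# replies to flows started on the LAN", plus the WAN "Block private networks"
# option and ICMP echo to the firewall left open. NAT is omitted.
WAN_IP = ip_address("203.0.113.10")   # assumed firewall WAN address for the example
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Packet(NamedTuple):
    iface: str   # interface the packet arrives on: "lan" or "wan"
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for icmp
    dst: str
    dport: int   # 0 for icmp


class StatefulFirewall:
    def __init__(self, block_private_on_wan: bool = True):
        self.block_private_on_wan = block_private_on_wan
        self.flows = set()   # (proto, lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, p: Packet) -> str:
        if p.iface == "lan":
            # Outbound from the LAN is always allowed; remember the flow so the
            # reply is recognised when it comes back in on the WAN side.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "pass"
        if self.block_private_on_wan and any(ip_address(p.src) in n for n in PRIVATE_NETS):
            return "drop:private-source"   # RFC1918 source on WAN can only be spoofed/bogus
        if p.proto == "icmp" and ip_address(p.dst) == WAN_IP:
            return "pass"                  # echo request to the firewall: keep it answering
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "pass"                  # reply to a flow a LAN host initiated
        return "drop:unsolicited"          # everything else inbound: default deny


def run_demo() -> List[str]:
    fw = StatefulFirewall()
    packets = [   # constructed sample traffic
        Packet("lan", "tcp", "192.168.1.20", 51000, "198.51.100.5", 443),   # LAN host opens HTTPS
        Packet("wan", "tcp", "198.51.100.5", 443, "192.168.1.20", 51000),   # the server's reply
        Packet("wan", "tcp", "198.51.100.77", 40000, "192.168.1.20", 22),   # unsolicited SSH probe
        Packet("wan", "tcp", "10.0.0.9", 40001, "192.168.1.20", 51000),     # private source on WAN
        Packet("wan", "icmp", "198.51.100.77", 0, "203.0.113.10", 0),       # ping to the firewall
    ]
    return [fw.decide(p) for p in packets]
```

This is why ShieldsUP! sees every port as closed or stealthed while the ping reply still comes back: the unsolicited probes fall through to the default deny, only the echo request to the firewall is answered.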
Secure IPsec VPN
A VPN (virtual private network) is a secure tunnel over untrusted networks, so you can safely log in to your work network from home, or connect branch offices. If you’ve been doing any Windows networking, you’re probably familiar with PPTP (Point-to-Point Tunneling Protocol). It is popular because it is easy to set up. However, it is not very secure, so it is better to invest a little time learning how to run a more secure VPN. Monowall supports IPsec (Internet protocol security), which provides good strong security.
If you’re going to enable remote access to your network, you really need an Internet account with a static IP address. It is possible, but painful, to use a low-budget dynamic Internet account. It’s not worth the hassle — spend the few more bucks to get a static address.