Today the first of a series of posts about firewall distributions; first one on the list is Monowall.
Monowall is a BSD-based firewall designed to run on a 16MB flash card, and it has the smallest footprint of the firewalls we tested. Because of this, Monowall only provides the bare bones features for a firewall. Still, given it’s so small, it’s a rather impressive distribution.
Monowall boots directly into a configuration menu. First, you have to configure the network interfaces with Monowall’s ‘Auto Detect’ feature, which works out which identifier corresponds to each network connection and lets you assign the LAN/WAN interfaces by detecting a cable being unplugged and then plugged back in.
Monowall has the advantage of being one of the few firewalls that provides quality of service (QoS) routing by default, which enables you to ‘traffic shape’ your connection so that certain requests get priority. This is useful if you want to use VoIP for your telephone connection, because you can prioritise the VoIP link.
Once you’ve assigned your network interfaces, you can set a password for the WebGUI system, which enables you to configure the rest of your firewall setup via the web-based interface.
Because Monowall is a BSD-based system, some of the terminology may initially seem confusing, but after some web searches and a while spent using it, it becomes second nature.
Although Monowall is a tiny firewall distribution, security isn’t compromised. It’s particularly good for those of you who want to run a safe network without having to spend too much money on hardware, since it will run fine on a standard, off-the-shelf PC.
Installing the Monowall Open Source Firewall
In this article we’ll run Monowall on a PC via CD-ROM because this is the easiest way for most folks to get acquainted with it. (Refer to the appropriate Quickstart guide for help with USB, Compact Flash or hard drive installation.)
Download the correct Monowall image, and burn it to CD. Plug in your USB stick (don’t forget this, or it won’t save your settings, and then nothing will work), and then boot your test computer to the CD. Bootup should take no more than a minute, and then you’ll see the Monowall console setup. This has seven options:
- Interfaces: assign network ports
- Set up LAN IP address
- Reset webGUI password
- Reset to factory defaults
- Reboot system
- Ping host
- Install on Hard Drive
Type the number 1 and press Enter to assign network ports. If you are used to Linux and Windows Ethernet names, like eth0 and eth1, Monowall’s are going to look odd. On my test system I have ed0 and em1. On yours they might be bge, ti, txp, dc, sis, or something else. Monowall displays the port names right in front of you on your screen, so you don’t have to guess.
First type N to bypass configuring a VLAN (virtual LAN). Then configure your LAN and WAN interfaces, press Enter to bypass Opt configuration, and then Monowall will reboot.
When Monowall comes back up, select 2 and press Enter to set up the LAN IP address. The default is 192.168.1.1. Go ahead and type this in and press Enter.
Next it will ask for the “subnet bit count”; type 24. Then it will ask if you want to enable the DHCP server. Yes you do.
Next, the software will ask you for an IP address range; if you like you can do what I did and use 192.168.1.25 – 192.168.1.35. This means it will assign IP addresses and network configurations to up to ten client computers. (At this stage it’s not all that important to get these settings perfect, because they are easy to change later in the nice webGUI.) After this it will display a confirmation of Monowall’s IP address and webGUI URL.
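Before committing a LAN plan at the console it is worth checking that the DHCP pool actually fits the subnet and does not hand out the firewall’s own address. The following is an added example written for this post, not code from Monowall; it uses the values from the steps above (LAN IP 192.168.1.1, subnet bit count 24, pool 192.168.1.25 to 192.168.1.35) and the standard `ipaddress` module.

```python
"""Sanity-check a Monowall-style LAN plan before typing it into the console.

Added example, not part of the original post or of Monowall itself. The values
in the demo are the ones the post uses; change them to match your own plan.
"""
import ipaddress


def check_lan_plan(lan_ip: str, bit_count: int, pool_start: str, pool_end: str) -> dict:
    """Return the derived network, netmask, pool size and a list of problems.

    Catches mistakes that are easy to make in a console wizard: a pool that
    spills outside the LAN subnet, a pool that hands out the firewall's own
    address or the broadcast address, and reversed pool endpoints.
    """
    gateway = ipaddress.IPv4Address(lan_ip)
    network = ipaddress.IPv4Network(f"{lan_ip}/{bit_count}", strict=False)
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    problems = []

    if end < start:
        problems.append("pool end is lower than pool start")
        start, end = end, start  # continue the remaining checks with sane ordering
    if start not in network or end not in network:
        problems.append(f"pool is not contained in {network}")
    if start <= gateway <= end:
        problems.append(f"pool includes the firewall's own address {gateway}")
    if start <= network.broadcast_address <= end:
        problems.append(f"pool includes the broadcast address {network.broadcast_address}")
    if start == network.network_address:
        problems.append(f"pool starts at the network address {network.network_address}")

    return {
        "network": str(network),
        "netmask": str(network.netmask),
        "pool_size": int(end) - int(start) + 1,  # both endpoints are leased out
        "problems": problems,
    }


if __name__ == "__main__":
    # The post's plan: 192.168.1.1/24 with leases from .25 to .35 inclusive.
    print(check_lan_plan("192.168.1.1", 24, "192.168.1.25", "192.168.1.35"))
    # A pool that would also hand out the firewall's own address.
    print(check_lan_plan("192.168.1.1", 24, "192.168.1.1", "192.168.1.35"))
```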
Now turn your attention to the second PC: your test LAN client. It should be configured to get its network configuration from DHCP. If it is already running, reboot it. When it comes back up, open a terminal and ping Monowall’s LAN IP address. When this succeeds, look up the address assigned to the LAN client and ping it from Monowall (option 6).
When you can ping both ways, your network is correctly configured. Now it’s time to enter the Monowall webGUI. Type http://192.168.1.1 into the URL bar of a Web browser on your LAN client. You will be asked for a username and password, which are admin and mono. Then you should see something like what you see below in the figure.
Your first task in the webGUI is to go to the System > General Setup tab and change the username and password to something the whole world does not know. Then on the “webGUI protocol and port” line change HTTP to HTTPS; this is an essential security step that encrypts the administrative traffic between your browser and Monowall whenever you log in and fuss with Monowall’s settings.
You may wish to enter a domain name on the Domain line. For example, on my test network it is testingground.net. This is not a registered domain name, but an arbitrary name for LAN use only. My hostname is firewall, so I can access the webGUI with https://firewall.testingground.net instead of the IP address.
Great for older boxes and embedded systems, but only has basic features.