Topic: Is it possible to hack m0n0wall's firewall?
« on: September 03, 2008, 17:24:28 »
Seb74 ***
Posts: 115

I don't know anything about hacking, but it would be nice to know if it's practically impossible to get through the m0n0wall's firewall, getting from one isolated network to another isolated network, crossing its firewall.
I'm relying on an AP interface mainly for guest laptops at home, so no fun if it's a piece of cake jumping across the firewall into our home LAN for example....

So, is it only theoretically possible, or are there exploits out there for it to really happen?

Thanks :)
« Reply #1 on: September 04, 2008, 10:11:28 »
markb ****
Posts: 331

I don't think that you can ever say that it is impossible to hack anything, however I have never heard of a Monowall being hacked.  I suppose though you have to weigh up where you are using one. I wouldn't expect a bank to be using a free open source router to protect their systems. At the same time, I wouldn't expect anyone to be making a concerted effort to hack my home network as I have no data valuable to anyone but myself.

Any router is only as strong as the setup though.
« Reply #2 on: September 04, 2008, 16:05:20 »
frodo *
Posts: 21

I would say that it all comes down to the firewall rules!
« Reply #3 on: September 04, 2008, 20:36:29 »
Seb74 ***
Posts: 115

Ok, thanks.

But firewall rules? Of course if I open every port then it's open.
If I have everything closed, then its closed.
If I have only one port open, well, then only one port is open.

I'm talking about going past the rules....like sending some random stuff to an interface, making m0n0wall go crazy and let everything pass. That's not likely at all?
« Reply #4 on: September 05, 2008, 02:39:17 »
frodo *
Posts: 21

As I said it is down to the firewall rules. You need to figure out what you want and when you think you have it done you need to TEST!

The software in m0n0wall is well tested and in case of a major flaw a new release will be available for sure.

I believe you are planning to use multiple interfaces. Be careful with your firewall rules!

And TEST TEST and finally TEST
« Reply #5 on: September 05, 2008, 07:04:52 »
Seb74 ***
Posts: 115

Well, it's not THAT hard to just open a few ports and make sure everything else is blocked.
I've tested anyway that it seems to work....my webserver's DMZ for example can't ping the machines on the other interfaces, but the other machines can access the webserver, and so on and so on. It's no rocket science, just some simple rules for my home network.

Sometimes it just seems there are exploits for everything, so I thought maybe m0n0's firewall isn't very secure either if a hacker gets its attention, but maybe it's not as easy to hack an "external" firewall as it is to hack into a complete OS in some way.
« Reply #6 on: September 07, 2008, 21:11:56 »
knightmb ****
Posts: 341

> I wouldn't expect a bank to be using a free open source router to protect their systems. At the same time, I wouldn't expect anyone to be making a concerted effort to hack my home network as I have no data valuable to anyone but myself.
>
> Any router is only as strong as the setup though.

Many banks do (I've set up many with m0n0wall just for that reason). As was said, if anyone has hacked m0n0wall, they are not letting anyone know.

The best you can do to m0n0wall is a brute force password attack if one didn't bother to change the default m0n0wall password and username.

Other than that, m0n0wall just passes packets based on the rules you set. So it's rather "nearly impossible" to get in between for a valid attack, but I would never say impossible 100%. The only valid hack is physical access, but with physical access, no machine is safe no matter what you do.
« Last Edit: September 25, 2008, 07:56:38 by knightmb »

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #7 on: September 09, 2008, 12:49:59 »
kpa *
Posts: 4

Hacking from outside by just trying a port scan and then sending random data in hopes that something gets through? No, that's not going to work. If something is not allowed to pass through by the firewall rules then it's not allowed, end of story. However, if by some chance one of the hosts protected by the firewall has a trojan or similar program providing a backdoor then it gets interesting, because you can "punch holes" into a firewall by using an existing outgoing UDP connection. One application that does this is Skype, read this and be very scared :P http://www.heise-online.co.uk/security/How-Skype-Co-get-round-firewalls--/features/82481
« Last Edit: September 09, 2008, 12:55:29 by kpa »
« Reply #8 on: September 13, 2008, 08:52:59 »
knightmb ****
Posts: 341

I'd call that more of a clever use of NAT than a hack of m0n0wall, since m0n0wall is only the packet police in between. If you are sending packets to another IP on a specific port and the other firewall is doing the same back to you, then it's straightforward to get the clients behind the NAT to latch on to it for 2-way communication. Greatly simplified of course, it's not that easy to connect a double NAT between locations, but NAT was never meant to be a firewall component. Network Address Translation came about to avoid giving all your clients a public IP to use the Internet but still allow them to connect properly to other machines across the Internet without having to build a firewall rule for every possible way they could connect to other machines.

Imagine the nightmare of having to build routing tables and firewall rules for non-routable IPs and public IPs for every machine that needed Internet access. I remember those days long ago, and when you multiply it by hundreds or even thousands of machines, NAT was a blessing. :)

Of course, today, it just means worms, viruses, etc. all tend to have free rein spamming the Internet as well :(

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #9 on: September 26, 2008, 13:25:56 »
Seb74 ***
Posts: 115

> Hacking from outside by just trying a port scan and then sending random data in hopes that something gets through? No, that's not going to work. If something is not allowed to pass through by the firewall rules then it's not allowed, end of story. However, if by some chance one of the hosts protected by the firewall has a trojan or similar program providing a backdoor then it gets interesting, because you can "punch holes" into a firewall by using an existing outgoing UDP connection. One application that does this is Skype, read this and be very scared :P http://www.heise-online.co.uk/security/How-Skype-Co-get-round-firewalls--/features/82481

Yeah of course, I didn't mean m0n0wall would let anything random get through.
Also, if a client asks for something, of course it's gonna go through, how could you for example visit a webpage if the firewalls didn't work like that. I think it's called a dynamic firewall or something....wouldn't call that "punching holes".

Anyway, I was mostly asking for stuff like "send this or that combination of data to m0n0wall and it'll open up", like exists for OSes and applications. Overflow some buffer, flow loads of data crafted in some special way to it, and it just opens up or something. Maybe not possible on a firewall like this though....let's hope not :)
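The behaviour kpa (Reply #7) and Seb74 (Reply #9) are describing is stateful filtering: unsolicited inbound packets are dropped, replies to a client's own outbound request pass, and an outbound UDP flow opens only a narrow return path (same remote IP and port) that closes again when idle. The toy model below is an added illustration, not m0n0wall's or pf's code; the addresses and the 60-second UDP idle timeout are constructed assumptions.

```python
"""Toy model of a stateful packet filter (constructed teaching example, not
m0n0wall/pf code): inbound WAN packets pass only when they match state that a
permitted outbound flow created earlier, and UDP state expires when idle."""
from collections import namedtuple

UDP_IDLE_TIMEOUT = 60  # seconds; assumed value for this model, not m0n0wall's

# direction: "out" = LAN -> WAN, "in" = WAN -> LAN
Packet = namedtuple("Packet", "proto src sport dst dport direction")


class StatefulFilter:
    def __init__(self, outbound_allowed):
        self.outbound_allowed = outbound_allowed  # set of (proto, dport) rules
        self.state = {}                           # flow key -> last seen time

    @staticmethod
    def _key(p):
        # State is keyed on the full 5-tuple as seen from the LAN side, so a
        # reply must come from exactly the remote IP:port the client contacted.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p, now):
        key = self._key(p)
        if p.direction == "out":
            if (p.proto, p.dport) not in self.outbound_allowed:
                return "drop"
            self.state[key] = now  # create or refresh the flow's state entry
            return "pass"
        last = self.state.get(key)  # inbound: default deny without live state
        if last is None:
            return "drop"
        if p.proto == "udp" and now - last > UDP_IDLE_TIMEOUT:
            del self.state[key]  # idle "hole" closes again
            return "drop"
        self.state[key] = now
        return "pass"


def demo():
    # One outbound DNS query (constructed addresses) and four inbound packets.
    fw = StatefulFilter({("udp", 53), ("tcp", 80)})
    lan, dns, other = "192.168.1.10", "198.51.100.1", "203.0.113.9"
    unsolicited = fw.filter(Packet("udp", dns, 53, lan, 40000, "in"), 0)
    fw.filter(Packet("udp", lan, 40000, dns, 53, "out"), 1)  # client asks
    reply = fw.filter(Packet("udp", dns, 53, lan, 40000, "in"), 2)
    wrong_peer = fw.filter(Packet("udp", other, 53, lan, 40000, "in"), 3)
    stale = fw.filter(Packet("udp", dns, 53, lan, 40000, "in"), 200)
    return [unsolicited, reply, wrong_peer, stale]
```

demo() returns ["drop", "pass", "drop", "drop"]: only the genuine reply, arriving while the flow is fresh, gets through, which is why the return path a backdoored host keeps open by sending UDP is the thing to watch for and why short UDP state timeouts limit it.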