Topic: Viewing older log entries  (Read 3244 times)
« on: September 21, 2012, 00:03:07 »
morthawt *
Posts: 20

With all the other linux firewall distros I can click through the pages of logs and choose the dates and years to look at. I have so far not figured out how to do this on m0n0wall and it seems I cannot even access the shell to try and use vi to manually open any log files.

What is the correct way to go back through time and see the logs? I don't think the only way would be setting the number of log entries displayed to 9999999999999 and waiting 6 years for the page to load?

So far m0n0wall seems very nice, light and secure. I must, however, be able to check through any of the log entries, or I will have to move back to another distro.
« Reply #1 on: September 21, 2012, 00:20:52 »
Fred Grayson *****
Posts: 994

The log files are stored in a RAM disk and thus they can neither be infinite in scope, nor are they retained after a reboot.

If you really need log history beyond this, then have the logs written out to a remote syslog server.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: September 21, 2012, 00:31:50 »
morthawt *
Posts: 20

So you are telling me I have to dedicate more resources by having another machine set up just to receive the logs? Why is it in memory? I don't have more machines laying around to go setting up another server to receive logs. I cannot guarantee any workstation will even be powered on to use one of those.

So basically you are saying that the server itself does not keep logs stored and accessible for the future, and if the server crashes or has its power interrupted I cannot trace any intrusion or behaviour unless I set up another server that can just receive logs? Does that not sound a little insane to anyone? I chose to install the firewall to my hard drive; I have a 1TB drive in here to be actually used so I have logs for a very extended period of time. That is what I have been doing with IPcop and IPfire previously. I assumed that log tracking was in every single linux firewall since linux is all about security.
« Reply #3 on: September 21, 2012, 01:35:11 »
Fred Grayson *****
Posts: 994

I believe you are not aware of the differences between firewall systems designed to run on very modest hardware, particularly embedded systems, and other types designed to run on and require much more substantial hardware. m0n0wall is of the former type.

--
Google is your friend and Bob's your uncle.
« Reply #4 on: September 21, 2012, 01:39:46 »
morthawt *
Posts: 20

Yes there are differences, but the ISO I downloaded is made for a system and there is no reason why there shouldn't be controls like setting log size, overwriting older logs for new ones. Hardware is not that much of an issue surely. I would be happy to set a log size to what my hardware can accommodate while someone else could choose what fits them, including "memory only logging"
« Reply #5 on: September 21, 2012, 01:51:23 »
matguy *
Posts: 28

Quote
Yes there are differences, but the ISO I downloaded is made for a system and there is no reason why there shouldn't be controls like setting log size, overwriting older logs for new ones. Hardware is not that much of an issue surely. I would be happy to set a log size to what my hardware can accommodate while someone else could choose what fits them, including "memory only logging"

I think the limiting hardware being discussed is the suitability of m0n0wall for near-line storage, like USB drives, CompactFlash cards, etc. that can wear out quickly with constant writes, which log files like this can do. With the option for running off a CD-ROM and holding the config on a floppy, there really is no good provisioning for storing a log file.

I think the lack of option of storing one locally is to keep someone from accidentally turning it on or forgetting to turn it off and wearing out their storage.

m0n0wall isn't meant to be a large enterprise class routing solution; there are other BSD and Linux based router offerings that might fit better for such a solution. (Not to say that m0n0wall isn't as stable and secure as many enterprise class routing solutions, just possibly not as featured.)
« Reply #6 on: September 21, 2012, 02:44:56 »
Fred Grayson *****
Posts: 994

Quote
.......................... there is no reason why there shouldn't be controls like setting log size, overwriting older logs for new ones......

Yes, there are reasons. One being that what you are looking for is beyond the defined scope of what m0n0wall is meant to be for its target audience, and therefore is just not in the product.

Now if you are interested in what is possible, feel free to download the freely available source code and modify it to suit your needs. Others have done this and have spawned firewall projects with large followings. pfsense is an example of this.

--
Google is your friend and Bob's your uncle.
« Reply #7 on: September 21, 2012, 03:22:54 »
morthawt *
Posts: 20

I may try pfsense again since I gave it next to no time or even messed with it, due to circumstances. I really like the lite nature of m0n0wall; just that it's lacking in log keeping will probably keep me from using it after today.

As for the comment:
Quote
I think the lack of option of storing one locally is to keep someone from accidentally turning it on or forgetting to turn it off and wearing out their storage.

Accidentally forwarding the wrong ports or accidentally doing almost anything on a firewall is always bad and will have repercussions. It would be nice to have one version for devices and one for computer based systems. I hate using spin-offs of spin-offs etc. I tried IPfire but somehow I broke it to where statically assigning the red IP would just error every time, and I despise DHCP using an ISP's custom firmware modem router.

Regarding pfsense or other spinoffs. Can you tell me what is different about pfsense compared to m0n0 ? I really liked the idea of having an extremely light linux firewall and however much I love IPcop and IPfire, I would like my external firewall to be as light on resources as possible.
« Reply #8 on: September 21, 2012, 04:28:46 »
morthawt *
Posts: 20

I am trying pfsense right now and do like it. However its log system is identical to yours. Everything is in RAM it appears and I have to set a count just like m0n0wall of how many entries to show. All it does on either distro is choose the number of rules to show on screen; it does not even save them to disk, just a RAM drive... For scrutinizing activity retrospectively or proving to law enforcement who did what and when is impossible with distros like this. I don't "need" good logging but I "want" logging I know I can count on to allow me to retrospectively analyse down the line and potentially learn how something took place.

This logging issue affects both m0n0 and pf. They say on the pf site:
Quote
pfSense uses a Circular Log format to maintain a constant log size. There are multiple benefits to this method, mainly that the log files cannot grow and fill up your filesystems.

Same technology as you are using. However you can just as easily have a "Size in kb" limit to prevent filling hard disks up. This fascination with memory based log storage just boggles my mind. I can understand your point about embedded systems, but the point is it's available for PC usage too. Even pfsense makes different versions available and still I come up against logging issues. I assumed after reading their site talking about the downsides of m0n0wall on a computer that it would have the standard style logging as the other distros I have tested.

I am about out of options it seems. Are there any fork distros from m0n0wall that DO actually keep a log?
« Reply #9 on: September 21, 2012, 04:31:43 »
Fred Grayson *****
Posts: 994

pfsense came about because some m0n0wall users wanted more capabilities that were well beyond the philosophy of m0n0wall.

pfsense, IMHO, can not be considered extremely lightweight. Even in the smallest embedded versions, the hardware requirements are considerably higher than those of m0n0wall. And the embedded version behaves the same way as m0n0wall regarding logging: the logs sit in RAM. So there is no point in looking at those.

A "full version" install of pfsense does store the logs on disk, IIRC. So this is where you might look first.

pfsense has a lot more features compared to m0n0wall. Some you may find interesting and useful, others you might have no need for and find they clutter the menus. Like m0n0wall, I am pretty sure you can restrict access to unneeded features, but I do not think that the menus can be configured to hide unused features, at least not in the current design. And used, unused, needed or unneeded, they take resources all the same.

A minor technical point is that neither m0n0wall nor pfsense are Linux based. They are built on highly cut down versions of FreeBSD. And they use different codes for their filters.


--
Google is your friend and Bob's your uncle.
« Reply #10 on: September 21, 2012, 04:49:03 »
morthawt *
Posts: 20

Well I do like both of them, but I just wish the logging system was organised so I could go back a page at a time instead of having to just set the number of log entries on screen.

I like m0n0wall for its simplicity and low resource usage. I like pfsense because it's a bit more feature rich, something I do like. My gripe is all about logging so far.
« Reply #11 on: September 21, 2012, 05:09:14 »
Fred Grayson *****
Posts: 994

You might ask over in the pfsense forum, but I thought that recent full versions (2.1) do log to disk or can be made to log to disk.

Another thing you might consider if you have enough hardware is the following.

Install some version of Linux or BSD or whatever that has a syslog facility. Even Windows (gasp) would qualify with a third party syslog program like the Kiwi Syslog Server.

Then add in VM capability with something like VMware, VirtualBox, Xen, etc.

Then run m0n0wall or pfsense in the VM with it set to remote syslog to the parent OS that has the syslog server running.

IMHO a huge kludge, but it would do what you want, limited only by the size of the hard drive you store the logs on.

--
Google is your friend and Bob's your uncle.
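The remote-syslog arrangement recommended in Reply #1 and Reply #11 (firewall in RAM, logs shipped to a host with a disk), shown as an added example. This is not code from the thread, from m0n0wall or from pfSense; it is a minimal collector a practitioner could run on the syslog host. It assumes the firewall's remote syslog setting is pointed at this host on UDP port 514 and that the firewall emits classic BSD (RFC 3164) lines of the form `<PRI>Mon DD HH:MM:SS host message`; the sample lines, the `fw:` tag and the directory layout are constructed for the example, not captured from a real box. It writes one file per day so the "go back through time" request from the first post becomes a date-range read, and it keeps unparseable input rather than dropping it.

```python
"""Disk-backed collector for a RAM-only firewall's remote syslog stream.

Added example for this thread; not m0n0wall or pfSense code. Assumes the
firewall sends RFC 3164 lines ("<PRI>Mon DD HH:MM:SS host msg") to UDP/514.
SAMPLE_LINES and the "fw:" tag are constructed, not real firewall output.
"""
import os
import re
import socket
import tempfile
from datetime import date, datetime

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST MSG ; PRI = facility * 8 + severity, so at most 191
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample traffic (documentation address ranges), not a capture.
SAMPLE_LINES = [
    "<134>Sep 20 23:58:41 m0n0wall fw: block in on em0 TCP 198.51.100.7:44321 -> 192.0.2.10:22",
    "<134>Sep 21 00:03:07 m0n0wall fw: block in on em0 TCP 198.51.100.7:44322 -> 192.0.2.10:23",
    "<132>Sep 21 00:03:09 m0n0wall fw: pass out on em0 UDP 192.0.2.10:53123 -> 203.0.113.1:53",
    "not a syslog line at all",
]


def parse_syslog_line(line, year):
    """Parse one RFC 3164 line. The BSD timestamp carries no year, so the
    receiver has to supply it (and must roll it over at new year)."""
    m = _RFC3164.match(line.rstrip("\r\n"))
    if not m or int(m.group("pri")) > 191:
        return None
    pri = int(m.group("pri"))
    try:
        when = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return {"facility": pri // 8, "severity": SEVERITY[pri % 8],
            "time": when, "host": m.group("host"), "msg": m.group("msg")}


def store_line(line, log_dir, year):
    """Append one line to <log_dir>/YYYY-MM-DD.log. Input that does not parse
    goes to unparsed.log so nothing the firewall sent is silently discarded."""
    os.makedirs(log_dir, exist_ok=True)
    entry = parse_syslog_line(line, year)
    if entry is None:
        name, record = "unparsed.log", line.rstrip("\r\n")
    else:
        name = entry["time"].strftime("%Y-%m-%d.log")
        record = "%s %s %s %s" % (entry["time"].isoformat(), entry["severity"],
                                  entry["host"], entry["msg"])
    path = os.path.join(log_dir, name)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(record + "\n")
    return path


def entries_between(log_dir, start, end):
    """Return stored records for the days start..end inclusive: the
    'page back through time' view the web GUI does not offer."""
    out = []
    for name in sorted(os.listdir(log_dir)):
        if not name.endswith(".log") or name == "unparsed.log":
            continue
        if start <= date.fromisoformat(name[:-4]) <= end:
            with open(os.path.join(log_dir, name), encoding="utf-8") as fh:
                out.extend(l.rstrip("\n") for l in fh)
    return out


def serve(log_dir, bind_addr, port=514):
    """Receive UDP syslog forever. Bind only the address facing the firewall:
    UDP syslog is unauthenticated, so anything that can reach the socket can
    forge entries or flood the disk. Port 514 needs root on most systems."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, _ = sock.recvfrom(8192)
        store_line(data.decode("utf-8", "replace"), log_dir, date.today().year)


def demo():
    """Ingest SAMPLE_LINES into a temp dir and return what a date query sees."""
    log_dir = tempfile.mkdtemp(prefix="fwlog-")
    for line in SAMPLE_LINES:
        store_line(line, log_dir, 2012)
    return {
        "files": sorted(os.listdir(log_dir)),
        "sep21": entries_between(log_dir, date(2012, 9, 21), date(2012, 9, 21)),
        "all": entries_between(log_dir, date(2012, 9, 1), date(2012, 9, 30)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `demo()` to see the day files and the date-range query on the constructed lines; run `serve("/var/log/fwlogs", "192.0.2.1")` (your own LAN-side address) as the actual collector. Two caveats a practitioner would want: the day files grow without bound, so add your own rotation or size cap on the disk host, which is exactly the control the first post asks for; and because the transport is plain UDP, treat these logs as a record of what reached the collector, not as tamper-proof evidence, unless the path between firewall and collector is a trusted segment.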
« Reply #12 on: September 21, 2012, 05:20:02 »
morthawt *
Posts: 20

Well after trying pfsense I prefer m0n0 just due to its lower resource usage. I am already using a VM on my personal system. I just hate the idea of having to set something up just to get the logs. I tried finding windows clients for the serverlog system already but could not find anything free I liked.
« Reply #13 on: September 21, 2012, 05:33:05 »
Fred Grayson *****
Posts: 994

Have you determined whether or not pfsense 2.1 full version will log to disk or is it still RAM only?

--
Google is your friend and Bob's your uncle.
« Reply #14 on: September 21, 2012, 06:57:13 »
morthawt *
Posts: 20

I saw a tick box preventing it from writing to the "RAM drive" but nothing mentioned whether it writes to disk or not. No info in the help file on it either, really. But I have decided to stick with m0n0wall because I do like its small size and low memory usage. I will just have to deal with the fact that I cannot bank on having access to logs unless I can find a really good, feature rich, free syslog program for Windows.

I still am using ipcop also, but m0n0 is directly connected to the modem/router and then ipcop is between my host machine and m0n0 via my VMware config.