15.9. So what are the goals behind the SmallWall project?

In February 2015, when Manuel ended the m0n0wall project, people were surprised. (OK, shocked!) There was a lot of discussion (and derision) about his recommended replacement, OPNsense, as well. Many people felt m0n0wall was just fine, but with the project "canceled" there would be no way to get management buy-in for rolling it out. Not to mention that eventually it would need driver and security updates. In the chaos surrounding the fall, two people active in the project grabbed some domain names and the repositories, and set up the framework to continue m0n0wall. And that is SmallWall. (And t1n1wall.) The project goals are fairly simple.

15.9.1. Do one thing, and do it well.

There are now many Next Generation Firewalls available. Some are referred to as "kitchen sink applications" since they include everything but the kitchen sink. This can make setup and management easy. But it also makes hacking easy: only one layer of security for your access control, VPN, web filtering, e-mail filtering and virus scanning... Fortinet has a wonderful example of this ecosystem with its integrated firewall, application filter, endpoint protection, and sandbox solutions, all using the same virus filters.

Versus separate, best-of-breed applications, all with separate credentials. This means a failure of one is limited to only that one part. It also means that development can focus on its core competency, and not have to worry about learning how to transparently intercept HTTPS...

15.9.2. Small, lean and efficient code.

Have you ever noticed that every time you update your Android apps, the entire phone gets slower? Or, if you park a 2004 Mini Cooper next to one 10 years newer, how much bigger the new one is? (Or a 10-year span of the BMW 3 series will work.) Bloat and feature creep are a real problem. They increase hardware requirements, and increase the potential attack vectors. So as you keep applying security updates, your system gets slower and slower...

So, a nicer-looking GUI is fine, but not if it works on fewer older web browsers, or takes longer to render on an older tablet. Do we really want to add a new feature that has nothing to do with a firewall, and causes the image to double in size? There are a lot of people happily running m0n0wall on small, embedded systems. They should be able to upgrade to SmallWall without panic. You should only be forced to upgrade your hardware when you need more hardware, not just because your software got fat.

15.9.3. Security, security, security...

This goes back to the "Do one thing and do it well" point above. This is a firewall, and not a file and print server. It should only include components that have to do with routing and security. And the format should encourage secure principles in the setup. This may mean an extra line or two on a configuration page telling you why setting up PPTP with no encryption is not a good idea.