Domain: ipcop.org
Stories and comments across the archive that link to ipcop.org.
Comments · 116
-
Some Good OSS Based Options
Blocking content at the router/firewall is the best place to block it inside your network. Otherwise you're dealing with keeping several machines up to date. As IT infrastructure becomes more diverse (Mac, Windows flavors, guests etc.) keeping individual machines updated will be harder than a centralized point. Another option is to force users to utilize a specific DNS server (i.e. http://www.opendns.com/business-security/). Then all you do is block DNS traffic destined for any other DNS servers.
I'd avoid the $50 walmart router and look at some stand alone firewall/routers with good filtering options: IPCop (http://ipcop.org/) + URLFILTER (http://www.urlfilter.net/) or Cop+ (http://home.earthlink.net/~copplus/) or UnTangle (https://www.untangle.com/store/lite-package.html)
Will it slow down your connection? It can if you do not use fast enough equipment, but in general the price of CPU cycles isn't an issue when using PC based solutions.
-
IPCOP
IPCOP. If you have an old computer lying about, you can set it up as a firewall, with a transparent proxy using Dan's Guardian as a web filter.
-
IPCop or Smoothwall With Squidguard
http://www.ipcop.org/ Bootable Linux ISO installed on some dinosaur PC hardware. 2 NICs, Inside & Outside. Put behind the Linksys/Netgear/router. Install the Squidguard add-on. Transparent proxy that watches ALL HTTP (TCP port 80) traffic and HTTPS (TCP 443) URLs. Transparent for all outbound recording. Designed network bottleneck for all outbound Internet traffic. Configure DHCP client on the outside, and DHCP server to the inside. So all clients receive DHCP services from IPCop. All free.
-
If you want a more full featured firewall....
I used to use DD-WRT or Tomato, but I wanted a faster router/firewall with more features. So I built a Mini ITX router with the following.....
http://www.ipcop.org/ - a great high end firewall package.
http://m0n0.ch/wall/ --BSD based and solid as a rock.
http://www.pfsense.org/ if you want gobs and gobs of plugins and features. It's a fork of Monowall with more plugin support.
NOTE: some people consider plugins to be evil for a firewall. I find having to run 3 servers for a home network to be silly. So I run pfsense with a gajillion plugins for the features I want and a fileserver/app server on the inside.
-
Re:If you've got an old PC around
You might take a look at IPCop or Smoothwall. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.
Ahh, yes. iptables... the intuitive interface of the linux command line combined with the arcane of networking. I used to have an old P133 as a NAT box (slackware) that also did a few other server-related tasks, and I had some iptables rules configured. I think the truth of the matter is that unless you are very, very well versed in networking, you can't write your own rules and end up copying some stale rulesets from things you find on the intarweb, hoping to bend them to your needs. I never knew what the hell I was doing aside from reading (and re-reading) the multitude of TLDP docs out there and trying, trying again and again. I was lucky I was only rooted once [that I know of].
These days, I prefer the ease of most router interfaces. I know they don't typically provide the flexibility, granularity, or power that some may want, but they probably account for the needs of 99% of typical users.
-
If you've got an old PC around
You might take a look at IPCop or Smoothwall. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.
-
Re:if ...
This is going to sound anti-Linux and 100% Microsoft. It is not meant to be - just get tired of folks bashing a company who has done well and profited. I am not anti-Linux. In fact, we run Linux and Unix boxes along with MS and Novell boxes here at the office, and I have both Linux and MS at home and they both serve their purposes very well.
If Microsoft were showing the slightest interest in restoring balance to the marketplace,
Microsoft - hate them or like them - is a business. That's what businesses do - they are not interested in 'restoring the balance' or giving their earnings away to other competitors who have not done as well...
If Microsoft were showing the slightest real interest in undoing the damage their software has done to the internet,
What damage? Without MS products, most of the average users wouldn't know *how* to use the Internet. Not everyone is technically astute like the folks here on /.
If Microsoft were showing the slightest indication of getting away from the sieve security models they've been using to enable bad software to keep running in spite of the damage it has already done (and will continue to do) to the internet,
Because all the software developed OSS and all the software on Linux and Macs is rock solid? I just spent 20 minutes applying patches to my Linux router (IPCop) this morning, which patched their software, core kernel stuff, core TCP/IP services. That's because the software was written by imperfect humans; there are going to be mistakes that someone can exploit.
If the money they have hadn't been taken by fraudulently selling feature lists instead of real features,
...I don't follow? Something specific you're referencing?
The problem is Microsoft. Where they are a burden to the infrastructure, they should foot the bill for fixing the problems they've caused.
Or none of it and the city / county / state (whoever is responsible for transportation costs in that state, it varies state to state) could just figure out how they're going to deal with the traffic troubles without any help.
I saw an earlier response to someone's "just tax them more to pay for it" that read something to the effect of "that's killing the goose that lays the golden eggs." I don't know what other industry is in Redmond outside of Microsoft. I am not saying there isn't any, I am just saying I don't know. Perhaps MS could move away from there, build somewhere else that has better infrastructure and it be no worries for the city of Redmond but I suspect that they derive a good portion of their tax revenue from both the company and from the employees that live / work / eat / spend in that city.
I know I will probably be modded down for being perceived as pro MS but I am really just trying to be pro-capitalism. Like them or hate them, they have done a lot for the PC market and probably the computer market as a whole. I won't for a second say they're perfect and probably not my favorite group of folks. All I am saying is - don't hate them because they have a successful business model.
-
how to make management happy
Even if you could convince management that you can create wonderful things with open source they are still going to worry what would happen when you are gone.
I encountered this when I offered to set up open source web filters in each of our locations and save significant money compared to other solutions. Management agreed ipcop did everything we need, and would save a lot of money but was still hesitant. When I located local contractors in my city who could make changes if I was ever "hit by a bus" they gave me the go ahead.
If you are looking at open source consider opencms which has commercial support that your company can use when you leave or get promoted to another position.
-
IPCop
I like IPCop as a webfilter. It can be installed and configured on an old computer in about 30 mins (not counting the time it takes you to download and burn the ISO). The default install keeps a log of all web URLs visited. Add the URL Filter to block certain web sites. Of course maintaining a blacklist is a pain in the arse but there are plenty of free blacklists available that are designed to be used in elementary schools. As a side benefit you can also use it to block ads, and filter malware with Copfilter.
-
IPCop
I use IPCop with the Cop+ addon. This is a Linux based firewall with content filtering on top which uses blacklists etc. to block sites; you also have the ability to add your own blacklists and also complete control over sites with exception rules. Been using it for many years and have not seen any porn in that time. Install IPCop http://www.ipcop.org/ Then install the add-ons server 2.3b2 http://firewalladdons.sourceforge.net/ Then install Copplus 2.2-b3 http://firewalladdons.sourceforge.net/ I also use other add-ons like Nettraffic to view daily internet (Red) interface traffic across my home network.
-
Re:What's an 'application' to a user?
While in general, I would agree with you, MOST users should switch to linux.
However we disagree, because Linux doesn't have every app solidly replicated (despite claims to the contrary). It does have a LOT of replicated apps, and some apps that Windows will never have.
With that said.
Cinelerra doesn't replace After Effects or Sony Vegas Pro.
Particle Illusion, DAZ, Poser, Magix, Micrografx Picture Publisher... on an on and on (before you say you can get these running, do they have plugins? And are you doing production work?)
TurboTax (no I don't use or qualify for TurboTax Freedom--it's unsuitable--as is doing the shit by hand) doesn't install on Linux natively. In Wine or VMware perhaps, but you still need Windows licenses.
Photoshop+1000's of plugins isn't gimp. (and never will be, on the other hand gimp runs on windows.)
Wavelab (not Audacity with no VSTs), Soundforge (not Audacity with no VSTis), 1000's of VSTs (cough). Not solid on Linux. Maybe you can get it to run under Wine, but you won't be very productive.
TVUPlayer - bzzzzt.
All these are simply popular, I haven't even got into weird shit.
hardware?
off the bat I can say.
Lexicon Rack effects, Pinnacle AV/DV capture cards (not reversed), etc.
There's a place for each OS, it depends on what you want to do.
You would be stupid to use Win98 + some package for a firewall, when IPCop would kick its ass.
Nor would you be wise to dump a LAMP stack on top of an XP box, when Debian and modsec2 would do the job.
If you're not being a complete jackass about this shit and not a troll, and actually have knowledge, and are being honest, you clearly must agree with what is said in this specific post. While I do realize I am addicted to the Microsoft drug, it's for a specific reason (audio and video production), and Windows XP firewalled off serves one hell of a purpose, it's extremely productive. No it's not fear, clearly I am running plenty of *nix boxen. But they have different purposes. And again I remind you some do things my Windows workstations don't. Yeah some things cost money. Some things cost in the *NIX world as well. It's all what you need to do.
OTOH - Vista and Win7 don't really look like they have any useful migration path other than bla you can use the rest of your 4 gigs or bla DirectX10 (neither of which I give a crap about). Add in the waste of money and bzzzzt. We ain't going there. XP will live behind a firewall forever.
OTOH #2 - three processes--that's a straight up non-starter! Sounds like WinME. Vapor.
PS: trying to stay on your friendly side, we both agree about outlawing electronics in elections. That's definitely an abusive use of electronics.
-
Where?
My biggest question is where on this blue marble do you live with insane restrictions like that. I get 60Gb a month on my home connection, 6Gb on my smart phone, and unlimited internet at my University where I take night courses.
But I agree with a previous post. Use a squid-cache. However, Squid-cache isn't the most friendly thing to set up. I'd look in to a solution like IPCop or Smoothwall which are easy to install with Squid or Squid-like plug-ins.
-
Re:screw ipv4
Or even for much less you could get an old PC (I actually use a Celeron 400 w/ about 256 mb of ram - way over the top for what I need) and use something like IPCop. That's a lot less than $300 and a lot more capable than a D-link or most other "home" routers.
-
Re:Interesting but how useful, really?
Actually, a Cobalt Qube with no fan because it runs cool enough to not need it. It does a fine job of powering IPCop on its old 250MHz MIPS processor, providing a firewall, Squid, and NAT for the house, and only using a handful of watts while doing it.
-
Re:Gaming Router
...but if you want real QoS stuff, a linux firewall box is the way to go...
That's why I use IPCOP. It has traffic shaping abilities, and you can run it on any first gen Pentium box. Right now mine is routing for VoIP, my personal web surfing, and a business that I am trying to get off the ground. Works great. If the PC dies, then I just re-install IPCop on a recycled PC, and restore a backup of my configuration. I picked up a P90 and threw in 3 spare 10/100 cards I had laying around. Presto, instant firewall with LAN/WAN/DMZ, traffic shaping, and bandwidth throttling. All for about $10. Works great, really cheap, and saves an old PC from littering the landfill. You can't go wrong.
-
IPCop
I use IPCop http://www.ipcop.org/ for my home network - it's all of about 40 megs (well it was, I see the new update is quite a bit bigger so I may be low on that figure) and can run on any old PC lying around.
It can do the traffic shaping you're wanting, plus, I found, especially when I am doing p2p downloading or some online gaming, my old netgear (very old) couldn't keep up and would drop packets. I saw my download speeds go up significantly and I have the opportunity to do traffic shaping if needed.
It's free (donation) and very simple to set up. You don't have to be a Linux guru to set it up; it has a web based interface for configuration.
It works great for me.
-
Do what the schools do. i.e.: Create a file set of what the users actually want and need. Give them enough apps to interest and entertain. Genealogy is interesting for older folk. Remember that while their intellect and co-ordination might have slowed somewhat, they are still adults. IoW, you don't need to dumb-down the exercise to the level schools deem appropriate for children, because that's just an insult. While it takes a while to set up a Gentoo machine file image, it will save you heaps of time in the long run. Now create a compressed bit image of the partition(s) and save it. Set up an ftp server so you can quickly replace the file set on the client machines using Ghost for Unix if somebody has a most unfortunate event.
Make sure you have a decent firewall / gateway. There are lots of good ones on the 'Net. I use IPCop, which has a Squid proxy as well as lots of addon programs. URLfilter is useful to remove the totally obnoxious.
That's it, except that imho you should not tie the machines down to the point at which they become useless and painful to use.
-
Re:This makes my job much longer...
Here is the solution to your problem as long as you have a spare PC laying around with a couple of nics.
Install IPCop http://ipcop.org/
Install 2 plugins off of http://www.advproxy.net/
Install advanced proxy and Update Accelerator
After you have this set up, set up a copy of Windows XP manually (from CD) and do all of the updates with Windows Update/Microsoft Update. Update Accelerator caches all of the updates locally and they seamlessly download from the local server when you use Windows Update. I use this and it has been a life saver for our office. We vary from running updates on between 10 and 500 PCs that may need some updates every day.
-
Re:But why do we need these in the first place?
Maybe I'm an old stick in the mud. But I've had far, far more trouble CAUSED by most of these applications than I've seen prevented.
Ain't that the truth.
I bought a couple of Dulls last year, a desktop for me and a laptop for the wife. I turned mine on long enough to ensure that it worked, then wiped the drive and installed Ubuntu. The wife wanted XP, so the first thing I installed was the Dell De-crapifier, an earlier version of the PC De-crapifier. Off came gigabytes worth of crapware, including the McAfee internet security suite, as bloated a POS as you will ever find. (Except for maybe the Norton internet security suite.)
Then I installed the free versions of AVG Antivirus, Ad-Aware and Spybot. AVG works well and is much less bloated than McAfee and Norton. Other than all the screwing around to make it stable and secure, we have never had a problem with the laptop.
However it is annoying to have to delete tons of garbage no sane person would ever want. It is annoying that Windows is so insecure. It is annoying to have to depend on Windows Update when Microsoft uses it to frogmarch their users onto new software (e.g. IE 7, WGA) that has nothing to do with security. It is annoying having to go to so many different websites for software updates.
I have three Linux boxes, 2 Ubuntu and one IPCop firewall. That one Windows laptop requires more babysitting than all the Linux boxes put together.
People complain about computer viruses, computer worms, computer trojans, computer instability, computer insecurity, computer crapware, computer bloatware. Et cetera.
To that I say :%s/computer/Windows/g
-
IPCOP
IPCOP is a very secure and flexible firewall, plus it's open source. It runs on all kinds of hardware like normal PCs, boards with CF cards, servers. A vanilla installation is full of features like VPN, QoS, IDS, web proxy and by using addons you can add stuff like detailed proxy reports, content filtering, traffic monitoring and a lot more.
You can find it at http://ipcop.org/
Their mailing list is pretty active and full of helpful people.
If you have a spare PC and some network cards give it a try.
-
Those that provide an alternative to closed source
The big winners (to me) are those projects who provide a viable or better alternative to available closed source software and those that you'd put into a business and trust to "just work". To find them you need to test, test and test some more. My winners, those that spring to mind immediately as being trusted not to embarrass me, are
- mOnOwall - firewalling
- IPCop - firewalling
- Metadot - CMS
- Apache - web server
- Bind - Name Server
- asterisk - telephony/voip
- Sendmail - cussed but stable MTA
- SpamAssassin - spam filtering
- MIME-Defang - email content filtering/manipulation
- ClamAV - Virus filtering
- Freebsd - the best OS since sliced bread (IMHO)
- Centos - Not too shabby an OS either
- ...
-
Re:No Experience?
LiveCDrom Distros: All my school kids start with http://pclinuxos.com/ and its 5500 programs. Out of the box solution. I use it. On at least a dozen of my systems (8 of my systems are Mac OS9 and OS X). On many of my dozens of older machines, http://knopper.net/knoppix rules, also! Damn Small Linux is great for the really old ones, plus, for the absolute newest ones! Firewall/router is http://ipcop.org/ I keep a single M$ XP Pro machine around, but rarely spin it up. Maintenance (security, 7 protector programs, it wears out hard drives prematurely!) isn't worth my time. Maybe if I was a "PC gamer". But, I do play some games on GNU/Linux. Operating systems are tools to make the machine do work. I choose those that do the particular job best. Play, and learn, then choose! It is about absolute freedom and ownership of MY DATA!
-
IPCop versus SmoothWall
Does anyone knowledgeable want to contrast IPCop to SmoothWall?
Advantages/Disadvantages? Pros/Cons?
-
Find it here
-
my solution
which I use at home is an old computer (was a 166MHz CPU/32MB RAM, but is now a 300MHz CPU/64MB RAM). A Linux distro called IP COP which is based on a similar distro called Smoothwall.
It turns your old computer into a dedicated firewall/router that operates under broadband, dialup and apparently now has wireless support. And if you add Mike's Hosts File to it then you have a fairly easy setup for safer web surfing.
Combined with using Mozilla Firefox/Thunderbird on the computers that connect through my IP COP distro, I've had very few issues with spyware, pop-up adverts and other misc headaches.
-
Smoothwall anyone?
What's so new about this? http://smoothwall.org/, http://ipcop.org/ and http://m0n0.ch/wall/ could easily be customized to perform a similar function. Easy as installing a bittorrent application, and using SSH.
By the way, these 3 options happen to be free and upgradable.
-
Re:So many problems, though
I love this software, but the Linux client really is neglected. The documentation for Linux is not really there. There is no decent configuration tool for Linux. There are many bugs. For example, if you do any port forwarding, you must edit some nat.conf file. And if you reconfigure anything after that with vmware-config.pl, it completely wipes out all your changes to nat.conf without warning. I spent so much time dealing with these types of bugs while testing the beta, I should have simply purchased another solution.
I haven't noticed any significant difference in functionality on either VMware Workstation on Windows vs. Linux or VMware Server on Windows vs. Linux.
Also I haven't found much reason to set up a vmnet for NAT. What I typically do is set up a bridged vmnet for each physical NIC and then a couple of host-only networks.
The key is to set up a VM like IPCop to do your NATing and routing between your physical networks and host-only networks. Put three virtual NICs in the IPCop VM, one on a bridge for the red "WAN" interface, one on a host-only for the green "LAN" interface, and one host-only for the orange "DMZ" interface. You can easily set up all your routing rules using IPCop's web interface.
If you add Cop Plus to IPCop you can even do web content filtering with DansGuardian and SquidGuard. It has a pretty small footprint and is a nice addition to a home server.
BTW, there is one application of a NAT vmnet that I could see as kind of a cool thing: using VMware Player on an autorun CD to have a VM run in NATed mode without having to install VMware Player on the host.
-
Re:Malacious hackers and GWA
And the sheer number of hacks around to disable this thing already leads me to believe that the only reason we aren't all on botnets right now is the mere good graces of the hacking community.
Or, you know, the fact that some of us are on Macs. Or running Linux :)
We've had a machine here at work fail WGA, even though it's a legit licence. Fortunately, the box in question is due to be turned into an IPCop box in a week or two, so no biggie.
The part that worries me is that it sets a precedent - will all sorts of other companies feel free to plaster your machine with 'you haven't paid' banners that pop up every 15 minutes now that Microsoft's done it and not been flamed to a crisp?
-
Understanding of DMZ
People's working definition of DMZ (De-Militarized Zone) depends greatly on the hardware they use.
If the only network you admin is a Linksys box connected to a few computers and a cable modem/DSL, the DMZ (as defined by Linksys/D-Link/Belkin) is the IP address all incoming packets are forwarded to. Effectively, one of the computers on your internet is directly connected to the internet. Traffic between the 'DMZ Zone' and the rest of your network is unmonitored by the router.
If you use something more sophisticated, such as ipcop.org (runs on any ancient machine and a few network cards) or a true firewall appliance (ShoreWall, Cisco, etc.), then you have the option of having the DMZ be a separate segment of the network. You can have incoming connections forwarded to different boxes in the DMZ, all of which can communicate with each other and the outside world, but cannot talk to things on the other zones without explicit permission (called DMZ Pinholes in IPCop).
Of course, you can also achieve this by cascading routers, as one of my friends does. He likes to share the internet freely with his neighbors, so anybody in range can connect to the internet via his wireless router. They cannot connect to his personal hardwired computers, as those are behind a separate router which is itself plugged into the first router.
-
Did you check IPCop + Copfilter ?
IPCop + Copfilter, based on Linux, check it at: www.ipcop.org and www.copfilter.org
-
Re:OpenVPN behind a NAT?
I agree. OpenVPN is a very customizable, secure, and inexpensive solution. If you don't know how to set it up with firewalling you can check out The Endian Firewall Distro/Project http://www.efw.it/ It is based on IPCop http://ipcop.org/
-
IPCop works
I was asked by my boss to evaluate VPN between the red interfaces of two IPCop machines. Talk about simple. I don't know exactly how well it scales, but it can't be horrible. Today, one of my tasks is find out if and how well it works with m0n0wall and in roadwarrior configuration.
-
Re:$29 Firewall Routers are your Friends
Heck, you don't even need a $29 router. Just get an old company PC lying around or something, doesn't have to be all that new. http://ipcop.org/ or even http://smoothwall.org/. I personally use IPCOP, but Smoothwall works just as well. These won't get rid of your Windows boxes, but at least you can set up a Linux box in between them and the internet.
-
Re:Dial-up does not make you more secure
My solution: (for either broadband or dialup!) Set up a low powered PC (say a minimum of 166MHz with at least 32MB RAM or better - depending on the demand of your network load) with a Linux firewall distro (http://www.ipcop.org/) - For broadband users you will need either two ethernet cards or one ethernet card and a compatible modem (my connection links to a cheapo hardware router/modem) - Dialup users just need an external modem and one ethernet card.
All my computers hook up to it via a hub. IP-COP makes a very cool customisable router/firewall system. I started using it for sharing a dialup connection, now I use it for broadband.
Also because my network demands are low, I've ripped out nearly all fans in the router box as it rarely uses more than 20% of CPU capacity, thus making a reasonably silent box in the corner!
-
Well Linksys routers aren't the answer there...
However, there is an answer if you can scare up a 486 or better with 32MB of RAM, 400MB of HD, etc.
IPCop will do modem dial-outs (manually initiated and on-demand) and provide firewalling, caching, etc. for the same with any hardware and many software modems out there. In fact, when Verizon fubared my DSL pending my FiOS install, I had to resort to that by popping a hardware PCI modem (yeah, they DO make 'em) into the box instead of my Red NIC and plugged in my road warrior ISP. While it was dialup (with all the concomitant slowness...), it DID work well with all the setup in the house (incl. my firewalled and VPNed wireless leg...).
Basic configurations will work, esp. with an external modem and are largely no-brainer setups.
However, having said all the above, the original article poster's "friend" wasn't doing him any favors by making very misleading statements like he did. Most of the malware flatly doesn't care if you're not always on and high-speed. It'll zap you even on dialup (Remember Blaster?) and it may zap you in such a way that you can't even get on (Remember Blaster?). If your OS is insecure, it matters little what bandwidth you have - it's still insecure. Just because you're not as useful for a botnet doesn't mean you won't get trojaned or zoomed by a worm/virus all the same. The exploits and their use don't discriminate in a manner like dialup versus broadband - they attempt to zap EVERYONE.
The original poster should just get broadband of some kind - a goodly portion of the Internet has become painful to use because developers are assuming broadband-like access and do all kinds of stupid things to their bandwidth and latency from off of their sites.
-
Bunch of morons
Spending money on proprietary closed-source solutions. Get IPCop! It's free, costs nothing and works.
-
Re:Backports?
-
Re:IPCop
Replace the hard disk with a Compact Flash to IDE adapter, use a passive cooler for the CPU and basically you're set. You don't need a P4 to run a firewall. Something like VIA's C3 will do. A setup like that doesn't draw much power, so passive PSU cooling becomes an option.
Fine, but after spending your money on mods you'll have something very close to my Motorola wr850g that you can pick up on eBay for less than $30 and then flash with dd-wrt. IPCop is great, I've been running it on my LAN for years, but c'mon.
Of course it does. The 'blue' interface is for wireless.
I stand corrected. WAP support is included as of v.1.4. However you can get an entire Linux-compatible router (see above) for about the same price as an access point, so why bother?
-
IPCop
An arguably better and entirely free alternative to Smoothwall is IPCop. Definitely a product worth checking out as there are no "limited" versions and it supports a lot of interesting add-ons such as SquidGuard, a Midnight Commander clone and a time based billing system.
-
Unwanted Content is Not Difficult to Block
Using DansGuardian with Squid is not difficult to set up. The default blocks are quite comprehensive, and completely customizable. There are even gateway/firewall distros like Smoothwall and IPCop that have drop-in support for DansGuardian.
Now, if more people would just learn the need for a real firewall, and how to configure the darn thing...
-
Re:simple
-
Re:Darknets
Ditto me-- A group of friends and myself all migrated to IpCop (http://ipcop.org/) routers for our home networks a couple years back, because of its super-easy-to-use IPsec VPN capability. Allows us to do productive and important things, like playing network games. Hell, I've even used it for more boring, business uses, like moving Word documents between a small office and telecommuters' homes.
-
my favourite solution....
I have 4 computers at home (2 Windows, 2 Linux); the one I use as my internet sharing server is a little P166 (32MB RAM) chugging happily away with a Linux distro http://www.ipcop.org/ with a little bit of help in filling my /etc/hosts file with sites to block: Mike Skallas' ad blocking hosts file as well as my own little shortlist of unwanted websites. Having a separate computer as a firewall helps prevent a lot of spyware crap from raping my net connection with unnecessary data and prevent infection from easy exploits.
Combined with the fact I use Firefox http://www.mozilla.org/ I get a pretty good ad-reduced experience. And if I want to kill a lot of adverts off when going for a browse onto possibly dodgy websites (be it crappy homepages, dodgy services, and porn [for those of you who still don't have girlfriends!]) depending on what I'm doing I'll kill client side scripting (Java/JavaScript) to take things one step further.
As well as running "Spybot" occasionally and doing the odd "free" virus scan from a couple of antivirus websites, my net experience has been reclaimed to an acceptable level on a low budget.
If I'm feeling really paranoid I'll boot up my normal Windows machine with Knoppix instead of Windows so I can go carefree onto any website without fucking it up with Windows-targeted spyware.
Oh yeah, my homepage is colinnashonline.com for those who are bored
-
NAT is beautiful solution to address space &
Security is just a side benefit to the solution requested. The user asked for a way to split up an address in order to avoid paying $60 per computer at his site. I figure they hadn't heard of NAT so I gave him my $0.02.
NAT alone does improve security. It is far better than a direct connection. NAT alone will stop a lot of port scan worms and door knob testers (the bulk of the crud that attacks simple users like myself). It's like having a cheap U-Lock on your bike, sure you can pick it with a BIC, but most people don't know that and it keeps mooks from riding off on it. This is why most broadband routers & modems these days have NAT, it's a good first step.
Double NAT, however, is a different story. Double NAT is more difficult to breach. I am not going to say it is foolproof but it takes some serious effort to get across and for the networks that I have set up with this solution the end users have seen a dramatic drop in successful attacks. The only thing that I have seen succeed are trojans.
Still, if you want to be secure, I did suggest http://www.ipcop.org/, a Linux distro that uses ipchains/iptables and is a fairly sophisticated firewall, which I have found to be a reliable and cost effective alternative to PIX or Checkpoint. Sites where I have installed this solution in conjunction with good AV have had no breaches, and they still run 98.
Security is not just one thing. Like the bike example above, security is many things: not just locking the front wheel, but locking the frame and both wheels; locking it in a well lit and visible place; bringing it indoors when possible... security is a matter of practicing many layers of secure procedures across the board -- it's using a secure OS, strong passwords, using virus/spyware protection, using firewalls, intrusion detection, logging, etc.
For the average end user, most of this doesn't make any sense and you can't expect them to get it right even some of the time. But you put an unpatched Win98 box behind double NAT, even single NAT, and you will see a dramatic reduction in exploitation.
That qualifies as an improvement in security.
-
Advice from a K12 Tech Coordinator
- Start making things more reliable on the backend. For starters, put IPCop in as a firewall, place all the machines behind it. On the backend you can use the best tool for the job, and no one knows you're running Linux/FreeBSD/OS X.
- Once that is working well, move e-mail to something web based like SquirrelMail. SquirrelMail acts like an IMAP client, so all you have to do is turn on IMAP on Exchange and you can start using SquirrelMail with it. This helps immensely with setting people up with e-mail, and users can still use any client they would like if they prefer.
- Set up the mail server to drop anything with an executable extension and .zip extension.
- Set up an online trouble ticket system. Do not fix anything unless it is put in the system. This helps in several ways: you automatically have a written record of everything you've done, and you can more easily prioritize what needs to be done. It also stops people from stopping you in the hall to fix "just this one quick thing". When they say they couldn't put it in the help desk because their computer wasn't working, show them that there is always another classroom/computer that is closer than the phone.
- Lock the computers down. Do not allow anyone to install anything. Show them the SPA website and how the district is liable for $150,000 for each infringement of illegally installed software. This should help you convince the superintendent and BOE of the policy.
- Set up a file server and accounts for every person. Allow any person to use any computer and have their documents and settings follow them.
- Learn Ghost or your favorite imaging software and Windows RIS. Tie this in with the step above: if you can't fix the problem in 15 minutes, re-image the machine. DeepFreeze might be another product to look into.
- You must have a filtering solution put in place to be compliant with e-rate and COPA. We use SquidGuard, but there is also Dan's Guardian, which can be plugged into IPCop. Block all ActiveX controls with filtering. Once people get tired of IE not working, they might be more acceptable to Firefox.
- The easiest way to get them to use Firefox is to install it on the machine, remove Internet Explorer. Put the Firefox shortcut on the desktop, but replace the icon with the one from Internet Explorer and rename the shortcut Internet Explorer. This also works to migrate people to OpenOffice.org.
:-)
The fastest way to gain the respect of others is to start writing grants. Once you are bringing in new equipment and monies from grants, people will start to trust you.
No matter how stable and secure the network and computers are, staff will still believe they are unstable. It's just something you have to shrug off.
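The attachment-dropping step in the list above, as an added example that is not the poster's code or any MTA's own filter: a check over a parsed message that flags executable and .zip attachments by their final extension (so double extensions like report.pdf.exe are caught, as are case variants and the trailing dots or spaces Windows ignores). The extension set is an assumed policy, the sample message is constructed, and a real deployment would call `should_drop` from the mail server's content-filter hook.

```python
"""Drop inbound mail carrying executable or .zip attachments, as the post's mail-server step suggests.
Added example, not code from the original post or from any MTA; the message built here is constructed."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions to drop (assumed policy set; .zip is the one the post names explicitly).
DROP_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".zip"}

def blocked_extension(filename):
    """Return the blocked suffix of filename, or None.
    Only the final extension decides (that is what Windows executes), so 'report.pdf.exe'
    is caught; case and the trailing spaces/dots Windows ignores are normalised first."""
    ext = os.path.splitext(filename.lower().strip().rstrip(". "))[1]
    return ext if ext in DROP_EXTENSIONS else None

def attachment_names(msg):
    """Filenames of every non-multipart part that declares one (Content-Disposition or name=)."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_maintype() != "multipart" and p.get_filename()]

def should_drop(msg):
    """Return (drop, reasons) for a parsed message; reasons name each offending attachment."""
    reasons = [f"{name}: {ext} attachment"
               for name in attachment_names(msg)
               for ext in [blocked_extension(name)] if ext]
    return bool(reasons), reasons

def parse_raw(raw_bytes):
    """Parse wire-format mail bytes, the form an MTA content hook receives."""
    return BytesParser(policy=policy.default).parsebytes(raw_bytes)

def build_sample(attachment_name):
    """Construct a sample message with one attachment (constructed data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "teacher@school.example"
    msg["Subject"] = "homework"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg
```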
-
Re:Different purposes...
Is it? Remarkably bad performance for a linux box. I was thinking of this linux distro for linksys routers. Maybe it's the hardware.
/shrug
It's still no substitute for a real firewall IMO.
IpCop
Smoothwall
m0n0wall
I've played with perhaps a dozen little firewall distros like these and I'd prefer any of them to the default linksys setup. These three are my favorites for features, power, ease of use, speed, and tinkering ability. m0n0wall isn't easy to tinker with, but runs quite well from a 6MB ISO image and strikes me as pretty unhackable. Maybe someone should hack that onto the linksys.
-
I know what Linux "distro" should run there
Six ports and wireless in one Linux box? Sounds like the perfect place to run IPCop.
The challenge is to split the six switch ports into red, green, and orange (different subnets with different firewalling, for those who don't know IPCop).
Go here to learn more about IPCop.
-
Re:M0n0wall - you're crazy if you DON'T try it !!
-
Netboz, Smoothwall, and IPCOP
Well....
Netboz is a solution... it runs off a CD and has many of the popular options.
Instead of running it off of the CD, I suggest that you use one of the pre-configured firewall options that installs off of your hard drive. These are just as easy to configure, but host a lot more options and mods.
Smoothwall Express - http://www.smoothwall.org/
or even better yet, IPCOP at http://www.ipcop.org/
-
Re:HMmmmm
Well, I for one already have a similar setup (though probably not tweaked for "gaming", it does a bloody decent job of it): it is a little P-166 with 32MB RAM running Linux (http://www.ipcop.org/), rigged as a firewall and router.
Plug in an ADSL modem and away you go!
(although I ripped out a few internal fans to cut down on noise to maintain sanity, no cpu fan and still tickin' good, in fact it is barely reaching 20% CPU capacity so it don't need a fan anyway)