Domain: ipcop.org
Stories and comments across the archive that link to ipcop.org.
Comments · 116
-
Less than $100?
"So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
Hi. I just bought this brand new Dodge Viper. I'd like to buy an alarm for it. What do you have that's less than $19.95?
If you're spending less than $100 in hardware to protect an important server - then it's really not all that important to you. Really.
If you want to spend less than $100, buy a Linksys firewall/router and put that in front of the server. If you take your servers a little more seriously than that, spend a little more money and build a decent firewall, or at the very least - a pair of cheap firewall boxes that use CARP for redundancy.
Anyway. To get back to your question - I prefer OpenBSD for firewall control - you can pretty much do anything with OpenBSD/pf (thanks for writing pf, Daniel!)
If a web-based control panel is more your thing, you might want to look into IPCop (a linux-based firewall based on SmoothWall). IPCop is pretty, free, and reasonably capable. PFSense is still building up, but it also has a web interface. PFSense is based on FreeBSD.
Hope it helps. -J -
IPCop...
...Is all you need. Rock solid specialized Linux distro built from LFS http://www.ipcop.org/. It has all the advantages of commercial hardware routers, it's easy to customize and you'll be online in 30 minutes. Just get yourself an old P3 500 w 256 Mo of RAM and a decent HD (if you intend to run snort and get quite a lot of traffic). I have 4 servers on my lan and run it on a P166 w 64 Mo of RAM. The TCO of this baby in my case has been roughly 4 hours of work + electricity for the last 3 years.
-
Re:Also IPCOP
Although IPCOP continues to use Smoothwall source, it is close to being its own distro. http://www.ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=IPCopRoadmap
I've used both before and found Smoothwall to my liking. Although IPCOP is solid, we've had issues in the past with delays in updates from the developers' end. Those delays turned into months beyond their deadlines which turned us away from IPCOP and on to Smoothwall. We now run Smoothwalls throughout our facilities, PTPVPN to our satellite office in Texas and have never had any issues with them. We're happy with our Smoothy! -
Get an old pc, stuff 3 network cards in it and install ipcop from www.ipcop.org
It is really easy and you end up with a dedicated firewall box with a DMZ
It is what we are using at work (and the boss can even use it).
-
IPCop
If you want something simple and effective, go for IPCop.
-
Also IPCOP
I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore.
While I think it was rather a hard disk crash and not a direct smoothwall problem, it made me feel like replacing my smoothwall with ipcop, another firewall dedicated linux distro (forked from smoothwall).
I'm very happy with ipcop at the moment, it's a bit more "customizable" than smoothwall. I know both are GPL'ed so they can both be customized to fit any purpose, but as ipcop is a 100% community-based distro, it is a bit more designed to be tweaked than smoothwall.
Check out IPCOP site
-
Maybe try an OSS firewall distro
There are a few OSS firewall distros out now that give you all the firewall features w/o all the by hand set up. I've been looking at IP Cop lately although I am still using a home grown Linux firewall.
http://www.ipcop.org/
You can find more firewall distros on distrowatch's web site.
http://distrowatch.com/ -
FIXED LINK
LINK HERE
Sorry about that -
ipcop works for me
i've been using ipcop in various locations for a while and it's been working well. it's a linux distro that runs fine on my old Pentium I. AFAIK it only supports 3 to 4 networks (internal, external, DMZ, and one other), which may be a limitation for some. I haven't upgraded to the latest version yet, but even so it's proven robust and easy to manage for me. http://www.ipcop.org
-
IPCop
IPCop combined with some modest hardware should take care of business. The DansGuardian add-on, Cop+ should handle your filtering needs as well...
-
Two Words...
IP Cop.
;) http://www.ipcop.org/ -
IPCop
Put IPCop on the aging machine and then set up priorities for different traffic.
-
Re:Build your own?
I do, using a 200Mhz K6 PC I had laying around and IPCop. Overall, I'm very happy with it, though I don't use the packet shaping or most of the other higher functions (like VPN).
I can't imagine ever buying a consumer router and using it as such- I have a Linksys WRT54G that I only use as a wireless AP and wired switch. IPCop handles routing and firewall functions better than anything I could buy. -
And that's why I think...
...userland security tools are utter BS. Why the hell would you buy an "internet security suite" for desktops when you can use a standalone box to secure your network?
-
My Setup
There's really nothing on my computer worth stealing, but the thought of blowing away my entire setup and starting from scratch gives me hives. So I have an old pentium running a dedicated linux firewall with NAT to the internal network. Everything is blocked, with the exception of ssh which is forwarded to my linux box inside the network. There are no wireless connections.
I have an iptables firewall running on my personal linux machine, and I use the ssh AllowUsers directive to only allow remote logins from my username. Other than that there's nothing running that's visible from the outside. I also check for security updates every day. Naturally I also have a strong root password and never log in as root unless I'm doing something that requires it.
I could get a lot more paranoid than that, but I think having a strong dedicated firewall, not running services I don't need, etc. is enough to keep me protected from the vast majority of malware out there. That, and not running windows... ;-). -
Re:What I really want
Try ipcop, it can split off your network into a wireless part and a wired part, and even add a third zone for public servers. The wireless part defaults to not giving access to either the internet or your other, wired computers, and you have to add mac addresses to a table for wireless clients to be able to connect. And it has nice graphs too, so you can see if someone's using your connection. Use this with WPA and vpn maybe. If you want more security, use wired lan instead.
-
Re:Smoothwall
Bah, you probably want to use IPCop instead. The Smoothwall community has a history of being, ummm..., moody and really pissed a lot of people off. IPCop was forked off of Smoothwall several years ago to make a more friendly product, and I have to say I like it much better.
On Topic: I haven't used the VPN functionality yet, but with my new cable modem I plan on connecting to a couple of sites I support (all with IPCop). -
IPCop
Simplest way I've done it is to setup IPCop on both ends. You can use throw-away hardware (Pentium or greater) with little RAM and hard drive space and two network cards. VPN's are a breeze to setup.
The only issue will then be bandwidth, the faster the better. My main site uses cable and the remote site uses ADSL, and it's fast enough to be usable, but not as fast as a thin-client (Citrix) installation is. But we're talking trade-offs of cost for speed here, but since it's so cheap to do you can set it up and try it and see if it's the right solution for you. -
Re:Top need is for reliability
I am currently doing some computer volunteering at my children's school and I am trying to lead the charge with OSS. Money and support is tight, so OSS sits pretty well with everyone in charge.
My first project was putting in a firewall. They were running pretty much wide open before I got there. I slapped IPCop on a spare box they had laying around and changed the whole nature of their network (for the better :). They are now running DHCP (no more hardcoded IPs), Squid, and have a content filter (required by management). In fact, they have outgrown the hardware and I am going to be replacing it soon with a rackmount server from eBay.
Next up is a web server - I am using Metadot to build an information portal. The plan is to use it for general school stuff initially. Then, after everyone gets a little more comfortable with the idea, we are going to open it up to the teachers to add their own content. Pretty cool!
They are currently running Windows and are having a hell of a time trying to keep them running. The computer teacher is spending more time fighting fires than teaching! The next big thing I am going to pilot is putting Linux on the desktop, probably by using something like K12LTSP. All I have to do is isolate and confirm those few Windows only programs that are required (grading software, library software, etc.) After I get those running on Linux (Win4Lin or something) we will be good to go with a terminal server rollout. -
Re:Did I miss something?
How much electricity do you think that old celeron-400 uses in a year? In many places that little box will pay for itself very quickly.
BTW: You want to use ipcop (version 1.4.0 just released!) instead of Smoothwall.
-
Re:What I use
I've used Smoothwall too, and it's great. I'll add another suggestion, though: IPCop, a free GPLed fork of Smoothwall which adds many features not available in the basic Smoothwall distro; great for home and small network use (though I'd highly recommend SW if you need any commercial support). The latest version - on release candidate 4 now, watch out for 1.4 stable any day now! - includes traffic shaping using Wondershaper, so will solve your P2P problems quite nicely. See the unofficial support forums for the latest news and plenty of help.
Of course, if you just want a standalone device, like others have said your best bet is to get a LinkSys WRT54G/WAP54G plus alternative firmware, such as the Sveasoft one. See more info here:
http://www.seattlewireless.net/index.cgi/LinksysWrt54g -
Re:Ooh! Selective comparison...
For home users Linux really doesn't belong YET
My household happily uses a Mandrake 9.1 laptop and a Mandrake 9.1 desktop, both connected to the outside world through an ipcop firewall.
No windows partitions on any of the three boxen.
KDE, Mozilla, OpenOffice, xmms and bibletime are the only apps we regularly use.
most business do need special software, and they are almost always created to run on Windows
Depends on the business. Many businesses have apps that are custom made for them - this could easily be done on any platform. Many are now using web based apps - any platform. Some employees have a windows workstation on their desk or counter that is mostly running some text-based terminal app - eg 3270. 3270 clients exist for linux.
Ask any local Restaurant you go to.
There are linux-based restaurant POS systems out there.
I don't know what PSpice and Xilinx are. If they're windows-only apps that you need, for which no suitable linux alternative exists, then you are quite right in saying that linux is not ready for you. Just don't extend that to everyone else. -
quick (and fairly easy)
I have used dansguardian on ipcop for several different sites (schools, homes etc), and have been pleased by the relative ease of installing (as far as linux stuff goes) and the configuration options.
I have used IPCOP v 1.2 and 1.3 w/o any problems. Sidenote: it runs well on an older pentium 133 box. -
Re:I learned from Blaster six months before the fa
My NAT/fw is a P166 box running IPCOP.
Easy to patch. Easy to use. Easy to set up. -
Worked ok for me
I used snort on an IPCOP box. Worked ok for me.
-
I'm sick of the leveraging old equipment argument.
Can't remember the brand of cigarette, but their ads always featured some long legged model with the tagline "We've come a long way baby"
Using SSH and console is ok, when I just have to pop in really quick to edit some conf file, or tail -f some log. %80 of the time i'm doing this, it's pertaining to some client's web site i'm working on.
Guess what though? Do I fire up lynx to view my changes? Hell no! I use mozilla or IE, or some other html renderer. Do I create graphics or video from the console too? Hell no, I use some graphic program, with some nice gui, and pretty little icons everywhere BECAUSE I LIKE IT!!!!
Not only do I like it for that kind of work, I like it FAST! The faster the better!
Does it look like I care about leveraging old hardware for modern content? (shameless plug)
What I do use old equipment for is an ipcop firewall. I also use it to frankenstein together stepper motor interfaces because it IS old and I don't give a crap if it catches on fire because I wired something the wrong way.
Here's the whole wrapup to my post, i.e. the point. I read slashdot everyday, I build mosix clusters using plumpOS (couldn't remember the link sorry) My garage is filled from top to bottom with old computer crap because I know i'm not average joe sixpack user, and I will find a purpose for it even if it's just for research or fun. Average joe sixpack doesn't care about these things, he just wants his little clickety click icons to open up faster, or his OS to load quicker, or his games to run better.
And I sympathize with him %100. Thanks Joe sixpack for not taking the time to learn what I do, because I'm that car that stops outside your house to load up that PC you put out with your trash. -
Re:hardware firewalls / nat routers
I had the same problems until I installed an IPCop Firewall box. In my opinion it's always better to have a dedicated firewall machine. You never know what is open (by mistake) on your workstation and/or servers.
my e$0.02 -
Re:Cisco will try to stop this somehow
I probably live in the dark ages, seeing as I don't remember reading anything about Cisco buying linksys, but still... Maybe they did it to stop linksys from making even more crappy products? Not trying to troll, but they have given me nothing but grief. The DHCP server in the Router I bought from them died, the Wireless USB adapter I bought for my wife is constantly flaking out, and the WAP11 I bought for wireless access doesn't seem to understand multicasting.
I'm still stuck with the two wireless products, but finally threw together a FreeBSD firewall that I use for my router now (200MHz pentium machine that cost me $40cdn, less than half the price of a linksys router dealy).
Check out ipcop, or smoothwall if you want alternative firewall/router solutions. -
Google Toolbar
This story interested me because nearly half of our users have come to us requesting pop-up blocking within the company. We use IpCop as our proxy/firewall for over 100 users. I'm sure someone could rig Dan's Guardian or some content filter out there to do the job, but we have had very good success with Google's latest toolbar for IE. The users can keep using the browser of their choice, the toolbar lets them search quickly, and the toolbar blocks popups. We have also blocked the spyware sites that we are aware of by using IPCop's hosts file and have run AdAware on the workstations religiously.
I'll admit that it is a pain to install the toolbar on 100 machines, but I would like to think that it has saved us the time and agony of making our poor little firewall try to do something it wasn't designed to do in the first place.
I also realize our corporate user group is not the same as your ISP's user group. You have less control over the machines that access your services. However, you have to remember the KISS principle: Keep It Simple Stupid. If there is software that a user can install to block popups, that puts the choice in their hands. You can recommend the software and even provide an instruction set for doing it. Heck, you could even advertise that, "We will help you stay popup free."
Anyway, I highly recommend the latest google toolbar. You can download it here.
-
Re:I really think..
-
Re:I use this one at home
IPCOP forked from smoothwall because the lead developer at smoothwall was an a$$ and would not work with anyone. IPCOP is community based. They do not hold features back unless you pay like smoothwall. http://www.ipcop.org
-
I used smoothwall for a while
And I highly recommended it for many moons.
Unfortunately, the developers really annoyed me. One time, they released a patch that added a splash screen to the web interface that popped up EVERY time you changed page. And set chattr+i on the file on the server, then deleted the {ls,ch}attr commands on the server.
Which was just offensive. I went into their [community] IRC channel and mentioned how to fix it, and was kickbanned.
They make a big thing about being GPL and community-friendly, but in practice I just find them offensive.
I cannot highly enough recommend that people don't use this, and use ipcop instead.
Gary (-; -
I use the forked IPCop
I used to use smoothwall, but switched to the forked project IPCop. Some of the original developers forked away from smoothwall because of the founder's desire to mix open source with a business model that conflicted with the project. I was having problems with smoothwall and updates, which prompted me to switch to IPCop. I've been happy ever since.
Anyone else got opinions on Smoothwall vs. IPCop? -
alternatives
IPCOP is an alternative (fork) of the smoothwall project. they do a nice job as well. thanks to both groups. I've been relying on IPCOP for years.
-
I tried smoothwall then switched to ipCop
ipCop is a fork of the smoothwall source that has more of an open source community behind it. Personally, I found the whole "Buy Smoothwall Now!" experience just a little too annoying to use.
But, let me be the first to say that I love the concept behind this type of distro. A boot-cd and 20 minutes turns any old wintel machine into a damn good firewall appliance (one that has a shell!).
-
Stop helping people hurt you via non-free software
They have decided to disable the 'feature' that hijacks a random http request every 8 hours and redirects to a webpage advertising their parental control system.
The whole reason anyone got into this mess was because they blindly trusted non-free software. Don't make the same mistake twice. Get an inexpensive low-end PC and install a free software router on it. If you're technically savvy, help someone improve their distribution of a free software router (I'm sure there are many others) so novices can more easily use it. This is a great chance to contribute to a volunteer project and help people escape untrustworthy-by-default software.
-
Re:use a real router
Or better yet... use IPCop... It's a fork of Smoothwall created by members of the original development team who didn't like the (more-corporate) direction that Smoothwall was heading.
It's perfect for adding an Internet gateway box to your wireless network (or the usual ethernet net). It works great with any broadband connection but also supports a very nice dial-on-demand setup for dialup ISP users.
Installation is almost idiot-proof. In a word, it rocks.
Get it here: www.ipcop.org -
Re:Who is your audience?
I'd also add IPCOP to that Admin's list. -
IPCOP
Try IP-Cop, This is a GPLed fork of Smoothwall, fully featured, extremely small footprint. If you install the RPM version, then you can add libs and programs onto the install. Checking out the Forums shows quite a number of addons, mods etc. that can be installed to give more flexibility (edonkey/MTA/ftp servers/samba/squid/proxies/filters/additional ID) etc.)
-
Home Linux Firewalls
I'd much rather take an older computer and throw ClarkConnect on it. Comparing the feature list above with CC's features:
Security
* Stateful Firewall
* Intrusion detection with Snort
* Secure shell via SSH
* IPsec VPN (Office Edition only)
* PPTP VPN (Office Edition only)
Web Server
* Apache web server
* Support for CGI and PHP
* Secure/SSL support
File Services
* Journalled file system with ext3
* FTP server
* Windows file server
* AppleShare file server
E-mail
* POP and IMAP servers
* SMTP server
Filtering
* Banner ad blocking
* Web proxy
* Content filtering (Office Edition only)
Printing
* Print server support
* Printer sharing for Samba/Windows networks
Easy Configuration
* Web-based configuration
* Optional Webmin package
Network Support
* DSL (including PPPoE)
* Cable Modem
* 802.11b Wireless (Office Edition only)
* Internal DHCP server
* Caching nameserver
There's a few not listed on the quick info page, such as Gallery and SpamAssassin, but you get the picture. Not to say that you couldn't add on to the software on the Rumba, after all it is Linux based, but who says they'll make it easy for you to do so. I have no problems adding new goodies to my ClarkConnect box, such as a NWN and TeamSpeak server for my gaming friends or SliMP3 server for around the house music, and I wouldn't give that up.
To give fair time to two other Linux firewall distros I've used in the past and like almost as much as ClarkConnect, check out Smoothwall and IPCop.
Jonah Hex -
IPCop, was: Re:What about a small company?
In order to secure a SOHO, it rarely takes more than IPCop has to offer. This is probably the best solution, having a restrictive firewall with a properly configured snort IDS behind...all accessible via a simple webbrowser. DMZs, Graphical Logs, included proxy, dial on demand...hell, even patching works via browser!
I'm satisfied. Application Level Firewalls are useful when there's enough differentiated/sophisticated traffic to justify the resources spent - and enough money to pay for them. For SOHOs it's just overkill. -
Re:$AVE your Money!!
There's a fork called IPCop, no RM, no ego, and for those that wonder about noise, try using a flash card, or check out this little $283 dollar box called "The Hornet" at Monarch Computer They also have quieted boxes too. I was checking it out at Linux World last week, it seemed quiet enough (although there was quite a lot of noise (People) in general at LWE) So I *COULD* be mistaken. How can ya go wrong for 283 bucks though?
-
Re:Little clarification needed here ...
Or for simplicity of installation and setup - IPCop
www.ipcop.org -
Re:Bleh!
I have a 486/100 (with 16mb 30-pin simms, w00t!) doing a great job as a firewall for my home network. I also have a p233 that'll be a mail & ldap server as soon as I get around to dropping a drive in it.
Ah, I remember when 386's and 486's were top-notch stuff and hideously expensive..
Basically, old computers and switches and nics and stuff are so cheap now you can really learn a lot about tcp/ip networking for next to no money. I think I have less than $100 invested in my home network, most of which was for network cards and a switch. -
Linux Firewalls
If you want to quickly turn an old box into a dedicated and very secure firewall, then Smoothwall and a fork of it, IPCop are fine GPL examples. Smoothwall also sells a non-GPL version of their firewall with extra custom functions, but the basic Smoothwall is still GPL.
Both of the above support a load of network cards, and even USB-based ADSL (like the Speedtouch) right out of the box and are an absolute cinch to get running, even if you only have limited networking knowledge. They also provide a simple but powerful browser interface for administration (port forwarding, dyndns registration, squid caching web proxy, etc.).
If you want to add a firewall to an existing Linux box, then a good recommendation is ShoreWall which I've just recently set up on a Mandrake box and been very pleased with. It uses the kernel's Netfilter (iptables) support to do its thing, and is the best option if you want a multi-function firewall/router, etc., since both smoothwall/ipcop are designed to be more restrictive 'all in one' firewall distros where it can get tricky to do things like recompile the kernel without it breaking. Smoothwall and IPCop do provide regular security patches which are very easy to install via the browser admin interface (which even warns you when new ones have become available).
Smoothwall are usually a little quicker than IPCop at getting new patches out. Shorewall is a standalone firewall so it's up to you to keep the other apps updated. -
Re:Lincoln Neb.
I use ipcop and a jerry-rigged 2.4 kernel to accomplish this with QOS controls. You can find out all about it through ipcop and check out the "english support web" on where to find the modified kernel.
-
Smoothwall IPCop
Go for the decent, fully opensource alternative!
Now, with 100% less rudeness than smoothwall!
IPCop -
Try OpenBSD
I turned an old 486 with 24MB and a 500MB hard drive into a perfectly acceptable nat router/firewall/traffic shaper/dns cache for a cable modem in my previous house running OpenBSD. It ran really well and after recompiling the kernel it never used more than 14MB at most.
I am currently staying with friends who also use a 486 to share and firewall their cable modem using the Linux based IPCop. Setting up old 486s to do this is more flexible and much cheaper than buying a dedicated hardware router (although they also tend to be a bit noisier). -
Re:Mine didn't install anything, but
for a mindless linux-router/firewall setup, try ipcop. it takes about 15 minutes to configure, and lets you do everything from dyndns updater, DMZ pinholes, detailed logging, traffic graphs, and other goodies.
-
Re:I considered setting up a Linux router
Little dedicated routers are cool, but if you need to do it on the cheap, Linux is the way to go.
It's not necessarily hard, either: Try IPCop. It's a specialized distro that doesn't do anything but be a firewall/router. Web-based administration, similar to what you'd find in a Linksys or Netgear router. Average setup time is about 15 minutes. Runs great on older hardware.