Domain: m0n0.ch
Stories and comments across the archive that link to m0n0.ch.
Comments · 139
-
Re:Slightly OT - router between Private IPs
Well, that's easy enough. http://www.m0n0.ch/wall
-
Re:Sounds more like a DoS to me
Well, try a firewall specific distro then, such as m0n0wall. It's excellent, basically FreeBSD with everything cut out but the firewall. Link is http://m0n0.ch/wall, and I'm sure there are plenty of other hardened distros.
-
Try it and go muni if it doesn't work
There are plenty of nay-sayers. I say, try it (and get one of the providers to offer you a trial on the hardware). If it doesn't work to your satisfaction, then perhaps you could get a bunch of your boon-loving neighbors together and work out a muni-wifi internet service.
Grab a T1 on a high spot and beam everyone an m0n0wall traffic-shaped WiFi connection. If you can get a few people together, the cost could be reasonable. You might even be able to talk the "village" into a muni-wifi effort and then beam yourself a signal in return for your "free of charge" services.
-
Mine
Assuming my sister is home from prep school and I from college, this is what our network looks like:
- Cable Modem
- Netgear MR814 Router/Wireless AP - A dinosaur, I know, but has never failed me once.
- 2 Strictly-XP boxes.
- 1 HDD-less Dell Inspiron 8000 running m0n0Wall - Connected to WLAN via a Cisco Aironet 350 PCMCIA
- 1 Cisco ATA 186 for the Analog-to-VoIP deal. The whole house phone system is then connected to this using a Leviton M-Block.
- 1 Netgear router that creates another subnet. The m0n0 box is configured as the WAN for this router.
- 1 Fedora Core 3 machine connected to the LAN via the Netgear/m0n0 combo. Only sees use for web browsing by my mother.
- 1 FreeBSD box that serves no purpose as of yet.
- 1 Linksys WAP54G connected to the m0n0 subnet. Might eventually see use as a hotspot for my neighbors (all 5 of them). Still looking for suitable freeware Portal/Accounting software for this. Please email (or respond) with any suggestions.
-
Re:What's In Your Box?
I sure like M0n0wall
Easy to install and configure. Pretty well documented, too.
I replaced Astaro with m0n0wall, and have most of the features I used - minus some of the application proxies.
I have a tor installation on the box - easy to set up with privoxy, after I added Perl to the m0n0 mix (big as the rest of the distribution!) There are some add-ons, too.
-
Re:Okay now...
Use whatever's convenient for you, as in whatever works. I have an XP laptop for work with customers, a FreeBSD file & print server at home, a M0n0wall firewall, a second playing-around drive for my laptop with Debian Woody, a couple of live filesystem CDs with Auditor and other similar security-relevant distros as well as a Knoppix CD for recovery, and I'm buying a Powerbook soon to get real work done (network security analysis type stuff, PITA under Windows.)
OS evangelism is stupid, and you have some good points about usability.
As for your printing woes, please do have a look at CUPS -- it's the mutt's nuts for UNIX printing as far as I'm concerned.
-
m0n0wall
Try m0n0wall. It's a free BSD-variant (FreeBSD I believe) with an easy web-based interface and a good manual. You can use the ISO on an old machine or put it on a Soekris machine or the like for a silent firewall/router solution.
-
Here's a Nice Example
I am currently consulting for a large drug company; I was asked to help evaluate and deploy a small firewall device to protect networked diagnostics equipment at customer sites. The device had to be
- small
- cheap (less than ca. $250)
- robust
and a whole slew of other qualities, including having to work in an environment where ca. 3,000 boxes could be easily managed individually, by non-technical field service staff (as there's no chance of central management access to customer nets.)
We settled on M0n0wall running on a PCEngines WRAP board, after evaluating a pretty extensive number of commercial and a few open source products or packages.
I was really impressed by the openness that this (mainly Microsoft) shop showed towards this sort of thing--I encountered none of the "but if it's proprietary it's more secure" or "if it's proprietary, we have someone to sue" garbage you often get from management. There are good reasons to pick commercial, non-open software products, but these are entirely dependent on the companies that sell them.
In addition, what I really appreciated about this client was their willingness to put the developer on retainer while he finishes his studies, and to kick him some cash for time spent making changes, 3rd level support, etc. The guy who wrote M0n0 is a really superb and bright individual, and it's great to see a large company sponsor such people (plus it's costing them absolute peanuts.)
-
Re:All I can say...
Note that this animation does make an important point - the only *NIX system I have seen with a TOTALLY consistent set of preferences is m0n0wall, a BSD Firewall where all system preferences are stored in a single XML file.
-
Re:What I really want
You're looking for a captive portal. NoCatAuth is available as someone's already mentioned, but there's also a firewall project with one built in called m0n0wall http://m0n0.ch/wall/
-
Process management
One of the most irritating problems with using PHP for this is that the process management functions (pcntl) are usually not compiled into the distribution packages. PPTP Client includes a GUI app built on php-gtk, but you have to install an alternative copy of PHP with the pcntl extension built in to use it.
Me? I use shell scripts and perl. You might be interested in m0n0wall, which has all the boot scripts and the web interface implemented in PHP.
-
Re:You need a captive portal!
Or he might want to check out m0n0wall. It not only has the aforementioned feature, but much more. Traffic shaping/prioritizing, wireless support, along with everything you'd expect a router to have, and more. Not only that, the entire operating system fits onto a 16 MB compact flash card, runs off a CD using a floppy disk for settings, or simply runs off a standard hard drive. I'd highly recommend it.
-
Netscreen and Snapgear...
One solution that I've used that works well is to set up a Netscreen box at the main office, and then use a SnapGear at the remote sites. Both the Netscreen and the SnapGear run Linux underneath, so technically they are both as capable, but the Netscreen tends to be more versatile (and slightly more complex to set up) than the SnapGear, making it the more logical choice for the main office.
I haven't tried this, but Linksys does make a VPN router, or you could build your own using a Soekris net4511 and M0n0wall. M0n0wall is a FreeBSD-based VPN configured via the web with an interface that is very similar to a SnapGear. (The Netscreen is also set up via the web, but significantly different than the other two.) If you used one, you'll feel right at home with the other (I have no idea if this is intentional or not. And the screens are not laid out the same, they just are categorized the same, with a similar layout.)
Anyway, all the above solutions will let you set up a VPN, either with IPSEC (complete with your choice of SHA, DES, 3DES etc. encryption), or the older, less secure Microsoft Point-to-Point tunneling protocol (which I can't think of the proper name of right off hand, heck maybe P2PTP was it), and once set up they run pretty much error and maintenance free (except maybe the Linksys; I've used the others though, and they all work as advertised.)
-
Use m0n0wall with an embedded computer.
You really don't need to subcontract this out. Just get m0n0wall. It is a free embedded firewall package that runs beautifully, and supports all the VPN stuff you could ever want.
It is absolutely perfect for site-to-site VPNs. All you need is a static IP address for each endpoint. I run ours on a Soekris net4501 embedded computer. Total cost of computer + flash card + hardware encryption accelerator chip = $300. This is cheap for what you get.
-
Re:BitTorrent
I've had similar problems with the regular BitTorrent client without specifying an upload cap. I'd recommend you look into m0n0wall, it's a great firewall that you boot from a CD that can do traffic shaping. No more worries about badly designed programs spanking your network, the shaper is your friend
:) You can also get traffic shaping from the Linksys WRT54G when you add a 3rd party ROM image. I haven't tried it myself, but I assume it's the same concept.
-
Re:Why bother?
Nice post
:-)
Just for yuks, you might want to consider M0n0wall. I'm evaluating it for a client right now, and it's very impressive (BSD-based with a good PHP interface.) I'm running it on a PCEngines WRAP 1C-2 board (cheaper & faster than Soekris) and it works a charm (I ditched my cantankerous PC firewall for this a while ago.)
-
I'll Give You One for Free
I have an old Packard-Bell (woo, brand name!) Pentium 120 standing around, since I replaced it as my firewall with a PCEngines box running M0n0wall. Runs FreeBSD beautifully, and you get not one, but three network cards with it.
Provided someone comes and picks it up, that is. This great product comes for the low low price of...nothing!
All this, and I'll even throw in a keyboard, mouse and 15" CRT monitor. And for a limited time only, I'll include a set of FreeBSD boot floppies. One caller only, special offer expires...as soon as someone takes the f'ing thing away.
-
WiFi meets 1930s Radio?
Now that's a fun way to add Wi-Fi to your local coffeehouse--slip a m0n0wall Soekris and a DSL modem inside an old portable radio and put it on the countertop.
I think we'd want to have some weighted rules for judging a good "sympathetic" installation (highest first):
- If the radio works, it should continue to work (do no harm)
- As minimal damage to the original casing as possible
- The wi-fi unit is easily removed to return item to an old style radio
- Operation simple for the user (plug/unplug)
- Network indicator lights visible (through the mesh?)
Rob
P.S. For do-it-yourselfers, check out eBay's 1930s radios and NYCwireless's primer on setting up community nodes
-
Re:Soekris is what you want.
Nugget's comment is right on. I have bought about 10 Soekris boxes and they are perfect for this purpose. You can stick m0n0wall on them (see http://www.m0n0.ch/) or its cousin m0n0bsd. Or just roll your own. I've done all three and can't fault it.
-
Awesome little server
Put together some old parts...P1, P2 kinda things....around 200 MHz or so. Add a hard disk (doesn't need any real large size), couple network cards, 64 MB RAM or so....and a FreeBSD firewall with WebGUI. I'm running a firewall/router with a P3 500 on a 150 W power supply, and it probably needs even less than that. Also using the wonderful m0n0wall http://m0n0.ch/wall distro with an awesome webgui!
-
Re:Minimal Install Size?
You'll find some tips on a small install of FreeBSD here (and something packaged here). It's mostly aimed at embedded router-type systems, so as-is it would probably suit your gateway/dns/web box quite well. You should be able to easily fit that into a 16 MB flashcard; the smaller systems would have it running in 5-6. Expect to have more work to do for a desktop system.
You might also find it interesting to read about other efforts for making small systems on other OS, amongst others flashboot, flashdist, MeshBox, Pebble Linux. You'll probably also learn a lot about this by examining how 'live-cd' software is prepared (e.g. livecd.sf.net, knoppix).
A lot of these techniques are aiming at small single-task embedded systems (often on minimal hardware, e.g. net4501/net4801), but the techniques are generally applicable, and can be used to make all types of system on various OS.
-
Re:OpenBSD Desktop? Icky Poo.
*thumbs up* I haven't played with OpenBSD in about a year, but back then I found it unfriendly to install and encountered some hardware incompatibilities. I've always found FreeBSD to be thoroughly stable and reliable as a server OS.
As a firewall may I recommend MonoWall. It is a single CD (around 6Mb) BSD-based firewall/NAT solution with web-based administration, and is absolutely brilliant.
-
Re:http://www.soekris.com
For the Soekris box, also check out m0n0wall, which is a FreeBSD-based firewall (wired or wireless). The latest beta version supports traffic shaping, captive portal, VPNs, etc. The mailing list is very active, too.
-
Re:Slashdot
Would it be that much of an intellectual hurdle to switch to Perl, where you can leverage CPAN?
To accompany the addition of the CLI interface to PHP in 4.3.x, the PEAR repository was created. It is very much CPAN-like with a couple hundred maturing PHP OOP modules. Noteworthy among them is a DB module that provides database abstraction. Installing modules is as easy as
pear install MODULE
from the command line. Currently you aren't seeing PEAR used much because of its late addition to the 4.x series, but as soon as web hosts move to and embrace PHP 5 there should be a pretty good growth period. The same is true with the CLI interface, but it is taking hold. The m0n0wall FreeBSD router/firewall/packet shaper project uses PHP for system configuration instead of traditional bash shell scripts and C programs.
-
Outsourcing security from a net security product?
Ah, yes, the lovely irony of a security company outsourcing their own product's security.
Nothing like trusting your future to some shady fly-by-night low-bidder who's not an employee. Whoever at Netgear argued this process saves money, I almost pity you. Almost.
Although in this case, you can't argue that specs called FOR a backdoor... but maybe there were no specs at all.
I don't blame them for this "quick fix". As a longtime Software QA engineer I can tell you it takes more than 1 day to test something, unless you're willing to accept the risk that the fix could be worse. I'm willing to bet the OEM developer is probably just a one or two man shop, has no QA and might not even have source code control.
off-topic:
I run m0n0wall, a BSD distribution just for firewalls & routers. It doesn't need a hard drive so it's quiet.
I even yanked the CPU fan off the AMD K6/450 it is running on. CAUTION: passive cooling a CPU risks burning out the processor. To prevent this I fitted a stock AMD CPU sink from an Athlon 1800, and made a small duct for the power supply to draw air over the CPU (this was an OLD old ATX case with the PS directly above the CPU so it was easy).
Works great!
Too bad you can't upload m0n0wall into consumer routers. I think this is the next step. Some vendor will start making it very easy to do such a thing (discoveries like the Linksys WRT54G hacking do not count).
-
Re:hard to find... but not that hard...
If you only want to create a low-power firewall, take a look at the Soekris boxes, which are designed to run FreeBSD, Linux, OpenBSD, and NetBSD. Some models have three (3) LAN ports, as well as (optional) PCMCIA slots (for wireless LAN applications). Most versions boot from compact flash (or a microdrive), but there's a version that supports a 2.5" IDE laptop drive (however, note that the optional case for the IDE drive version supposedly has poor ventilation, and so the drive supposedly runs hot -- see the mailing list below). The processors are a tad slow (100-266 MHz 486-class processors), but they're generally more than enough for firewall/access point purposes.
There's a mailing list:
http://cinematic.forko.com/pipermail/soekris-tech/
There's also "m0n0wall", a FreeBSD-based firewall originally designed for the Soekris boards:
http://www.m0n0.ch/wall/
I'm in the process of upgrading my home firewall to Soekris/m0n0wall, although I plan on using an EPIA VIA M 10000 board for a home fileserver.
-
Re:i'm starting to agree
Well, if it makes you feel any better, we just made a purchasing decision against Cisco in favor of two simple Linux boxes running a combination of Shorewall and Heartbeat. The cost savings versus the cheapest Cisco firewall that does failover was worth the effort of installing the open source software. I also highly recommend m0n0wall for a SOHO Cisco replacement. I'd choose m0n0wall over a cheaper WatchGuard or SonicWall box any day.
-
Sheesh, Had to put spaces in this :)
Figured I'd better point this out, but there are already some good solutions to fixing this problem with FBSD. Check out this software router project called M0n0wall.
http://m0n0.ch/wall/index.php
I currently use it on an old P1, 200 MHz, 40 MB of RAM to control up and downstream bandwidth, so my computers don't interfere with my Vonage phone service. Works like a champ! Must have taken a total of 30 minutes to set up. Only a 5 MB download, no hard drive required, just a CD-ROM and a floppy drive.
-
m0n0wall
You can set up a Soekris box running m0n0wall and do everything in a single small box with no moving parts. Alternately you can save some cash using an old PC and either a CD-R or some sort of bootable flash drive.
It's embedded FreeBSD and will do all of the basic AP functions plus firewalling, traffic-shaping to keep P2P hogs from becoming nuisances, local DNS registration, etc.
-
Soekris
Why spend $500 on a noisy, failure prone PC when you can buy a small embedded computer that acts as an access point and a router? A Soekris net4521 is an excellent choice at $235. You can even get a high power 802.11b PCMCIA card, pigtail, and antenna kit
The OS work is already done for you as well, check out m0n0wall for a complete FreeBSD solution with a fancy GUI config system, or one of the small Linux AP distros, or roll your own. I run OpenBSD on mine.
-
Re:Suggestions for hardware?
m0n0wall runs on Soekris as well as a PC with just a floppy and CD-ROM (no loud HDD needed). I've been running this at the office for a few months now and I love it. (FreeBSD based).
-
Two words
-
m0n0wall + embedded board = best of both worlds!
Interesting, I just finished setting up this on one of these.
I was pretty damn impressed with m0n0wall, it's FreeBSD-based and fits on an 8 MB CF card, and has a nice web interface. Of course it's free software so you can hack it and improve it all you like (you need another FreeBSD box to do it on).
Check out this combo, it's the best of "plug and play" and "high quality free software" in one Institutional Green sheet metal case!!
-
m0n0wall
Check out m0n0wall, it's a stripped down FreeBSD router distro, running ipfilter, PHP (CGI version), thttpd, MPD, ISC DHCP server, ez-ipupdate (for DynDNS updates), Dnsmasq (for the caching DNS forwarder), racoon (for IPsec IKE). It has support for Prism wireless cards too and has a build specifically for the net45xx. I just set one up at home with a Netgear MA311 wireless PCI card, makes for a nice router.
-
Soekris units have 3 network interfaces
If a company would come out with a cheap mini-pc just like the one in this article(no fans, small, etc) with 3 or 4 interfaces, I bet they would sell like hotcakes for use as cheap linux firewalls that don't take up a huge amount of space and don't sound like a jet engine all the time.
Soekris Engineering already has these. They build custom single-board PCs which are low-power and run fanless. They are not going to replace a PC for desktop use, but are terrific for firewalls, VPNs, wireless base stations, and the like.
They have several different models, with 2 or 3 network interfaces. The units with 2 interfaces have a slot to take a wireless PCCard to become a base station. They boot off compact flash, or tiny IDE drives. They can take a crypto hardware acceleration card. They can be powered by PoE (Power Over Ethernet).
The new net4801 takes the processor clock up to 233MHz. Like I said, not a speed demon, but it's a beautifully designed piece of hardware.
There's also a nice turnkey firewall package for the Soekris boxes, called m0n0wall, that's pretty functional and virtually idiot-proof. You could build a business selling these things, it's commercial quality polish.
-
Re:m0n0wall
While I like m0n0wall (seriously -- check it out!), it's based upon FreeBSD, and not Linux.
M0n0wall (yes, the l33t spelling is correct), was originally written for the low-cost Soekris communication PCs, which I also recommend that people check out, although the new VIA EPIA boards are also attractive (but more expensive).
-
m0n0wall
Just thought I would throw in a quick plug for m0n0wall, a Linux-based firewall that I use. It is 5 MB in size and can run from a HD, a CD and FD combo, or a CF card. With a nice looking web based front end. Also has support for NAT, wireless, a DHCP server, ummm lots of other stuff. m0n0wall site is here if you want more info.
It seems that CF cards are the next thing for the mini-OSes at the moment. Quiet, low power, starting at around 3x the cost of a FDD for about 50 times the space (64 MB card).