Domain: openvpn.net
Stories and comments across the archive that link to openvpn.net.
Comments · 99
-
Re:“The Public Good”
Actually, since we're on Slashdot and all, the instruction should be:
Install your own VPN server and use that on all public networks. It's not that hard.
- https://openvpn.net/index.php/...
- https://wiki.openwrt.org/doc/h...
- https://play.google.com/store/... -
Re:Next step
Well then, it's time to learn some encryption techniques and roll your own.
-
roll your own VPN
Here's what I did. Perhaps it would work for your level of security / privacy needs:
1. Rent VPS (Virtual Private Server) running linux. From my vendor, I get 2TB of data transfer per month for less than $5.00.
2. Set up OpenVPN on remote CentOS linux server.
3. Install OpenVPN on my laptop. Verify against DNS leakage.
That process took about 15 minutes to set up and it's pretty straightforward. Security may be additionally enhanced by locating the remote VPS in another country, though your performance may suffer. The monthly cost of the VPS can be defrayed by using the server to host websites and files in addition to its service as a VPN gateway. -
Re:Network-wide solution?
If both sites are owned by you, it would be smarter to just deploy OpenVPN yourself at one site and connect the other site to it directly. No reason to pay a 3rd party service for that.
Pay special attention to the difference between openvpn.net and openvpn.com. The first one is the free, open source software project. The second is their commercial service for said software. You do not need to subscribe to the second to use the first.
-
Re:Most machines running VPNs
You just create your own CA cert and you use it to sign the other certs. So you are your own CA. Very accessible to mere mortals... ;-)
As always, you need to put your CA cert and the signing machine in a safe, without internet connection. I am only half kidding here. The CA cert is not required to run openvpn, only to sign certs.
-
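Added example for the "be your own CA" comment above; this is editorial code, not the poster's or the OpenVPN project's, and it uses only the openssl(1) command line rather than easy-rsa to show what that tooling does under the hood. It assumes the CA directory lives on the offline signing machine: peers generate their own key and CSR, only the CSR is carried to the CA, and the signed cert is carried back. Names ("Example VPN CA", vpnserver, alice) are made up. The extendedKeyUsage it sets is what lets the other side enforce `remote-cert-tls server` / `remote-cert-tls client`, so a stolen client cert cannot be presented as the server.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenVPN): a minimal offline CA
# for OpenVPN with plain openssl. The CA key never leaves DIR/private.
set -eu

# make_ca DIR  -- create the CA key and a 10-year self-signed CA cert.
make_ca() {
    mkdir -p "$1/private" && chmod 700 "$1/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$1/private/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# gen_csr DIR NAME  -- done on the peer; simulated in DIR/peers so the example runs
# on one box. Only NAME.csr has to travel to the CA machine, never NAME.key.
gen_csr() {
    mkdir -p "$1/peers"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/peers/$2.key" -out "$1/peers/$2.csr" 2>/dev/null
}

# sign_csr DIR NAME ROLE  -- ROLE is "server" or "client". The EKU is what
# remote-cert-tls checks on the far side.
sign_csr() {
    case "$3" in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "sign_csr: role must be server or client" >&2; return 1 ;;
    esac
    ext=$(mktemp)
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$eku" > "$ext"
    openssl x509 -req -days 730 -in "$1/peers/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/private/ca.key" -CAcreateserial \
        -extfile "$ext" -out "$1/peers/$2.crt" 2>/dev/null
    rm -f "$ext"
}

# verify_cert DIR NAME ROLE  -- chain check plus the role check OpenVPN performs
# for remote-cert-tls; returns 1 if either fails.
verify_cert() {
    case "$3" in
        server) eku='TLS Web Server Authentication' ;;
        client) eku='TLS Web Client Authentication' ;;
        *) return 1 ;;
    esac
    openssl verify -CAfile "$1/ca.crt" "$1/peers/$2.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/peers/$2.crt" -noout -text | grep -q "$eku"
}

# usage: sh make-ca.sh /path/to/ca-dir
if [ $# -eq 1 ]; then
    make_ca "$1"
    gen_csr "$1" vpnserver && sign_csr "$1" vpnserver server
    gen_csr "$1" alice     && sign_csr "$1" alice client
    verify_cert "$1" vpnserver server && echo "vpnserver: chain + serverAuth OK"
    verify_cert "$1" alice client     && echo "alice: chain + clientAuth OK"
fi
```

The server gets `ca.crt`, `vpnserver.crt`, `vpnserver.key`; each client gets `ca.crt` plus its own pair. Nothing on either side needs `private/ca.key`, which is the point of the "keep it in a safe" advice: the CA only has to come online (or rather, have a CSR carried to it) when a new cert is issued.
-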
Most machines running VPNs
"Most machines running VPNs haven't updated their SSL libraries" could be more precise. Maybe some VPNs bundle their own SSL libraries within their product but in that case, it would make more sense if they used the system wide libraries.
Example, you don't need to update OpenVPN, only the SSL libraries:
-
Re:Developers Developers Developers Developers
What killer Windows phone apps ever made any waves? None.
They can't. The API set is so god damn restrictive that there's a lot of shit you just can't even do on the platform that you can on iOS/Android/Win32. Universal App slightly alleviated that problem, but barely.
Slightly off topic, but what's particularly annoying is the WP fan sites periodically name and shame different developers who either don't make an app or make one but don't add all of the same features, which typically results in a small but annoying flash mob on app developer forums about how they're assholes for not supporting WP and how they're going to boycott the developers of what is often a free app. Example, some derp shaming OpenVPN developers even though it's not possible to write an OpenVPN app for WP.
-
OpenVPN
OpenVPN does exactly what you need. You can link your locations with a site-to-site tunnel and include the nets on both sides.
https://openvpn.net/index.php/...
You can set one of the VPN gateways as the default gateway for the other net and OpenVPN runs on all sorts of hardware including WLAN routers and iOS devices.
-
PFSense and OpenVPN
-
Re:It's not just the implementation
OpenVPN does its own transport protocol (on top of UDP or whatever was configured) to wrap the SSL control connection in. And for that reason OpenVPN implements its own heartbeat protocol. Let me repeat that: there is no use for TLS heartbeats with OpenVPN.
Side-note: as OpenVPN does not use vanilla SSL sockets, simple-minded Heartbleed exploits that work against HTTPS etc. won't be usable against it, but it is possible to hand-craft a Heartbleed attack against OpenVPN servers (or clients) running with unpatched libopenssl (although AFAIK such an attack has not been seen in the wild yet).
-
Re:Is OpenVPN affected?
See this notice - the answer is yes, if affected versions of openssl are on the system.
-
Re: Who cares about IPSEC?
Hmm, so a quick browse over to http://openvpn.net/index.php/open-source/faq/community-software-general/295-are-there-any-known-security-vulnerabilities-with-openvpn.html and we see: "Are there any known security vulnerabilities with OpenVPN? Not to our knowledge (as of 2004.12.08)" Not to be paranoid, but is it too much to ask for them to update their knowledge by about a decade?
Perhaps the developers cannot make the same claim now and are unable to state that backdoors exist?
-
Re: Who cares about IPSEC?
Hmm, so a quick browse over to http://openvpn.net/index.php/open-source/faq/community-software-general/295-are-there-any-known-security-vulnerabilities-with-openvpn.html and we see: "Are there any known security vulnerabilities with OpenVPN? Not to our knowledge (as of 2004.12.08)" Not to be paranoid, but is it too much to ask for them to update their knowledge by about a decade? Am a bit surprised that there doesn't seem to be much published analysis of the protocol.
-
OPENVPN
Live it, love it, use it (oh and it has commercial support too so it's not just a toy). http://openvpn.net/
-
OpenVPN on a free-tier AWS server
What I did after I went to china for the first time was to setup an openVPN server on a free AWS VM.
If you know how to use the Linux command line, this is probably the cheapest way to get around any censorship, insecure wifi and other things. Steps (not very detailed):
1. Get an AWS account (you need a credit card, but it will not be charged until you get over 15GB traffic and then it's $0.12/GB) (here)
2. Set up a micro VM of your choice (I prefer debian-based OSs)
3. Install openVPN and configure it according to the HOWTO
4. Install the client software on the computer you will be taking there (everything except iOS is supported)
5. Test it
You may want to set up a dynamic DNS for your server so the address doesn't change after restarts.
As a bonus, the location of your AWS server is the exit point, so you can choose where you want your VPN to exit based on what is censored where at which time (I currently have it exiting in the USA because in Germany almost all music on Youtube is blocked). -
Re:Breaking laws
Apparently Private Internet Access (VPN) is quite a popular way of getting around the great firewall of China...
It costs money, but it's pretty cheap, and apparently quite a reliable way to work around the firewall.
My only recommendation is to set it up before you get there since it requires OpenVPN, and http://openvpn.net/ is blocked within China. (The website, not the service)
-
Re:Not like most linux users!
Uhh, run openvpn on a non-standard udp port and I bet most will never even see it. Further run unprivileged, chroot'd, require rsa cert/key, tls auth key, and user credentials. There's a whole section about hardening it. http://openvpn.net/index.php/open-source/documentation/howto.html#security
Anything can be compromised given time and a discovered vulnerability, but I would bet this would be security enough for most people...
-
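Added example for the hardening comment above (it also serves the "roll your own VPN" recipe earlier on the page); this is editorial code, not the poster's files or anything from the OpenVPN project. `write_hardened_conf` emits a server.conf carrying the items the comment lists (non-standard UDP port, unprivileged user/group, chroot, client cert required, tls-auth, a credential check), `write_weak_conf` the default-ish config it is contrasted with, and `audit_conf` greps any server.conf for those items. The directive names are real OpenVPN 2.x options; the port, paths, subnet and `group nogroup` (Debian naming) are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's or OpenVPN's): hardened vs. weak server.conf and an audit.
set -eu

# has_directive FILE REGEX  -- REGEX must match at the start of a config line
# (comment lines start with # or ; and therefore never match)
has_directive() { grep -Eq "^[[:space:]]*$2" "$1"; }

write_weak_conf() {
    cat > "$1" <<'EOF'
# default port, root for the daemon's lifetime, no chroot, no control-channel HMAC,
# and no client cert needed: anyone who can reach the port gets a TLS handshake
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
client-cert-not-required
persist-key
persist-tun
verb 3
EOF
}

write_hardened_conf() {
    cat > "$1" <<'EOF'
# non-standard UDP port: scanners looking for 1194 never see it
port 21194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
# rsa cert/key: every client must present a cert from our CA, and a client cert
# at that (EKU), so a copied server cert cannot be replayed as a client
verify-client-cert require
remote-cert-tls client
# ... AND user credentials (PAM here; auth-user-pass-verify is the script route)
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
# tls auth key: control-channel packets without a valid HMAC are dropped before
# any TLS code runs, so unauthenticated peers never touch the SSL library
tls-auth /etc/openvpn/ta.key 0
tls-version-min 1.2
cipher AES-256-GCM
# unprivileged and chroot'd once the tunnel is up
user nobody
group nogroup
chroot /var/empty/openvpn
persist-key
persist-tun
keepalive 10 120
verb 3
EOF
}

# audit_conf FILE  -- one line per missing hardening item; returns 1 if any is missing
audit_conf() {
    f=$1; bad=0
    if ! has_directive "$f" 'port[[:space:]]+[0-9]+' || \
       has_directive "$f" 'port[[:space:]]+1194([[:space:]]|$)'; then
        echo "port: listening on the default 1194"; bad=1
    fi
    if ! has_directive "$f" 'user[[:space:]]+[^[:space:]]' || \
       ! has_directive "$f" 'group[[:space:]]+[^[:space:]]'; then
        echo "user/group: daemon stays root after initialisation"; bad=1
    fi
    has_directive "$f" 'chroot[[:space:]]+[^[:space:]]' || { echo "chroot: not confined"; bad=1; }
    has_directive "$f" 'tls-(auth|crypt|crypt-v2)[[:space:]]' || \
        { echo "tls-auth/tls-crypt: control channel not HMAC-protected"; bad=1; }
    if has_directive "$f" 'client-cert-not-required([[:space:]]|$)' || \
       has_directive "$f" 'verify-client-cert[[:space:]]+(none|optional)'; then
        echo "client cert: not required"; bad=1
    fi
    if ! has_directive "$f" 'auth-user-pass-verify[[:space:]]' && \
       ! has_directive "$f" 'plugin[[:space:]]+[^[:space:]]*auth-pam'; then
        echo "credentials: no auth-user-pass-verify or auth-pam plugin"; bad=1
    fi
    return $bad
}

# usage: sh audit.sh /etc/openvpn/server.conf
if [ $# -eq 1 ]; then
    audit_conf "$1" && echo "$1: all checks passed"
fi
```

Run against the weak config the audit reports six findings; against the hardened one it is silent. The check is textual, so it tells you what the file asks for, not what the running daemon got (a missing `/var/empty/openvpn` or a `ta.key` the clients don't have will show up at start-up, not here).
-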
VPN + VNC
1. Set up a secure VPN server at your site. This serves two purposes: getting access to external machines, and security.
OpenVPN is a good one to use, but if you can set up OpenVPN AS either on a Linux box or in a Linux VM you'll make life much simpler for everyone.
2. Set up the people you want to support with VPN access.
3. Set up VNC on their machines. TightVNC running as a service is ideal, but take the following precautions:
a. Set the service to Manual so they have to turn it on each time.
b. Have authentication.
4. Create easily-accessible shortcuts for them to use, and train them to use them.
5. At the start of a support session, get them to connect to the VPN, start the VNC service. You can either get them to tell you the IP address, or look at the currently-active VPN connections.
6. At the end of a support session, get them to shut down the VNC service and disconnect from the VPN.
I've found that even computer neophytes can be trained to do their part, and if they've got a minimal level of skill it's possible to talk them through the initial setup of the VPN and VNC client software. You just need to get them to the point that you can remote control, and then you can lock it down (changing service to Manual, etc).
-
Re:Fine, I'll bite
I haven't used openvpn for years, but what log verbosity did you set the openvpn server to?
http://openvpn.net/index.php/open-source/documentation/howto.html
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
-
The only private cloud...
The only truly private cloud is the one you own, manage and host yourself. For most users this is of course not feasible; they lack the knowledge, time and inclination to set one up. For us tech types however it's getting to the feasible stage.
We have all seen the news about the Raspberry Pi, a dirt cheap mini computer that can run on a handful of AA batteries. Take a linux distro of your choice which runs on the Raspberry Pi, add some lovely open source software like Zarafa, sprinkle lightly with a dynamic DNS and bake for however long you want in a cool Raspberry Pi. Serves an entire household (or more).
For that extra security flavour you can garnish with an OpenVPN connection, and deny all other incoming traffic.
Et voila! Mobile, web accessible email, contacts and calendar (plus whatever else you want to set up on there) with the data being on your machine and in your control.
-
Re:Open access but outside the firewall possible?
A router should support both modes simultaneously, offering itself as two access points. Encrypted links should have higher packet priority over nonencrypted links, so that guest access can't starve out authorized users.
You can also do this without having two access points.
I would use OpenWRT on a cheap consumer-grade router. If you want to provide a guest network as well as a secure, encrypted network for yourself, you could install a VPN solution on the router, e.g. OpenVPN. You would then connect to your unencrypted WiFi but then tunnel all your traffic over the VPN. The guest user can just connect normally. That also allows you to restrict guest users to some services, as well as using different QoS and traffic shaping (bandwidth throttling) settings. Some info on traffic shaping on Linux routers can be found here, as well as here (specific to openwrt). There is a nice table of hardware supported by OpenWRT here.
I wouldn't say that is an easy way the average consumer could do though. It requires some knowledge of Linux as well as Networking. -
This is easy...
-
Easy!
-
Re:Private Certificate Authority
10secs of googling gave me this:
- MS internal CA management tool howto (not tried)
- Similar for Linux (UNIX) (used often)
-
OpenVPN
http://openvpn.net/ would be ideal.
-
Re:NAT
Where did you get that information from? OpenVPN is UDP based and has always been as far as I can tell. It supports tunnelling over TCP but advises against it. From the documentation:
OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks.
-
and plan better for the next time.
Maybe I'm paranoid. Or maybe I just really want to rain hell down on whoever steals my laptop.
First, most thieves are dumb, they're not going to wipe it. They're going to sell it as fast as possible to get cash.
All of this is free and open source and should work on Mac and Linux, not sure how to create services in Windows.
1) Prey Project. An OSS theft recovery tool. Uses google geo location, web camera if it comes installed.
2) AutoSSH. I have an autossh run as a service that creates a link between my home router and my laptop. ssh -R 2222:127.0.0.1:22 home.example.com. So no matter where I leave my laptop, if it can get out to the internet, I can ssh into it from my home router.
3) OpenVPN. AutoSSH * 10. No matter where my laptop is, it IS on my home network. Leave it at a friend's house.
4) Keylogger. I have a launchd (cron) job set up to sftp me the log every day and then restart the log.
So now I know: 1) Where my laptop is and possibly have a photo of who is using it. 2 & 3) Can access my laptop and play fun tricks 4) Know exactly what said person is up to and when they login to gmail, facebook, etc. I have their passwords.
Sadly my laptop hasn't been stolen yet.
-
OpenVPN + your computer back home (or a vps)
I travel quite frequently and often need to subvert the various restrictions of local ISPs (DNS redirection, throttling, censorship etc.). The method that works for me is:
1). Rent a cheap 512MB VPS (I use Linode and highly rate them but there are many other providers)
2). Grab a copy of OpenVPN and set it up in server mode on your VPS (make sure you push "redirect-gateway" to clients so that they send all their internet traffic through the VPN)
3). Install a copy of OpenVPN on the computer you'll be travelling with (set it up in client mode and configure it to point to your VPS). That's it. All your traffic will now flow encrypted to your VPS where it will then break-out on to the open, unfiltered internet.
Additional tips:
- If you are using Windows on the computer you're travelling with, you need to make sure your DNS queries are going through the VPN (see: http://openvpn.net/archive/openvpn-users/2006-09/msg00020.html for what steps you need to take)
- To help obscure the fact you are using a VPN, set the server to use TCP rather than UDP (note: this will increase latency a bit) and set it to listen on a port normally associated with something else (e.g. TCP 993 which is normally used for secure imap or TCP 443 which is normally used for https traffic).
If you haven't got the cash for a VPS (frankly though you should, they are really cheap!), you could always setup the OpenVPN server on your home machine and point your travelling computer to that.....
Good luck!
-
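Added example for the travel setup in the comment above (and for the "verify against DNS leakage" step of the earlier "roll your own VPN" recipe); editorial code, not the poster's configs or OpenVPN project code. It writes the server/client pair for the "TCP 443, send everything through the VPS" case and checks the server config for the mistake that causes the DNS leak the comment warns about: pushing `redirect-gateway` without also pushing a resolver, so traffic goes through the tunnel while hostnames still go to the hotel or ISP resolver. The hostname `vps.example.net`, the 10.8.0.0/24 subnet and a resolver listening on the server's tunnel address 10.8.0.1 are assumptions. `block-outside-dns` is a real OpenVPN client option, Windows only (2.3.9 and later), and is the modern replacement for the manual steps in the 2006 mailing-list link.

```shell
#!/bin/sh
# Added example (not the poster's or OpenVPN's): full-tunnel server/client configs
# and a check for the redirect-gateway-without-DNS leak.
set -eu

# Server: TCP 443 so the tunnel blends in with HTTPS; push BOTH a default route
# and a resolver that is only reachable inside the tunnel.
write_travel_server_conf() {
    cat > "$1" <<'EOF'
port 443
proto tcp-server
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
verb 3
EOF
}

# Client (the laptop): remote-cert-tls server pins the server's role, so another
# cert from the same CA (say, a second user's client cert) cannot impersonate it;
# block-outside-dns stops Windows from also querying the physical interface's DNS.
write_travel_client_conf() {
    cat > "$1" <<'EOF'
client
dev tun
proto tcp-client
remote vps.example.net 443
resolv-retry infinite
nobind
ca ca.crt
cert laptop.crt
key laptop.key
tls-auth ta.key 1
remote-cert-tls server
persist-key
persist-tun
block-outside-dns
verb 3
EOF
}

# check_full_tunnel SERVER_CONF  -- 0 if the server pushes a default route AND a
# DNS server; otherwise prints what is missing and returns 1
check_full_tunnel() {
    f=$1; bad=0
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$f" || \
        { echo "no redirect-gateway pushed: only VPN-subnet traffic is tunnelled"; bad=1; }
    grep -Eq '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]' "$f" || \
        { echo "no DNS pushed: client keeps using the local resolver (DNS leak)"; bad=1; }
    return $bad
}

# check_client_conf CLIENT_CONF  -- 0 only if the server's role is pinned
check_client_conf() {
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$1"
}

# usage: sh travel.sh server.conf client.conf
if [ $# -eq 2 ]; then
    check_full_tunnel "$1" && echo "$1: full tunnel including DNS"
    check_client_conf "$2" && echo "$2: server role pinned"
fi
```

Once connected, the live check that matches `check_full_tunnel` is: the default route should point at the tun interface, and the resolver your OS actually uses should be 10.8.0.1 (or whatever you pushed), not the address the hotel's DHCP handed out.
-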
OpenVPN anyone?
PPTP can rot as far as I care. I've been using OpenVPN for a while now. It is much easier to set up, much less intrusive and much more secure.
-
Other press friendly methods
Is anyone else struggling to find the actual article? My CPU and fans went crazy on the actual article.
If you ask me, open source projects need to do these to appeal to the outside world:
- Treat the project like an actual marketable product, look at UltraVNC homepage It's delicious, you'd almost expect that you would have to purchase it. The author is obviously passionate about all these features. The download page even has videos for parts of the product!
- Naturally, put lots of beautiful screenshots and videos
- Advertise open developer chats to get user feedback. Maybe a moderated IRC channel which could then be turned into an interview on the website.
- Create narrated videos with Wink. Take a look at some o
- Using Mozilla's Press Center as a guide, I found the following:
- A dedicated press email address. You could set up an email address that autosubmits to your bug or issue tracker I reckon.
- Links to all closely related communities, like Mozillazine, Foxiewire and For the Record. Anything that expresses 'community support' to a journalist will be juicy!
- There's a list of rewards and awards down the right side. This kind of thing is quoted by magazines, stuff like 'worlds most secure browser', of course you need reviews first.
- User testimonials. Look at OpenVPN.
- Have a section called 'Community' and link to the IRC channel, mailing list and web forums.
- KDE has a section called 'KDE for your business'. It is explicitly trying to sell KDE to users by suggesting success stories of real people
- Impress businessy types makes me go cool.
If you want support from everyday people, you have to sell them the idea.
-
Re:Censorship is absolute or doomed.
If there exists any means of communication that is not blocked, that means can be subverted to support every form of communication. As a result, any partial technological block will inevitably be defeated.
People like to think in a boolean fashion, because it limits the number of things to think about. Something is "secure" or it isn't. Except that the real world doesn't work that way.
You lock the doors when you go to bed at night, but does that offer any real security when a craptastic $1 hammer at the local dollar store will break through all but the most resistant steel doors in moments? Apparently so, since it's widely documented that locking your door does, in fact, reduce crime.
Your statement might be re-worded:
If there exists any means of ENTRY that is not blocked, that means can be subverted to support every form of entry. As a result, any partial technological security device will inevitably be defeated.
Since most people will NOT unlock the door, the measures as simple and cheap as a $10 security lock will, in fact, provide useful levels of security for your home. Correspondingly, measures such as those taken by the current Iranian government will work to suppress free communication.
Sure, some folks are smart enough to set up an ICMP tunnel or use to tunnel IP over UDP/53 that's very difficult to trace, but those of us who can aren't the majority. We aren't even a significant minority.
There's a reason why freedom of speech is, in fact, important.
-
Become anonymous
The following are just some of the programs, which provide a level of both encryption and anonymous communication for Internet usage:
- Tor: Onion-based routing that acts as a proxy layer between the client computer and the Tor network. http://tor.eff.org/
- I2P: Also known as the Invisible Internet Project. The network is regarded as a message based system. http://www.i2p.net/
- FreeNet: is a distributed information and storage retrieval system designed to address the concerns of privacy. Freenet is designed to be anonymous and totally peer to peer. http://freenetproject.org/
- GNUnet: is a P2P network that can support many different forms of peer-to-peer applications. http://gnunet.org/
- Open VPN: is where one can use software that encrypts your traffic on a server created in another country instead of the one you are in. http://openvpn.net/
There are other programs and if you do not want others knowing what "traffic" you carry then you would be wise to use them.
-
Lots of poor "solutions" here
Pretty lame, people.
Move sshd to another port?
Obscurity.
Rate limiting?
IP-based bans on failed logins?
Elaborate username based bans?
All reactive solutions.
Portknocking?
A more complex obscurity tactic, but very weak as an extra authentication layer.
TFA mentions ssh public key auth, and disabling password authentication. That would be much better/more effective than anything mentioned here.
If you're serious about security, then you ought to actually add another layer. Firewall off ssh completely and require a VPN connection first. eg: http://openvpn.net/
-
Re:What's more a secure IM (or VOIP) than Skype?
Back in the day, I used H.323. Nowadays, I use mostly SIP. Both are open standards that can be used with a variety of clients, such as Ekiga, XMeeting, and Gizmo.
By default, these protocols are unencrypted. I would run them over a VPN (I use OpenVPN) so that all communication is encrypted. This also solves some of the connectivity problems that Network Address Translation creates.
-
Suggestion: OpenVPN
is a great solution (Windows, OS X, Linux, *BSD, Solaris, etc). Once you've started the daemon, it's available everywhere you go, transparently. Just proxy your web surfing, mail access through the VPN server.
(Of course in the FA's example, it only encrypts half of the transmission - to your proxy - but it's these edge networks that are generally most vulnerable - home wireless, Starbucks, random offices, hotels, airports and local ISPs. That said, never forget the NSA is listening on core networks.)
-
OpenVPN makes this simple
Pre-shared X.509 certs, plus an optional pre-shared transport access key.
That said, incredibly, I've seen some sysadmins email OpenVPN certificate/key pairs around. :-(
In both cases, people who considered themselves security experts... If you aren't already using it, check OpenVPN out, it's wonderful.
-
Re:It might last...
-
Re:MS always fucks you at the drivethru
Given the average
/. reader, I beg to differ on that point.
If you're referring to the average user, then perhaps it would be a valid point that MS was out to screw you for the availability of that one feature (pun intended).
However, if you're even remotely adept at dealing with network apps, then you would be actually screwing yourself by forking over "$200+" for a feature you could actually install for free by using OpenVPN or OpenSSH running on Cygwin.
Just my 2 cents... -
Re:If only we could contain the wireless signal
-
Re:time for IPSec?
OpenVPN is a very good userland VPN if you don't want the kernel-patching-goodness of FreeSWAN or other IPSec implementations.
-
Re:Even basic components still need work
I think you're wrong. VPN is a general concept with many implementations. You may be confusing VPN with PPTP (point-to-point tunneling protocol), which is a Microsoft protocol for implementing VPN. There are many robust implementations of VPN that don't involve Microsoft. For example, OpenVPN is supposed to be quite good.
At my university, Cisco-based VPN is the principal way you authenticate from an off-campus IP address to be able to use campus services. My iMac had no problem connecting to my University network, and the University supports Redhat with a RedHat specific setup script. I have no doubt that the University could have supplied a Ubuntu script, and that if I were more knowledgeable I could have constructed one myself.
The bottom line remains that Ubuntu didn't work for me (I literally could not follow the documented steps because the program did not work as documented), and the responses I got were "yeah, that's broken." -
Duplicity, OpenVPN and a friend or family member
I've been doing this for about a year, and it's working pretty well for my needs:
I setup my parents windows PC with an OpenVPN connection to my house and an FTP server (only listening on the TAP interface). I use Duplicity to do a GPG encrypted incremental backup to the FTP server over the VPN.
Duplicity uses encrypted TAR files for the backup, so your internal filenames...etc are never visible, which is an added benefit if you wanted to do this to a hosting provider..etc. Depending on the amount/size of your files, the first backup can be large. To get around that, I made the first backup to an external hard drive, and brought it with me on a visit (rinse and repeat a couple of times a year for good measure).
I haven't tried to restore a single file over the network, but have tested a full restore (copying the files back to an external). That being the case, I'm not sure I'd recommend this solution for a quasi on-line backup system. However, it does work quite well for just getting your data off-site (securely and incrementally), and since my parents live about 60 miles away, I'm getting a bit of geographical diversity as well. -
UltraVNC: 1) Repeater, 2) NAT-to-NAT 3) UVNC SC
We use UltraVNC over a VPN built into a hardware firewall. UltraVNC has "repeater" software that works around firewalls: "Repeater: With the help of the repeater you can use UltraVNC viewer behind a NAT router. NAT-to-NAT: The NAT to NAT connector allows for connections between UltraVNC viewer and server behind NAT routers without any router modification."
OpenVPN works around firewalls: "With OpenVPN, you can: * tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port". I haven't used OpenVPN because the documentation was cryptic, but it looks like very good software. There is an OpenVPN How-To, but it seemed poorly written to me. OpenVPN 2.1_rc4, released on 2007-04-25 looks a little easier, but I didn't test it. The basic idea of OpenVPN software seems to be that, if you are a very advanced networking professional, you will be able to read the explanation.
UltraVnc SC, as someone said below: "UltraVNC SC is a mini (166k) UltraVNC Server that can be customized and preconfigured for download by a Customer. UltraVNC SC does not require installation and does not make use of the registry. The customer only has to download the little executable and Click to make a connection. The connection is initiated by the server, to allow easy access thru customers firewall."
It's crazy to use closed-source remote software, in my opinion. They say, in effect, "You can trust us, none of our employees built in a back door. Really. You can trust us also that our company hasn't been sold recently, or changed policies without notifying customers."
Joel on Software's Fog Creek remote software is a joke, in my opinion. Joel says, in effect, "Let us perform a billectomy on your wallet. Then you can use our software that built on open source software and was extended by some interns over one summer."
I think the same about encryption software. There is only one good option. The open source, excellent, cross-platform TrueCrypt. -
Re:Why no security as standard?
Because SSL doesn't work for UDP
Excuse me? -
Re:VPN ISPs?
1) The router would be in the safe country anyway, therefore wouldn't be subject to physical wiretaps at the endpoint.
2) Don't waste your money on a Cisco router. It is MUCH easier and cheaper to just rent a Linux machine in a "safe country" and install OpenVPN on it.
3) Most of your traffic is going to be routed back through the US or EU anyway, where most of the world's servers (and backbones) are located.
4) Your "safe" routing node is still identifiable, even if your ISP refuses to give up your name/address. There are other ways of achieving the same goal through analyzing your traffic after it leaves the endpoint of your encrypted node. -
Re:Subscription fees for Starcraft 2 multiplayer?
It's difficult to play multiplayer warcraft 3 without going through battlenet as even though the game is hosted by the game creator, you cannot directly connect to that player without setting up some kind of vpn, packet forwarder (to make the server look like it's on the local network) or a cracked version of the game and a pirate bnet server
-
Re:misunderstood
What initially disturbed me was my initial misunderstanding that this had something to do with the patriot act or the stripping of my civil liberties. But it does not.
The only new thing here is the standard format for the compliance with the court order (and the new requirement that you be able to produce the records for the court). Most ISPs have been saying, "yeah, we don't have that information because we wouldn't have the capacity to store it, duh" up until now.
Did you feel like your civil liberties were stripped away when the court authorized a wiretap on so-and-so or whats-his-face? How do you suppose the court or the legislature would react if your telco said, "Yeah, we don't have the equipment to tap that line." I don't think that would go over so well. Thus: CALEA.
What frightens me a great deal more than the ability of the court to order us to produce data (and the requirement that we store it) is the remote control wire tapping device installed at the police station that can listen in on any line at our small phone company.
They're supposed to get a warrant first, but my feelings indicate that if I were a cop (and believed I was helping people) I probably wouldn't bother with a warrant until I knew there was something to get a warrant about. That is much more serious than this. Let me introduce you to my little friends openssl, openssh, openvpn and gnupg.
If you believe the discrete log problem is "hard" then you have no worries. Now try doing that with your phone...
-
Re:shorewall or sonicwall
I would second that: my company builds firewalls exclusively on CentOS using Shorewall. Shorewall...
- ...is a great abstraction layer for iptables, so writing your firewall policies and rules is more like writing them in English* than straight iptables (although you'll still want to understand iptables enough to debug problems);
- ...uses a modular config, including "macros" for commonly-used rulesets;
- ...allows you to set arbitrary variables, like $WEBSERVER or $ALL_PRIVATE_NETWORKS, which make your rules all the more natural-language-like;
- ...gives you an elegant "did I just compose a firewall that's going to lock me out of the box?" sanity check ('shorewall safe-start' or 'shorewall safe-restart');
- ...offers excellent advanced features like multi-ISP use and integration of bandwidth shaping (using 'tc') in a satisfyingly-straightforward way;
- ...and manages to put firewall admins "on rails" without sacrificing advanced capabilities (see above).
* I have no experience with its internationalization.
No, I'm not on the Shorewall devel team. ;-)
It's just a set of scripts, so it should run on any system that offers iptables and an sh-compatible shell. There are prebuilt packages ("noarch" RPMs, for instance) maintained for most major distros.
Coupled with Webmin (for which there is a Shorewall module available) and add-ons like OpenVPN, Squid, and DansGuardian, this makes for a pretty capable "edge box" that even "non-Unixy types" can manage, provided they understand the OS-independent aspects of firewall management...
(No, I'm not on any of those devel teams, either.)