Domain: shorewall.net
Stories and comments across the archive that link to shorewall.net.
Comments · 38
-
Re:Bufferbloat
I use Shorewall to configure packet filtering for me which does some QoS support. It seems simple enough but I'm not sure how to know if it uses or is affected by the new kernel options. I understand packet filtering a lot better than I understand traffic control.
-
Colons
It was apparently the only character thought to be unencumbered for this purpose at the time.
But it clearly wasn't, even at the time. It's too late now of course. It sounds ridiculously trivial, but it causes conflicts and ambiguity fucking everywhere an IPv6 address features in a script or config file or parameter, which has now led to the invention of using square brackets as additional quasi-standard outer delimiters for IPv6 (see: URLs, postfix config, shorewall (now - initially they picked something else), etc., etc.) - but unfortunately only most of the time, not always. If it was globally agreed "IPv6 address literal? let it begin with [ and end with ]", even if they kept the unfortunate colons, then you could at least write them unambiguously as part of larger strings featuring colons for other purposes, like so many command line args, config files and urls do.
At the very least, if you're implementing IPv6 support, please be aware of the de-facto conventional choice of [ and ] for extra outer delimiters, don't go inventing different ones like shorewall initially did (then fixed, to their credit).
-
Re:Dual wan Router
I use a three interface linux box with Shorewall http://www.shorewall.net/MultiISP.html
as the firewall software. Shorewall allows you to do Multi-ISP routing but does not do dynamic routing so you have to restart the software to change the routing. Dynamic routing based on link quality is very hard to do properly.
-
Re:If you've got an old PC around
I would recommend Shorewall for those looking for the power of iptables without the hassles of the syntax and/or not understanding what is going on. It is very easy to set up the most common of rules but you still have a great deal of power if you need it. The documentation is also quite good, which helps a lot, of course.
I'm using it at home for NAT and also at my company for routing and firewall.
-
XEN
I have been pretty happy with a debian setup with xen. I have debian as the dom0. Then 2 other virtual debian installs. One as a router with 3 nics and shorewall, squid, and some other stuff, the other as a webserver through a virtual dmz to the router. http://www.shorewall.net/XenMyWay.html Other than that there are distros like smoothwall and ipcop if you want a full distro firewall. I never could get good throughput through stuff like the wrt routers, which would trash voip convos.
-
Re:The best
Exactly. We got one of these for work: Supermicro Flex Atom 330+ Intel 945GC
Draws about ~16W of power with a laptop 2.5" sata harddrive and full ram slots. Pair it with either CentOS or a prepackaged firewall setup like Clarkconnect, M0n0wall, shorewall, or firestarter (IP tables gui for full linux install). You can even setup something like Asterisk NOW! and pair in an IP Tables firewall and OpenVPN support for a very robust, small, silent, and low power solution.
-
Intel Atom
Here is what I have:
http://www.newegg.com/Product/Product.aspx?Item=N82E16813121383
2gb ram
Plus 2 hard drives in raid 1.
What does it all do? Here's what:
Debian lenny amd64 as the base xen dom0
Debian lenny i686 in domU as a gateway/router running shorewall, squid, dansguardian, psad
Debian lenny i686 in domU as web, smtp, imap, torrent, amule, and various perl web bots, server.
Like I said all of this through xen like here: http://www.shorewall.net/XenMyWay.html
The box with one hard drive drew 38 watts idle and 44 max. I haven't measured it since I added another hd.
Note that the psu on the box is very old and inefficient. I am sure a newer one would lower the power draw 5-10 watts.
Stats here. Not posting my main website since I normally only come here to troll
http://christi.ath.cx/stats/
-
Here is what I did
Here is my set up. Don't need no stinking routers: http://www.shorewall.net/XenMyWay-Routed.html Shorewall is really easy to set up. I am ashamed that I put it off for so many years.
-
Re:Finally, I can torrent from windows
Hopefully it's less of a problem today than when I bought my router 3-4 years back
It's not. I recently gave up on hardware routers because of this - whenever I torrent something, my new routers (tried a linksys and a netgear with up-to-date firmware) would start refusing all traffic within an hour. I installed a second NIC on my home server, configured an ubuntu virtual server using Shorewall via a bridged connection to the new NIC, and have had absolutely no problems since.
Even better, it's now a matter of editing a simple config file to change routing and forwarding rules, followed by a config reload - no clunky web interface that requires me to reboot the router for every small change. Also no more artificial limits on things like # of ports forwarded, lack of good port range support, etc.
And in the rare event of a hang or lockup (once in the last six months), I don't have to trot down to my basement to physically reset hardware... I just restart the VM over ssh to the host.
-
Re:router
http://www.shorewall.net/ - Once you use it, you'll never go back.
-
Re:i hate you all
I use shorewall for this, by the way. http://www.shorewall.net/
-
Re:All very good, but...
AFAIK, it doesn't provide a way to throttle connections (if it does, please share).
We don't use it ourselves - and we use Shorewall to manage our firewall settings, but I refer you to Shorewall Rules. There is a section there titled "rate limit". It allows you to control how many connections per second/minute and how big of a burst are allowed before Shorewall will block it. AFAIK, this is done with iptables.
Or this older article from 2005 Using iptables to rate-limit incoming connections.
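The rate-limit column the reply above points at, written out as a Shorewall rules entry. This is an added example, not text from the post or from the Shorewall documentation; the zone names follow Shorewall's two-interface sample (net is the Internet-facing zone, $FW the firewall itself), and the port, rate and burst values are assumptions chosen for SSH:

```conf
# /etc/shorewall/rules (example fragment, Shorewall 4.x column layout)
#
# RATE LIMIT column syntax: [s|d]:[name]:rate/{sec|min|hour|day}[:burst]
#   s: = limit per source address, d: = limit per destination address
#   (both use the hashlimit match); without a prefix the limit is global
#   for the rule. A rule with a rate only matches packets inside the
#   limit; excess packets continue to the rules and policy that follow.
#
#ACTION    SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE
# Accept new SSH connections from the Internet, at most 3 per minute
# from any one source address, allowing a burst of 5 before limiting.
ACCEPT     net     $FW   tcp    22     -      -         s:ssh:3/min:5
# Anything over the limit hits this rule and is dropped with a log
# entry; without it the excess would fall through to the net->$FW
# policy (DROP in the two-interface sample, so silently dropped).
DROP:info  net     $FW   tcp    22
```

The s: prefix is what makes this a per-client limit; a bare 3/min:5 would let one noisy host exhaust the budget for everyone. Run `shorewall check` before `shorewall restart` to catch column mistakes.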
-
shorewall or sonicwall
Nobody seems to have mentioned it, so I will... check out Shorewall: http://www.shorewall.net/
If you want a hardware solution, SonicWall firewalls are pretty nice these days. And I would avoid the PIX, personally.
robert
-
Doing it on a budget.
I helped a guy out with this sort of thing once before, and this is what we came up with:
Two boxes.
The first machine was set up with Debian and Shorewall All the other machines lived behind it.
The second machine was also set up with Debian, and with some rsync silliness, we got all of the lab machines re-imaging themselves every night.
It was a bit of a hassle to get running at first (we had to wipe every machine and install linux on it) and there is the drawback that the windows partition was living on FAT32 (unless NTFS write support has become significantly better, this might still be an issue). We also had to use Smart Boot Manager as it had the nice feature of being able to schedule boots. At midnight, every machine in the building would reboot into linux, rsync their windows partition against the master server, and then reboot to windows in the morning.
There were some good things to this, though:
1) Everything was done out of band, so even when windows would normally complain or make things difficult (some system files, as I recall), it was totally out of our way.
2) You could push a new image to the rsync server and within 24 hours all of your machines would be patched.
3) No matter what crap they installed or littered on the machines, it was gone the next morning.
4) Rsync is smart enough to do deltas and only push across the files that have changed, so it was reasonably bandwidth friendly.
5) When a machine crapped out (due to software, anyhow), you could walk up to it, reboot it, perform the magic keyboard voodoo, boot into linux and reimage it.
I'm sure there's fancier ways of doing this, but it's the sort of thing you can potentially scrape together the basics of in a few days and, with the exception of the two machines, it's only the cost of labor.
-transiit
-
Re:No, the Article is Right On!
Outlook? There's Evolution or kontact
Viruses? what's that?
Oh well, if you're worried about email viruses, you can always check out ClamAV
ActiveX controls that install software without you knowing are the last thing you have to worry about on linux.
Popup blocker? It comes with Mozilla Firefox
Firewall? It's called Netfilter but if you find it too hard to configure, there are tools available, like Shorewall
And finally, there's a large choice of IM Clients on linux, like aMSN and Gaim that support animated emoticons and toaster popups (I haven't got the slightest idea about what the blue tray guy is)
Anyways, if you don't like any of these, you can always check out your distribution's package database for other software.
-
My list as a professional admin
Overarching principle of making-your-life-easy: if you support more than three systems, treat them as a cluster.
- This means you have a dedicated admin machine that only a few very trustworthy admins have access to, that is very secure (no root logins, firewalled heavily, patched often, etc). I highly recommend running
SuSE Enterprise Linux 9 with the IBM EAL4+ Security Configuration
All maintenance activities are run from this management server.
- Use the Parallel Distributed SHell (PDSH) utilities: http://www.llnl.gov/linux/pdsh/pdsh.html. These allow you to run commands or copy files to a single system, a group of systems, or all systems at the same time. Wondering what kernel all your systems are running? Just issue a `pdsh -a uname -a`. Need to copy out the sudoers file? `pdcp -a /home/admin/node_files/sudoers /etc/sudoers`
- Run Ganglia for resource monitoring: http://ganglia.info/
- Run Samhain for filesystem integrity scanning on all servers: http://la-samhna.de/samhain/
- Host based firewalls for all servers: http://www.shorewall.net/
- Power supplies have caused more instability in my experience than any other single hardware component. Buy both good equipment and buy systems with dual redundant hot-swappable power supplies for the important machines
- Good deals can be had from the big vendors. Although we run a lot of whitebox and IBM equipment, Sun currently has a great system for a very cheap price (starts at $745): http://www.sun.com/servers/entry/x2100/.
- NFS sucks, but is the best filesystem glue-layer available. It is very sensitive to high latency environments, so run it over Infiniband (it has very low latency and massive bandwidth (5us, 1.25GB/s)) if you need to squeeze out the best performance.
- Every system should have an electronic "system book", which contains the full hardware specs, including where each part gets service from (if bought separately), how long the warranty lasts (give end dates), contact info, etc. If you are managing 50 or less systems, keep track of all changes in a central location, otherwise track all changes by using a system which scales (even a handwritten script and DB table would be sufficient).
- Good enough is the enemy of the Best, but that is a good thing. Never overengineer a solution, this only means that other problems go unsolved.
-
Re:Software firewalls?!
I'm partial to shorewall - and the shorewall webmin plugin.
-
Re:Opensource list
I'll just add a bit to that list from the top of my head.
Although I think the listed apps go beyond what the so called 'average pc user' wants, here goes...
1. Konqueror ( http://www.konqueror.org/ )
2. Email - Sylpheed ( http://sylpheed.good-day.net/ )
3. I think Evolution is more like in this place.
4. Lately "Sound Juicer" is taking more attention too
5. VideoLAN aka VLC ( http://www.videolan.org/ ) and Ogle ( http://www.dtek.chalmers.se/groups/dvd/ ) [and Goggles ( http://www.fifthplanet.net/goggles.html ) for Ogle GUI wrapper] for DVD watching.
6. There are plenty of ways to do this, but the typical ones could be 'Jinzora' ( http://www.jinzora.org/ ) and 'MusicPD' ( http://www.mpd.org/ ), even plain Apache does it fine too, in a way.
8. If you want easier to manage iptables wrapper, Shorewall ( http://www.shorewall.net/ ) and there are other wrappers too.
9. KOffice ( http://www.koffice.org/ ) and by individual components, Abiword ( http://www.abisource.com/ ), Gnumeric ( http://www.gnome.org/projects/gnumeric/ ), Gnucash ( http://www.gnucash.org/ )
10. Inkscape ( http://www.inkscape.org/ ) or Sodipodi ( http://www.sodipodi.com/ ) for vector graphics.
11. Miranda ( http://miranda-im.org/ ). Windows only.
13. Hmm, Samba? ( http://www.samba.org/ ), WebDAV (look at the parent post), FTP (plenty of ftp daemons, ex: http://www.proftpd.org/, http://vsftpd.beasts.org/ etc)
16. GPhoto ( http://www.gphoto.org/ ), EOG ( http://www.gnome.org/ ? ), GQView ( http://gqview.sourceforge.net/ ). The latter are mainly just for viewing.
20. FreeNX ( http://www.nomachine.com/ , http://freenx.berlios.de/ ) http://www.poptop.org/ ), L2TPd ( http://sourceforge.net/projects/l2tpd ), RP-L2TPd ( http://sourceforge.net/projects/rp-l2tp/ )
24. Postfix ( http://www.postfix.org/ ), Sendmail ( http://www.sendmail.org/ ), Exim ( http://www.exim.org/ ), Cyrus ( http://asg.web.cmu.edu/cyrus/imapd/ ), Xmail ( http://www.xmailserver.org/ ), qmail ( http://www.qmail.org/ )
25. Spamassassin ( http://spamassassin.apache.org/ )
26. Same as above.
27. XSane ( http://www.xsane.org/ ) for sane frontends.
30. Buzzmachines ( http://www.buzzmachines.com/ ) I could be wrong...
31. 'various GUI frontends' - X CD Roast ( http://www.xcdroast.org/ ), K3B ( http://k3b.sourceforge.net/ )
32. Don't know any opensource ones...
-
Re:Linksys?
I was basically doing this on a 486 33Mhz pc using shorewall and a tc script, until I replaced it with a linksys wrt54G running openwrt, shorewall and wondershaper.
the openwrt handles everything I throw at it on my 5/5Mbit link, with low cpu consumption (10-30% depending on load), and the ping times are lovely with wondershaper.
the linksys isn't a powerhouse exactly, and a shorewall restart takes about 90 seconds, but with iptables save/restore this is a nonissue. Boot times are quite acceptable compared to all semi-advanced routers out there. Not that you ever reboot the thing...
I admit that it does take quite a beating to saturate my 5/5 in the first place, but it happened frequently enough to be worth the 30 minutes it took to set up shorewall and wondershaper on the router.
the wrt54g+openwrt has lower power consumption than a full pc, and very low noise compared to a pc, but still remains a full linux with the ipkg package management, allowing you the usual freedom you experience in linux. Something you don't get from all the custom firmwares out there.
And it's dead easy to install for even the least technically inclined gamer out there. But it does require the use of ssh and reading skills, so it's a notch harder than custom firmwares that use the web interface only.
sepski
-
http://www.shorewall.net/
Hello, very nice firewall: http://www.shorewall.net/ It has a GUI on webmin ( http://www.webmin.com/ ) and runs on any Linux distro. I have had it for 2 years, and I'm so happy with it, and the community behind it is very active. Good luck. Kind regards, Samer
-
Re:OpenBSD, of course!
Try this for a good (non-GUI) iptables frontend:
http://www.shorewall.net/
Works well, is very flexible, easier to config than iptables directly & has stock configs for multiple interface setups.
Run it with Mandrake mnf or ipcop & you're good to go.
-
Re:Also IPCOP
Take a look at Shorewall! That's what I use. Works well, configurable, comes almost ready to use out of the box.
And, don't ask me why a main page title mentions Shoreline firewall.
:)
-
Re:No surprise here
Another programmer who hates to write documentation
Maybe he hated it but he has written documentation: http://shorewall.net/Documentation_Index.html
-
Re:Overpriced
While there are plenty of good reasons to have an all in one little box that does this, I like my current linux box setup for flexibility. Like running a dynamic dns client on the router or a script to do dshield reports. Anyway, you can do all the qos stuff pretty easily even if you are fairly new to linux. Just install your favorite linux distro, use the shorewall firewall, grab the wondershaper, and follow these directions to adjust the shaper to your needs. Like lowest priority bittorrent and ftp and highest priority ssh, http, and your games. It's probably free if you have an old box laying around too.
-
Re:OpenVPN
I second OpenVPN as well.
We've used FreeS/WAN (now OpenVPN) since 2001, with nary an issue. We currently have 12 connections ranging from 144KBit to 3Mbit (all business quality!) all connected together. The VPN/firewall hardware at each site is a Pentium 120Mhz w/ 32MB of RAM, two network cards, and nothing but a floppy disk booting/running LEAF's Bering-uCLib. We have Win2K/XP VPN clients connecting to these "LEAF" systems as well. In theory, OpenVPN can support many hundreds of VPN tunnels - though the highest we've pushed it was around 30 (ie: permanent tunnels plus the Win32 clients) - with about 600 users between all the sites.
When we stress-tested this hardware/software combo, we were able to push just over 7Mbit/sec, and only added about 5ms latency to the link!
This combo has been rock solid - not a single connection failure can be blamed on the VPN software - it has been either the last mile, a NIC failure, or a bad floppy disk. Administration is via SSH (with a web-based admin console in development), and the firewall code is Shorewall.
-
Re:PeerGuardian
You could try using those lists with shorewall http://www.shorewall.net/ but it may slow down the poor 'puter as well.
-
Well, then...
I can recommend shorewall. Very easy to set up and "secure by default" (ie. has built-in rules to prevent various forms of spoofing, denies incoming traffic by default, etc).
-
Re:i'm starting to agree
well, if it makes you feel any better, we just made a purchasing decision against cisco in favor of two simple linux boxes running a combination of shorewall and heartbeat. The cost savings versus the cheapest cisco firewall that does failover was worth the effort of installing the open source software. I also highly recommend m0n0wall for a SOHO cisco replacement. I'd choose m0n0wall over a cheaper watchguard or sonicwall box any day.
-
LEAF is very solid
The LEAF distribution of Linux (leaf.sourceforge.net) has performed excellently over the years. Various sub-distributions have tackled different things, and I've happily been using Bering at my company for years now. Smoothwall and Bering sound similar: Bering offers a 2.4 kernel, one floppy default running size, easy setup, good documentation, an active and helpful mailing list, and Shorewall for those of us who don't want to muck around with iptables scripts. (I'm guilty of using iptables by itself for some time. Shorewall's thorough implementation is sobering to this do-it-yourself-er.)
-
Re:2.6
use Shorewall. Simple as it can be.
-
Netfilter
I don't know why this guy spends so long complaining about Netfilter. If he wants ease-of-configuration, then download something like Shorewall. I am not a Linux newbie, but I am fairly new to software firewalls. However when I moved one of my boxes out from behind its hardware firewall/router for a few days, I downloaded Shorewall and had it up and running in less than 10 minutes, then it took me about a minute to work out how to open port 22 for SSH.
-
Yes, it is simple.
You may want to try the Shoreline Firewall if you want to learn to use an iptables firewall on linux (or even if you don't, you can just use shorewall and never actually write your own custom scripts).
add wondershaper and you can have a VERY decent firewall/traffic shaper knowing almost nothing of how it works.
If you have problems editing text files (such as shorewall uses for configuration) you can also use webmin for a point and click interface with most of the functions.
-
Other Popular Linux Firewalls.
The firewall is obviously a 2.4 kernel with iptables, but to manage those complicated iptables rulesets here are a few of my favorites:
- Shorewall
- SuSE Linux's "susefirewall2" (read Togan's susefirewall2 faq)
- Webmin's IPTables management module
Lately, I've been using SuSE 8.2 susefirewall2 mostly, because it's just so damned easy to configure to do what I need it to do, all in a simple text config file.
-
Linux Firewalls
If you want to quickly turn an old box into a dedicated and very secure firewall, then Smoothwall and a fork of it, IPCop are fine GPL examples. Smoothwall also sells a non-GPL version of their firewall with extra custom functions, but the basic Smoothwall is still GPL.
Both of the above support a load of network cards, and even USB-based ADSL (like the Speedtouch) right out of the box and are an absolute cinch to get running, even if you only have limited networking knowledge. They also provide a simple but powerful browser interface for administration (port forwarding, dyndns registration, squid caching web proxy, etc.).
If you want to add a firewall to an existing Linux box, then a good recommendation is ShoreWall which I've just recently set up on a Mandrake box and been very pleased with. It uses the kernel's Netfilter (iptables) support to do its thing, and is the best option if you want a multi-function firewall/router, etc., since both smoothwall/ipcop are designed to be more restrictive 'all in one' firewall distros where it can get tricky to do things like recompile the kernel without it breaking. Smoothwall and IPCop do provide regular security patches which are very easy to install via the browser admin interface (which even warns you when new ones have become available).
Smoothwall are usually a little quicker than IPCop at getting new patches out. Shorewall is a standalone firewall so it's up to you to keep the other apps updated.
-
Re:Kernel Series 2.2
LEAF Bering. It rocks. seriously. Shoreline firewall config, Free S/WAN support, and more!
I'm not trying to knock you, I'm just plugging a cool product (although I'm just a user, myself).
-
LEAF!
I use LEAF, and have since they forked their code from the original "Cop Killer" Dave at linuxrouter.org. The Bering floppy and CD images are the best, with tools like GRSecurity (enhanced kernel security), Shorewall (great tool for configuring ipchains, for every possible setup), FreeS/WAN (IPSEC/VPN tools), and a 2.4 based kernel that works great on a 486. The best thing is the developers over at LEAF, keep their packages current.
At present, I have 6 offices hanging off this setup, with each one running the VPN daemon as well. There are plans in place (installation stage) to get 6 more internet circuits for the rest of our offices, making for a total of 12 offices running off this code. It's excellent code, with a very well integrated setup, using standard tools, and gobs of documentation.
The best thing: except for the main office (which uses a P166), everyone else will be running their firewall and VPNs on pentium 100's or 120's, with 24 or 32 megs of ram.
-
My setup...
I spent a while fooling with various IPTables scripts, but finally settled on the gpl'd shorewall package.
It handles all my iptables configuration, including NAT with port forwarding.
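Several of the posts above describe the same thing in prose: a two-interface Shorewall gateway that denies inbound traffic by default, has the anti-spoofing options turned on, masquerades the LAN, opens SSH to the firewall, and forwards a port range to a torrent client (the "Finally, I can torrent from windows", "Well, then...", "Netfilter" and "My setup..." comments). The configuration below is an added example, not text from any of those posts or from the Shorewall project; the interface names, addresses, the DHCP-on-the-WAN-side option and the torrent port range are assumptions, and the file layout is the Shorewall 4.x one (the masq file; Shorewall 5 replaced it with snat).

```conf
# Assumed topology: eth0 faces the ISP (zone net, address via DHCP),
# eth1 faces the LAN 192.168.1.0/24 (zone loc), and the torrent
# client lives at 192.168.1.10.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# routefilter/logmartians reject and log packets whose source address
# cannot have come in on that interface (spoofing); nosmurfs drops
# broadcast-sourced packets; tcpflags drops illegal flag combinations.
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1       detect     tcpflags,nosmurfs

# /etc/shorewall/policy
# First matching line wins, so the catch-all REJECT goes last.
# net->anything is DROP: nothing from the Internet gets in unless a
# rule below explicitly allows it.
#SOURCE  DEST  POLICY  LOGLEVEL
loc      net   ACCEPT
$FW      all   ACCEPT
net      all   DROP    info
all      all   REJECT  info

# /etc/shorewall/masq
# SNAT (masquerade) the LAN behind whatever address eth0 currently has.
#INTERFACE  SOURCE
eth0        192.168.1.0/24

# /etc/shorewall/rules
# Without SECTION markers every rule applies to NEW connections.
#ACTION  SOURCE  DEST                  PROTO  DPORT
# SSH to the firewall itself, from the LAN and from the Internet.
ACCEPT   loc     $FW                   tcp    22
ACCEPT   net     $FW                   tcp    22
# Forward the whole torrent port range (low:high) to the LAN client,
# no per-port limit and no GUI involved.
DNAT     net     loc:192.168.1.10      tcp    6881:6889
DNAT     net     loc:192.168.1.10      udp    6881:6889
# Port translation: external 2222 lands on the client's SSH port 22.
DNAT     net     loc:192.168.1.10:22   tcp    2222
```

The DNAT rules also insert the matching filter ACCEPT, so no separate allow line is needed for forwarded ports. IP_FORWARDING=On must be set in shorewall.conf for the gateway to route at all, and `shorewall check` followed by `shorewall restart` is the edit-and-reload cycle the torrent post describes.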