Slashdot Mirror

Take an old Pentium I and put Smoothwall on it. No more Belkin and Netgear routers you get for $50 at Circuty City.

Install it on a spare PC with 2 network cards
Simple.

Don't expect people to abandon their systems for a firewall.

WAY better solution.

Take an old PC. Install Smoothwall GPL 2.0 (router/firewall)

Then hack squid in the smoothwall and add in Adzap

I made my adzap point back to itself to retrieve the "this ad zapped" images rather than getting them from sourceforge every time, for speed, to not hammer sourceforge and to use my own custom pics. I made some very subdued pics to replace the annoying back and yellow "This ad zapped" replacements.

Anyway, since doing that, I haven't seen ad one. No flash ads, no gifs, no jpgs, no pop-ups or unders, no nasty javascripts. EVERY pc that plugs into my lan is instantly ad blocked, including total strangers that bring pc's over for repair/service. No modification is done to any other machine on the lan, smoothwall is transparently proxying port 80 and blocking ads before they ever enter my lan.

Try it, it's very, very nice... (Sorry /. your ads are blocked too...) Oh yeah, you do have a choice to use white and black lists on the smoothwall to allow SOME ads of your chosing to come through, if you so desire or to block IP's that somehow manage to sneak one through adzapper.

If you want the fancy features, then get the commercial version and enjoy the support.

why waste your own time re-inventing the wheel when it's already been done.

I'd much rather take an older computer and throw ClarkConnect on it. Comparing the feature list above with CC's features:

Security
* Stateful Firewall * Intrusion detection with Snort * Secure shell via SSH * IPsec VPN (Office Edition only) * PPTP VPN (Office Edition only)
Web Server
* Apache web server * Support for CGI and PHP * Secure/SSL support
File Services
* Journalled file system with ext3 * FTP server * Windows file server * AppleShare file server
E-mail
* POP and IMAP servers * SMTP server
Filtering
* Banner ad blocking * Web proxy * Content filtering (Office Edition only)
Printing
* Print server support * Printer sharing for Samba/Windows networks
Easy Configuration
* Web-based configuration* Optional Webmin package
Network Support
* DSL (including PPPoE) * Cable Modem * 802.11b Wireless (Office Edition only) * Internal DHCP server * Caching nameserver

There's a few not listed on the quick info page, such as Gallery and SpamAssassin, but you get the picture. Not to say that you couldn't add on to the software on the Rumba, after all it is Linux based, but who says they'll make it easy for you to do so. I have no problems adding new goodies to my ClarkConnect box, such as a NWN and TeamSpeak server for my gaming friends or SliMP3 server for around the house music, and I wouldn't give that up.

To give fair time to two other Linux firewall distros I've used in the past and like almost as much as ClarkConnect, check out Smoothwall and IPCop.

Jonah Hex

Why recycle when you can put Linux on it and turn it into a fileserver or firewall?

or SmoothWall, which ipcop was forked from.

Obviously a complete block is not going to work, but there's plenty of systems that filter traffic smartly. Leaving an IIS server open like that is just asking for trouble. I reckon I get more hits from IIS exploits than genuine web hits. You need a firewall of some kind - take a look at something like Smoothwall with it's Sort IDS, or if you're hardcore, OpenBSD plus httpf or Pound (along with Snort or Port Sentry and co.).

Take an old clunker, two nics and go to
http://smoothwall.org/beta/
and download the latest package, smoothwall 2.0 Orient.

It's free. It works. You can find clunkers everywhere for free.

I refurb old clunkers and load smoothy on them.
I resell them and make a few $$$ for my pocket,
keep stuff out of the land fill and make some
customer very happy for saving them BIG $$$$....

With a P4 in that little case, they have to push a lot of air, so this thing will be loud. What they need is:

Not if all the CPU heat is dissapated directly out of the case....like if they drilled a hole right above the CPU. Which they did.

- Add a second ethernet port, so this can be used as a home gateway/firewall/proxy/etc.

Why the hell do you need a P4 as a proxy/firewall? You trying to run MS Proxy server or something? Try Linux with IPChanins if you must run a software firewall. Or Smoothwall. Runs just fine on a 486.

I recommend Smoothwall. In my experience, it seems to be secure, it's definatly reliable and fast on slow hardware. I run this at home and at the office. The setup is simple, and it has all the features you are mentioning. There is a free (as in GPL) release, and there are commercial versions with additional features (VPNs, etc).

Smoothwall has built in support for it, plus it is probably the best router distro around...

Smoothwall GPL 2.0 Beta 4 (mallard)
http://smoothwall.org/beta/

I put three nics in a Pentium 90 that I found on a trash heap. One nic goes to my RR cable modem, one nic goes to my switch and one nic is for my son's Playstation 2.
I can control every aspect of the firewall from any pc on the green nic. The firewall pc doesn't even have a keyboard or monitor.

I can VPN through it with ease and I have port forwarding from an oddball port number to port 21 for a private FTP so that RR won't find it.

It's really easy to use and so far I've had no problems.
Of course ALL the machine inside of it are Linux boxes and all of them are using iptables (w/shorewall) so everything is really secure..

For a super easy, very cheap and very fast firewall try floppyfirewall at http://zelow.no/floppyfw

No worries here...

If you want to quickly turn an old box into a dedicated and very secure firewall, then Smoothwall and a fork of it, IPCop are fine GPL examples. Smoothwall also sells a non-GPL version of their firewall with extra custom functions, but the basic Smoothwall is still GPL.

Both of the above support a load of network cards, and even USB-based ADSL (like the Speedtouch) right out of the box and are an absolute cinch to get running, even if you only have limited networking knowledge. They also provide a simple but powerful browser interface for administration (port forwarding, dyndns registration, squid caching web proxy, etc.).

If you want to add a firewall to an exising Linux box, then a good recommendation is ShoreWall which I've just recently set up on a Mandrake box and been very pleased with. It uses the kernel's Netfilter (iptables) support to do its thing, and is the best option if you want a multi-function firewall/router, etc., since both smoothwall/ipcop are designed to be more restrictive 'all in one' firewall distros where it can get tricky to do things like recompile the kernel without it breaking. Smoothwall and IPCop do provide regular security patches which are very easy to install via the browser admin interface (which even warns you when new ones have become available).

Smoothwall are usually a little quicker than IPCop at getting new patches out. Shorewall is a standalone firewall so it's up to you to keep the other apps updated.

And a few years ago, it was still possible to install Slackware on a 486 w/ 8 MB of RAM and 40 MB hard drive, including the development tools such as gcc. Arguably there wasn't left space to be of any real use, but that was more of an exercise to the reader!!

Did something new happen in the ME/XP/2k versions of windows? I don't use those, but on my win98 and winNT boxes the netbios ports are 137,138, and 139. Did Microsoft kerberize these services or something?

In /etc/services on all my *nix boxen port 445 is undefined, but IANA says Microsoft does indeed own 445. My samba boxes and NT servers don't show the port live with nmap, though.

The smoothwall firewall SSL admininstration application runs on 445. That's the only thing I know of offhand that uses it.....

Clarkconnect is a robust "turnkey" server package that really kicks ass. I have used e-smith, Mandrake's SNF (Single Network Firewall) and Smoothwall.
I am running this firewall/fileserver on a P100 with 96M of ram, so performance was pretty important to me.
I run the following servers on the box...
Appletalk (netatalk), Samba, FTP (Proftpd), HTTP (Apache), SMTP (exim), DHCP, SSH, CUPS, WEBMIN and SQUID.
The performance of the box is outstanding and very robust. It has a really nice web-based interface for modifying the box's setup.
I'm not knocking any of the others... I still have an e-smith server running at a clients and it's been chuggin' along for a couple of years now.

Just my $.02
-Fordboy0

Last night I had my first outage with Adelphia in a year. It's been solid and reliable. At least here in Southern VA... May be I'm just lucky? -As far as Security, I use smooth wall. Don't think this will protect me from poison arp, but you should see my IDS log files!

The first thing you should do after install is go through your list of services and see what is really needed. Start with xinetd because that can start up some really unnecessary beasts. Doing a "netstat -a" is a good way to find out what ports are open or alternatively "lsof -i" will tell you the name of a program attached to a port. Just go through all the things open and shutdown everything you don't really need.

The next thing to do is to setup some sort of firewall script. How you do this really depends on how confident you are. If you think you know what you are doing then use iptables to setup a custom restrictive firewall. There are many example scripts here and an excellent tutorial here. If you want a GUI to do the work, I would recommend Smoothwall. I know of quite a few novices who successfully use it.

You should then be reasonably secure. BUT, keep an idea on the Redhat updates; there are usually loads released in the first few weeks of a new distro.

What you need is a firewall with multiple interfaces. You could go commercial and buy something like a Watchguard Firebox or set up a cheap linux box and use a pre-packaged linux firewall like IPCop or SmoothWall where you just boot off a cd and install/configure a Linux firewall.

What you end up setting up is a DMZ. You would have a "Trusted" interface that could be your private library network, a DMZ interface that could be your public access network, and an external interface that is your connection to the Internet.

You could set up the IPs as 192.168.0.0/24 for the trusted, 192.168.100/24 for the DMZ, and use your external ip segment for the external. You still can use all of the same network hardware that you have in place.

Hope this helps.

Nice work whoring yourself, Phil. I supose you couldn't resist stooping to a new low. Well, I am damned if I'm staying in the shadows any longer. I think I'm best qualified to comment on the "IPCop feature list", since really IPCop is something I wrote a significant amount of. I thought it might be interesting to see what (if any) progress you've made.

- Installs from bootable CD, or with a floppy to kick it off, installs from CD, http or ftp.

So it uses the installer I wrote for SmoothWall then. Ah, you did change the banner along top to remove both mine and Richard Morrell's names.

- IPChains based firewall, - Analog/ISDN/ADSL modem support
- Support for almost any connection type

Yeah. Again, looks just like a SmoothWall feature.

- Full DMZ Support, - Web Based GUI Admin & Config System

So lets see. You changed the logo (very nice btw!!!) And did some edits of the header.pl file. Well done! Thanks for the tiny mention in the Credits page. It's nice to credit where it's due. I don't think any member of the IPCop team wrote the DMZ support code, did they?

- Full Status Display, - Full Traffic Graphs

Hmm... SmoothWall features, those! Of course, I would never use the word "Full" in describing any feature. It shows that you are unable to think of something better.

- Full Connections Information

If you call "netstat -taM" in a CGI 'Full Connections Information', that's up to you. I find it very funny though. You've obviously not used real tools before if you think thats "Full Connections Information". But Jack had to get his "feature" in, didn't he.

- PPP Settings/Configuration Area

I wrote that for Smoothie too. This is getting DULL. Where are the improvments, Phil? Where is support for unlimited numbers of profiles, which I will one day get around to writing? Etc etc?

- PPtP ADSL Support

You score one point :) It's only not been written for SW because the demand is so small.

- PPPoE Support Pierre-Yves Paulus wrote that for SW, with some help from me. Ah, that was fun. Wrting scripts to actually connect to the net on a remote box was a memorable experience. Anyway, where do you credit him?

- USB ADSL Firmware Upload Area

Dan Goscomb wrote the CGI/scripting support for USB ADSL. Where do you credit him?

- Modem Configuration Area

MMM yes, I seem to remember writing that page too.

- SSH server for Remote Access, Password Control Area, HTTP/FTP/HTTPS Web Proxy, DHCP Server, Caching DNS, TCP/UDP Port Forwarding, External Service Access Control, DMZ Pinholing Capacity

All standard features of SW, mostly the script work was done by me with some help from other people in the team.

- Dynamic DNS Support

CGI and script written by Pierre-Yves Paulus, for SW.

- Intrusion Detection System (SNORT)

Conf file tweaked by SW team member Dan Cutherbert. CGI (such that it is) writen by me.

- VPN Support (FreeSWAN) with Control Area

CGI and setuid helper writen by me in a bored afternoon.

- Full System Logs, Web Proxy Logs, Firewall Logs, Intrusion Detection System Logs

Hmm, wonder who wrote those log viewers? :) It wasn't an IPCop team member, thats for certain.

- Remote Shutdown/Reboot Area, Integrated JAVA Based SSH Shell Area

Richards idea that one. Obvious when you think about it, but his idea none-the-less. Where are your ideas??

- IPCop Linux Updates Area

Dan Goscomb wrote the update feature, and associated routines. Again, can't you do anything different?

Ah well, that was interesting wasn't it? I hope everyone thought so. As to progress, it seems a nice round (fat) 0 would be the best score to give. IPCop is SmoothWall GPL with a different banner along the top, and very little else. They also refuse to give credit where it is due, and this, IMNSHO, is totally unethical. The IPCop team also seems to have a total lack of talent. You've had getting on 5 months, and all you've produced is a clone with a ugly web interface. Anyway, I thought I would stick my head out for once. Personally I don't give a damn what you do with IPCop. The fact that you don't even give us proper credit shows what a sick bunch of people you are, though.

Lawrence Manning (lawrence@smoothwall.org)
Principle Author, SmoothWall

• http://www.superant.com/smalllinux/
  
• http://ibiblio.org/vectorlinux/
  
• http://www.zelow.no/floppyfw/
  
• http://www.xandros.net/
  
• http://www.gentoo.org/
  
• Smoothwall ...
  
• http://www.ipcop.org/
  
• http://www.mandrakesoft.com/products/snf
  
• http://www.freesco.org/
  
• http://www.coyotelinux.com/
  
• http://leaf.sourceforge.net/
  
• http://www.gnatbox.com/Pages/gblight.html
  (this ones based on BSD IIRC)
  
• http://www.bbiagent.com/
  
• http://www.clarkconnect.org/"
  
• http://www.linux-firewall-tools.com/
  

> Smoothwall: kernel 2.2.19

2.2.20 since the fixes5 update

• Astaro Security Linux: kernel 2.4.x
• BBIAgent: kernel 2.4.13
• ClarkConnect: iptables, kernel 2.4.9-31 (RH 7.2)
• Trinux: iptables, kernel 2.4.x (Slackware)

• Coyote Linux: kernel 2.2.19
• IPCop: kernel 2.2.x
• LEAF/LRP/Dachstein: kernel 2.2.19
• Mandrake SNF: kernel 2.2.19
• Smoothwall: kernel 2.2.19

• Freesco: ipfwadm, 2.0.38 (!)
• FWTK: Dunno, looks old, mentions ipfwadm

The FAQ devotes 32 of 88 pages to how to correctly interact with the community, with such topics as "On Not Reacting Like a Loser" and "RTFM and STFW: How to tell you've seriously screwed up."

Furthermore, the remaining 56 pages are liberally sprinkled with the same: "Asking this question on the mailing list or IRC will inevitably result in the verbal equivalent of being hit round the head with a baseball bat. The answer is NO."

While I appreciate the sentiment of these statements, devoting nearly half of the document to this topic might be a little overboard.

1. Freesco which I personnally use on a 486/dx2 with 8mb of ram. It has many functionalities like remote access, dhcp, dns, print server, firewalling, masquerading, bridging, support for many ethernet cards and best of all fits on a floppy (no HD required, but possible to do a HD install) Works like a charm and very easy to setup... almost plug and play (although not like windoze's plug and pray)
   
2. Coyote Linux which seems to offer a few more features than freesco, but requires 12mb of ram. Again, fits on a floppy.
   
3. SmoothWall which seems to be more of a feature complete firewalling solution includes web-based admin, proxy server and much more. It's larger (30MB or so) but seems fairly easy to use.
   

Smoothwall has been doing the job for me for ages... Only a 20 meg download for the ISO and you install the system off that... It's pretty cool!

Installs in a snap, free download, stupendous interface, good support. I've used it for months now without a hickup. Just my $0.02

Smoothwall

Cheers :-)

my thoughts exactly, how about a SmoothWall up front and a halted firewall behind?

I agree, smoothwall seems great and i'm thinking of using it or probably ipcop in the near future.

I wouldnt be suprised if Jürgen did have a little bit of ill feeling since Morrell seems to try his best to bring it out in people, as he did here:"i'm still on IRC at 2am kicking and banning people".

Judging by their news page they are no longer clamouring for donations, instead they want donations to go to the FSF? I wonder if their IRC channel still has the same message on it ;)

Perhaps trying to recoup some PR...

Notes
From: William Anderson
Date: Mon, 14 Jan 2002 17:35:00 +0000 (GMT)
Subject: Info file for fixes7

* Patches pppsetup CGI to further increase security of ppp secrets file

* Upgrades passwd file to shadow passwords

* This patch removes the capability to connect to the web admin interface
over the RED (external) interface by DNS name - you must use the IP
address instead, e.g. https://213.123.312.231:445/ instead of
https://mymachine.someisp.net:445/

Notes
From: William Anderson
Date: Mon, 14 Jan 2002 17:35:00 +0000 (GMT)
Subject: Info file for fixes7

* Patches pppsetup CGI to further increase security of ppp secrets file

* Upgrades passwd file to shadow passwords

* This patch removes the capability to connect to the web admin interface
over the RED (external) interface by DNS name - you must use the IP
address instead, e.g. https://213.123.312.231:445/ instead of
https://mymachine.someisp.net:445/

Notes
From: William Anderson
Date: Mon, 14 Jan 2002 17:35:00 +0000 (GMT)
Subject: Info file for fixes7

* Patches pppsetup CGI to further increase security of ppp secrets file

* Upgrades passwd file to shadow passwords

* This patch removes the capability to connect to the web admin interface
over the RED (external) interface by DNS name - you must use the IP
address instead, e.g. https://213.123.312.231:445/ instead of
https://mymachine.someisp.net:445/

It's realeased under the GPL. If you want to poke, go download the source and poke all you want.Your most was definately redundant (and prbably a troll.)

... when the guy looks like this.

It's just ooooozing football hooligan!

After having had trouble with all those dumb journalists ( the smoothwall developers team has two statements on their web site, one against an article in the UK Linux Magazine and now another one against the article in C'T ) in the last weeks who would wonder if Mr. Morrel and his team decide to print their own magazine:

I suppose the name of the new magazine to be:
how-to-become-a-prick-in-order-to-flame-everybody- who-does-not-pay-me
Headline suggestions welcome!

After having had trouble with all those dumb journalists ( the smoothwall developers team has two statements on their web site, one against an article in the UK Linux Magazine and now another one against the article in C'T ) in the last weeks who would wonder if Mr. Morrel and his team decide to print their own magazine:

I suppose the name of the new magazine to be:
how-to-become-a-prick-in-order-to-flame-everybody- who-does-not-pay-me
Headline suggestions welcome!

Just to clear up any confusion or misinformation about use of the smoothwall irc server, please look at: http://www.smoothwall.org/gpl/interact/irc.html as the current discusion in the chan is how unfair it is for some to post their irc logs to slashdot as #smoothwall is to quote:

dickmorrell: this is our private channel
dickmorrell: created for OUR team
dickmorrell: not a window on the world

Hint: Thats not what your website says

we have an article taking what dang has said along with our comments on the way the article author behaved when collecting his "evidence" ...

our response

Unfortunately we didn't have the luxury of wiring the house from scratch so it's all carefully placed under carpets. If we did however, we'd DEFFINATELY have cat 5 going to things like lights and heaters and stuff. How cool would it be to get a radio system with some server that does voice recognition - so you could walk in and just say "computer, lights!" (sorry I'm back onboard Voyager).

I installed Smoothwall and was amazed at the process. It detected everything and I had a firewall/gateway setup in twenty minutes - amazing!

(I'm also chuckling over data owning :)

I've found the best solution to an MS free office is plain ole' XHTML + CSS. There are many editors available and in the last year they actually produce rather nice clean code (and the older software's output can be cleaned with HTMLTidy). The only other format that comes close is RTF, but that's just a bloated plain-text version of MS Word (typically a document grows five or ten times its size from HTML to RTF). Other than that each office package still defaults to it's own format - it's sad.

XHTML isn't advanced in the slightest but for most uses it does cut it. Get some XSL to convert XHTML to XSL:FO and run FOP over them to get some PDFs when you need a printed page version. CSS3 has page breaks and XHTML has some support for footnotes - most other features of MS Word aren't supported. I guess it's luck that they are features that are unused by most people.

- Sven.

A mindless dialup/adsl gateway? Anything will do (try smoothwall as a distro)

A webserver/fileserver? Well, ignore supposed 'server category' systems with cache and blah and go for the fastest pony you can get (gigabyte ethernet... bite the bullet). Any distro but Mandrake.

I install dsl and cable modems for two of the big boys as a private contractor. I have had the opportunity to go back on my own time and install several different types of firewalls depending in the users needs and wants, commercial and residential. I personally use a SmoothWall box, at my home. It is an old pentium 120, 540MB HD, 4X CD, 32 MB Ram, 2X 100baseT full duplex to a 960/816 RADSL external, and a 100baseT switch internal. It has web based admin and a text based setup similar to a simple linux install. It is able to do MOST types of wan links, including @Home's dynamic crap and Dial on demand(It is amazing all the stuff it will interface to). I have yet to be able to tax this little box to its limit even with 15+ people over for an Internet/LAN party. We were able to saturate the WAN link but not the firewall. Smoothwall Rocks!

As for the dedicated stuff from Dlink, SMC and Linksys. All of these are good solutions for setup and forget if you don't have an old PC you can use. The dlink and linksys both have Web based setup and admin, very slick. I have setup several of these for people and have not had to go back to any of them, some in over 6 months.

If you have an old PC that will meet basic linux requirements (486 or higher) and a little bit of time, try SmoothWall. If you dont have a little time, and I mean a little(20 mins to setup on a working box), get one of the ready made solutions.

I install dsl and cable modems for two of the big boys as a private contractor. I have had the opportunity to go back on my own time and install several different types of firewalls depending in the users needs and wants, commercial and residential. I personally use a SmoothWall box, at my home. It is an old pentium 120, 540MB HD, 4X CD, 32 MB Ram, 2X 100baseT full duplex to a 960/816 RADSL external, and a 100baseT switch internal. It has web based admin and a text based setup similar to a simple linux install. It is able to do MOST types of wan links, including @Home's dynamic crap and Dial on demand(It is amazing all the stuff it will interface to). I have yet to be able to tax this little box to its limit even with 15+ people over for an Internet/LAN party. We were able to saturate the WAN link but not the firewall. Smoothwall Rocks!

As for the dedicated stuff from Dlink, SMC and Linksys. All of these are good solutions for setup and forget if you don't have an old PC you can use. The dlink and linksys both have Web based setup and admin, very slick. I have setup several of these for people and have not had to go back to any of them, some in over 6 months.

If you have an old PC that will meet basic linux requirements (486 or higher) and a little bit of time, try SmoothWall. If you dont have a little time, and I mean a little(20 mins to setup on a working box), get one of the ready made solutions.

I personnaly gave a try to SmoothWall, here :http://www.smoothwall.org/gpl/

An amazing number of features in a so little Linux distribution. Well, find an old PC (almost any might be enough), install SmoothWall on it, then you've got your personal router/firewal/NAT/almost-whatever-you-want.

All being controlable through a web browser.

My 2c

He said he was on a budget, so I suggested running a Linux based network. Nope. He said he couldn't get into the RedHat server, so I did for him, then doubted that I was "actually in it. He said he needed to cut down the spending of the new boxes he was going to get. but insisted that he needed to get PIIIs. Doh. So then it came time to find a software based firewall. After i told him about SmoothWall he said that there was no way he was going to use a firewall based on free software. Then he read an article on his own (that was probably his biggest revelation ever!). I'll be installing this firewall next week on a PII350 with 128M and a 10GHDD, whatta goof.

This guy's no more than 27 years old, has a sleek lil volvo ride and dresses pretty damn hip (the later two are probably the things that got him hired), so i can't begin to believe that the age of a boss has anything to do with the treatment of the people under him when listening skills are involved.

What it comes down to IMHO is how much knowledge and forward thinking the person has. Also, how much is someone really willing to leave their ego at the testing center and be ready to learn from someone else once they acheive certificate status.

BTW Kendall will probably be looking for a new admin soon.