Domain: smoothwall.org
Stories and comments across the archive that link to smoothwall.org.
Comments · 147
-
Yep
Bought a dual NIC fanless MITXPC never looked back, I love the machine it's quiet reliable and small.
You can get them with more than 2 NICs as well (I suggest you do for versatility reasons). There are a few builds you can run on these things: PFSense, Smoothwall, etc.
http://www.mitxpc.com/
http://www.smoothwall.org/
https://www.pfsense.org/
http://suricata-ids.org/downlo...
-
Smoothwall
-
Re:Home solution
Also SmoothWall but of the three I'm happiest with pfSense.
http://www.pfsense.org/ (BSD)
http://www.smoothwall.org/ (Linux)
http://m0n0.ch/wall/ (BSD)
-
Re:Voting with wallet
Screw that, roll your own.
-
SMOOTHWALL EXPRESS
Um, why are you guys screwing around with consumer grade crap anyway?
Take an old PC (can even be a micro PC, provided it has more than one NIC), put 2 NICs in it and install Smoothwall Express onto it.
Since Smoothwall is a Linux-based open source operating system, the old PC will become a nice, easy to configure, open source firewall/router alternative system, and easily more powerful than the standard SOHO crap that Cisco is slinging.
I've been running it for 10 years (with regular OS upgrades) on an old Gateway 450MHz Pentium 2 PC. It's a trusty old warhorse that keeps on cranking and is WAY overpowered for the job. (Smoothwall will run on a 486DX. I know, I've done it.)
How many crappy SOHO routers have YOU gone through in that time?
-
Squid + SquidGuard
Not wishing to interrupt the bickering about whether children watching people fisting each other is a good or bad idea but you could try:
Squid + SquidGuard + Whatever lists you want from http://dsi.ut-capitole.fr/blacklists/
Not the easiest to set up, but the lists are just plain text (with some regexes if you really want) so you can block/unblock what you want.
Or maybe Smoothwall: http://www.smoothwall.org/ might be easier; it will do this and much more besides.
You can all carry on now.
-
Re:I thought this was known by now
If you find something like that... delete it, run CCleaner on the empty space with multiple passes, then install a free IDS/Firewall solution on a spare PC like SmoothWall to possibly catch future attempts.
-
Re:If you've got an old PC around
You might take a look at IPCop or Smoothwall. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.
Ahh, yes. iptables... the intuitive interface of the linux command line combined with the arcane of networking. I used to have an old P133 as a NAT box (slackware) that also did a few other server-related tasks, and I had some iptables rules configured. I think the truth of the matter is that unless you are very, very well versed in networking, you can't write your own rules and end up copying some stale rulesets from things you find on the intarweb, hoping to bend them to your needs. I never knew what the hell I was doing aside from reading (and re-reading) the multitude of TLDP docs out there and trying, trying again and again. I was lucky I was only rooted once [that I know of].
These days, I prefer the ease of most router interfaces. I know they don't typically provide the flexibility, granularity, or power that some may want, but they probably account for the needs of 99% of typical users.
-
If you've got an old PC around
You might take a look at IPCop or Smoothwall. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.
-
Re:Time to upgrade the home network?
That's what http://www.smoothwall.org/ can fix. Even with BT going over 1.3MB/s it doesn't slow a bit.
-
Re:Consistent and Mandatory Ruleset.
I'm not sure why this post is modded insightful, because if you take NAT (or really PAT -> Port Address Translation) out of the equation, what you are left with is a firewall with Allow All outbound, accept related + established inbound. NAT/PAT is an ugly ugly hack that is incredibly inefficient. We could significantly reduce the load on our home routers if they didn't have to store the Port mappings that make it all possible and also remove so many ugly hacks that have had to be concocted because some protocols simply don't work with NAT.
Wikipedia has some light reading on the subject and there are plenty of resources out there. NAT/PAT != security, and the thought that application writers would blame the "firewall" on the router for the problems is ridiculous; even Smoothwall comes with the option to have "Allow All Outbound" and I dare say home routers would be set up with that as default.
-
Re:Finally, I can torrent from windows
home routers crap out if you open too many. Hopefully it's less of a problem today
I tell you sir, it's still a problem. The $30 NAT routers of today are just as big of a hunk of crap as they were 4 years ago, they just increased the profit margins with the lower manufacturing costs that economy of scale has brought to the industry.
Personally, I threw a second NIC in my server, installed VMWare Server, and now run Smoothwall as a guest, routing for my network. I probably would have done this years ago but it took a lot for me to break my love/hate relationship with DD-WRT and its GPL-violating "author," and I finally gave up trying to find good support for UPnP on a Windows-based solution.
Give it a try if you like to torrent stuff, especially while gaming.
-
25K euros firewall ..
"We purchased a 25K euros firewall last month with which we had some issues"
What for? All you needed was a redundant PC and SmoothWall, not that a firewall is much good in this day and age of RPC over HTTP and various apps allowed to open most any high port. Firewalls were only really useful when the original nix system only allowed 'root' to open low ports for sending, so any packets received (nix-to-nix) from one of these ports were deemed semi-validated. Whatever, read what an expert has to say on firewalls and security.
"using firefox to type addresses in the search bar, nothing was responding"
Why not have a heartbeat applet running on the firewall that SMSed your phone in the event of an outage? That way you don't have to set up camp in the server room, clicking on things ..
-
Smoothwall 3.0
Get an old computer and install Smoothwall 3.0 and then install the DansGuardian mod for it: http://community.smoothwall.org/forum/viewtopic.php?f=49&t=28154
If you don't have an old computer or want to save space then for about $150 you can get this small ALIX board plus case plus power supply: http://www.mini-box.com/Alix-2B0-Board-2-LAN-2-MINI-PCI_LX700_2
-
Where?
My biggest question is where on this blue marble do you live with insane restrictions like that. I get 60Gb a month on my home connection, 6Gb on my smart phone, and unlimited internet at my University where I take night courses.
But I agree with a previous post. Use a squid-cache. However, Squid-cache isn't the most friendly thing to set up. I'd look into a solution like IPCop or Smoothwall, which are easy to install with Squid or Squid-like plug-ins.
-
Re:Trust anti-virus ratings?
as a very paranoid person i have a few suggestions.
first off, there is noscript, no script only runs on gecko browsers, so you really only have firefox, icecat, ice weasel, and ephiphany, and whatever other gecko based browsers are out there... noscript is sexy, and was the first program to protect from clickjacking.
secondly i recommend getting a hardened firewall running on some cheap dumpster grade pentium 1-2,3 system, dumpster grade systems are easy to find, and if you can't find one, there is always the option of hitting pricewatch.com and grabbing the cheapest 'no os' complete desktop, with the oldest, cheapest parts. for a beginner, smoothwall is pretty easy to learn. http://www.smoothwall.org/
i suggest going with half-open, and getting a crash course in what ports need to be opened for whatever you use besides web browsing.
then, you can worry about anti virus, and code execution protection, and outbound application level blocking on your native os. if your network isn't secure, then the best anti virus in the world isn't going to help you a lick.
-
Re:Performance of OpenDNS?
I did a bit of research into OpenDNS a while ago, the link is here
I've been a little intrigued by what sort of real benefit the likes of OpenDNS might actually have, so I thought I'd do a bit of a test and see what it does.
So I thought I'd start with the world's most popular websites; according to http://www.alexa.com/, I got a list of the top 100 global websites.
the basic results turned out to be...
1. OpenDNS server at 208.67.222.222 average = 108.8787879 min = 15 max = 1273
2. my ISP's DNS server at ns0.zen.co.uk average = 16.9798 min = 13 max = 24
3. a local server running bind 9.2.4 server, having done a rndc flush (this will force a full DNS tree root name resolution - hence the very large times) average = 828.4747475 min = 43 max = 4983
4. the same server as 3, run without flushing the cache average = 1.424242424 min = 0 max = 93
which I think is pretty much what I expected! A local ISP's DNS servers will generally be faster than anything elsewhere because they take advantage of being well used and hence having a full cache, and being local so traffic doesn't have to go very far.
A local server doing full root DNS resolutions will take the longest to resolve simply because there is a DNS tree that it needs to propagate through.
-
Re:DSL+Cable
If you want the free open source version of SmoothFirewall, here you've got it:
http://www.smoothwall.org/
It doesn't have as many things as the paid version, but it'll probably do well enough for your demands.
-
QOS rules
I've been using a QOS mod for smoothwall 2.0 for about 5 years now: http://community.smoothwall.org/forum/viewtopic.php?p=164920 Works fine, not sure what everyone is whining about. It seems that QOS is some kind of black art or something. I have spent hundreds of hours trying to help people on that forum to get a good working QOS setup and every time it just ends up being a waste of my time. People just don't take the time to read up on the technology that they are trying to implement and I just end up going around and around in circles. But what I can tell you is that no matter what the heck goes on on my network, no matter how many p2p apps are run, I always have clear VoIP calls and lag free gaming. I remember seeing an article about a device that was supposed to automatically shape your traffic and give you lag free gaming and stuff. I am sure it never took off because, as it seems, no matter how simple you make QOS, people still can't figure it out.
-
Re:QoS?
"I have no idea how to do it in Windows"
Free as in beer, smoothwall express http://www.smoothwall.org/get/vmware.php
vmware player http://www.vmware.com/products/player/
you do have to play around with your network configuration to route it through smoothwall in the vmware player, and i don't know if you can have vmware player automatically load the smoothwall vm on boot, but there probably is a way.
a smoothwall VM will need a little cpu resource and a little ram, not as much as a full desktop linux would need though, and i've had a full debian desktop using 128 mb of ram..
at any rate, yes you can do it in windows.
-
get a PC with smoothwall linux
you can put it between the router and the net if you're using the wireless capabilities.
a forum about traffic shaping with smoothwall
http://www.linux-noob.com/forums/index.php?s=dffc19493975498724b50564217f05e4&showtopic=3250&pid=11502&st=0&#entry11502
smoothwall linux
http://www.smoothwall.org/
-
Re:Wireless broadband
And frankly, if you can get ISDN, you can probably get IDSL. Remember IDSL? It's 144K (because it also uses the D channel for data), and is the only DSL service that can be extended through fiber. If you have wired telephone service, you can get IDSL, as long as there's a company that will sell it to you.
Also, with just plain old dialup, it might be useful to use a demand dial router instead of dialing from the client computer directly. I'm using Smoothwall (http://www.smoothwall.org/) at my house on cable (instead of the Linksys phone router from Vonage), and I know it does modem dialing, too.
-
Re:Turn off UPNP
Wait...
You people actually run consumer-level commercial wireless routers?
Apparently I'm the only one here that runs a Smoothwall router and a separate wireless bridge connected to a DMZ'ed network. Wired connections on the normal network, wireless on the DMZ. Soon I'll be upgrading to include a wireless card in my smoothie, and it will run everything. What self-respecting geek actually uses consumer-end garbage and doesn't DIY a proper router/firewall?
I AM on Slashdot, right? ;)
-
If I had done it
As everyone has pointed out, there is nothing you can do on a machine which the child has physical access to that does what is requested.
But a separate firewall and proxy that can be locked away can do the job. If the DSL modem (or whatever) and a firewall and proxy server (say smoothwall running on old hardware) are in a room that can be locked, then you can force all port 80 traffic to go through a proxy that uses something like SquidGuard. You can also have a default deny policy for outbound traffic so that you select what sorts of services are available.
Of course a determined teenager will learn about third party proxies (the same kinds of things people set up to assist those getting around the Great Firewall of China). But, of course, one can log the web traffic to try to detect these and end up playing whack-a-mole.
As for the rightness of doing this sort of thing, I don't find it so clear cut. My daughter is turning nine tomorrow. We've already told her more than she really wanted to know about how babies are made (she did ask). And she knows in principle about contraceptives (she asked about a particular scene in Grease), but we've got a few years before she'll need practical instructions. She is still in the "yuck" phase, but things will change.
I'm not really concerned about anything she might see or read out there now or later. But my concern is about who she interacts with. On the Internet nobody knows you're a dog, and so really what I'm concerned about is getting her to follow a "don't meet or give too much information to someone without me or my wife checking it out first" rule. I think that that is the kind of rule that is easy to break once you no longer think of some on-line persona as a stranger. Does this mean that I'll be snooping in on her chats and email? I hate the idea of doing that, but I'm not ruling it out either.
-
Re:Why do they have so much power?
You have to run a full blown HTTP proxy that examines the content of the webpages coming in and makes blocking decisions based on that. This is complicated to set up and maintain and/or costly to purchase/outsource.
SmoothWall Extended Defense Basic PLUS does this, and it is GPL and free and easy.
Read here: http://community.smoothwall.org/forum/viewtopic.php?t=20884
Download here: http://sourceforge.net/project/showfiles.php?group_id=114890&package_id=202360
-
The perfect firewall
Well, fairly good anyway. Check out Smoothwall Linux Firewall: http://www.smoothwall.org/get/ SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use. We use this in our business. VERY good.
-
I won't notice....
SmoothWall Firewall
DansGuardian Content Filter
Domain Block of Ad-Servers.
Nope...I won't notice at all.
-
Re:Maybe it is just me...
I suggest SmoothWall if you want an easy to use and set up PC firewall. The forums section of the site has many mods to the base package. I've been using it for at least 2 years on a Pentium 200 with 128MB RAM with no problems at all. I switched to SmoothWall because I got tired of the different quirks and problems and lack of flexibility that seem to plague every commercial personal home router I have ever tried.
-
Re:Freeware?
That's nothing new. For example, the Smoothwall firewall is based on the same model.
-
IPCop versus SmoothWall
Does anyone knowledgeable want to contrast IPCop to SmoothWall?
Advantages/Disadvantages? Pros/Cons?
-
Re:deep freeze
Another vote for DeepFreeze here. I use it at our library's computer lab and can get a good night's sleep. Faronics also has other security programs worth looking into, including Anti-Executable and WinSelect. Hopefully, the school has a firewall in place to keep intruders out; if not, look into a good firewall program, like Zone Alarm, or get an old computer and set up a SmoothWall firewall.
-
SmoothWall
Have a look at SmoothWall at http://www.smoothwall.org/
It's based on GNU/Linux and provides on-par or better features, and it has been there for almost 4-5 years now.
-
Smoothwall anyone?
What's so new about this? http://smoothwall.org/, http://ipcop.org/ and http://m0n0.ch/wall/ could easily be customized to perform a similar function. Easy as installing a bittorrent application, and using SSH.
By the way, these 3 options happen to be free and upgradable.
-
Real blocking...
The obvious solution to people going around and surfing myspace etc, is content filtering I believe. Honestly, unless there is a proxy out there that will take naughty requests and format them into a flash animation page for you no matter what...then the text is still there. It is still filterable.
The other way around it is encryption...but I'd imagine most of the proxies are not encrypted. Perhaps I'm wrong though, as I haven't searched for a proxy for a while. But even then, the proxy site may have the word 'proxy' in it...and you could simply score the word 'proxy' when used in conjunction with 'web' or 'internet' or 'free' to add up to be over the threshold for blocking.
SmoothWall Firewall does a fine job of being a firewall, and the DansGuardian Content Filter with Antivirus mod will allow such things very easily.
Domain block lists and white lists have their place, so does true content filtering. There are free versions that work well for home users including smoothwall firewall, and there are also better featured versions of different content filtering products for enterprise users.
While obviously content filtering introduces some delay into your web transactions, don't underestimate the utility of the machine also serving as a cache - out of 5000 people, do they really need to download 'google.com' 1000 times a day? or maybe only 100 due to caching... I know google is light on the load and bandwidth, but other sites also get cached. It's a pretty good deal.
-
Smoothwall?
Wouldn't this be what Smoothwall does? http://www.smoothwall.org/
I've got it running at home. It's got 3 NICs, Green, Orange and Red. Red is Internet (not trusted), Green is local private network (trusted), and Orange is local webservers, etc (partially trusted).
It's got a built-in IDS, Snort proxy, packet and connection logging, etc., etc., and add-on modules give things like web content filtering and bandwidth management.
Does this count as an application level firewall? I'd think with the IDS it does, but what does everybody else think?
-
Hardware or Software VPNs
Linksys makes a very nice firewall/router that allows 2 simultaneous VPNs. If there are more than 3 sites you could go for a Smoothwall server using an old PC and 2 NICs.
-
Smoothwall, mayhaps?
I haven't used it in a while, but have you investigated Smoothwall linux? It's a linux distribution that converts old PCs into very network-capable routers. Not only that, but it's manageable through web and SSH (I believe).
One of the reasons it came to mind is that it supports VPN connections between routers (again, I believe; haven't worked with it in a while). If you've got some spare PCs lying around (usually a prerequisite to reading Slashdot), this might be a great way to get your family networked for free while cleaning out the basement.
-
Re:NAS
Smoothwall Express (home router) has a Samba homebrew add-on package but I could not find anything for NFS. These meet 2/3 of your goal, and Smoothwall can be a print server as well
;)
-
Smoothwall
http://www.smoothwall.org/ Free. Pay for corporate support if you want to feel better. Use tons of free clients (ssh sentinel, openvpn).
-
Re:Moochers
I have had multiple issues with at least 5 different makes and models of home routers. I finally made my own on an old PC running Smoothwall Express. Not as "easy" as a small non moving parts home router but if you have an extra PC, it works much better. I've been using my Smoothwall box for over a year on P200/128MB ram/1GB HD. In the last 365 days, I've downloaded 720GB and uploaded 125GB through it and it has been rock solid. YMMV
-
Smoothwall
How is this any better than Smoothwall? Smoothwall has an incredibly easy setup routine and a dynamite interface. Want top notch support? Buy the commercial version.
-
Re:$29 Firewall Routers are your Friends
Heck, you don't even need a $29 router. Just get an old company PC lying around or something, doesn't have to be all that new. http://ipcop.org/ or even http://smoothwall.org/. I personally use IPCOP, but smoothwall works just as well. These won't get rid of your Windows boxes, but at least you can set up a linux box in between them and the internet.
-
Oh great .....
I have seen more problems caused by Symantec's software than I could count. I feel that if you have to run Windows then any extra layers of protection that you would need can be provided by free applications online. For example: Ad-aware, Spy-Bot, AVG Anti-Virus, ZoneAlarm, and the best firewall protection, SmoothWall.
-
Re:Dial-up does not make you more secure
The only difference between a dedicated computer and a router is the amount of stuff the computer has running on it. If you can set up a pretty stripped down system (Smoothwall is great for this), there won't be much difference. Plus the linux box gives you the power to do whatever you want. This may not be important in a regular house, but I administer a network at school and Smoothwall+Squid+ClamAV+Dansguardian makes a killer combination.
-
Re:Well then, is it or isn't it?
If you want a good antivirus, I suggest AVG or Avast. Both are excellent free products that are nowhere near as invasive as Norton.
However, I'm not sure if there are other products more suitable for corporate use. But maybe these have special "editions" for that too. I'm talking mostly about server centralized immunizing features. But I agree with Norton/Symantec having poor security products. The defaults in.. get this... Symantec's anti virus tool blocked VNC and Remote Desktop connections for me once. Found it out after turning Smoothwall inside out trying to see what the hell was the problem, but it was apparently doing what it should all along.
Btw, another good, free, non-invasive and rather resource efficient one suitable at least for home use is Antivir. For Windows 98/Me/NT/XP/2000/NT, and also Linux/FreeBSD/Solaris.
-
huh?
http://www.smoothwall.org/ That's all you need.
-
Re:Red Hat 8 on P90....
Wow, a reply! I rarely post so it's something of a novelty to have a conversation on slashdot rather than just passively reading other people's comments. Thanks for taking the time. Re-reading my post I think I was a bit vague.
I didn't really intend to disparage smoothwall, especially since I didn't get to try it. It's just that the story is about running on older hardware; many of these boxes will not support this method of installation or at least may find it awkward (lots of non El Torito drives out there). My intention was only to point out that it was not 'dead easy' in my case.
Personally I much prefer their method of distribution and philosophy to some other OSS projects' who are inclined to give the user a tarball and vague instructions to "figure it out." While that's fine for a hobby project, it's a crummy way to make a product -- even one you're giving away for free.
True true, but in my case I found this particular method (booting from a cd) of installing s/w crummy, especially finding a readme that has one line of text pointing to a website and the faq could do without referring to other docs (even without hyperlinking). That said, it's not fair to single out smoothwall for this type of behaviour, I've come across this type of poor documentation from innumerable foss folks over the years.
I understand this probably boils down to some very basic disagreement over the philosophy of software and OSS in particular
Again not at all! I wasn't considering OSS philosophy, was just having a little rant. Since I mention that it was GPL'ed I should've realised that the source would be made available and I could build it from there. http://www.smoothwall.org/get/build.html
Wow, this posting thing could get addictive! I think I first need to work on my paranoia and defensiveness a bit though. ;-)
-
Re:Red Hat 8 on P90....
At risk of sounding like a shill, I have to disagree with you about SmoothWall. Although I haven't actually tried to install their software yet (it's on my list of things to do), unless their manual is a complete pack of lies (which I don't think it is), I'm not sure how they could have made it simpler. I think perhaps what you were trying to do is something that's just outside the intended use. They're pretty upfront about the fact that the CD-ROM installation option is the easiest way to go, and that if you can't do this the network or floppy installs are more complicated.
Personally I much prefer their method of distribution and philosophy to some other OSS projects' who are inclined to give the user a tarball and vague instructions to "figure it out." While that's fine for a hobby project, it's a crummy way to make a product -- even one you're giving away for free.
SmoothWall isn't a piece of software in the same way a regular application is; it's really an operating system / distro that turns an old box into a dedicated appliance. So the distribution methods that might be convenient for software aren't necessarily as suited to it. One of the reasons I bookmarked SmoothWall's page though is specifically because of the way they give you a straight install ISO, no screwing around with compiling or configuring anything. If it was a tarball, I wouldn't have given it a second glance, such has been my experience installing software from source. (I'm actually pretty sure that it is available as a tarball also, here.)
I understand this probably boils down to some very basic disagreement over the philosophy of software and OSS in particular, but I think StoneWall is an example of how a project ought to operate: producing a relatively easy-to-use, robust, single-purpose product, which is both 'Free' and 'for free,' to the public.
It's something of a pity that they charge money for the version that lets you install over an RS232 serial connection, so you can't do a true headless install with the free one, but I guess they have to support themselves somehow. (Also it doesn't do load balancing even in the corporate version, which I found somewhat surprising, although it will do a fallback from a primary to a secondary connection.)