Slashdot Mirror

← Back to Stories (view on slashdot.org)

Captain Crunch's New Boxes, Part II

Posted by timothy on from the whistle-whistle dept.

micsaund writes: "It looks like the infamous Captain Crunch has been toiling away for 3 years on a firewall now known as the Crunchbox. It runs OpenBSD and is administered via a web-based interface. Steve Wozniak is quoted as saying it's 'next to un-crackable.' Check it out at ShopIP. The Register also has an article on it. As an aside, since the Linux Router Project (LRP) appears to have been sold-out and GnatBox is a tad expensive, is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?" We mentioned Draper's venture into firewalls last year, but there's been some progress since then.

20 of 414 comments (clear)

  1. Free Firewall by L053R · · Score: 3, Informative

    Check Out www.bbiagent.com cool, free, easy to use...

    --
    L053R
  2. Smoothwall by ViceClown · · Score: 4, Informative

    Installs in a snap, free download, stupendous interface, good support. I've used it for months now without a hickup. Just my $0.02

    Smoothwall

    Cheers :-)

    --
    Have a Happy.
    1. Re:Smoothwall by GSloop · · Score: 5, Informative

      I've never used smoothwall, and I haven't gotten any support, so I am giving "hearsay" here...

      But, from what I gather, and I have done some searching, Dick (aka Richard Morrell) seems to have a few screws loose. From all accounts, he is cranky and sometimes more than downright nasty.

      His product is FREE though, you should just don your asbestos suit should you go looking for support. (View a few IRC logs etc. to get a feel for how "Dick" seems to view newbies and/or non-paying customers.)

      Frankly, I'd rather do some extra work myself, than deal with people who are unsociable.

      All standard disclaimers, YMMV etc.

      Cheers!

    2. Re:Smoothwall by Anonymous Coward · · Score: 5, Informative

      Well, I'm glad that you had nice experiences, but the general consensus seems to be that good support is a rare thing from Smoothwall (hence IPCop.org, I guess). They certainly carve bold new diretions for customers service! They'll swear at you, not answer emails, and not rarely answer specific questions (instead, cut-n-pastes are regular).

      I'm not willing to post my emails between the developers, I, and other people in the company. I really don't want to be hassled by Smoothwall anymore. The funny thing is that I'm quite sure I'm unidentifable in the masses of people who might say such a thing ;)

      (and this comes from a paying customer of Smoothwall Corp. - not a freeloader).

      I *strongly* recommend any other distro. I didn't think customer service mattered much until I found a bug in their product and wanted them to fix it.

    3. Re:Smoothwall by xtremex · · Score: 3, Informative

      Dick Moran is an asshole. I once asked him on IRC how I can upgrade software on the firewall myself, I got flames to no end, and my IP banned from the IRC server.

      --
      If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
    4. Re:Smoothwall by TellarHK · · Score: 4, Informative

      Yep, Morrell is definitely someone to watch out for. He threatens, harasses, and insults practically anyone that doesn't tell him Smoothwall's the greatest thing since using the GPL as a way to fork off to a commercial product after getting overenthusiastic community ego boosting.

      He's gone so far as to make legal quasi-threats against me and other critics of his treatment of Smoothwall users. He's driven away enough developers that the IPCop project was formed and seems to have done quite a good job at proving themselves to have intentions of being more than just another forked project. IPCop has performed just wonderfully for me since my abandonment of Smoothwall.

      For the morbidly curious, I have an archive of my emailing back and forth with Richard on this webpage.

      --
      My own pointless vanity vintage computing page
  3. LRP "sold out" ? by maggard · · Score: 4, Informative
    How so? They took offerings from VA Linux?

    The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.

    Was there any reason for this possibly very damaging statement?

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
    1. Re:LRP "sold out" ? by slamb · · Score: 5, Informative
      The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.

      Was there any reason for this possibly very damaging statement?

      Yeah, because at the linked site:

      • There have been no releases since 0.9.8 on 12 Sep 2000 (a year and a half).
      • The only news since then has been three seperate sponsers (Cyclades, VA, and Sangoma). It's not clear what the money is being used for.
      • The mailing list archives, give 404s on the -devel list. Only the users list seems to be active.
      • The "unstable" directory on the site contains only (besides the 0.9.8 release) a few kernel patches made to 2.2.19 in July of 2001.

      On the other hand, this site seems quite active. I'm not sure what their relationship is.

    2. Re:LRP "sold out" ? by zsazsa · · Score: 5, Informative

      linuxrouter.org is no longer the center of "Linux-firewall-on-a-floppy" development. It's been seldom updated for several years now; the only important thing on it being the mailing list. The site even apologizes for its own lack of maintenance: Unfortunately most all of the LRP docs at this site are painfully out of date. The LRP still is the basis of most Linux floppy distros, albiet heavily modified.

      Instead of linuxrouter.org, the real hotbed of development these days is the LEAF site, LEAF standing for Linux Embedded Appliance Firewall. The steinkuehler.net site you mentioned is a part of LEAF, hosting the Eiger/Dachstein distributions. Unfortunately the linuxrouter.org project doesn't point the way to LEAF. I only found out about it by following the mailing lists.

      Ian

    3. Re:LRP "sold out" ? by GlobalEcho · · Score: 5, Informative

      I wrote what was once widely appreciated as the most useful howto for using LRP. It is now woefully out of date, and I recommend Eigerstein or Dachstein, which are so well-designed that they don't need that kind of detailed documentation.

      I can shed a little more light on the middle-recent history of LRP and LEAF. Two years ago, LRP was indeed the center of all linux floppy firewall/router activity. However, people were starting to innovate, and Dave Cinege (who owns the domain name) never seemed to find the time to update his own work or incorporate that of others. It was a running joke on the mailing list. It would not have been much work for Dave to at least put up links to the sites documenting and extending LRP, but it never seemed to happen.

      For a while, linuxrouter.sourceforge.net (now changed to leaf.sourceforge.net) was a repository of all the extra work. Before that everything had been on a crazy collection of obscure personal websites (like mine).

      Dave promised major updates to LRP, and then gave up on LRP and decided a completely new, cool project was necessary. This was around the time Tim McVeigh was executed, which Dave considered the murder of a hero or prisoner of war. Without getting into politics or morality, I merely note that it was the last straw for many people, who made a complete split and formed LEAF. I presume it was the rancor behind this split that keeps Dave from mentioning LEAF on his website.

      Unfortunately, if you type "linux router" into Google, LEAF shows up way down the list -- maybe 20th.

      IMHO, the people working on LEAF are dedicated and impressive. It remains far and away the best floppy-based router/firewall available. It is certainly the most actively maintained.

  4. FreeSCO by groove10 · · Score: 4, Informative

    That's what I use on my little NAT/Gateway thing at home. Works like a champ. Web-based config + many other add-ons for this floppy distro. More put together than LRP IMHO. Check it out at: freeSCO.org. The dicumentation is pretty good, although it may not be as secure as other distros.

    --
    MMORPG fan-boy? Prove your worth
  5. LinuxMandrake SNF by DCowern · · Score: 3, Informative

    Single Network Firewall... runs off of a 2.2 kernel, easy to set up, and runs off a "slick web based interface". You can download the ISOs for free off their website.

    Some linkage:

  6. Coyote Linux by servoled · · Score: 4, Informative

    Note sure if this qualifies, but it is a neat little floppy disk distribution that does nat. Check it out at http://www.coyotelinux.com/.

    --
    "I have a porkchop, you have a porkchop. I have a veal, you have a veal".
  7. Clarkconnect by Anonymous Coward · · Score: 5, Informative

    I use clark connect for my firewall. Its linux based wit a web admin, it displays usage reports, bandwidth graphs. Does nslookups and whois on people who try to hack you. Even displays "12.12.12.12 tried to use Code Red 2.0"
    Also includes CUPS for printing.Samba for file sharing. OpenSSH and the web based admin uses ModSSL so its all encrypted.

    Its frickin awesome! Is built from Redhat 7.2 and accepts all Redhat 7.2 RPMS.

  8. Gnat box has a Free 5-user version by young-earth · · Score: 5, Informative

    works great, easy to set up, floppy only, works on >= 486 machines. I've never seen it go below 98% idle on a 100MHz P5 with 5 hard-working machines filling a 768Kbps DSL line. You can pay $50 and get a DMZ added on to the free version, same price for a VPN license.

    Download it from here. This is a BSD based firewall, but no shell, nothing for a cracker to get onto it. Uses SSL web access (new in later versions) or a Winblows client for configuration.

    Oh and one point that is heavily stressed in their marketing material - it's ICSA certified.

    There is a small version for ~$750 street price that gives 25-user version with DMZ, no moving parts, runs off 12VDC.

    --
    Got Wisdom?
  9. Astaro Security Linux by lethalp1mpslapper · · Score: 4, Informative

    This firewall is free for non-commercial use and has a web interface to boot. I've used this for sometime now. It supports VPN, incoming/outgoing email virus scan, IP accounting and routing. It will even update itself on the fly if you want. Here is the link: Astaro Security Linux

    P.S. - I don not work for these guys, I am just impressed by what they offer.

  10. A few firewall linux based distros by Dacmot · · Score: 4, Informative
    1. Freesco which I personnally use on a 486/dx2 with 8mb of ram. It has many functionalities like remote access, dhcp, dns, print server, firewalling, masquerading, bridging, support for many ethernet cards and best of all fits on a floppy (no HD required, but possible to do a HD install) Works like a charm and very easy to setup... almost plug and play (although not like windoze's plug and pray)
    2. Coyote Linux which seems to offer a few more features than freesco, but requires 12mb of ram. Again, fits on a floppy.
    3. SmoothWall which seems to be more of a feature complete firewalling solution includes web-based admin, proxy server and much more. It's larger (30MB or so) but seems fairly easy to use.
  11. Re:SINCE WE'RE ON THE SUBJECT... by kir · · Score: 3, Informative

    OK... apparently, I am a moron... well, maybe not a moron, but LAZY. I got off my arse and did some poking around. Look what I found.

    I found a few application level proxies -

    OpenGateKeeper H.323 Proxy

    ftp.proxy - This looks very well done.

    smtp.proxy - done by the same guy as tcpproxy below.

    For the generic tcp proxy -

    nportredird - This looks very promising.

    aproxy - looks a little too simple, but it's perl! (English can be found via babelfish.)

    tcpproxy - This one seems the most complete and designed for a firewalling environment.

    I found a whole slew of different app "level" proxies (Quake, POP3, etc.), but most seemed a bit basic. Some of the POP3 ones were cool (proxy auth support).

    I was not able to find a good udp proxy - with multi-source/multi-destination (proxy with an ACL). I've a small local port udp redirector (I have no idea where I got it) that I use on my home network, but it's not something I could use at work. So... there ya go.

    --
    3cx.org - A truly bad website.
  12. Summary of mentioned firewalls, and a question by Anonymous Coward · · Score: 5, Informative
    It looks like a lot of the Linux-based firewalls I've seen recommended here use ipchains with the 2.2 kernel instead of iptables with the 2.4 kernel. As far as I understand, this would mean they can't do connection tracking for things like FTP and IRC. Here's what I'm able to figure out so far...

    Firewalls using iptables with 2.4.x kernel:

    Firewalls using ipchains with 2.2.x kernel:

    Firewalls using ipfwadm with 2.0.x kernel:
    • Freesco: ipfwadm, 2.0.38 (!)
    • FWTK: Dunno, looks old, mentions ipfwadm

    My question is, isn't it best to use an iptables-based firewall on a 2.4.x kernel instead of an ipchains- or ipfwadm-based firewall on a 2.2.x or 2.0.x kernel? I definetely want the connection tracking capabilities in the 2.4.x kernel, especially for screwy things like FTP, IRC, etc. (Yes, I know there is an IRC connection tracking patch out now for 2.4 kernels...) Is a kernel that doesn't support connection tracking for firewalls a reasonable option these days?
    1. Re:Summary of mentioned firewalls, and a question by GlobalEcho · · Score: 4, Informative

      Linux firewalls and NAT routers were able to handle FTP and IRC at least as far back as the 2.0.x series kernels, using kernel modules that I assume basically forced state tracking on these types of connections. Other modules handle all the other major protocols like this (e.g. RealAudio).

      LEAF/LRP/Dachstein do so automatically. I assume most if not all of the others you cite do so as well.

      So, to answer your question, the answer is "no". Lack of support for connection tracking is indeed unacceptable. But 2.0.x and 2.2.x have tracking after all, at least where it matters.