Captain Crunch's New Boxes, Part II
micsaund writes: "It looks like the infamous Captain Crunch has been toiling away for 3 years on a firewall now known as the Crunchbox. It runs OpenBSD and is administered via a web-based interface. Steve Wozniak is quoted as saying it's 'next to un-crackable.' Check it out at ShopIP. The Register also has an article on it. As an aside, since the Linux Router Project (LRP) appears to have been sold-out and GnatBox is a tad expensive, is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?" We mentioned Draper's venture into firewalls last year, but there's been some progress since then.
that you don't have a modem in your crunchbox
:)
Can you get into it?
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
How many backdoors are there in it?
Check Out www.bbiagent.com cool, free, easy to use...
L053R
me too.
Installs in a snap, free download, stupendous interface, good support. I've used it for months now without a hiccup. Just my $0.02
:-)
Smoothwall
Cheers
Have a Happy.
The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.
Was there any reason for this possibly very damaging statement?
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
That's what I use on my little NAT/Gateway thing at home. Works like a champ. Web-based config + many other add-ons for this floppy distro. More put together than LRP IMHO. Check it out at: freeSCO.org. The documentation is pretty good, although it may not be as secure as other distros.
MMORPG fan-boy? Prove your worth
Sorry, he's done some great things in the past, but what the hell does Steve Wozniak know about computer security?
Single Network Firewall... runs off of a 2.2 kernel, easy to set up, and runs off a "slick web based interface". You can download the ISOs for free off their website.
Some linkage:
next to un-crackable
What does Steve Wozniak have against Captain Crunch? we all know what happened to Oracle when they made similar claims.
Follow me
Looks like it's /.'d already, so use the power of the google.
Not sure if this qualifies, but it is a neat little floppy disk distribution that does NAT. Check it out at http://www.coyotelinux.com/.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
Why do you say the LRP has been sold out?
I use Clark Connect for my firewall. It's Linux based with a web admin; it displays usage reports and bandwidth graphs. Does nslookups and whois on people who try to hack you. Even displays "12.12.12.12 tried to use Code Red 2.0".
Also includes CUPS for printing, Samba for file sharing. OpenSSH and the web based admin uses ModSSL so it's all encrypted.
It's frickin' awesome! It's built from Redhat 7.2 and accepts all Redhat 7.2 RPMS.
Smoothwall has been doing the job for me for ages... Only a 20 meg download for the ISO and you install the system off that... It's pretty cool!
these machines will be given away in packets of cereal within the year ;) and you'll be able to access a trunk line with them!
free (as in mp3s) electronic music
works great, easy to set up, floppy only, works on >= 486 machines. I've never seen it go below 98% idle on a 100MHz P5 with 5 hard-working machines filling a 768Kbps DSL line. You can pay $50 and get a DMZ added on to the free version, same price for a VPN license.
Download it from here. This is a BSD based firewall, but no shell, nothing for a cracker to get onto it. Uses SSL web access (new in later versions) or a Winblows client for configuration.
Oh and one point that is heavily stressed in their marketing material - it's ICSA certified.
There is a small version for ~$750 street price that gives 25-user version with DMZ, no moving parts, runs off 12VDC.
Got Wisdom?
This firewall is free for non-commercial use and has a web interface to boot. I've used this for sometime now. It supports VPN, incoming/outgoing email virus scan, IP accounting and routing. It will even update itself on the fly if you want. Here is the link: Astaro Security Linux
P.S. - I do not work for these guys, I am just impressed by what they offer.
Get the Google mirror here: http://www.google.com/search?q=cache:9eTg0-gz5L8C: www.shopip.com/+&hl=en.
"I'd dare to say, next to uncrackable, is crackable."
Dr. Nonsense, cofounder of the Nonsense School of Journalism and PR.
Not quite GPL'ed, but a nifty single-disk solution. I liked it better than LRP since it has built in support for PPPoE, important to us Verizon lusers.
-- Is "Sig" copyrighted by www.sig.com?
Uncrackable, perhaps...
UnSlashdotable, hell no!
Burn, baby burn!
On another note, I wonder if a good slashdotting could be considered ddos in court?
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
He spoke at UIUC's Reflections/Projections conference last year, and he showed us a bit of the Crunchbox. As far as we could tell, it was essentially a box with snort running to drop packets from anyone who tried an attack. Secure, yes, but also overly paranoid for most systems. Also, it pulls the CVS snort rules daily, so that's a potential weakness. It looked like it allowed you to view changes to the rules, but you didn't have to approve them in any way. I wasn't impressed.
I blew real hard and couldn't get a tone out of the damn thing.
-Kevin
is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?
Yeah. It's called "stealing a copy of Firewall 1 from work". Sometimes you have to spend money for things.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
When friends want to share a cable modem I usually go over to the local computer surplus sale and get 2 PCs that have NICs in them and a HDD and install freesco.
It is based on an old kernel, and doesn't have socks so not everything will work, but it's easy to set up and even an idiot can use the web-based panel.
For a super low hassle setup I'd recommend it. It goes right onto an ex DOS PC, no re-formatting or anything.
+++ ATH0 +++
Give IPCop a go. Very similar to Smoothwall without the "attitude" that some people suffer from.
Fast, reliable, application level proxies - with the ability to log at different levels (and run on linux).
Where can these be found?
Both generic tcp/udp proxies and application aware "smart" proxies (i.e. H.323, NetMeeting, RealAudio, etc.). I know a lot of this functionality exists in the kernel, but I'd love to have proxies for those pesky protocols that decide on random high ports. If it could see and understand the "conversation", it could then, on the fly, proxy the appropriate (randomly selected) ports.
If I am completely missing something here (i.e. I'm a moron?!), let me know. I can take it. I think??
3cx.org - A truly bad website.
From the page at iShop.com:
The latest attack signature libraries can be automatically updated from a centralized source of the computer security community.
I am certainly not a security expert, but this seems like a potential weak point. If they can automatically change the rules the firewall uses, then in theory someone else could as well, if they cracked the update protocol.
Does anyone know how they protect these updates so that they can't be intercepted and broken?
Sailing over the event horizon
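Two posts above raise the same worry from different angles: rules pulled daily and applied with no approval step, and an update channel that could be intercepted and "broken". As an added example (not ShopIP's, Snort's or any vendor's code; the manifest format, the key handling and the sample rule are assumptions), here is the check a firewall can run before it stages a fetched rules bundle: the manifest must verify against a publisher key pinned on the box, the payload must hash to the digest in that signed manifest, and the version must move forward so an old genuine bundle cannot be replayed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Update is a rules bundle as it arrives from the update server: the rules
// payload, a short manifest describing it, and the publisher's detached
// Ed25519 signature over the manifest. The payload is bound to the signature
// by the SHA-256 digest the manifest carries. (Constructed format for this example.)
type Update struct {
	Payload  []byte // e.g. a Snort rules tarball
	Manifest []byte // "version=<n>\nsha256=<hex>\n"
	Sig      []byte // Ed25519 signature over Manifest
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrDigestMismatch = errors.New("payload digest does not match the signed manifest")
	ErrStaleVersion   = errors.New("manifest version is not newer than the installed one (replay?)")
)

// parseManifest reads key=value lines into a map.
func parseManifest(m []byte) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(string(m), "\n") {
		kv := strings.SplitN(line, "=", 2)
		if len(kv) == 2 {
			out[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return out
}

// VerifyUpdate checks a fetched bundle against the publisher key pinned on the
// firewall and the version currently installed. It returns the new version only
// if the signature verifies, the payload matches the signed digest and the
// version moves forward; anything else is discarded, never staged.
func VerifyUpdate(pub ed25519.PublicKey, installed int, u Update) (int, error) {
	if !ed25519.Verify(pub, u.Manifest, u.Sig) {
		return 0, ErrBadSignature
	}
	f := parseManifest(u.Manifest)
	want, err := hex.DecodeString(f["sha256"])
	sum := sha256.Sum256(u.Payload)
	if err != nil || !bytes.Equal(want, sum[:]) {
		return 0, ErrDigestMismatch
	}
	v, err := strconv.Atoi(f["version"])
	if err != nil || v <= installed {
		return 0, ErrStaleVersion
	}
	return v, nil
}

// MakeSignedUpdate plays the publisher: it builds and signs a manifest for the
// payload. In a product this runs offline on the vendor's signing host.
func MakeSignedUpdate(priv ed25519.PrivateKey, version int, payload []byte) Update {
	sum := sha256.Sum256(payload)
	manifest := []byte(fmt.Sprintf("version=%d\nsha256=%s\n", version, hex.EncodeToString(sum[:])))
	return Update{Payload: payload, Manifest: manifest, Sig: ed25519.Sign(priv, manifest)}
}

func main() {
	// Constructed publisher key pair. On a real appliance only the public half
	// is present, pinned at build time; it is never fetched along with the update.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample rules payload.
	rules := []byte("alert tcp any any -> $HOME_NET 80 (msg:\"constructed sample rule\"; sid:1000001;)\n")
	good := MakeSignedUpdate(priv, 42, rules)
	v, err := VerifyUpdate(pub, 41, good)
	fmt.Println("genuine bundle:", v, err) // 42 <nil>
	// Tampered in transit: the signature still verifies, but the digest no longer matches.
	tampered := good
	tampered.Payload = append([]byte("#"), good.Payload...)
	_, err = VerifyUpdate(pub, 41, tampered)
	fmt.Println("tampered payload:", err)
	// Replay of an older, genuinely signed bundle: rejected by the version check.
	_, err = VerifyUpdate(pub, 42, good)
	fmt.Println("replayed bundle:", err)
}
```

A verified bundle should still land in a staging area for the operator to review and approve, which is the step the conference demo described above was missing.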
Steve Wozniak is quoted as saying it's 'next to un-crackable.'
...and as soon as the story was posted, the screen read "j00've b33n h4x0r3d" and nature once again revealed its irony.
the server is lagged as hell, if it cannot protect against the slashdot effect, the single greatest denial of service attack known to the internet... is it really worth all the money on the page I can't even access to buy it?
a bit more about me http://www.advogato.org/person/trelane/ or my private page http://trelane.net
I do believe that everyone who usually writes "just my $0.02" on slashdot should change their comment to something a bit more universally understood. Perhaps: "just my 4 pages" ?
Just my 4 pages.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
It's a great way to make that ole' Packard Bell 486 come back to life!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I hate to be a prat, but what's the point of adding a web-based interface to OpenBSD. The whole OS is damn easy to set up - the man pages are idiot proof and the documentation on installation is wonderful. There are some rough spots that look a bit difficult if you don't have OpenBSD's documentation on hand - so keep another computer nearby to browse the web and man pages.
Hints:
Buy the OpenBSD CD - they are bootable and support the project.
Learn a bit of VI beforehand for editing those text files - of course other editors are available but VI comes built in.
Other hints:
Trust Theo and his friends to get the operating system secure - not a has-been cracker cashing in on name recognition.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
I've tried several different types of Firewall distros. Coyote, Smoothwall, that Mandrake one, etc. I finally settled on Freesco, because it runs off the FAT32 filesystem. All of the other ones are based on non-journaling filesystems (Ext2). And my electric goes out quite frequently.
Please check out ClarkConnect... it's a great little firewall based on RedHat 7.2. It gets regular updates, and has an active user community.
OK. The interface isn't slick.
...but a solid firewall.
http://www.fwtk.org/main.html
There's still a lot of support and I believe an active mailing list.
I put one together 5 years ago, and the company I work for still uses it for their mailing host.
Interface? There is none. But it works pretty damned good if you're willing to spend 1 day understanding how it works.
Not a bad deal.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
My bad.
Here is the correct link.
My own pointless vanity vintage computing page
http://www.ipcop.org/
It started as a fork of SmoothWall (without the attitude) and has grown steadily since.
I encourage everyone to check it and the mailing lists out!
SIGLOST && SIGUNUSED && SIGQUIT
You have exhausted your use of the '*' key! If you use it again, your computer will let out high doses of radiation aimed at your manhood. Luckily for human kind this would rid your strain from the genepool! Have a nice day!
Platinum Networks Hosting www.platinum-networks.com
Now I have to go find every BBS archive that has my G-Phile with box lists and update them.
LRP hasn't sold out. Check out http://lrp.steinkuehler.net. The latest version is only 3 months old, and comes in CD form.
I was grocery shopping today. I noticed that the elephant is no longer on the peanut butter cap'n crunch. And that 'thing' is no longer on the crunch berry box. I figured the first link in this story would go here. Nope. Just some boring hacker crap.
(and for those keeping score, I am in fact blocking timothy's articles from the front page. I came here after seeing the headline on another site.)
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Seriously: check out the Reg® at http://www.theregister.co.uk/
It's an excellent news source, with a British/European focus, it's extremely well-written, and covers a lot of stuff that most of the people who read *^H (oops: not supposed to do that ;-) this place would probably find interesting.
If conservation of bandwidth is your gig, check out the USA version at http://www.theregus.com/
It's a little different in content (less British focus..) so I personally find it a little less interesting..
t_t_b
I'm on PJ's "enemies" list! Are you?
Yes, but olds are what people pay for from news services. Think about it. CNN - reports stuff people already know, but tries to make them feel good about it. NBC - does the same. Practically any newspaper - same.
Occasionally they include some true news, but then again, so does Slashdot.
If anything, Slashdot is about as bad (good?) as most "reputable" news sources. IOW, they fuck up on a regular basis, report on things that are out-of-date, and spin stories to fit their personal biases.
Go figure, they're human. I dare you to do better.
LRP has been superseded by the LEAF project at http://leaf.sourceforge.net. I'm running a current LEAF distro (Oxygen) and it's rock solid. There are quite a few different flavors, depending on your needs and experience level.
From the LEAF site:
Last Oxygen release was about 2 weeks ago. Karma: Marginal (mostly due to the border around the website)
I bet some enterprising 15 year-old nicknamed "Captain Furby" will find that the 8156khz sound of a Furby's voice produces the perfect pitch to crack the "Crunch Box".
Ergonomica Auctorita Illico!
IPCop now is using Ext3. See features of V0.1.1. 2.4 Kernel and IPTables in V0.2
From now on it'll be <strong>strong tags</strong>
How's that?
t_t_b
I'm on PJ's "enemies" list! Are you?
It is a full linux distribution, based on redhat 7.2, and is your typical linux firewall/router, but also comes with Snort, SSH, Junkbuster, Apache, proftpd, samba, cups, webmin, MRTG, etc.
The interface is web-based or commandline-based.
I am currently running it on a 486-66, 20M ram system, and the routing is very quick (I don't notice any slowdowns at all), but administration is a bit slow with this old box.
I'd highly recommend it.
Although I do reserve the right to use an asterisk in an expletive, as I did in the offending passage, above, by replacing the vowel with a star to soften the full weight of my choice of words...
t_t_b
I'm on PJ's "enemies" list! Are you?
If you can read Japanese (and if you can't just look at the pictures), how about OpenBlockS?
It's tiny (look at the picture about halfway down the page to get an idea of how small it really is - those are RJ-45 ports), runs Linux, and you can fit it with a HD if you really want to (although I don't see why you would).
The Trinix distribution seems like a powerful way to do this also. The homepage is here ...). I haven't tried it yet myself as I am currently running the LRP distro without a problem.
Trinix
It is intended as a network analysis tool, but it has all the cool features (OpenSource, runs entirely in RAM, floppy boot, etc.)
This is an amazing thriving project with multiple branches. The coordinating web site is http://leaf.sourceforge.net/. The original poster couldn't be more wrong about its demise.
check out astaro firewall at www.astaro.com.
it is a linux based firewall solution with vpn & virus scanning support. it's the most comprehensive firewall package that i have seen (and that is freely downloadable).
astaro includes implementations of other security related products (swan, etc) all in one package. definitely worth a try.
IPCop works just like Smoothwall for now. The next version has some incredible features that will take you to places you can only go with Smoothwall if you're willing to pay, if you can go there at all. Plus, the support is quick and friendly.
I use IPCop at home, at work and set it up for friends and couldn't be happier.
It has IDS, VPN, a web proxy...eh, I could go on and on. Go check out the page!
Long live IPCop!
SFNative
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nothing exceeds like excess
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sheesh! :)
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
(this post isn't worth modding so don't)
I called the number on the site to find out the price because it wasn't listed.
One of the developers picked up the phone and told me all sorts of stuff about the firewall including the price and then, when I told him that his product was on /. he freaked and said "Oh no! Our site is getting /.ed guys!!".
Way to go /.ers!
The FAQ devotes 32 of 88 pages to how to correctly interact with the community, with such topics as "On Not Reacting Like a Loser" and "RTFM and STFW: How to tell you've seriously screwed up."
Furthermore, the remaining 56 pages are liberally sprinkled with the same: "Asking this question on the mailing list or IRC will inevitably result in the verbal equivalent of being hit round the head with a baseball bat. The answer is NO."
While I appreciate the sentiment of these statements, devoting nearly half of the document to this topic might be a little overboard.
Agreed...the writing in the Register is too lurid for my tastes. I prefer having my Register stories filtered by other /. readers.
"It takes 9 months to bear a child, no matter how many women you assign to the job."
Firewalls using iptables with 2.4.x kernel:
Firewalls using ipchains with 2.2.x kernel:
Firewalls using ipfwadm with 2.0.x kernel:
My question is, isn't it best to use an iptables-based firewall on a 2.4.x kernel instead of an ipchains- or ipfwadm-based firewall on a 2.2.x or 2.0.x kernel? I definitely want the connection tracking capabilities in the 2.4.x kernel, especially for screwy things like FTP, IRC, etc. (Yes, I know there is an IRC connection tracking patch out now for 2.4 kernels...) Is a kernel that doesn't support connection tracking for firewalls a reasonable option these days?
This kinda seems like PicoBSD a free, small BSD dist for this purpose... along with others.
God save our Queen, and Heaven bless The Maple Leaf Forever!
The emBSD Firewall seems to be right on track, and you can download it right now. I've not tried it, but it runs off a 32MB Compact Flash.
What were the skies like when you were young?
Coyote Linux has one of the easiest installers. It even installs from windows.
http://www.coyotelinux.com/
But if you run it through GRC's Shields Up at: http://grc.com/default.htm
You will see closed ports on the default firewall ruleset.
Might I suggest FrazierWall Linux. It is a fork of Coyote and LRP, but with better default firewall rules, and a built in web server for local firewall status information. And it will even e-mail the firewall logs to you.
http://www.frazierwall.com/
Plus it passes both the Shields Up and Sygate Scans : http://scan.sygatetech.com/
with stealth mode almost everywhere.
I did have some problems with the initial install. I looked in the config files from Coyote to get things straight with FrazierWall. Other than that, FrazierWall is a well done firewall.
dp
The modified RedHat distribution previously known as e-smith (now SMEserver) is available for free download at http://www.e-smith.org (follow the download link). It includes pretty good ipchains based firewalling, even when configured to run as a server and internet gateway on the same machine. If you haven't seen e-smith, it is basically an office-in-a-box providing internet NAT routing and all the usual server functions with administration through a web interface simple enough that you can let someone else do it all. They have been purchased by Mitel who sells service related to the software - if you visit the http://www.e-smith.com site (instead of .org) you won't even see the free download mentioned.
I might as well blow my own horn...
http://www.frazierwall.com
It is an LRP floppy distro that is customized, runs a 2.2.18 kernel, supports most NICs, and has a thttp web interface with tons O'info about your hardware, network, and connections.
It also mails firewall blocking logs daily, provides a network time service for your LAN and has a user oriented interface.
Their webpage says:
"Evaluate our demo at:
https://demo.shopip.com"
But I don't get a connect, has it been cracked already?
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Are there any packages for Debian or RedHat that provide firewall functionality easily?
For a real FREE firewall go to http://www.ipcop.org and download a firewall that's easy to set up, has a great Administration manual and a FREINDLY user list for those special problems. I used to use that other firewall but got tired of reading how I wasn't supposed to ask for support because I didn't freaking buy his corporate product, thing is I was GOING to buy the Home Server when it came out but now I've moved on to a better producy with freindly support. Michael T
Don't blame me, I didn't vote for him! Then again, neither did a lot of other people. Linux User #228869 on Machine #1475
but I wonder if it stuff cuts the roof of your mouth :D
and yes I know friendly is spelled wrong twice and I meant product not producy. SmoothWall support still sucks. Michael T
Don't blame me, I didn't vote for him! Then again, neither did a lot of other people. Linux User #228869 on Machine #1475
Well dude, I guess you got the publicity you were looking for ;-)
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
> IPCop now is using Ext3. See features of V0.1.1.
:)
As is SmoothWall Corporate Server, and as will the next release of the free version of SmoothWall.
> 2.4 Kernel and IPTables in V0.2
should be interesting to see just how much breaks when you do that Jack
neuro at well dot com (when I post, it's my opinions, no-one elses)
It may be unbreakable but looks like it is slashdottable.
...No more Soggies!
Donate background CPU time to fight cancer.
Mandrake Single Network Firewall - http://www.mandrakesoft.com/products/snf . Simple to install, and simple to maintain. The latest version, which is still in 'Cooker', uses shorewall - http://www.shorewall.net and can be installed from the Cooker Beta ISO simply by selecting the 'snf' package only.
-- I care not for your foolish signatures.
I dare you to do better.
Most real sources actually have the decency to RETRACT incorrect stories.
yes, thank you for stating what i was going to say.
i'm glad your response was modded up. I am quite satisfied with the level of activity on LEAF. We are going to move to a recent version of Oxygen in the near future. And the reason for doing that is to be able to run Seawall as a firewall on our 'embedded' boxes.
What? A free packaged firewall. This I think fits that question like a glove.
emBSD based firewalls are built on OpenBSD. Right now there is a 1.x line of emBSD which is built on OpenBSD 2.9, and there is a 2.0 emBSD beta which is built on OpenBSD 3. It is built to be a hard core firewall/router running from 32 megs of flash memory. I'm running LRP on a few systems (some floppy, some from IDE based solid state disks). I plan to migrate my LRP systems to emBSD 2.0 when it comes out of beta.
It's always interesting to see people so quick to attack an author of security-related software when they ask how to essentially "de-secure" the product!
I mean, honestly, it's probably a little "over the top" to ban your IP over the question -- but looking at it from the author's side for a minute; You're basically trying to modify the package to suit your specific needs. If you do this, you run a risk of introducing new code that's untested as to the level of security inherent in it. If the author helps you do these modifications, and then your box gets hacked later, how do you think that reflects on his original product?
Richard Morrell may have his share of attitude problems, but I don't think this is really a fair one to use against him. Firewalls are *not* supposed to run other services. People keep trying to add ftp, printing and Samba file sharing services to Smoothwall, among other things - and it's just a BAD idea.
Eh... I remember in the "good old days" of computing (when the Commodore 64 ran most of the BBS's out there, and people had fights over which platform was best: Tandy, Commie, or Atari), Woz was pretty well-regarded in the phone phreaking and system hacking communities. I don't think it was necessarily because anyone thought he was really good at it, but more because he had "celebrity status", yet still kept friends in those circles.
I even remember getting called up, late one night, and added to a huge conference call that a phone phreaker set up. Woz was in the call, along with a lot of regular attendees of the 2600 group meetings and so forth. (It's been years now, but I believe they hacked a code for a conference calling service called "Alliance", and they were trying to see how long they could keep the call going -- adding new participants as other people got off the phone.)
I don't even recall what the topic of discussion was, but I don't think it was anything substantial. Pretty much just a lot of "Oh wow, cool - so who's all in here tonight?" and misc. chit-chat.
I looked at Clarkconnect, but I refuse to run it. Why? Because honestly, what kind of serious firewall product also leaves all those other services running? What's the point in protecting your systems and data behind a firewall, when at least some of your important files and servers *are* the firewall? There's no line of defense in front of your print server, file server, etc.
Let's say you have a good product and you want to get it endorsed. Bring it to a business guy, and he'll say: "This box is uncrackable. It's totally secure and cannot be compromised."
Bring the same thing to a well-respected engineer and he might say: "It's darn near impossible to crack. Hey, nothing is impossible, and there's always a risk, but this product is as good as it gets."
Too bad only the first endorsement would ever help sell the product.
Too big to fail? Does that make me too small to succeed?
Yes, smoothwall is good, and yes, Clark Connect is even better. I haven't tried this Freesco thing, but I'd have to say it may not serve you if you want to have more services than the average router. If you look in the nearly unnoticeable corner of the web you'll find the "shop" with the real beauty - the Start-up server. This is a router with a lot of interesting features, including a console menu system called "smat" that lets you do everything you need, and which, I might add, is highly configurable because it's written in Bash (you also get webmin). It's also based upon Slackware, so you get to download any of its packages if you need them. The one feature I particularly like about this distro is the fact that it uses the keyboard LEDs (num, caps, and scroll) as status indicators for the network, so you don't have to plug in a monitor to troubleshoot the connection at the source if anything goes wrong.
Mod me down and I will become more powerful than you can possibly imagine!
floppyfw is a sweet deal. 1 floppy. easy config. i've got mine set up to do dhcp for the internal network and everything. very nice.
----
All of whose base are belong to the what-now?
Here is a google cache of the page with the specs.
If we don't make light of everything, we are just stumbling in the dark - Blank
Why couldn't he say it like YOU did??? I wanted to upgrade a process running on the server. Just a simple question. It didn't have an ftp client, so I asked if there was a way for me to upgrade a package..he didn't even ANSWER the question. He said "*I* made this damn product, and if you don't like how it's made, go fuck yourself", and then kicked me out of the channel and banned me (this was a while ago). I could take a flame if it's deserved, but this just SHOCKED me..it was uncalled for. I still use Smoothwall however.
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
will be Nileswall. :-)
I'm using OpenBSD 3.0 (which means pf instead of ipf for the filtering) and set it up as an ethernet bridge that does firewalling (IE - this sucker has no IP address, and can't be hacked from the outside world - in fact, it's friggin invisible. What a wonderful setup!) The disadvantage for most people, however, is that if you do it this way there's no remote administration. That's fine with me - the firewall machine has monitored physical access (in other words, it's locked in a cabinet that sits in my office :-)
There's some oddness doing it this way, but, it's really worthwhile if you want a machine that can't be screwed with at all. And, vi sucks, but is survivable ;-)
Oddly enough, all the docs I found on doing it this way were for previous OpenBSD versions, which used ipf for filtering. pf and ipf are close enough that the docs for doing it are still pretty close to in date - but there's just a few things that would have to change for it to be correct. A little searching through the pf man pages will show the differences.
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
>> IPCop now is using Ext3. See features of V0.1.1.
:)
>As is SmoothWall Corporate Server
>[smoothwall.co.uk], and as will the next release
>of the free version of SmoothWall.
hmmm. Ext3 under GPL and Ext3 after paying.
>> 2.4 Kernel and IPTables in V0.2
>should be interesting to see just how much
>breaks when you do that Jack
Yes. It should
Charles Williams
PM IPCop Linux
IT Admins Group: Where you decide the content
Haha! I remember being called from Alliance conferences. This was about - 7 yrs AFTER I was "popped". Do you know Adfam Bauman?
:-)
Contact me, King_TJ, I'm sure I know you...
Crunch
Vatican security checked the call with FO though, so he (Pope) never actually answered.
:wq
There is a real nice, stripped clean and naturally free linux distro for firewalls/routers called bifrost. The latest few versions use 2.4-kernels, but they keep a nice annotated back-log of their old distros since 1997. The distro has a fairly clever system for dealing with mobile users (called nomad). It lacks a "click-and-go" wui by design, due to the risk of unnecessary security breaches - in my translation from the Swedish pages - Correct filter rules are preferentially constructed "offline", and transferred by scp. For those who want clickability and colors, we recommend Xemacs for suitable coziness. Imho, that's the way to go (although I zealously use emacs instead).
The guys who maintain bifrost/nomad spend a lot of time on fairly advanced network performance testing with different hardware/driver combinations, so you might want to consider their hardware recommendations as well. For the machines they put together for the Swedish university network, they go with flash-drives for safe (and fast) storage.
If you are curious about the name of the distro, the following helps:
The name Bifrost comes from the nordic mythology, where Bifrost is the bridge between Midgård (The Earth) and Asgård (the home of gods) and is called The Rainbow by humans. It's so strong that it will not be destroyed until Ragnarök - the end of the world. Bifrost is guarded by Heimdall and the red color one can see in it is a flaming fire that prevents the giants from climbing up to Asgård.
> >As is SmoothWall Corporate Server
:)
> >[smoothwall.co.uk], and as will the next release
> >of the free version of SmoothWall.
>
> hmmm. Ext3 under GPL and Ext3 after paying.
which part of "next release of the free version" didn't you understand?
neuro at well dot com (when I post, it's my opinions, no-one elses)
The original document is available on ESR's site, BTW. (If you're interested.)
--
Runnin' around, robbin' banks all whacked on the Scooby Snacks...
From one of the first fellows to bring a RoadRunner client to Linux, Josh Jackson.
This is simply put the slickest stuff going from what I've seen, I actually walked my mom through an install over the phone.
COYOTE LINUX
There is, it appears, a new embedded version; I'll have to look at that.
I've had 2 installs up for over a year, both only ceased functioning once, when the people at their location forgot it was there and unplugged 'em (both places:)
To me something you can truly forget about is the ticket, VPN clients and all....
Sig went tro...aahemmm.....fishing........
... does it come with bells and a whistle?????
I can understand Steve's misdirected trust for John "Captain Crunch" Draper, but are there any network administrators out there who would stake their reputations, and possibly their jobs on a firewall written by this guy? Having reviewed code written by this man, I believe I am accurate in saying he should stick to hardware design, and leave the software to the pros.
I have to admit, he is rather good at "networking", but not the sort used in telecommunications. Social engineering skills do not qualify a person for the hairy task of writing an unbreakable firewall, and unless his skills in the hard sciences have dramatically improved in the last 10 years, I figure there will be plenty of opportunities for buffer over-run and DOS attacks in the near future.
Prove me wrong John, put your source in the public domain, under the same open source scrutiny as OpenBSD, and if it is as secure (and not through obfuscation either) as you say it is, I'll sing your praises instead.
Fast machines, powerful AI, impulsive invention,... All I lack is a good espresso machine!
did anyone else notice that there are almost no comments about the box itself, just tons of comments about other Linux-based firewalls?
has anyone ever seen the box, used it, witnessed a demo, anything? or knows some more details, like pricing, which aren't immediately apparent from the website?
if so, please share your knowledge.
Assorted stuff I do sometimes: Lemuria.org
You dumbass, those are options that you have to manually turn on during the installation.
By default it is set up simply as a firewall/router.
Any distro is only as safe as the services its running on open ports. duh.
I looked at Clarkconnect, but I refuse to run it.
You looked at what the package listing on the website?
You obviously didn't "look at" the distro enough to know what you're talking about.
Who in the fuck modded this guy up anyway?
Securepoint is a free Linux 2.4.x based firewall. You can find it at www.securepoint.de. It looks pretty secure to me but it has one drawback: if you want to use the graphical administration software that comes with it you have to have a Windows box; other than that it looks like it could rank right up there with a Checkpoint-1 system. The system is administerable from the console if you do not want to use a Windows box.
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Torvalds
Here's another !!
/. today is great - truly the reason /. exists.
http://www.zelow.no/floppyfw/
The info on
The Reg usually makes for an interesting read
The Inquirer is a good source for AMD/Intel roadmaps and bleeding edge tech news.
Anandtech is not updated that often but they often have the best coverage and reviews of new products and technologies.
I don't visit Toms Hardware often but it is another good source for benchmarks and reviews.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
For those looking for instructions on building a Linux floppy take a look at some documentation I made up while working on my own.
I had not found any good Linux floppy firewall distributions running the 2.4 kernel so I figured out how to do it myself. This document doesn't include the instructions on how to include iptables but I will be adding that soon (it isn't too difficult).
The reason for that attitude is having 100% control, not 100% security. You cannot assume someone is security illiterate and conclude just wanting to be able to change anything is a security vulnerability.
One day, they may find this FW has a vulnerability, and ALL of this firewall will have that one. Because they are all the same.
Bottom line: i think you are plain wrong, though I will agree that anyone security illiterate is better off leaving things as they are.
unfinished: (adj.)
It's not in the freeloader version.
Also, it doesn't have DHCP ("because a firewall is not supposed to do that, and is a security vulnerability.......") so if you use a cable modem or anything that gets the IP from a DHCP server, you are out of luck. There are some ways to add DHCP, but from external parties. But the web interface is not very aware of the fact the IP will change (rule making nightmare).
unfinished: (adj.)
Bad attitudes must be very prevalent among the "security elite" (in the computer industry that is).
Think about it: Darren Reed, Richard Morrell, Theo de Raadt, etc. etc.
They all share common traits: bad attitudes and superiority complexes.
From what I read and understand, Richard Morrell is just a mean wanker, with no justification or provocation. Darren Reed and Theo de Raadt aren't so flamboyant as Morrell. They are pretty understanding, and you can at least communicate with them, unless you are one of the other.
They seem to be stubborn more than anything; however, they have the right to do what they want with their respective projects.
I think the source for all of this is, of course, insecurity (in a personal, non computer related way).
eeeeeeeeeeeexcellent - the AC crowd show their true colours once again! "raping cott deaths"?? isn't this a family show?
neuro at well dot com (when I post, it's my opinions, no-one elses)
Unfortunately the previous poster made the mistake of implying more terrorist incidents were a good thing. But for those of us not isolated from the incidents, the few weeks after 9/11 were the only prolonged periods where I can remember Americans actually caring about people other than themselves.
The original poster's ignorance that Arab=bad is pathetic and on a good day is considered racist. I didn't think the slashdot community was this narrow-minded about anything other than open source.
... and for the record, I live in Manhattan, lost friends and colleagues, and don't condone terrorism.
Ok, bright guy - so you think it's a good programming decision on the part of Clarkconnect and other firewall authors to give the user the option of running server services on top of the firewall??
Of course you can turn the stuff off. The point is, it's misleading to release a security product with the ability to do quite insecure things with it. At the very least, it's bad practice and teaches bad habits.
Show me a single Cisco firewall product with Samba or print services optionally running on it?
After reading the whole introduction written by ESR, my thoughts were "What an overinflated sense of self importance!"
Anyone who has the time to write a 30 page document on how to properly ask a question of a hacker has WAY too much time on his hands.
Quit trying to convert the world, and just use your "delete" key. It's there for a purpose.
If you lurk on the smoothwall email list for a while you'll see why Richard gets a bit cranky. Threatening phone calls to his home with rude messages left with his children.. Having to explain (for the 1,000th time) why a firewall should not be running {ftp|tftp|rsh|rexec}. Lusers asking the same old questions for the 50th time and getting all upset when the response to their badly phrased question is a quick "sod off!". I agree that Richard can be a very disagreeable fellow, but I can't fault the software or the behavior of the rest of the team from what I've seen.
I've been running smoothwall for several months and other than the nag screen and ads on the web interface, I have no issues with it - I even donated to the team before that whole subject got tense. I've found it easy to install, maintain and use. Several friends have also installed it and are quite happy with it.
M = Man looking for support, R = Receptionist, Q = Mr. Morrell
M: Ah. I'd like to have some support, please.
R: Certainly sir. Have you been here before?
M: No, I haven't, this is my first time.
R: I see. Well, do you want to have just one support incident, or were you thinking of taking a course?
M: Well, what is the cost?
R: Well, It's one pound for a five minute incident, but only eight pounds for a course of ten.
M: Well, I think it would be best if I perhaps started off with just the one and then see how it goes.
R: Fine. Well, I'll see who's free at the moment.
Pause
R: Mr. DeBakey's free, but he's a little bit conciliatory.
Ahh yes, Try Mr. Barnard; room 12.
M: Thank you.
(Walks down the hall. Opens door.)
Q: WHAT DO YOU WANT?
M: Well, I was told outside that...
Q: Don't give me that, you snotty-faced heap of parrot droppings!
M: What?
Q: Shut your festering gob, you tit! Your type really makes me puke, you vacuous, coffee-nosed, malodorous, pervert!!!
M: Look, I CAME HERE FOR CUSTOMER SUPPORT, I'm not going to just stand...!!
Q: OH, oh I'm sorry, but this is abuse.
M: Oh, I see, well, that explains it.
Q: Ah yes, you want room 12A, Just along the corridor.
M: Oh, Thank you very much. Sorry.
Q: Not at all.
M: Thank You. (Under his breath) Stupid git!!
In other news, astrophysicists have announced that they now know what all that dark matter is: it's stupidity.
Heaven forbid that Red Hat Linux users would want to upgrade any of their software. They may destabilize the whole operating system! This would make RH look bad.
Yes, your argument IS that stupid. If I want to upgrade my Palm, Tivo, PC, Mac, Dishwasher, toilet, install Dr. Scholl's insoles in my goddamn shoes, it's my right. If my feet smell, it's MY problem, and Nike shouldn't care!!! It doesn't make Nike look bad...
Once I buy a product, it's mine. If I upgrade it and fuck it up, it's my fault. If the mfr. gets pissy, then it's time to find a new product.
Richard Morrell is not the god of all firewall products. Maybe I know what I need in a firewall better than he does. Maybe MY business needs exceed the artificial limitations that his product has. Maybe I want to add IDS capability - THAT certainly belongs in a firewall. Maybe transparent filtering proxy. That belongs there too. Maybe better NAT support. Whatever.
Look where Linux would be if Linus refused to incorporate patches written by others, and didn't release source. Hmm. Probably a pile of crap. It's one thing to be strong willed, and another to be an arrogant asshole.
Yes, adding some random service like samba, etc. isn't very smart, but forewarn the user. Educate. Do NOT put artificial restrictions and limitations in the product, as that reduces the utility greatly.
[Smacks you in the nose]
"Well, you're just DAMN UGLY"
Explanation doesn't make it any more correct. Manners are what my/your mother should have taught you. Obviously, Dick either didn't have a mother, or one that didn't do her job. (Or was that a father?)
Cheers!
ROFL! That seems to explain it fully.
Dick is trapped in flashbacks of MP shows.
I KNEW there was some logical explanation!
Thanks!
Cheers!
Intelligent people usually learn what they do well, and what they don't.
Dick seems to not realize the fact that abusing people isn't correct - EVER!
If he can't handle support, please do something else. If Dick is a "friend" to OSS, we don't need enemies.
Just in case you wondered, I do have to work with clueless users. I usually bite my tongue, grind my teeth, and then SMILE and try to be helpful. Anything else really doesn't help.
Cheers!
You do have a point there, and I wish Slashdot would do that a little more often.
Then again, it'd probably require some hefty modifications to Slashcode, and from what I've heard, it's a miracle that Slashcode works at all. ;)
I'd have to agree.. I downloaded smoothwall 0.9.9SE a few months ago while searching for a low/no cost site-to-site VPN solution. The install was quick and easy, and although I needed to modify some of the scripts to make the Free-S/WAN VPN components interoperate with my Checkpoint FireWall-1/VPN-1 gateway at work, the end result is a secure and stable firewall with the desired full-time encrypted connection to the office. Now I've seen Mr. Morrell's postings to the "gpl" mailing list, and I don't think he's going to win any awards for open-source customer service, but his product delivers as advertised and then some. It's certainly worth the download to try it out, and most likely will be worth a nominal donation to most users. Features include statically or DHCP assigned external address, modem support with dial-on-demand, Intrusion detection (snort), web and DNS proxies, DMZ interface support, IPSec compliant VPN, traffic logging with nifty graphs, an easy-to-use SSL web interface and a few other little goodies.
chown -R us
Seems a little high - anyone have some stats on latency for the different packages available?
...I thought you said 'Boxers' - combined with the wolf whistle, i thought we were gettin pr0n.
Regards, timf.
I don't speak for the pro-floppy legions, but while your previous post was insightful, it did not deserve a score of 5. I don't use a floppy based distro, but this debate has actually pushed me towards the benefits of such a solution. In any event, the issue is not as cut-and-dried as you or Theo seem to think, and your being overmoderated encourages me to play the devil's advocate.
;) passe. Performance is not an issue because single function devices should run from RAM - running from a hard drive would be undesirable. It is even arguable that read-only floppies can be better than CD-ROMs because they are easier to update. CD-R defeats the whole inexpensive aspect, unless you already have the hardware and buy blank media in bulk. Even then, floppies are still cheaper. While you may now get AOL CDs in the mail, these aren't as useful as AOL floppies! If AOL ever starts mailing preformatted hard drives, then I will gleefully retract my arguments.
Unless you are a long time computer hobbyist with generations of surplus hardware laying around, a hard drive is not trivial to acquire. On the other hand, anyone who gets junkmail more than likely has thrown away many floppies. A hard drive is only cheap compared to what hard drives used to cost. For the price of one inexpensive hard drive, you can get hundreds of floppy disks. Hard drives are not impervious to failure, and for the cost, redundant copies of your packet filter conf. file have a better chance of survival on $50 worth of floppies than one $50 hard drive.
If top security is your concern, then you don't keep log files on a rewritable medium like a hard drive. A better answer is a read-only boot device, with logs sent to a printer. You can reboot if anything goes wrong, and still have access to the logs while offline. You can stay online while making and testing updates on another floppy, and even keep multiple floppies with multiple configs.
For a single function device, it is tough to argue that a harddrive makes a RAID (Redundant Assortment of Inexpensive Diskettes
-castlan
i like :)
Ceci n'est pas un post