Captain Crunch's New Boxes, Part II
micsaund writes: "It looks like the infamous Captain Crunch has been toiling away for 3 years on a firewall now known as the Crunchbox. It runs OpenBSD and is administered via a web-based interface. Steve Wozniak is quoted as saying it's 'next to un-crackable.' Check it out at ShopIP. The Register also has an article on it. As an aside, since the Linux Router Project (LRP) appears to have been sold-out and GnatBox is a tad expensive, is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?" We mentioned Draper's venture into firewalls last year, but there's been some progress since then.
that you don't have a modem in your crunchbox
:)
Can you get into it?
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
Check Out www.bbiagent.com cool, free, easy to use...
L053R
Installs in a snap, free download, stupendous interface, good support. I've used it for months now without a hiccup. Just my $0.02
:-)
Smoothwall
Cheers
Have a Happy.
The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.
Was there any reason for this possibly very damaging statement?
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
That's what I use on my little NAT/Gateway thing at home. Works like a champ. Web-based config + many other add-ons for this floppy distro. More put together than LRP IMHO. Check it out at: freeSCO.org. The documentation is pretty good, although it may not be as secure as other distros.
MMORPG fan-boy? Prove your worth
Single Network Firewall... runs off of a 2.2 kernel, easy to set up, and runs off a "slick web based interface". You can download the ISOs for free off their website.
Some linkage:
next to un-crackable
What does Steve Wozniak have against Captain Crunch? We all know what happened to Oracle when they made similar claims.
Follow me
Looks like it's /.'d already, so use the power of the google.
Not sure if this qualifies, but it is a neat little floppy disk distribution that does NAT. Check it out at http://www.coyotelinux.com/.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
I use Clark Connect for my firewall. It's Linux based with a web admin; it displays usage reports and bandwidth graphs. Does nslookups and whois on people who try to hack you. Even displays "12.12.12.12 tried to use Code Red 2.0"
Also includes CUPS for printing, Samba for file sharing, OpenSSH, and the web based admin uses ModSSL so it's all encrypted.
It's frickin' awesome! It's built from Redhat 7.2 and accepts all Redhat 7.2 RPMS.
works great, easy to set up, floppy only, works on >= 486 machines. I've never seen it go below 98% idle on a 100MHz P5 with 5 hard-working machines filling a 768Kbps DSL line. You can pay $50 and get a DMZ added on to the free version, same price for a VPN license.
Download it from here. This is a BSD based firewall, but no shell, nothing for a cracker to get onto it. Uses SSL web access (new in later versions) or a Winblows client for configuration.
Oh and one point that is heavily stressed in their marketing material - it's ICSA certified.
There is a small version for ~$750 street price that gives 25-user version with DMZ, no moving parts, runs off 12VDC.
Got Wisdom?
This firewall is free for non-commercial use and has a web interface to boot. I've used this for sometime now. It supports VPN, incoming/outgoing email virus scan, IP accounting and routing. It will even update itself on the fly if you want. Here is the link: Astaro Security Linux
P.S. - I do not work for these guys, I am just impressed by what they offer.
"I'd dare to say, next to uncrackable, is crackable."
Dr. Nonsense, cofounder of the Nonsense School of Journalism and PR.
Not quite GPL'ed, but a nifty single-disk solution. I liked it better than LRP since it has built in support for PPPoE, important to us Verizon lusers.
-- Is "Sig" copyrighted by www.sig.com?
Just the one.
Again, be wary of Dick (aka Richard Morrell).
From what I can gather, his attitude could use some serious positive adjustments.
He does provide a FREE fw, but it wouldn't excuse his behavior IMHO, should the IRC logs and such posted on the net turn out to be true.
Cheers!
I blew real hard and couldn't get a tone out of the damn thing.
-Kevin
is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?
Yeah. It's called "stealing a copy of Firewall 1 from work". Sometimes you have to spend money for things.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
When friends want to share a cable modem I usually go over to the local computer surplus sale and get 2 PCs that have NICs in them and a HDD and install freesco.
It is based on an old kernel, and doesn't have socks so not everything will work, but it's easy to set up and even an idiot can use the web-based panel.
For a super low hassle setup I'd recommend it. It goes right onto an ex DOS PC, no re-formatting or anything.
+++ ATH0 +++
Give IPCop a go. Very similar to Smoothwall without the "attitude" that some people suffer from.
Fast, reliable, application level proxies - with the ability to log at different levels (and run on linux).
Where can these be found?
Both generic tcp/udp proxies and application aware "smart" proxies (i.e. H.323, NetMeeting, RealAudio, etc.). I know a lot of this functionality exists in the kernel, but I'd love to have proxies for those pesky protocols that decide on random high ports. If it could see and understand the "conversation", it could then, on the fly, proxy the appropriate (randomly selected) ports.
If I am completely missing something here (i.e. I'm a moron?!), let me know. I can take it. I think??
3cx.org - A truly bad website.
He has the mentality for finding ways around security. Be it with technological gadgets, or otherwise.
It's a matter of not knowing how, but thinking of how it could be attacked. Security isn't just about plugging holes, it's about thinking about new holes that could be used.
From the page at iShop.com:
The latest attack signature libraries can be automatically updated from a centralized source of the computer security community.
I am certainly not a security expert, but this seems like a potential weak point. If they can automatically change the rules the firewall uses, then in theory someone else could as well, if they cracked the update protocol.
Does anyone know how they protect these updates so that they can't be intercepted and broken?
Sailing over the event horizon
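The question above is about what stops a third party from pushing their own "update" once they can speak the update protocol. The usual answer is that the box must check authenticity, integrity and freshness of every library before loading it. The following is an added example, not code from the thread or from ShopIP: a constructed signed-update format (JSON with `version`, `rules` and a `tag`) and a verifier that rejects tampered bundles and replayed or downgraded versions. It uses an HMAC under a shared key so it runs with the standard library only; a shipped product would use a public-key signature so the firewall holds no signing secret, but the three checks are the same.

```python
"""Added example (not from the thread or from ShopIP): verifying pushed
signature-library updates so a tampered or replayed bundle is refused.

Constructed format: {"version": int, "rules": [str, ...], "tag": hex}.
The tag is HMAC-SHA256 over a canonical encoding of version+rules.
Real deployments would use a public-key signature instead of a shared key.
"""
import hashlib
import hmac
import json

# Constructed demo key; in practice this comes from provisioning, never source code.
UPDATE_KEY = b"demo-shared-key-not-for-production"


def canonical(version: int, rules: list) -> bytes:
    # Sorted keys and fixed separators so signer and verifier hash identical bytes.
    return json.dumps({"version": version, "rules": rules},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_update(version: int, rules: list, key: bytes = UPDATE_KEY) -> dict:
    """Update-source side: produce a signed bundle."""
    tag = hmac.new(key, canonical(version, rules), hashlib.sha256).hexdigest()
    return {"version": version, "rules": rules, "tag": tag}


def verify_update(bundle: dict, installed_version: int, key: bytes = UPDATE_KEY):
    """Firewall side: return (ok, reason).

    Rejects malformed bundles, bad tags (tampering in transit) and versions
    that are not strictly newer (replay of an old library or a downgrade).
    """
    try:
        version = int(bundle["version"])
        rules = list(bundle["rules"])
        tag = str(bundle["tag"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed bundle"
    expected = hmac.new(key, canonical(version, rules), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking tag bytes through timing differences.
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    if version <= installed_version:
        return False, "stale version (replay or downgrade)"
    return True, "ok"


def apply_update(bundle: dict, installed_version: int, key: bytes = UPDATE_KEY):
    """Return the version the box is on after the bundle, plus the reason."""
    ok, reason = verify_update(bundle, installed_version, key)
    if not ok:
        return installed_version, reason
    # Here the rules would be handed to the filter engine.
    return int(bundle["version"]), reason


if __name__ == "__main__":
    # Constructed sample library: two rule strings, version 2, box currently on 1.
    good = sign_update(2, ["block tcp any -> any 1433", "alert udp any -> any 69"])
    print(verify_update(good, installed_version=1))       # (True, 'ok')
    tampered = dict(good, rules=good["rules"][:1])          # rule removed in transit
    print(verify_update(tampered, installed_version=1))   # (False, 'bad signature')
    print(verify_update(good, installed_version=2))       # replay of the same version
```

The version check is the part most often left out: without it, an attacker who has captured one genuine old bundle can keep re-sending it to roll the box back to a library missing newer signatures, and every tag check will pass.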
Steve Wozniak is quoted as saying it's 'next to un-crackable.'
...and as soon as the story was posted, the screen read "j00've b33n h4x0r3d" and nature once again revealed its irony.
It's a great way to make that ole' Packard Bell 486 come back to life!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I hate to be a prat, but what's the point of adding a web-based interface to OpenBSD. The whole OS is damn easy to set up - the man pages are idiot proof and the documentation on installation is wonderful. There are some rough spots that look a bit difficult if you don't have OpenBSD's documentation on hand - so keep another computer nearby to browse the web and man pages.
Hints:
Buy the OpenBSD CD - they are bootable and support the project.
Learn a bit of VI beforehand for editing those text files - of course other editors are available but VI comes built in.
Other hints:
Trust Theo and his friends to get the operating system secure - not a has-been cracker cashing in on name recognition.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
I've tried several different types of Firewall distros. Coyote, Smoothwall, that Mandrake one, etc. I finally settled on Freesco, because it runs off the fat32 filesystem. All of the other ones are based on non-journaling Filesystems (Ext2). And my electric goes out quite frequently.
Please check out ClarkConnect... it's a great little firewall based on RedHat 7.2. It gets regular updates, and has an active user community.
...but a solid firewall.
http://www.fwtk.org/main.html
There's still a lot of support and I believe an active mailing list.
I put one together 5 years ago, and the company I work for still uses it for their mailing host.
Interface? There is none. But it works pretty damned good if you're willing to spend 1 day understanding how it works.
Not a bad deal.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
My bad.
Here is the correct link.
My own pointless vanity vintage computing page
I was grocery shopping today. I noticed that the elephant is no longer on the peanut butter cap'n crunch. And that 'thing' is no longer on the crunch berry box. I figured the first link in this story would go here. Nope. Just some boring hacker crap.
(and for those keeping score, I am in fact blocking timothy's articles from the front page. I came here after seeing the headline on another site.)
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Seriously: check out the Reg® at http://www.theregister.co.uk/
It's an excellent news source, with a British/European focus, it's extremely well-written, and covers a lot of stuff that most of the people who read *^H (oops: not supposed to do that ;-) this place would probably find interesting.
If conservation of bandwidth is your gig, check out the USA version at http://www.theregus.com/
It's a little different in content (less British focus..) so I personally find it a little less interesting..
t_t_b
I'm on PJ's "enemies" list! Are you?
Yes, but olds are what people pay for from news services. Think about it. CNN - reports stuff people already know, but tries to make them feel good about it. NBC - does the same. Practically any newspaper - same.
Occasionally they include some true news, but then again, so does Slashdot.
If anything, Slashdot is about as bad (good?) as most "reputable" news sources. IOW, they fuck up on a regular basis, report on things that are out-of-date, and spin stories to fit their personal biases.
Go figure, they're human. I dare you to do better.
LRP has been superseded by the LEAF project at http://leaf.sourceforge.net. I'm running a current LEAF distro (Oxygen) and it's rock solid. There are quite a few different flavors, depending on your needs and experience level.
From the LEAF site:
Last Oxygen release was about 2 weeks ago.
Karma: Marginal (mostly due to the border around the website)
I bet some enterprising 15 year-old nicknamed "Captain Furby" will find that the 8156khz sound of a Furby's voice produces the perfect pitch to crack the "Crunch Box".
Ergonomica Auctorita Illico!
If you can read Japanese (and if you can't just look at the pictures), how about OpenBlockS?
It's tiny (look at the picture about halfway down the page to get an idea of how small it really is - those are RJ-45 ports), runs Linux, and you can fit it with a HD if you really want to (although I don't see why you would).
check out astaro firewall at www.astaro.com.
it is a linux based firewall solution with vpn & virus scanning support. it's the most comprehensive firewall package that i have seen (and that is freely downloadable).
astaro includes implementations of other security related products (swan, etc) all in one package. definitely worth a try.
Sheesh! :)
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
(this post isn't worth modding so don't)
The FAQ devotes 32 of 88 pages to how to correctly interact with the community, with such topics as "On Not Reacting Like a Loser" and "RTFM and STFW: How to tell you've seriously screwed up."
Furthermore, the remaining 56 pages are liberally sprinkled with the same: "Asking this question on the mailing list or IRC will inevitably result in the verbal equivalent of being hit round the head with a baseball bat. The answer is NO."
While I appreciate the sentiment of these statements, devoting nearly half of the document to this topic might be a little overboard.
Firewalls using iptables with 2.4.x kernel:
Firewalls using ipchains with 2.2.x kernel:
Firewalls using ipfwadm with 2.0.x kernel:
My question is, isn't it best to use an iptables-based firewall on a 2.4.x kernel instead of an ipchains- or ipfwadm-based firewall on a 2.2.x or 2.0.x kernel? I definitely want the connection tracking capabilities in the 2.4.x kernel, especially for screwy things like FTP, IRC, etc. (Yes, I know there is an IRC connection tracking patch out now for 2.4 kernels...) Is a kernel that doesn't support connection tracking for firewalls a reasonable option these days?
The emBSD Firewall seems to be right on track, and you can download it right now. I've not tried it, but it runs off a 32MB Compact Flash.
What were the skies like when you were young?
dp
I like Coyote Linux. I used it for some time. It has one of the easiest installers. It even installs from windows. But if you run it through GRC's Shields Up at: http://grc.com/default.htm you will see closed ports on the default firewall ruleset.
Might I suggest FrazierWall Linux. It is a fork of Coyote and LRP, but with better default firewall rules, and a built in web server for local firewall status information. And it will even e-mail the firewall logs to you.
http://www.frazierwall.com/
Plus it passes both the Shields Up and Sygate Scans : http://scan.sygatetech.com/ with stealth mode almost everywhere.
I did have some problems with the initial install. I looked in the config files from Coyote to get things straight with FrazierWall. Other than that, FrazierWall is a well done firewall.
Their webpage says:
"Evaluate our demo at:
https://demo.shopip.com"
But I don't get a connect, has it been cracked already?
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Are there any packages for Debian or RedHat that provide firewall functionality easily?
Well dude, I guess you got the publicity you were looking for ;-)
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
It may be unbreakable but looks like it is slashdottable.
...No more Soggies!
Donate background CPU time to fight cancer.
yes, thank you for stating what i was going to say.
i'm glad your response was modded up. I am quite satisfied with the level of activity on LEAF. We are going to move to a recent version of Oxygen in the near future. And the reason for doing that is to be able to run Seawall as a firewall on our 'embedded' boxes.
It's always interesting to see people so quick to attack an author of security-related software when they ask how to essentially "de-secure" the product!
I mean, honestly, it's probably a little "over the top" to ban your IP over the question -- but looking at it from the author's side for a minute; You're basically trying to modify the package to suit your specific needs. If you do this, you run a risk of introducing new code that's untested as to the level of security inherent in it. If the author helps you do these modifications, and then your box gets hacked later, how do you think that reflects on his original product?
Richard Morrell may have his share of attitude problems, but I don't think this is really a fair one to use against him. Firewalls are *not* supposed to run other services. People keep trying to add ftp, printing and Samba file sharing services to Smoothwall, among other things - and it's just a BAD idea.
Eh... I remember in the "good old days" of computing (when the Commodore 64 ran most of the BBS's out there, and people had fights over which platform was best: Tandy, Commie, or Atari), Woz was pretty well-regarded in the phone phreaking and system hacking communities. I don't think it was necessarily because anyone thought he was really good at it, but more because he had "celebrity status", yet still kept friends in those circles.
I even remember getting called up, late one night, and added to a huge conference call that a phone phreaker set up. Woz was in the call, along with a lot of regular attendees of the 2600 group meetings and so forth. (It's been years now, but I believe they hacked a code for a conference calling service called "Alliance", and they were trying to see how long they could keep the call going -- adding new participants as other people got off the phone.)
I don't even recall what the topic of discussion was, but I don't think it was anything substantial. Pretty much just a lot of "Oh wow, cool - so who's all in here tonight?" and misc. chit-chat.
I looked at Clarkconnect, but I refuse to run it. Why? Because honestly, what kind of serious firewall product also leaves all those other services running? What's the point in protecting your systems and data behind a firewall, when at least some of your important files and servers *are* the firewall? There's no line of defense in front of your print server, file server, etc.
Let's say you have a good product and you want to get it endorsed. Bring it to a business guy, and he'll say: "This box is uncrackable. It's totally secure and cannot be compromised."
Bring the same thing to a well-respected engineer and he might say: "It's darn near impossible to crack. Hey, nothing is impossible, and there's always a risk, but this product is as good as it gets."
Too bad only the first endorsement would ever help sell the product.
Too big to fail? Does that make me to small to succeed?
Yes, smoothwall is good, and yes, Clark Connect is even better. I haven't tried this Freesco thing, but I'd have to say it may not serve you if you want to have more services than the average router. If you look in the nearly unnoticeable corner of the web you'll find the "shop" with the real beauty - the Start-up server. This is a router with a lot of interesting features, including a console menu system called "smat" that lets you do everything you need, and which, I might add, is highly configurable because it's written in Bash (you also get webmin). It's also based upon Slackware, so you get to download any of its packages if you need them. The one feature I particularly like about this distro is the fact that it uses the keyboard LEDs (num, caps, and scroll) as status indicators for the network, so you don't have to plug in a monitor to troubleshoot the connection at the source if anything goes wrong.
Mod me down and I will become more powerful than you can possibly imagine!
Why couldn't he say it like YOU did??? I wanted to upgrade a process running on the server. Just a simple question. It didn't have an ftp client, so I asked if there was a way for me to upgrade a package..he didn't even ANSWER the question. He said "*I* made this damn product, and if you don't like how it's made, go fuck yourself", and then kicked me out of the channel and banned me (this was a while ago). I could take a flame if it's deserved, but this just SHOCKED me..it was uncalled for. I still use Smoothwall however.
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
I'm using OpenBSD 3.0 (which means pf instead of ipf for the filtering) and set it up as an ethernet bridge that does firewalling (i.e. - this sucker has no IP address, and can't be hacked from the outside world - in fact, it's friggin invisible. What a wonderful setup!) The disadvantage for most people, however, is that if you do it this way there's no remote administration. That's fine with me - the firewall machine has monitored physical access (in other words, it's locked in a cabinet that sits in my office :-)
There's some oddness doing it this way, but, it's really worth while if you want a machine that can't be screwed with at all. And, vi sucks, but is survivable ;-)
Oddly enough, all the docs I found on doing it this way were for previous OpenBSD versions, which used ipf for filtering. pf and ipf are close enough that the docs for doing it are still pretty close to in date - but there's just a few things that would have to change for it to be correct. A little searching through the pf man pages will show the differences.
Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org
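The bridging setup the post describes, as an added example written for this thread (not the poster's own configuration, and not from any OpenBSD documentation): a pf.conf for a two-port bridge that carries no IP address of its own. Interface names fxp0/fxp1, the protected server address 192.0.2.10 and the choice to publish only SMTP are placeholders; the bridge itself is assumed to be created with /etc/bridgename.bridge0 containing `add fxp0`, `add fxp1` and `up`, which is the 3.x-era layout.

```pf
# Added example pf.conf for an OpenBSD 3.x filtering bridge (constructed, not the post's config).
# The bridge members carry no address, so there are no rules "to the firewall itself";
# every rule below is about traffic crossing the bridge.
ext_if = "fxp0"        # member toward the upstream router  (placeholder)
int_if = "fxp1"        # member toward the protected LAN    (placeholder)
server = "192.0.2.10"  # constructed address of the single published host

# A bridged packet is evaluated on both member interfaces. Filter once, on the
# outside member, and pass the inside member unconditionally with "quick".
pass in  quick on $int_if all
pass out quick on $int_if all

# Default deny on the outside member, logging everything refused to pflog0.
block in  log on $ext_if all
block out log on $ext_if all

# Connections the LAN initiates: create state on the outbound SYN so the replies
# are admitted by the state table rather than by a separate inbound rule.
pass out on $ext_if proto tcp  from any to any flags S/SA keep state
pass out on $ext_if proto udp  from any to any keep state
pass out on $ext_if proto icmp from any to any keep state

# The only unsolicited inbound traffic allowed: mail to the one published server.
pass in  on $ext_if proto tcp from any to $server port 25 flags S/SA keep state
```

Two details matter when adapting ipf-era howtos: pf's state is created with `keep state` on the rule that sees the first packet, so the outbound rules above do the work that a pair of mirrored ipf rules used to do, and `quick` on the inside member is what keeps each bridged packet from being filtered twice.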
There is a real nice, stripped clean and naturally free linux distro for firewalls/routers called bifrost. The latest few versions use 2.4-kernels, but they keep a nice annotated back-log of their old distros since 1997. The distro has a fairly clever system for dealing with mobile users (called nomad). It lacks a "click-and-go" wui by design, due to the risk of unnecessary security breaches - in my translation from the swedish pages - Correct filter rules are preferentially constructed "offline", and transferred by scp. For those who want clickability and colors, we recommend Xemacs for suitable coziness. Imho, that's the way to go (although I zealously use emacs instead).
The guys who maintain bifrost/nomad spend a lot of time on fairly advanced network performance testing with different hardware/driver combinations, so you might want to consider their hardware recommendations as well. For the machines they put together for the Swedish university network, they go with flash-drives for safe (and fast) storage.
If you are curious about the name of the distro, the following helps:
The name Bifrost comes from the nordic mythology, where Bifrost is the bridge between Midgård (The Earth) and Asgård (the home of gods) and is called The Rainbow by humans. It's so strong that it will not be destroyed until Ragnarök - the end of the world. Bifrost is guarded by Heimdall and the red color one can see in it, is a flaming fire that prevents the giants to climb up to Asgård.
Unfortunately it has some problems. you can produce screwed up disks easily out of fraizerwall. and trying to make modifications can be a pain in the ass for anyone that isn't intimately familiar with it.
Also, any firewall that doesn't respond to icmp pings is incorrectly configured. "stealth mode" is just a broken firewall config and should never ever be encouraged... as it can cause huge headaches with dhcp leases to the firewall, and other networking problems for the firewall user as the provider shuts down the user's link due to not being up. (@home had this in some areas... you didn't allow pings in? your dhcp didn't lease an IP (even if you had a "static" ip.)
Fraizerwall needs a lot of work before it can be unleashed on anyone that has less than 4 years Linux experience.
Do not look at laser with remaining good eye.
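Two points raised earlier in the thread fit one ruleset: the wish for a 2.4-kernel firewall with connection tracking (so FTP and similar multi-connection protocols work without opening high ports), and the point just above that a box which never answers pings is misconfigured rather than "stealthy". The script below is an added example written for this thread, not from FrazierWall, Coyote or any other distro named here. It emits an iptables-restore ruleset; interface names eth0 (outside) and eth1 (inside) are placeholders, and the FTP helper module is assumed to be `ip_conntrack_ftp` on 2.4 kernels (`nf_conntrack_ftp` on later ones). The third argument switches the ICMP echo policy so the "stealth" variant can be compared with the correct one.

```shell
#!/bin/sh
# Added example (constructed for this thread, not any distro's ruleset):
# generate a stateful iptables-restore ruleset for a 2.4-style NAT firewall.
#   - ESTABLISHED,RELATED via connection tracking: FTP data channels and other
#     helper-tracked secondary connections are admitted only when a tracked
#     session opened them, so no range of high ports has to be left open;
#   - ICMP echo-request accepted with a rate cap rather than dropped, because a
#     host that never answers pings can fail a provider's liveness check;
#   - fragmentation-needed always accepted so path-MTU discovery keeps working.
# Placeholders: eth0 = outside, eth1 = inside; run as root to load.

gen_ruleset() {
    # $1 = external interface, $2 = internal interface, $3 = allow_ping (yes|no)
    ext="$1"; int="$2"; ping="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then anything belonging to a session the state table already knows
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# management reachable only from the inside network
-A INPUT -i $int -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    if [ "$ping" = "yes" ]; then
        # answer pings, capped so the box cannot be driven into a reply flood
        echo "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT"
    fi
    echo "-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT"
    cat <<EOF
# inside hosts may open outward; return traffic comes back through conntrack
-A FORWARD -i $int -o $ext -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
EOF
}

# Number of rule lines in a generated set; lets a caller sanity-check output.
count_rules() { gen_ruleset "$@" | grep -c '^-A'; }

# Usage (as root; helper module name depends on kernel generation):
#   modprobe ip_conntrack_ftp
#   gen_ruleset eth0 eth1 yes | iptables-restore
```

Generating the set with `no` as the third argument gives the "stealth" configuration the post warns about: identical in every respect except that echo-requests fall through to the INPUT DROP policy, which is exactly the behaviour that broke the @home DHCP leases described above.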
From one of the first fellows to bring a RoadRunner client to Linux, Josh Jackson.
This is simply put the slickest stuff going from what I've seen, I actually walked my mom through an install over the phone.
COYOTE LINUX
There is it appears a new embedded version, I'll have to look at that,
I've had 2 installs up for over a year, both only ceased functioning once, when the people at their location forgot it was there and unplugged em, (both places:)
To me something you can truly forget about is the ticket, VPN clients and all....
Sig went tro...aahemmm.....fishing........
... does it comes with bells and a whistle?????
Here's another !!
/. today is great - truly the reason /. exists.
http://www.zelow.no/floppyfw/
The info on
For those looking for instructions on building a linux floppy take a look at some documentation I made up while working on my own.
I had not found any good linux floppy firewall distributions running 2.4 the kernel so I figured out how to do it myself. This document doesn't include the instructions on how to include iptables but I will be adding that soon (it isn't too difficult).
It's not in the freeloader version.
Also, it doesn't have DHCP ("because a firewall is not supposed to do that, and is a security vulnerability.......") so if you use a cable modem or anything that gets the IP from a DHCP server, you are out of luck. There are some ways to add DHCP, but from external parties. But the web interface is not very aware of the fact the IP will change (rule making nightmare).
unfinished: (adj.)
Ok, bright guy - so you think it's a good programming decision on the part of Clarkconnect and other firewall authors to give the user the option of running server services on top of the firewall??
Of course you can turn the stuff off. The point is, it's misleading to release a security product with the ability to do quite insecure things with it. At the very least, it's bad practice and teaches bad habits.
Show me a single Cisco firewall product with Samba or print services optionally running on it?
Heaven forbid that Red Hat Linux users would want to upgrade any of their software. They may destabilize the whole operating system! This would make RH look bad.
Yes, your argument IS that stupid. If I want to upgrade my Palm, Tivo, PC, Mac, Dishwasher, toilet, install Dr. Scholl's insoles in my goddamn shoes, it's my right. If my feet smell, it's MY problem, and Nike shouldn't care!!! It doesn't make Nike look bad...
Once I buy a product, it's mine. If I upgrade it and fuck it up, it's my fault. If the mfr. gets pissy, then it's time to find a new product.
Richard Morrell is not the god of all firewall products. Maybe I know what I need in a firewall better than he does. Maybe MY business needs exceed the artificial limitations that his product has. Maybe I want to add IDS capability - THAT certainly belongs in a firewall. Maybe transparent filtering proxy. That belongs there too. Maybe better NAT support. Whatever.
Look where Linux would be if Linus refused to incorporate patches written by others, and didn't release source. Hmm. Probably a pile of crap. It's one thing to be strong willed, and another to be an arrogant asshole.
Yes, adding some random service like Samba, etc. isn't very smart, but forewarn the user. Educate. Do NOT put artificial restrictions and limitations in the product, as that reduces the utility greatly.
[Smacks you in the nose]
"Well, you're just DAMN UGLY"
Explanation doesn't make it any more correct. Manners are what my/your mother should have taught you. Obviously, Dick either didn't have a mother, or one that didn't do her job. (Or was that a father?)
Cheers!
ROFL! That seems to explain it fully.
Dick is trapped in flashbacks of MP shows.
I KNEW there was some logical explanation!
Thanks!
Cheers!
Intelligent people usually learn what they do well, and what they don't.
Dick seems to not realize the fact that abusing people isn't correct - EVER!
If he can't handle support, please do something else. If Dick is a "friend" to OSS, we don't need enemies.
Just in case you wondered, I do have to work with clueless users. I usually bite my tongue, grind my teeth, and then SMILE and try to be helpful. Anything else really doesn't help.
Cheers!
You do have a point there, and I wish Slashdot would do that a little more often.
Then again, it'd probably require some hefty modifications to Slashcode, and from what I've heard, it's a miracle that Slashcode works at all. ;)