Slashdot Mirror
Captain Crunch's New Boxes, Part II
micsaund writes: "It looks like the infamous Captain Crunch has been toiling away for 3 years on a firewall now known as the Crunchbox. It runs OpenBSD and is administered via a web-based interface. Steve Wozniak is quoted as saying it's 'next to un-crackable.' Check it out at ShopIP. The Register also has an article on it. As an aside, since the Linux Router Project (LRP) appears to have been sold-out and GnatBox is a tad expensive, is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?" We mentioned Draper's venture into firewalls last year, but there's been some progress since then.
that you don't have a modem in your crunchbox
:)
Can you get into it?
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
Check Out www.bbiagent.com cool, free, easy to use...
L053R
Installs in a snap, free download, stupendous interface, good support. I've used it for months now without a hickup. Just my $0.02
:-)
Smoothwall
Cheers
Have a Happy.
The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.
Was there any reason for this possibly very damaging statement?
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
That's what I use on my little NAT/Gateway thing at home. Works like a champ. Web-based config + many other add-ons for this floppy distro. More put together than LRP IMHO. Check it out at: freeSCO.org. The dicumentation is pretty good, although it may not be as secure as other distros.
MMORPG fan-boy? Prove your worth
Single Network Firewall... runs off of a 2.2 kernel, easy to set up, and runs off a "slick web based interface". You can download the ISOs for free off their website.
Some linkage:
next to un-crackable
What does Steve Wozniak have against Captain Crunch? we all know what happened to Oracle when they made similar claims.
Follow me
Note sure if this qualifies, but it is a neat little floppy disk distribution that does nat. Check it out at http://www.coyotelinux.com/.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
I use clark connect for my firewall. Its linux based wit a web admin, it displays usage reports, bandwidth graphs. Does nslookups and whois on people who try to hack you. Even displays "12.12.12.12 tried to use Code Red 2.0"
Also includes CUPS for printing.Samba for file sharing. OpenSSH and the web based admin uses ModSSL so its all encrypted.
Its frickin awesome! Is built from Redhat 7.2 and accepts all Redhat 7.2 RPMS.
works great, easy to set up, floppy only, works on >= 486 machines. I've never seen it go below 98% idle on a 100MHz P5 with 5 hard-working machines filling a 768Kbps DSL line. You can pay $50 and get a DMZ added on to the free version, same price for a VPN license.
Download it from here. This is a BSD based firewall, but no shell, nothing for a cracker to get onto it. Uses SSL web access (new in later versions) or a Winblows client for configuration.
Oh and one point that is heavily stressed in their marketing material - it's ICSA certified.
There is a small version for ~$750 street price that gives 25-user version with DMZ, no moving parts, runs off 12VDC.
Got Wisdom?
This firewall is free for non-commercial use and has a web interface to boot. I've used this for sometime now. It supports VPN, incoming/outgoing email virus scan, IP accounting and routing. It will even update itself on the fly if you want. Here is the link: Astaro Security Linux
P.S. - I don not work for these guys, I am just impressed by what they offer.
Again, be wary of Dick (aka Richard Morrell).
From what I can gather, his attitude could use some serious positive adjustments.
He does provide a FREE fw, but it wouldn't excuse his behavior IMHO, should the IRC logs and such posted on the net turn out to be true.
Cheers!
Fast, reliable, application level proxies - with the ability to log at different levels (and run on linux).
Where can these be found?
Both generic tcp/udp proxies and application aware "smart" proxies (i.e. H.323, NetMeeting, RealAudio, etc.). I know a lot of this funationality exists in the kernel, but I'd love to have proxies for those pesky protocols that decide on random high ports. If it could see and understand the "conversation", it could then, on the fly, proxy the appropriate (randomly selected) ports.
If I am completely missing something here (i.e. I'm a moron?!), let me know. I can take it. I think??
3cx.org - A truly bad website.
From the page at iShop.com:
The latest attack signature libraries can be automatically updated from a centralized source of the computer security community.
I am certainly not a security expert, but this seems like a potential weak point. If they can automatically change the rules the firewall uses, then in theory someone else could as well, if they cracked the update protocol.
Does anyone know how they protect these updates so that they can't be intercepted and broken?
Sailing over the event horizon
I've tried several different types of Firewall distros. Coyote, Smoothwall, that Mandrake one, etc. I finally settled on Freesco, because it runs off the fat32 filesystem. All of the other ones are basesed on non-journaling Filesystems (Ext2). And my electric goes out quite frequently.
...but a solid firewall.
http://www.fwtk.org/main.html
There's still a lot of support and I believe an active mailing list.
I put one together 5 years ago, and the company I work for still uses it for their mailing host.
Interface? There is none. But it works pretty damned good if you're willing to spend 1 day understanding how it works.
Not a bad deal.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
I was grocery shopping today. I noticed that the elephant is no longer on the peanut butter cap'n crunch. And that 'thing' is no longer on the crunch berry box. I figured the first link in this story would go here. Nope. Just some boring hacker crap.
(and for those keeping score, I am in fact blocking timothy's articles from the front page. I came here after seeing the headline on another site.)
Jesus was all right but his disciples were thick and ordinary. -John Lennon
LRP has been superceded by the LEAF project at http://leaf.sourceforge.net. I'm running a current LEAF distro (Oxygen) and it's rock solid. There are quite a few different flavors, depending on your needs and experience level.
From the LEAF site:
Last Oxygen release was about 2 weeks ago.Karma: Marginal (mostly due to the border around the website)
You know, after reading the entire thing, I think both you and Dick should be taken out and spanked. :)
It's obvious Dick is genetically incapable of responding civilly, and he should be physically prevented from responding to users. There are certain people who seem to revel in the Bastard Operator From Hell stereotype. One suspects he started his own company because if he tried to work for anyone else, they'd fire him, ideally with a cannon.
Having said that, though, it's also clear that you simply weren't willing to take "it's a firewall, and isn't competing with a Linux distribution" for an answer. Dustmite didn't start out irritable--he got that way after explaining the rationale. Then doing it again. Then repeating himself. Over. And over. And over.
Quite frankly, any engineer would have started sounding irritable by the end of that IRC log. He could have handled it better, but honestly, you didn't come across like you were going to accept any "closure" other than a Smoothwall employee saying, "Yes, it's a great idea to put GCC and a web server on our firewall, and we'll get right on it."
It's interesting to hear these things about Smoothwall, though, since I work for a company that makes a box that competes with them. (Incidentally, our box does have a web server on its firewall if you want it. Dustmite is right: it's bad security to do that.)
The FAQ devotes 32 of 88 pages to how to correctly interact with the community, with such topics as "On Not Reacting Like a Loser" and "RTFM and STFW: How to tell you've seriously screwed up."
Furthermore, the remaining 56 pages are liberally sprinkled with the same: "Asking this question on the mailing list or IRC will inevitably result in the verbal equivalent of being hit round the head with a baseball bat. The answer is NO."
While I appreciate the sentiment of these statements, devoting nearly half of the document to this topic might be a little overboard.
Firewalls using iptables with 2.4.x kernel:
Firewalls using ipchains with 2.2.x kernel:
Firewalls using ipfwadm with 2.0.x kernel:
My question is, isn't it best to use an iptables-based firewall on a 2.4.x kernel instead of an ipchains- or ipfwadm-based firewall on a 2.2.x or 2.0.x kernel? I definetely want the connection tracking capabilities in the 2.4.x kernel, especially for screwy things like FTP, IRC, etc. (Yes, I know there is an IRC connection tracking patch out now for 2.4 kernels...) Is a kernel that doesn't support connection tracking for firewalls a reasonable option these days?
It may be unbreakabale but looks like it is
slashdottable.
It's always interesting to see people so quick to attack an author of security-related software when they ask how to essentially "de-secure" the product!
I mean, honestly, it's probably a little "over the top" to ban your IP over the question -- but looking at it from the author's side for a minute; You're basically trying to modify the package to suit your specific needs. If you do this, you run a risk of introducing new code that's untested as to the level of security inherent in it. If the author helps you do these modifications, and then your box gets hacked later, how do you think that reflects on his original product?
Richard Morrell may have his share of attitude problems, but I don't think this is really a fair one to use against him. Firewalls are *not* supposed to run other services. People keep trying to add ftp, printing and Samba file sharing services to Smoothwall, among other things - and it's just a BAD idea.
Let's say you have a good product and you want to get it endorsed. Bring it to a business guy, and he'll say: "This box is uncrackable. It's totally secure and cannot be comprimised."
Bring the same thing to a well-respected engineer and he might say: "It's darn, near impossible to crack. Hey, nothing is impossible, and there's always a risk, but this product is as good as it gets."
Too bad only the first endorsement would ever help sell the product.
Too big to fail? Does that make me to small to succeed?