Slashdot Mirror
IPCop 0.1.1 Review
Selanit writes "I just found a link on Distrowatch to a SecurityFocus Review of IP Cop 0.1.1. IP Cop is a fork of the GPL version of the Smoothwall Linux firewall distro, which had a review linked by Slashdot. Though it has a slick, easy install. and good features, a number of people had issues with Smoothwall.. IPCop has implemented shadow passwords to fix the security flaw, and their mission statement includes a provision that they will "Provide an enjoyable environment for the Public to discuss and request assistance." The
to-do list of features for the upcoming 0.2 version is also interesting. "
Looks interesting. Does anyone know from a security standpoint how this compares to OpenBSD or other similar security minded projects?
does it run in runlevel 0 like the "halted firewall"?
I got invaded the other day because my linux FW was running a stupid service (ssh). Considering a true W ever since.
``If a program can't rewrite its own code, what good is it?'' - Mel
We have tried IPCop 0.1.1 at the office, and it has one very big advantage over using a general purpose distribution: it installs and comes up running very quickly. From inserting the CDROM to completion of the install on a typical system (200MHz Pentium with 64MB memory) it took about 14 minutes to having it running.
We use it as a three-way firewall with a DMZ, and that is stone-cold simple to install. Slick, with no problems.
Highly recommended!
Soli Deo Gloria
I have read over IPCop configurations and documentations several times before, and it is definitely a good solution for a simple home office or other small business network. It is fairly simple to use and setup, and fairly robust in operations. However, there is one thing that it lacks, as well as what many other solutions lack: the ability to handle redundant internet access. Although I have not looked at every single software solution for routing and networking on this scale, there still seems to be a lack of redundant-internet-connection support in the field. The ability to use multiple internet connections for backup in a single software solution, as well as to use multiple internet connections to increase overall bandwidth, seems to be missing.
Has anyone run across developing projects (or already developed projects) that are trying to accomplish this sort of feat? I have seen a hardware solution or two that have tried to work this problem, but they are rather impractical for a home office user who needs redundancy (telecommuting, etc) or expansion of their bandwidth (kids playing games while they need to transfer projects around, etc) for their home network. Can anyone comment on this subject?
As author of a similar project (www.dubbele.com) I', glad to see competition. Different people need different solutions, and there's plenty of difference between mine and theirs.
-John
It seems that more and more people are using politics to spur linux distributions. Spinning-off a GPL project is all well and good; but do you have to wish ill on the original project? It doesn't seem like this is different enough from smoothwall yet to indicate a new distribution. On a similar topic, has anyone checked out Sorcerer GNU/Linux lately? Seems this is happenning a bit too much for my taste. I'm all for things like K12LTSP which don't attempt to take anything from there originators, yet add productive/usefull features for anyone in a specialized nitche.
put the what in the where?
looks interesting alright, but why wait?
I'm running my own RedHat 7.2 box with iptables, squid and the whole nine yards. Works perfectly, probably because I had to configure it myself, didn't use a preconfigured firewall distro.
It isn't the firewall's job to do this, that is up to your router. Firewalls shouldn't get in the business of routing or handling routing protocols.
All *nix distributions can handle multiple uplinks, once you've tweaked them properly. Load balancing can be an issue, but if you want pure redundancy, that's not a huge problem. Servers on redundant connections is a whole different ball of wax, though.
You might already know this, but there is a really good one-disk-router/firewall around: Fli4l.
Boycot? Blackout? Subscriptions?
I don't care!
You can find layouts like that , and my special super
Booyah!
I just installed IPCop this afternoon. Coincidentally, I saw this news story show up on slashdot the same time I was burning the CD-ROM.
So far, I am impressed.
The securityfocus review is very lacking, and very disappointing in content to be coming from a "security" site.
The IPCop installation was very simple and straightforward. The only hiccup was getting my ISA NICs to work.. I had to use a setup floppy to set the IO address, and manually load the driver "ne io=0x220".
The DMZ feature is very cool, and it looks like you can run IPSec out of the box.
The web interface is very slick. This interface is what separates it from a stock RedHat distribution with some custom iptables rules. Previously I was running a floppy-based distro for my firewall (BBIagent). I like IPCop better because it has SSH support, an update system, and I can log in to the console and 'do stuff'.
- IPCop lacks Richard Morrell.
- IPCop fixes the long-known USB ADSL bug with Smoothwall -- which cripples upload speed to 3K/s instead of 30K/s.
- No nagware, adverts, requirements to donate to get basic support, etc.
- Smoothwall GPL is treated and referred to as 'trialware' by the Smoothwall development team, and is essentially dead as GPL project.
Smoothwall is in my opinion perhaps the most ungraceful transition from a pure open-source project to a business in recent history.THIS is the problem with open source. Lack of standardization. Fork this, fork that. Suddenly you have a mess that nobody can account for. HOORAY!
There was defiantely a need to fork from smoothwall. The whole reason for it was to keep a good product and get rid of the asshole developer!
Trying to get support from the smoothwall dev team was a dubious process. When the dev team was slow users resorted to the mailing list for answers, as they should. Users discussed different options and solutions, some of them not knowing exactly what they were talking about. Only to have the main developer post a message saying 'You stupid f*cks don't know what the hell your doing, thats why I am the developer and you are not!'. No answer or nudge in the right direction for it, just childish games. While I understand that supporting a free product is not the best way to make money, getting a 'f*ucking loser nonpaying freaks' reply from the developers is not the answer. Saying nothing at all would have been better. Hence the fork. I needed a solution like smoothwall for work. I still run smoothwall at home because I am to lazy to change it there as it works well. When smoothwall released their enterprise products I stayed away because of the attitude of the main developers. I don't need that kind of crap at work...
Smoothwall is an awful, awful project. Installation is severly lacking, the features are crippled, and the developers are uninterested in taking an user requests. I'm glad to see a useful fork is up and running. This is great!
Redundancy could be difficult depending on what you mean...
It could be.
- You can change the "RED" Interface to be dialup etc and cause it to dial. (Would be fairly easy to implement in one of these distro's I would think...) You could manually do that with IPCOP now by logging in with "setup" I believe.
- The thing autodials if a link goes down. (The problem then is to detect failure if it's beyond the local link...) That would be feasible.
The other problem you have is if you want it available on the same IP address for hosting solutions. (Unlikely for a home machine I guess)Then you have significant routing issues to deal with no matter what you do.
Don't click on the article link hoping for a review from the fine folks at Security Focus. This is simply an install HowTo; editorializing is kept to a minimum.
OpenBSD is an operating system, designed with security in mind. It is probably as secure as anything BSD-derived can possibly be at this point.
IPCop, Smoothwall, Freesco, etc. are not operating systems, they are dedicated firewall/router devices built on stripped-down linux kernels. Although they incorporate DHCP servers, DNS relays, and similar network infrastructure schtupfh they are nonetheless strictly single-purpose appliances.
Morrell and Manning should be applauded for their achievement; Smoothwall broke new ground as an easily configured home firewall with Snort and Squid transparently integrated (no small feat).
UNfortunately, Smoothwall shares one characteristic with OpenBSD; like OpenBSD guru Theo De Raadt, Richard Morrell has an egotistical, abrasive manner and does not communicate well with end-users or fools. If his commercial venture is to be a success, he's going to have to learn some diplomacy. Or maybe not, Larry Ellison gets away with it.
tina yothers was the younger sister on family ties.
I was playing with a number of similar stripped-down version of linux that were intenedd for firewalls. IPCop has a nice interface and is simple to setup, but found that I like Astaro for a better solution. The Hardware requirements are a little higher, but the I think the interface is better and one key feature that changed my mind is that Astaro is a stateful firewall
From Astaro Website
http://www.astaro.com
System
Linux 2.4-based, Change-Root Protection, Kernel-Capability Protection, Web-based Administration (128 Bit SSL encrypted), Updating via Internet (1024 Bit PGP signed), Logging via Syslog/SNMP/ASCII-Files.
Firewall
Stateful Packet Inspection, Portscan Detection, Anti Spoofing.
Virtual Private Networks (VPN)
IPSec and IKE (RFC 2408/RFC 2409), Microsoft PPTP (RFC 2637) Algorithms: Diffie-Hellmann/3DES/MD5/SHA 1.
Proxies
HTTP (Content Filter, Cache, Authentication), HTTPS, SMTP (Virus Protection), DNS, SOCKS 4.0/5.0 (Authentication), Authentication via User Database/Radius/MS Windows NT or 2000.
Networking
Source and Destination NAT, Masquerading, up to 25 Ethernet Interfaces (10/100/1000 MBit), IP Aliasing, Randomized TCP Sequencing, Proxy ARP, Automated Routing.
Performance
Running on a 750 MHz CPU: Up to 64000 concurrent Connections, up to 650 MBit/s Filter Throughput, up to 25 MBit/s VPN Throughput.
Josh
It seems to me that all new linux security packages have web based administration. This is nice is you don't feel like learning how to configure the applications you intend to be using, but I feel part of being secure is knowing your system. Linux was designed to be a command line interface and users of Linux should know their operating system.
Also, it seems to me that the more applications you run the less likely you are to be totally secure. Adding web based administration requires the use of a http server, which is just another application waiting to be exploited. I haven't checked out this distro yet, but I'm going to assume that it uses apache and custom cgi to implicate the web interface. No matter how secure apache seems to be now, there is always a very good chance that it will later become very acceptable to attacks in the near future. If you ask me, security means simplicity. If your looking for total security, run only what you must, and configure the applications you ultimatly decide are critical to your own specific needs. It will be a long time until user friendly is synonamous with secure.
For useful fork read: copy with some clipart and less talented support and developers - I notice that the SmoothWall crew dont even post in defence to the crap posted about them.
This isnt a fork - its just embarressing that I stopped using OpenSource stuff because you guys couldnt learn to talk. I thought the "ethos" thing was learning. IPCop isnt a fork, a fork has "features" - you've just ripped it off and tried to implement CVS badly.
watching his job slowly dissolving as he talks.
As the author of the SecurityFocus article in question, I'd just like to answer a few comments:
* Yup, I found this an interesting project for a number of reasons. It was WAY easier to set up than a standard Linux distro, but be aware that's because it has ONE purpose and one only -- to be a firewall. This is good and bad. As a simple, easy to install firewall system, I like it.
* I haven't played with www.dubbelle.com but I'll be sure to check it out shortly. There are lots of other good cut-down distros out there, and I'm sure there is place for all of them. The one advantage that IPCop has over a single floppy distro is a few extra features such as squid and IPSec.
* Sorry, the article really was meant to be a how-to, rather than a review. I'm sorry about those who were dissapointed expecting more of a review article but I prefer to write in the more practical sense. If you want a review, here's a one word one: GOOD. I'd be interested to hear what one poster (sloop) found "lacking" in the article, however.
* I hereby refuse to make any comment concerning Richard Morrell.
* Yup, Astaro is a fine distro too, and no doubt the fine folks at SecurityFocus will probably review it as well. I'm not that familiar with it myself so no doubt they'll get someone else to do the review.
Del
Consider it like Mandrake when it was just a Redhat ripoff. Of course they haven't got a release that's different yet. This is to be expected. Try the betas and you'll see something better and distinct from Smoothwall.
--Giving to trolls for the benefit of us all
I note that ipcop is only on version 0.1.1 and I wonder if this means that the product is still evolving.
How would a product like Mandrake Server compare, apart from potentially being much bigger? (e-smith was only about 400 MB for the complete package).
- midtoad
Umwelt schützen, Fahrrad benützen
Having just spent a few hours installing ipcop I can say it rocks. We had a problem that it wasn't detecting the USB properly, but this was solved by not having the usb modem plugged in. The real difficulty was that the usb claimed to be "Unset" rather than either of the two options, but when my friend emailed them he got a quick response saying that the installed was being changed to make it more clear.
Once you get the thing working it's a dream, uploaded the file and had USB ADSL (to BTOpenWorld) going in no time at all. Possibly it's just wishful thinking, but response times and pings in general seem better (though it's bto, so they're still pretty crap), and it is just brilliantly easy to admin. Even the non-linuxy guys in the house are loving the new setup (for the record it's a student place with about 8 machines so we fit into the home/small office category).
-- "[The] NSA can eat shit and die until they stop listening to my phone calls" - TastyWheat
If I understand correctly, the DMZ feature won't be so useful until multiple IPs are allowed on RED.
Currently you may only use one "official" IP address (that is the IP address of the RED interface) to "pinhole" the DMZ. That means you may have just one web server on port 80, or just one mail server on port 25 and so on.
Of course you still may be able to serve multiple domains with name-based virtual hosts and such, but I think that multiple IPs on RED is a very desirable feature indeed (planned for 0.2 - yuck!). This is a strong limitation for anything a little bigger than a SOHO.
It shouldn't be hard to implement either, just allow interface aliases for the RED interface. Astaro does that very nicely. And that may also overcome the three interfaces limit...
What I REALLY would like to see in the future is some "security level" setting a-la Cisco PIX. Each interface is assigned a security level, with 100 being the internal LAN (GREEN in SmoothWall/IPCop speak) and 0 the external link to the Internet (RED). Each additional interface is given a security level inbetween. Each interface is allowed by default to talk to an interface having a lesser security level. Interfaces having the same security level may NEVER talk to each other. All of this, of course, unless otherwise stated. I think this is quite smart and simplifies policy design, it may be good to have at least as an option.
13-4=54/6
SmoothWall has shadow passwords if you install the correct updates. So the little article is a little wrong
Did anyone remember to mention that IPCop developers are a bunch of vindictive twats?
I've heard from various people that they have been launching DDoS attacks on people with spoofed IPs of the SmoothWall developers and servers.
Wankers
The latest version of SW/GPL is missing the nagware and only has adverts for the commercial versions. I see nothing wrong with that.
I tried IPCop the other week. Immediately it seemed less polished, was missing all the useful context help links and actually crashed on me.
I immediately put SW back and all was fine.
After burning my fingers with IPCop I will be more careful in future before I try it again.