IPCop 0.1.1 Review

Selanit writes "I just found a link on Distrowatch to a SecurityFocus Review of IP Cop 0.1.1. IP Cop is a fork of the GPL version of the Smoothwall Linux firewall distro, which had a review linked by Slashdot. Though it has a slick, easy install. and good features, a number of people had issues with Smoothwall.. IPCop has implemented shadow passwords to fix the security flaw, and their mission statement includes a provision that they will "Provide an enjoyable environment for the Public to discuss and request assistance." The to-do list of features for the upcoming 0.2 version is also interesting. "

IPCop as a quick solution to firewalling

[freeio]

We have tried IPCop 0.1.1 at the office, and it has one very big advantage over using a general purpose distribution: it installs and comes up running very quickly. From inserting the CDROM to completion of the install on a typical system (200MHz Pentium with 64MB memory) it took about 14 minutes to having it running.

We use it as a three-way firewall with a DMZ, and that is stone-cold simple to install. Slick, with no problems.

Highly recommended!

Re:IPCop as a quick solution to firewalling

[paenguin]

I've done a lot of IPCop installs and I can have it installed and configured in 10 minutes pretty much every time. That includes from the time I boot the CD to start the install to doing all the patches, turning on all the services I like and defining the dhcp ranges it will be serving.

This is one nice Linux security distribution. It requires minimal skill to install and there is a huge FAQ on the website.

Highly recommended!

Here's what you get:

- Totally GPL
- Friendly support on mailing list
- All source code available on public CVS
- Installs from bootable CD, or with a floppy to kick it off, installs from CD, http or ftp.
- 2.2.21rc1 Kernel
- EXT3 File System
- IPChains based firewall
- Network Address Translation (NAT)
- Analog/ISDN/ADSL modem support
- Support for almost any connection type
- CheckPoint Soft. SecuRemote Support
- Full DMZ Support
- Web Based GUI Admin & Config System
- Full Status Display
- Full Traffic Graphs
- Full Connections Information
- PPP Settings/Configuration Area
- PPtP ADSL Support
- PPPoE Support
- USB ADSL Firmware Upload Area
- Modem Configuration Area
- SSH server for Remote Access
- Password Control Area
- HTTP/FTP/HTTPS Web Proxy
- DHCP Server
- Caching DNS
- TCP/UDP Port Forwarding
- External Service Access Control
- DMZ Pinholing Capacity
- Dynamic DNS Support
- Intrusion Detection System (SNORT)
- VPN Support (FreeSWAN) with Control Area
- Full System Logs
- Web Proxy Logs
- Firewall Logs
- Intrusion Detection System Logs
- Remote Shutdown/Reboot Area
- Integrated JAVA Based SSH Shell Area
- IPCop Linux Updates Area

Re:Cool, but...

[EllF]

You got cracked whilst running ssh? How?

I'm guessing that you didn't notice that ssh was found vulnerable to an off-by-one compromise recently, and that a new version is out. Check out the advisory on it, and get the latest version while you're there.

The solution to security flaws like this is not running in runlevel0 - it is diligance and administration. Subscribe to bugtraq (here, and keep an eye on what's coming out. Do an occasional nmap scan against yourself. *Know* what ports are open, don't wait to be surpised. ssh is by no means "stupid". Neither are you. Not keeping up to date on what's out there, however, is.

Re:Cool, but...

The off-by-one channel hickup isn't remotely exploitable. He was no doubt running a broken version of SSH v1.

Re:Uprising Politechs...

[TellarHK]

Actually, as a member of the IPCop user mailing list, I'd have to say that any ill-will has been pretty well restrained. The list might occasionally flare with the occasional flame, but the moderators of the list do a pretty good job of keeping it all in check.

IPCop has the goal of planning a large rewrite for the .2 release, and I'm looking forward to seeing where these efforts go. While Smoothwall GPL support seems to have stalled in a few areas (most notably USB Speedtouch modem speeds) IPCop continues with the full effort of the team.

this packet passed through IPCop

[sloop]

I just installed IPCop this afternoon. Coincidentally, I saw this news story show up on slashdot the same time I was burning the CD-ROM.

So far, I am impressed.

The securityfocus review is very lacking, and very disappointing in content to be coming from a "security" site.

The IPCop installation was very simple and straightforward. The only hiccup was getting my ISA NICs to work.. I had to use a setup floppy to set the IO address, and manually load the driver "ne io=0x220".

The DMZ feature is very cool, and it looks like you can run IPSec out of the box.

The web interface is very slick. This interface is what separates it from a stock RedHat distribution with some custom iptables rules. Previously I was running a floppy-based distro for my firewall (BBIagent). I like IPCop better because it has SSH support, an update system, and I can log in to the console and 'do stuff'.

IPCop kicks Smoothwall's ass, for these reasons:

[joebp]

• IPCop lacks Richard Morrell.
• IPCop fixes the long-known USB ADSL bug with Smoothwall -- which cripples upload speed to 3K/s instead of 30K/s.
• No nagware, adverts, requirements to donate to get basic support, etc.
• Smoothwall GPL is treated and referred to as 'trialware' by the Smoothwall development team, and is essentially dead as GPL project.

Smoothwall is in my opinion perhaps the most ungraceful transition from a pure open-source project to a business in recent history.

Re:Uprising Politechs...

the reason ipcop doesn't currently appear that technically different from smoothwall is because currently it's not. the 0.1 release was just a stop-gap measure to provide people an immediate alternative to smoothwall; not a technical alternative, but a logistical alternative.

matter-of-fact, phil barnett, who use to run the unofficial smoothwall mailing lists (even before smoothwall.org had an "official" mailing list), says something along those same lines here.

a major rewrite is planned for 0.2, which will clearly differentiate ipcop from smoothwall.

but was the logistical problem really that big, big enough to necessitate a fork? what follows is a repost from the official smoothwall "users" mailing list where all i did was inquire about the GPLed kernel sources and patches used in the distribution. i didn't ask for the smoothwall project to provide them, but only to state what they were so that i could find, download, and rebuild the kernel sources with qos (quality-of-service) capabilities enabled, one that would be as similar as possible to the smoothwall kernel (for a drop-in replacement).

i thought one of the original benefits richard stallman intended for GPLed software is that the user can infinitely customize and tailor the product to suit them and there is no vendor lock-in as the source code can be altered for the customer by third-parties? isn't the GPL about the customer? obviously smoothwall management (richard morrell, "project manager and founder") doesn't have anything (especially ideals) in common with stallman besides a first name.

note: yeah, i've removed the email addresses and phone numbers contained in the following message. as much as i disagree with richard morrell's attitude, i don't wish spambots or people upon him or his email addresses (see "Golden Rule", Matthew 7:12 & Luke 6:31).

From: Richard Morrell
Sent: Saturday, September 22, 2001 2:58 PM
To: Wright, Corey
Cc: users@
Subject: Re: [users] What kernel source and distro-base?

DONT

If you think you have something to add use your brain

Come talk to the team

QoS is so so so unneeded.

You will get fuck all help from us dude

Richard Morrell, project manager and founder - SmoothWall
Technical Director - Caveonet Ltd

On Fri, 21 Sep 2001, Wright, Corey wrote:

> What kernel source (plus patches) and distribution (if any) is 0.9.9 based
> on?
>
> I'm wanting to add QoS capabilities to SmoothWall using kernel modules
> (sch_*), the tc application, and a script borrowed/modified from LRP
> sec-EtherToEtherFiles.html>.
>
> I know from looking at the smoothwall-0.9.9-kit.tar.gz tarball that the
> kernel config's are included in that and that the kernel was 2.2.19, but
> what kernel source was used (stock, patches, etc)? If the kernel was
> patched, is the modified kernel source provided somewhere, or at least the
> patches to apply to the stock kernel?
>
> What distribution was used as the base for the SmoothWall, if any? If all
> the apps came from a distro, then I can simply see if that distro provides
> tc (ex. in Red Hat's iproute rpm) instead of having to statically compile tc
> (or try to match library versions).
>
> The "donor" computer I currently use for SmoothWall 0.9.8 had Red Hat 6.2
> installed on it (just two weeks ago, right before 0.9.9 was released) and I
> had QoS set up, but with a simpler script. The script I used only provided
> "Stochastic Fair Queuing" and didn't discriminate between different types of
> traffic (like the LPR script does), but it really helped make web surfing
> and chatting tolerable while apt-getting debian packages over a dial-up
> link. (Instead of one large queue, like the tcp/ip stack has, SFQ creates
> multiple queues based on origin and destination ip address pairs [and
> possibly including destination port; can't remember], and pulls a packet off
> of each queue round-robin style. So even though there may be tons of
> packets queued, bound for a particular ftp server, packets bound for a
> [different] web server don't have to wait at the end of the line behind all
> those backed-up ftp packets, because those http packets have their own
> line.)
>
> I would be happy to document my work (assuming I get it to work) so that
> this could be incorporated into SmoothWall.
>
> Or if the SmoothWall team isn't interested, I'll just have to ask for this
> same information next time/version around. ;-)
>
> Corey
>
> PS Thanks for SmoothWall and I look forward to installing and modifying
> 0.9.9.

i never received any follow-up or further assistance from the smoothwall team (if you even dare to call the above "assistance"), but eventually reached my goal with the helpful detective work of another smoothwall user, who had also received a similar reply from smoothwall management to a similar request.

and this is why i do not recommend nor support smoothwall, and instead point to the ipcop project.

An appliance, not an OS

[RevCheswollen]

OpenBSD is an operating system, designed with security in mind. It is probably as secure as anything BSD-derived can possibly be at this point.

IPCop, Smoothwall, Freesco, etc. are not operating systems, they are dedicated firewall/router devices built on stripped-down linux kernels. Although they incorporate DHCP servers, DNS relays, and similar network infrastructure schtupfh they are nonetheless strictly single-purpose appliances.

Morrell and Manning should be applauded for their achievement; Smoothwall broke new ground as an easily configured home firewall with Snort and Squid transparently integrated (no small feat).

UNfortunately, Smoothwall shares one characteristic with OpenBSD; like OpenBSD guru Theo De Raadt, Richard Morrell has an egotistical, abrasive manner and does not communicate well with end-users or fools. If his commercial venture is to be a success, he's going to have to learn some diplomacy. Or maybe not, Larry Ellison gets away with it.