IPCop 0.1.1 Review
Selanit writes "I just found a link on Distrowatch to a SecurityFocus Review of IP Cop 0.1.1. IP Cop is a fork of the GPL version of the Smoothwall Linux firewall distro, which had a review linked by Slashdot. Though it has a slick, easy install and good features, a number of people had issues with Smoothwall. IPCop has implemented shadow passwords to fix the security flaw, and their mission statement includes a provision that they will "Provide an enjoyable environment for the Public to discuss and request assistance." The to-do list of features for the upcoming 0.2 version is also interesting."
Looks interesting. Does anyone know from a security standpoint how this compares to OpenBSD or other similar security-minded projects?
Does it run in runlevel 0 like the "halted firewall"?
I got invaded the other day because my linux FW was running a stupid service (ssh). Considering a true W ever since.
``If a program can't rewrite its own code, what good is it?'' - Mel
We have tried IPCop 0.1.1 at the office, and it has one very big advantage over using a general purpose distribution: it installs and comes up running very quickly. From inserting the CDROM to completion of the install on a typical system (200MHz Pentium with 64MB memory) it took about 14 minutes to have it running.
We use it as a three-way firewall with a DMZ, and that is stone-cold simple to install. Slick, with no problems.
Highly recommended!
Soli Deo Gloria
I have read over IPCop configurations and documentation several times before, and it is definitely a good solution for a simple home office or other small business network. It is fairly simple to use and set up, and fairly robust in operation. However, there is one thing that it lacks, as well as what many other solutions lack: the ability to handle redundant internet access. Although I have not looked at every single software solution for routing and networking on this scale, there still seems to be a lack of redundant-internet-connection support in the field. The ability to use multiple internet connections for backup in a single software solution, as well as to use multiple internet connections to increase overall bandwidth, seems to be missing.
Has anyone run across developing projects (or already developed projects) that are trying to accomplish this sort of feat? I have seen a hardware solution or two that have tried to work this problem, but they are rather impractical for a home office user who needs redundancy (telecommuting, etc) or expansion of their bandwidth (kids playing games while they need to transfer projects around, etc) for their home network. Can anyone comment on this subject?
As author of a similar project (www.dubbele.com) I'm glad to see competition. Different people need different solutions, and there's plenty of difference between mine and theirs.
-John
It seems that more and more people are using politics to spur linux distributions. Spinning-off a GPL project is all well and good; but do you have to wish ill on the original project? It doesn't seem like this is different enough from smoothwall yet to indicate a new distribution. On a similar topic, has anyone checked out Sorcerer GNU/Linux lately? Seems this is happening a bit too much for my taste. I'm all for things like K12LTSP which don't attempt to take anything from their originators, yet add productive/useful features for anyone in a specialized niche.
put the what in the where?
Looks interesting alright, but why wait?
I'm running my own RedHat 7.2 box with iptables, squid and the whole nine yards. Works perfectly, probably because I had to configure it myself, didn't use a preconfigured firewall distro.
It isn't the firewall's job to do this, that is up to your router. Firewalls shouldn't get in the business of routing or handling routing protocols.
All *nix distributions can handle multiple uplinks, once you've tweaked them properly. Load balancing can be an issue, but if you want pure redundancy, that's not a huge problem. Servers on redundant connections is a whole different ball of wax, though.
You might already know this, but there is a really good one-disk-router/firewall around: Fli4l.
Boycott? Blackout? Subscriptions?
I don't care!
You can find layouts like that , and my special super
I just installed IPCop this afternoon. Coincidentally, I saw this news story show up on slashdot the same time I was burning the CD-ROM.
So far, I am impressed.
The securityfocus review is very lacking, and very disappointing in content to be coming from a "security" site.
The IPCop installation was very simple and straightforward. The only hiccup was getting my ISA NICs to work. I had to use a setup floppy to set the IO address, and manually load the driver "ne io=0x220".
The DMZ feature is very cool, and it looks like you can run IPSec out of the box.
The web interface is very slick. This interface is what separates it from a stock RedHat distribution with some custom iptables rules. Previously I was running a floppy-based distro for my firewall (BBIagent). I like IPCop better because it has SSH support, an update system, and I can log in to the console and 'do stuff'.
- IPCop lacks Richard Morrell.
- IPCop fixes the long-known USB ADSL bug with Smoothwall -- which cripples upload speed to 3K/s instead of 30K/s.
- No nagware, adverts, requirements to donate to get basic support, etc.
- Smoothwall GPL is treated and referred to as 'trialware' by the Smoothwall development team, and is essentially dead as GPL project.
Smoothwall is in my opinion perhaps the most ungraceful transition from a pure open-source project to a business in recent history.
Don't click on the article link hoping for a review from the fine folks at Security Focus. This is simply an install HowTo; editorializing is kept to a minimum.
OpenBSD is an operating system, designed with security in mind. It is probably as secure as anything BSD-derived can possibly be at this point.
IPCop, Smoothwall, Freesco, etc. are not operating systems, they are dedicated firewall/router devices built on stripped-down linux kernels. Although they incorporate DHCP servers, DNS relays, and similar network infrastructure schtupfh they are nonetheless strictly single-purpose appliances.
Morrell and Manning should be applauded for their achievement; Smoothwall broke new ground as an easily configured home firewall with Snort and Squid transparently integrated (no small feat).
Unfortunately, Smoothwall shares one characteristic with OpenBSD; like OpenBSD guru Theo de Raadt, Richard Morrell has an egotistical, abrasive manner and does not communicate well with end-users or fools. If his commercial venture is to be a success, he's going to have to learn some diplomacy. Or maybe not, Larry Ellison gets away with it.
I was playing with a number of similar stripped-down versions of linux that were intended for firewalls. IPCop has a nice interface and is simple to set up, but found that I like Astaro for a better solution. The hardware requirements are a little higher, but I think the interface is better and one key feature that changed my mind is that Astaro is a stateful firewall.
From Astaro Website
http://www.astaro.com
System
Linux 2.4-based, Change-Root Protection, Kernel-Capability Protection, Web-based Administration (128 Bit SSL encrypted), Updating via Internet (1024 Bit PGP signed), Logging via Syslog/SNMP/ASCII-Files.
Firewall
Stateful Packet Inspection, Portscan Detection, Anti Spoofing.
Virtual Private Networks (VPN)
IPSec and IKE (RFC 2408/RFC 2409), Microsoft PPTP (RFC 2637). Algorithms: Diffie-Hellman/3DES/MD5/SHA 1.
Proxies
HTTP (Content Filter, Cache, Authentication), HTTPS, SMTP (Virus Protection), DNS, SOCKS 4.0/5.0 (Authentication), Authentication via User Database/Radius/MS Windows NT or 2000.
Networking
Source and Destination NAT, Masquerading, up to 25 Ethernet Interfaces (10/100/1000 MBit), IP Aliasing, Randomized TCP Sequencing, Proxy ARP, Automated Routing.
Performance
Running on a 750 MHz CPU: Up to 64000 concurrent Connections, up to 650 MBit/s Filter Throughput, up to 25 MBit/s VPN Throughput.
Josh
As the author of the SecurityFocus article in question, I'd just like to answer a few comments:
* Yup, I found this an interesting project for a number of reasons. It was WAY easier to set up than a standard Linux distro, but be aware that's because it has ONE purpose and one only -- to be a firewall. This is good and bad. As a simple, easy to install firewall system, I like it.
* I haven't played with www.dubbelle.com but I'll be sure to check it out shortly. There are lots of other good cut-down distros out there, and I'm sure there is place for all of them. The one advantage that IPCop has over a single floppy distro is a few extra features such as squid and IPSec.
* Sorry, the article really was meant to be a how-to, rather than a review. I'm sorry about those who were disappointed expecting more of a review article but I prefer to write in the more practical sense. If you want a review, here's a one word one: GOOD. I'd be interested to hear what one poster (sloop) found "lacking" in the article, however.
* I hereby refuse to make any comment concerning Richard Morrell.
* Yup, Astaro is a fine distro too, and no doubt the fine folks at SecurityFocus will probably review it as well. I'm not that familiar with it myself so no doubt they'll get someone else to do the review.
Del
I note that ipcop is only on version 0.1.1 and I wonder if this means that the product is still evolving.
How would a product like Mandrake Server compare, apart from potentially being much bigger? (e-smith was only about 400 MB for the complete package).
- midtoad
Umwelt schützen, Fahrrad benützen
Having just spent a few hours installing ipcop I can say it rocks. We had a problem that it wasn't detecting the USB properly, but this was solved by not having the usb modem plugged in. The real difficulty was that the usb claimed to be "Unset" rather than either of the two options, but when my friend emailed them he got a quick response saying that the installer was being changed to make it more clear.
Once you get the thing working it's a dream, uploaded the file and had USB ADSL (to BTOpenWorld) going in no time at all. Possibly it's just wishful thinking, but response times and pings in general seem better (though it's bto, so they're still pretty crap), and it is just brilliantly easy to admin. Even the non-linuxy guys in the house are loving the new setup (for the record it's a student place with about 8 machines so we fit into the home/small office category).
-- "[The] NSA can eat shit and die until they stop listening to my phone calls" - TastyWheat
GPL fork != Closed-source fork
Having seen a few forks in my time (especially at meal times), I can say that the effect of a GPL fork isn't half as bad as the closed-source forks we've seen.
For a start, diverging GPL projects can always converge later, they can shamelessly copy each other's code. It's more like parallel processing than a dead end splinter.