Slashdot Mirror


IPCop 0.1.1 Review

Selanit writes "I just found a link on Distrowatch to a SecurityFocus Review of IP Cop 0.1.1. IP Cop is a fork of the GPL version of the Smoothwall Linux firewall distro, which had a review linked by Slashdot. Though it has a slick, easy install and good features, a number of people had issues with Smoothwall. IPCop has implemented shadow passwords to fix the security flaw, and their mission statement includes a provision that they will "Provide an enjoyable environment for the Public to discuss and request assistance." The to-do list of features for the upcoming 0.2 version is also interesting."

21 of 104 comments

  1. OpenBSD? by daemonslayer · · Score: 2, Interesting

    Looks interesting. Does anyone know from a security standpoint how this compares to OpenBSD or other similar security minded projects?

  2. IPCop as a quick solution to firewalling by freeio · · Score: 5, Informative

    We have tried IPCop 0.1.1 at the office, and it has one very big advantage over using a general purpose distribution: it installs and comes up running very quickly. From inserting the CDROM to completion of the install on a typical system (200MHz Pentium with 64MB memory) it took about 14 minutes to have it running.

    We use it as a three-way firewall with a DMZ, and that is stone-cold simple to install. Slick, with no problems.

    Highly recommended!

    --
    Soli Deo Gloria
    1. Re:IPCop as a quick solution to firewalling by paenguin · · Score: 5, Informative

      I've done a lot of IPCop installs and I can have it installed and configured in 10 minutes pretty much every time. That includes from the time I boot the CD to start the install to doing all the patches, turning on all the services I like and defining the dhcp ranges it will be serving.

      This is one nice Linux security distribution. It requires minimal skill to install and there is a huge FAQ on the website.

      Highly recommended!

      Here's what you get:

      - Totally GPL
      - Friendly support on mailing list
      - All source code available on public CVS
      - Installs from bootable CD, or with a floppy to kick it off, installs from CD, http or ftp.
      - 2.2.21rc1 Kernel
      - EXT3 File System
      - IPChains based firewall
      - Network Address Translation (NAT)
      - Analog/ISDN/ADSL modem support
      - Support for almost any connection type
      - CheckPoint Soft. SecuRemote Support
      - Full DMZ Support
      - Web Based GUI Admin & Config System
      - Full Status Display
      - Full Traffic Graphs
      - Full Connections Information
      - PPP Settings/Configuration Area
      - PPtP ADSL Support
      - PPPoE Support
      - USB ADSL Firmware Upload Area
      - Modem Configuration Area
      - SSH server for Remote Access
      - Password Control Area
      - HTTP/FTP/HTTPS Web Proxy
      - DHCP Server
      - Caching DNS
      - TCP/UDP Port Forwarding
      - External Service Access Control
      - DMZ Pinholing Capacity
      - Dynamic DNS Support
      - Intrusion Detection System (SNORT)
      - VPN Support (FreeSWAN) with Control Area
      - Full System Logs
      - Web Proxy Logs
      - Firewall Logs
      - Intrusion Detection System Logs
      - Remote Shutdown/Reboot Area
      - Integrated JAVA Based SSH Shell Area
      - IPCop Linux Updates Area

      --
      We should start referring to processes which run in the background by their correct technical name... paenguins.
  3. Redundant Solutions? by bleckywelcky · · Score: 4, Insightful


    I have read over IPCop configurations and documentations several times before, and it is definitely a good solution for a simple home office or other small business network. It is fairly simple to use and set up, and fairly robust in operations. However, there is one thing that it lacks, as well as what many other solutions lack: the ability to handle redundant internet access. Although I have not looked at every single software solution for routing and networking on this scale, there still seems to be a lack of redundant-internet-connection support in the field. The ability to use multiple internet connections for backup in a single software solution, as well as to use multiple internet connections to increase overall bandwidth, seems to be missing.

    Has anyone run across developing projects (or already developed projects) that are trying to accomplish this sort of feat? I have seen a hardware solution or two that have tried to work this problem, but they are rather impractical for a home office user who needs redundancy (telecommuting, etc) or expansion of their bandwidth (kids playing games while they need to transfer projects around, etc) for their home network. Can anyone comment on this subject?

  4. Re:Cool, but... by NetJunkie · · Score: 3, Interesting

    SSH isn't stupid. But why was it available to the outside world? You should only do firewall management from inside your network.

  5. Choice is good by DreamerFi · · Score: 2, Insightful

    As author of a similar project (www.dubbele.com) I'm glad to see competition. Different people need different solutions, and there's plenty of difference between mine and theirs.

    -John

  6. Uprising Politechs... by bhsx · · Score: 2, Interesting

    It seems that more and more people are using politics to spur linux distributions. Spinning-off a GPL project is all well and good; but do you have to wish ill on the original project? It doesn't seem like this is different enough from smoothwall yet to indicate a new distribution. On a similar topic, has anyone checked out Sorcerer GNU/Linux lately? Seems this is happening a bit too much for my taste. I'm all for things like K12LTSP which don't attempt to take anything from their originators, yet add productive/useful features for anyone in a specialized niche.

    --
    put the what in the where?
    1. Re:Uprising Politechs... by TellarHK · · Score: 4, Informative

      Actually, as a member of the IPCop user mailing list, I'd have to say that any ill-will has been pretty well restrained. The list might occasionally flare with the occasional flame, but the moderators of the list do a pretty good job of keeping it all in check.

      IPCop has the goal of planning a large rewrite for the .2 release, and I'm looking forward to seeing where these efforts go. While Smoothwall GPL support seems to have stalled in a few areas (most notably USB Speedtouch modem speeds) IPCop continues with the full effort of the team.

    2. Re:Uprising Politechs... by Anonymous Coward · · Score: 5, Informative
      the reason ipcop doesn't currently appear that technically different from smoothwall is because currently it's not. the 0.1 release was just a stop-gap measure to provide people an immediate alternative to smoothwall; not a technical alternative, but a logistical alternative.

      matter-of-fact, phil barnett, who used to run the unofficial smoothwall mailing lists (even before smoothwall.org had an "official" mailing list), says something along those same lines here.

      a major rewrite is planned for 0.2, which will clearly differentiate ipcop from smoothwall.

      but was the logistical problem really that big, big enough to necessitate a fork? what follows is a repost from the official smoothwall "users" mailing list where all i did was inquire about the GPLed kernel sources and patches used in the distribution. i didn't ask for the smoothwall project to provide them, but only to state what they were so that i could find, download, and rebuild the kernel sources with qos (quality-of-service) capabilities enabled, one that would be as similar as possible to the smoothwall kernel (for a drop-in replacement).

      i thought one of the original benefits richard stallman intended for GPLed software is that the user can infinitely customize and tailor the product to suit them and there is no vendor lock-in as the source code can be altered for the customer by third-parties? isn't the GPL about the customer? obviously smoothwall management (richard morrell, "project manager and founder") doesn't have anything (especially ideals) in common with stallman besides a first name.

      note: yeah, i've removed the email addresses and phone numbers contained in the following message. as much as i disagree with richard morrell's attitude, i don't wish spambots or people upon him or his email addresses (see "Golden Rule", Matthew 7:12 & Luke 6:31).


      From: Richard Morrell
      Sent: Saturday, September 22, 2001 2:58 PM
      To: Wright, Corey
      Cc: users@
      Subject: Re: [users] What kernel source and distro-base?

      DONT

      If you think you have something to add use your brain

      Come talk to the team

      QoS is so so so unneeded.

      You will get fuck all help from us dude

      Richard Morrell, project manager and founder - SmoothWall
      Technical Director - Caveonet Ltd

      On Fri, 21 Sep 2001, Wright, Corey wrote:

      > What kernel source (plus patches) and distribution (if any) is 0.9.9 based
      > on?
      >
      > I'm wanting to add QoS capabilities to SmoothWall using kernel modules
      > (sch_*), the tc application, and a script borrowed/modified from LRP
      > sec-EtherToEtherFiles.html>.
      >
      > I know from looking at the smoothwall-0.9.9-kit.tar.gz tarball that the
      > kernel config's are included in that and that the kernel was 2.2.19, but
      > what kernel source was used (stock, patches, etc)? If the kernel was
      > patched, is the modified kernel source provided somewhere, or at least the
      > patches to apply to the stock kernel?
      >
      > What distribution was used as the base for the SmoothWall, if any? If all
      > the apps came from a distro, then I can simply see if that distro provides
      > tc (ex. in Red Hat's iproute rpm) instead of having to statically compile tc
      > (or try to match library versions).
      >
      > The "donor" computer I currently use for SmoothWall 0.9.8 had Red Hat 6.2
      > installed on it (just two weeks ago, right before 0.9.9 was released) and I
      > had QoS set up, but with a simpler script. The script I used only provided
      > "Stochastic Fair Queuing" and didn't discriminate between different types of
      > traffic (like the LRP script does), but it really helped make web surfing
      > and chatting tolerable while apt-getting debian packages over a dial-up
      > link. (Instead of one large queue, like the tcp/ip stack has, SFQ creates
      > multiple queues based on origin and destination ip address pairs [and
      > possibly including destination port; can't remember], and pulls a packet off
      > of each queue round-robin style. So even though there may be tons of
      > packets queued, bound for a particular ftp server, packets bound for a
      > [different] web server don't have to wait at the end of the line behind all
      > those backed-up ftp packets, because those http packets have their own
      > line.)
      >
      > I would be happy to document my work (assuming I get it to work) so that
      > this could be incorporated into SmoothWall.
      >
      > Or if the SmoothWall team isn't interested, I'll just have to ask for this
      > same information next time/version around. ;-)
      >
      > Corey
      >
      > PS Thanks for SmoothWall and I look forward to installing and modifying
      > 0.9.9.


      i never received any follow-up or further assistance from the smoothwall team (if you even dare to call the above "assistance"), but eventually reached my goal with the helpful detective work of another smoothwall user, who had also received a similar reply from smoothwall management to a similar request.

      and this is why i do not recommend nor support smoothwall, and instead point to the ipcop project.
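
The Stochastic Fair Queuing behaviour described in the quoted message above, as an added example that is not part of the original post: a small Python model comparing one FIFO queue with one queue per (source, destination) address pair served round-robin. The addresses and packet labels are constructed, and the model is a simplification (the Linux sch_sfq scheduler hashes flows into a bounded number of buckets and periodically perturbs the hash).

```python
from collections import OrderedDict, deque


def make_backlog():
    """Constructed backlog: six FTP packets arrive before two HTTP packets."""
    ftp = [("10.0.0.5", "198.51.100.20", "ftp-%d" % i) for i in range(1, 7)]
    web = [("10.0.0.5", "203.0.113.80", "http-%d" % i) for i in range(1, 3)]
    return ftp + web


def fifo_order(packets):
    """Single queue: packets leave in exactly the order they arrived."""
    return [label for _src, _dst, label in packets]


def sfq_order(packets):
    """One queue per (src, dst) pair; take one packet from each queue in turn."""
    queues = OrderedDict()
    for src, dst, label in packets:
        queues.setdefault((src, dst), deque()).append(label)

    sent = []
    while queues:
        # Snapshot the keys so empty queues can be dropped during the round.
        for flow in list(queues):
            queue = queues[flow]
            sent.append(queue.popleft())
            if not queue:
                del queues[flow]
    return sent


def packets_ahead(order, label):
    """How many packets are transmitted before the given one."""
    return order.index(label)


if __name__ == "__main__":
    backlog = make_backlog()
    for name, scheduler in (("fifo", fifo_order), ("sfq", sfq_order)):
        order = scheduler(backlog)
        print(name, order, "http-1 waits behind", packets_ahead(order, "http-1"))
```
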
  7. That's what routers are for. by NetJunkie · · Score: 2

    It isn't the firewall's job to do this, that is up to your router. Firewalls shouldn't get in the business of routing or handling routing protocols.

    1. Re:That's what routers are for. by NetJunkie · · Score: 2

      An average home user won't have multiple Internet connections. How many people have DSL and Cable at the same time? There are small NAT routers that do this on the cheap. If your company is paying a couple grand for Internet connections they will already have at least one router and probably more.

      Good routing protocols handle congestion as well as downed links. EIGRP takes these into account. We have two connections to the same Bellsouth POP and use Cisco's CEF for packet level load balancing and redundancy should one circuit fail. You can bundle many links using CEF, but they must all go to the same router. Multiple connections to different POPs would require BGP.

    2. Re:That's what routers are for. by NetJunkie · · Score: 3, Interesting

      Check out the Nexland ISB Pro800Turbo Firewall/NAT box. It will load balance two broadband connections.

  8. Re:Cool, but... by EllF · · Score: 3, Informative

    You got cracked whilst running ssh? How?

    I'm guessing that you didn't notice that ssh was found vulnerable to an off-by-one compromise recently, and that a new version is out. Check out the advisory on it, and get the latest version while you're there.

    The solution to security flaws like this is not running in runlevel0 - it is diligence and administration. Subscribe to bugtraq (here), and keep an eye on what's coming out. Do an occasional nmap scan against yourself. *Know* what ports are open, don't wait to be surprised. ssh is by no means "stupid". Neither are you. Not keeping up to date on what's out there, however, is.

    --
    We who were living are now dying
    With a little patience
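
One way to turn the "scan yourself and know what ports are open" advice in the comment above into a repeatable check, as an added example that is not part of the original post: a Python script that parses nmap's grepable output (`nmap -oG -`) and compares the open ports with a baseline. The scan text, the 192.0.2.x addresses and the baseline are constructed, and the parser assumes a plain port scan without version detection.

```python
import re

# Constructed sample of grepable nmap output for a firewall's external address.
SAMPLE_SCAN = (
    "# Nmap scan initiated as: nmap -oG - 192.0.2.1\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, "
    "443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\n"
    "# Nmap done: 1 IP address (1 host up) scanned\n"
)

# Assumed policy for this example: only HTTPS is meant to be reachable from
# outside, and 192.0.2.2 is a second host that should answer on port 25.
EXPECTED_OPEN = {
    "192.0.2.1": {(443, "tcp")},
    "192.0.2.2": {(25, "tcp")},
}

PORTS_FIELD = re.compile(r"Ports: (.*?)(?:\t|$)")


def parse_open_ports(grepable):
    """Return {host: {(port, proto), ...}} for every port in state 'open'."""
    found = {}
    for line in grepable.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines carry no results
        host = line.split()[1]
        ports = found.setdefault(host, set())
        match = PORTS_FIELD.search(line)
        if not match:
            continue  # "Status:" line, no port list
        for entry in match.group(1).split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                ports.add((int(fields[0]), fields[2]))
    return found


def audit(grepable, expected):
    """Per host: ports open but not in the baseline, and baseline ports not seen."""
    seen = parse_open_ports(grepable)
    report = {}
    for host in sorted(set(seen) | set(expected)):
        actual = seen.get(host, set())
        allowed = expected.get(host, set())
        report[host] = {
            "unexpected": sorted(actual - allowed),
            "missing": sorted(allowed - actual),
        }
    return report


if __name__ == "__main__":
    for host, result in audit(SAMPLE_SCAN, EXPECTED_OPEN).items():
        print(host, result)
```

Run from a scheduled job against a saved scan, the "unexpected" list is the part to alert on; in the constructed sample it reports SSH reachable from outside.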
  9. Department of Redundancy Department by TheSHAD0W · · Score: 2

    All *nix distributions can handle multiple uplinks, once you've tweaked them properly. Load balancing can be an issue, but if you want pure redundancy, that's not a huge problem. Servers on redundant connections is a whole different ball of wax, though.

  10. this packet passed through IPCop by sloop · · Score: 3, Informative

    I just installed IPCop this afternoon. Coincidentally, I saw this news story show up on slashdot the same time I was burning the CD-ROM.

    So far, I am impressed.

    The securityfocus review is very lacking, and very disappointing in content to be coming from a "security" site.

    The IPCop installation was very simple and straightforward. The only hiccup was getting my ISA NICs to work. I had to use a setup floppy to set the IO address, and manually load the driver "ne io=0x220".

    The DMZ feature is very cool, and it looks like you can run IPSec out of the box.

    The web interface is very slick. This interface is what separates it from a stock RedHat distribution with some custom iptables rules. Previously I was running a floppy-based distro for my firewall (BBIagent). I like IPCop better because it has SSH support, an update system, and I can log in to the console and 'do stuff'.

  11. IPCop kicks Smoothwall's ass, for these reasons: by joebp · · Score: 5, Informative
    • IPCop lacks Richard Morrell.
    • IPCop fixes the long-known USB ADSL bug with Smoothwall -- which cripples upload speed to 3K/s instead of 30K/s.
    • No nagware, adverts, requirements to donate to get basic support, etc.
    • Smoothwall GPL is treated and referred to as 'trialware' by the Smoothwall development team, and is essentially dead as GPL project.
    Smoothwall is in my opinion perhaps the most ungraceful transition from a pure open-source project to a business in recent history.
  12. An appliance, not an OS by RevCheswollen · · Score: 2, Informative

    OpenBSD is an operating system, designed with security in mind. It is probably as secure as anything BSD-derived can possibly be at this point.

    IPCop, Smoothwall, Freesco, etc. are not operating systems, they are dedicated firewall/router devices built on stripped-down linux kernels. Although they incorporate DHCP servers, DNS relays, and similar network infrastructure schtupfh they are nonetheless strictly single-purpose appliances.

    Morrell and Manning should be applauded for their achievement; Smoothwall broke new ground as an easily configured home firewall with Snort and Squid transparently integrated (no small feat).

    Unfortunately, Smoothwall shares one characteristic with OpenBSD; like OpenBSD guru Theo De Raadt, Richard Morrell has an egotistical, abrasive manner and does not communicate well with end-users or fools. If his commercial venture is to be a success, he's going to have to learn some diplomacy. Or maybe not, Larry Ellison gets away with it.

  13. Better Solution? by PJPorch · · Score: 2, Interesting

    I was playing with a number of similar stripped-down versions of linux that were intended for firewalls. IPCop has a nice interface and is simple to setup, but found that I like Astaro for a better solution. The Hardware requirements are a little higher, but I think the interface is better and one key feature that changed my mind is that Astaro is a stateful firewall.
    From Astaro Website

    http://www.astaro.com

    System
    Linux 2.4-based, Change-Root Protection, Kernel-Capability Protection, Web-based Administration (128 Bit SSL encrypted), Updating via Internet (1024 Bit PGP signed), Logging via Syslog/SNMP/ASCII-Files.

    Firewall
    Stateful Packet Inspection, Portscan Detection, Anti Spoofing.

    Virtual Private Networks (VPN)
    IPSec and IKE (RFC 2408/RFC 2409), Microsoft PPTP (RFC 2637) Algorithms: Diffie-Hellman/3DES/MD5/SHA 1.

    Proxies
    HTTP (Content Filter, Cache, Authentication), HTTPS, SMTP (Virus Protection), DNS, SOCKS 4.0/5.0 (Authentication), Authentication via User Database/Radius/MS Windows NT or 2000.

    Networking
    Source and Destination NAT, Masquerading, up to 25 Ethernet Interfaces (10/100/1000 MBit), IP Aliasing, Randomized TCP Sequencing, Proxy ARP, Automated Routing.

    Performance
    Running on a 750 MHz CPU: Up to 64000 concurrent Connections, up to 650 MBit/s Filter Throughput, up to 25 MBit/s VPN Throughput.

    Josh

  14. Author speaks out. by Babel · · Score: 3, Interesting

    As the author of the SecurityFocus article in question, I'd just like to answer a few comments:

    * Yup, I found this an interesting project for a number of reasons. It was WAY easier to set up than a standard Linux distro, but be aware that's because it has ONE purpose and one only -- to be a firewall. This is good and bad. As a simple, easy to install firewall system, I like it.

    * I haven't played with www.dubbelle.com but I'll be sure to check it out shortly. There are lots of other good cut-down distros out there, and I'm sure there is place for all of them. The one advantage that IPCop has over a single floppy distro is a few extra features such as squid and IPSec.

    * Sorry, the article really was meant to be a how-to, rather than a review. I'm sorry about those who were disappointed expecting more of a review article but I prefer to write in the more practical sense. If you want a review, here's a one word one: GOOD. I'd be interested to hear what one poster (sloop) found "lacking" in the article, however.

    * I hereby refuse to make any comment concerning Richard Morrell.

    * Yup, Astaro is a fine distro too, and no doubt the fine folks at SecurityFocus will probably review it as well. I'm not that familiar with it myself so no doubt they'll get someone else to do the review.

    Del

    1. Re:Author speaks out. by DreamerFi · · Score: 2

      Del,

      feel free to contact me once you've looked at dubbele.com, I'd be happy to talk about your impression..

      -John

  15. Re:Cool, but... by nihilogos · · Score: 2

    of course I was ;-)

    the point is, broken or not, I should not be running ssh AT ALL on the firewall, with access from outside.

    But, since it was my home system, nothin really important got compromised. I think the dude just tried to set an account and use my relay to spam a bit. Damn me.


    I think you are either making this up or are just simply wrong.

    And why don't you just allow ssh to a few trusted machines anyway?

    --
    :wq