Bootable CDROM-based Firewalls?
DNapalm asks: "I work at a small local ISP that is in desperate need of a firewall. We don't have much of a budget, so a hardware-based solution (which I'd prefer) really isn't an option. I've been searching around the web for firewall distributions, and I know what I am looking for. I'd like a boot CD (no install required, no filesystem hacking, just reboot) that stores the configuration on a floppy (that we can easily write protect). It should have a web interface and be able to log to a hard drive or some other machine. Some distributions I've found that seem close are Sentry Firewall, Devil-Linux, NetBoz, ClosedBSD, and Keeper Linux. Has anyone used these? Can you give recommendations? Any help would be appreciated."
You can't afford $60? Or you want a real router?
Google/Linux router floppy gives Linux router project
I'm using a floppy-based Bering system where I work as a multi-ISP router/firewall, and it works quite well.
Oh, no! You have walked into the slavering fangs of a lurking grue!
The problem is, if you look at the linuxrouter.org main page, you'll find that the site hasn't been updated since May 3, 2001. Most LRP development these days is on the LEAF site.
For those who wish to avoid the ISP that can't be bothered to actually administer a firewall:
Synergy Networking
http://www.synergycorp.com
1780 SW 43 Ave.
Fort Lauderdale, FL 33317
Phone: (954) 792-1866
Fax: (954) 791-4214
E-mail: webmaster@synergycorp.com
Sorry to post anonymously. I'm sick to death of irresponsible ISPs who have no clue how the technology they work with actually works. You're running a goddamned ISP, invest some time into understanding what that firewall is before deploying it.
I shouldn't be surprised. This ISP is proud to have a "less is more" policy for website design. Hell, right below their claim to have secure web pages, they proudly state their FrontPage support.
The buzzword "synergy" kills me. What exactly are they synergizing there anyways? It makes me think of that Simpsons quote:
"Proactive? Paradigm? Aren't these just buzz words that stupid people use to sound smart?"
You should really list your needs before you pick a firewall.
Do you just need a packet filter, to block incoming SYN packets?
Or are you looking at an application firewall with anti-virus e-mail scanning, web caches, VPNs, separate DMZs for your servers, authentication with OTPs and tokens, etc.?
Different needs. Different solutions.
How much staff do you have? Any *nix experts?
http://www.suse.com/us/business/products/suse_business/firewall/index.html
If at first you don't succeed, skydiving is not for you
Gibraltar is pretty much what you just described. It worked very well for me in the past, although it looks like development has slowed down (no updates, at least to the free version, in over a year).
Power corrupts. PowerPoint corrupts absolutely. E. Tufte
floppyfw is a floppy-based solution from http://www.zelow.no/floppyfw
We have a 4Mbit/4Mbit HDSL line and around 320 nodes. (I am part of a team that runs a small-time volunteer ISP: the whole street I live in joined together to get good Internet access for a reasonable price; Linux all the way, yeah!)
floppyfw is a quite nice distro; it has loads of add-on packages: VPN (PPTP, Cisco, Intel etc.), PPP, ssh etc. It is rock solid and has high performance (used it for 3-4 years without problems).
There is also a powerful GUI for configuring it: http://www.fwbuilder.org/
But it is very simple to maintain and customize without it. You just mount -o the image, edit, unmount. Rolling and using your own kernel is also quite easy (we use NAT, and some NAT helper modules are outside the kernel).
The downside:
No changing the firewall rules on the fly.
Changing rules or upgrading means a reboot lasting a minute or so.
We have a spare box (it can be used as a firewall, or as a proxy or DHCP server if necessary), so by changing the default gateway we can avoid loss of Internet connectivity, though it means that people cannot access our web site in the meantime (we can live with that; others may not).
We also use the spare box as a testing unit for new firewalls, so we can be confident that it works before it is put into production.
I use LEAF, and have since they forked their code from the original "Cop Killer" Dave at linuxrouter.org. The Bering floppy and CD images are the best, with tools like GRSecurity (enhanced kernel security), Shorewall (great tool for configuring ipchains, for every possible setup), FreeS/WAN (IPSEC/VPN tools), and a 2.4-based kernel that works great on a 486. The best thing is that the developers over at LEAF keep their packages current.
At present, I have 6 offices hanging off this setup, with each one running the VPN daemon as well. There are plans in place (installation stage) to get 6 more internet circuits for the rest of our offices, making for a total of 12 offices running off this code. It's excellent code, with a very well integrated setup, using standard tools, and gobs of documentation.
The best thing: except for the main office (which uses a P166), everyone else will be running their firewall and VPNs on Pentium 100's or 120's, with 24 or 32 megs of RAM.
I'm really surprised - there are posts here mentioning some truly obscure solutions, but no one's mentioned one of the most popular: Smoothwall is all-CD-based, and is certainly one of the most widely used CD-based firewall distros on the net. The link above is to Smoothwall's corporate, supported version, but a less featureful free version is available. It used to integrate well with the Dan's Guardian content filter, until Dan joined Smoothwall, so they no longer tell you how to make the two work together, since that would compete with their commercial offering. Still, their pricing seems reasonable, and while not a state-of-the-art firewall, it's no worse than all the other stateful packet filters out there. (Ultimately, that's just not a very good way to provide security, which is why SPFs are no longer permitted by the military.)
If you don't have to have it run from CD, you should probably check out T-Rex (NOT a stateful packet filter, but the free version is lagging a bit), or, if you need a firewall combined with other functions (such as serving files, mail, web, etc.) then check out e-smith or ClarkConnect.
"The future's good and the present is nothing to sneeze at." - Roblimo's last
Floppyfw is actually a (surprise!!) floppy-based distro. But there is also an ISO image. I use it at home. I have friends that also use it for their networks. Works well. Easy to set up. From the web page, the author claims he has used it for networks with thousands of computers. I wouldn't doubt it.
I use Devil Linux on one network that I administer. The docs are a bit scant and mostly point you to the docs for each service you install, but overall I think the firewall is excellent. It's built from Linux From Scratch. All but the config files are on the CD. The config files are on a write-protected floppy. There is support for most common services for those shops that can't afford a firewall and mail server, for example. I know this isn't the best idea but it is a practical reality for many. At least Devil Linux offers chroot jails, and since a reboot sets the server back to the original install state (except for any mail spool that is saved on a disk) the exposure is fairly low. There is also support for FirewallBuilder scripts and most common services. I think Devil Linux is at least worth consideration. It's actively developed and GPL'ed.
http://www.gta.com
Simple floppy based firewall, with GUI for those who want it. Easily configured, and rated highly by several publications. Logs via syslog to another system. Can do email and dns proxying if you need it. Doesn't do CDROM, but you can do flash memory.
Basically, a BSD derived firewall that was split from the tree a few years ago. They have an active development effort, and sell commercial products just for your situation. Commercial versions of Gnatbox are not cheap, but there is a good installed base, and a good mailing list that will help with stuff.
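A firewall booted from CD keeps no logs across reboots, which is why the thread keeps coming back to shipping them to another machine via syslog. The following is an added example of my own, not code from the thread or from any of the distros named in it: it parses such relayed lines on the collecting host and counts blocked inbound SYNs per source. It assumes RFC 3164 (BSD) syslog framing and a netfilter-style log body with IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= tokens; every sample line is constructed.

```python
# Added example (not from the thread or any distro it names): parse the packet-filter
# log lines a CD-based firewall relays to another host via syslog, and count blocked
# inbound SYNs per source. Assumes RFC 3164 (BSD) syslog framing and a netfilter-style
# body with IN= OUT= SRC= DST= PROTO= SPT= DPT= tokens; every sample line is constructed.
import re
from collections import Counter

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample datagrams: documentation addresses, hypothetical host "fw".
SAMPLE_LINES = [
    "<4>Jun 10 12:00:01 fw kernel: FW:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 "
    "PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "<4>Jun 10 12:00:02 fw kernel: FW:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 "
    "PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "<4>Jun 10 12:00:03 fw kernel: FW:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 "
    "PROTO=UDP SPT=40000 DPT=53 LEN=40",                         # not TCP: ignored
    "<4>Jun 10 12:00:04 fw kernel: FW:DROP:IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.9 "
    "PROTO=TCP SPT=80 DPT=40001 ACK SYN URGP=0",                 # outbound: ignored
    "<6>Jun 10 12:00:05 fw sshd[123]: Accepted publickey for admin from 192.0.2.10",
]

def parse_syslog(line):
    """Split one RFC 3164 datagram into facility, severity, timestamp, host and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}

def parse_packet_log(msg):
    """Return the packet-filter fields of a message, or None if it is not a packet log."""
    fields = dict(FIELD_RE.findall(msg))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["syn"] = re.search(r"\bSYN\b", msg) is not None  # TCP SYN flag token present
    return fields

def summarise(lines):
    """Count inbound (IN= set) TCP SYNs per (source address, destination port)."""
    hits = Counter()
    for line in lines:
        rec = parse_syslog(line)
        pkt = parse_packet_log(rec["msg"]) if rec else None
        if pkt and pkt.get("IN") and pkt.get("PROTO") == "TCP" and pkt["syn"]:
            hits[(pkt["SRC"], pkt.get("DPT"))] += 1
    return hits
```

Feed it the file your syslog collector writes, and the per-source counts make repeated probing of a closed port visible even though the firewall itself forgot everything at its last reboot.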
He hosts my website and email. It's a one-man consulting business.
Does he know what synergy means?
synergy: Cooperative interaction among groups, especially among the acquired subsidiaries or merged parts of a corporation, that creates an enhanced combined effect.
I don't know about you, but I wouldn't trust a business whose very name lies about the structure of their organization.
The theory of relativity doesn't work right in Arkansas.
Me: I don't know about you, but I wouldn't trust a business whose very name lies about the structure of their organization.
You: It's a consulting business that does system integration work. Does he have to have internal synergy? Does anyone hold Microsoft to the "micro" part?
Given that he also refers to himself as "we" (see the web page: "Try Synergy, and find out why we're proud to be the best at what we do. "), I'm more inclined to believe that he's a liar, and is abusing a hackneyed buzzword in an attempt to seem much larger and more established than he actually is.
And that's worse than lying to the client through your name. If he's so good at what he does, why can't he just say "I", and let his great reputation in his field do the talking? What kind of business relationship can one expect with an organization that's dishonest from square one?
It's a consulting business that does system integration work.
... Our game-hosting rates start at $100/month.
Really? Judging by this portion of their website, I'd say it's more likely a fifteen-year-old trying to parlay his limited Linux experience into a business, so he can avoid having to go to college, like regular people:
We've hosted servers for interactive games such as Starsiege Tribes for years. We've been following role-playing games with more in-depth interaction for some time, and now host Sphere servers