Live-CD Firewall Solutions?
paRcat asks: "My company isn't huge, and up until now has done well enough hosting all of our websites/email/etc. We've done all of this over one T1, but recently added another circuit for that rare instance of a fibercut. So since then I have been researching different options for configuring the existing Linux firewall (debian+iptables) to allow using the second circuit for load-balancing and failover. The issues I'm running into mostly have to do with recompiling the kernel using certain patches and creating semi-elaborate routes. Faced with these options, I'm wondering if there are any open source firewall projects out there that will behave happily with the above scenario. Do any free projects actually give this level of connectivity without being overly difficult in the configuration? I've gone the compile-your-own kernel route in the past, but now I'd just like to drop in a premade solution. A configurable live-CD would be perfect."
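The "semi-elaborate routes" the question refers to are iproute2 policy routing plus a few netfilter marks. What follows is an added example, not code from the question or from any of the projects discussed in the thread; the interface names (eth0/eth1/eth2), the RFC 5737 documentation addresses, the table numbers and the connection marks are assumptions chosen for illustration. Run as `apply` it executes the commands; with `show` (DRY_RUN=1) it only prints them. The security-relevant part is the return-path handling: a hosted server answering a connection that arrived over ISP B must reply over ISP B, otherwise the reply leaves ISP A carrying an ISP B source address, which is asymmetric at best and dropped by the provider's source-address filtering at worst. Because the reverse of a DNAT is applied after the routing decision, a plain source-address rule is not enough for the DMZ servers; the connection mark is what carries "came in on ISP B" across to the reply.

```sh
#!/bin/sh
# Dual-WAN policy routing for a Linux (iptables + iproute2) firewall.
# Added example; every name and address below is an assumption, not taken from the thread.
#   eth0  LAN/DMZ with the hosted servers   192.168.1.0/24  (web server 192.168.1.10)
#   eth1  ISP A circuit  198.51.100.2/30, far-end gateway 198.51.100.1
#   eth2  ISP B circuit  203.0.113.2/30,  far-end gateway 203.0.113.1
LAN_IF=eth0;   LAN_NET=192.168.1.0/24; WEB_SERVER=192.168.1.10
ISP_A_IF=eth1; ISP_A_NET=198.51.100.0/30; ISP_A_IP=198.51.100.2; ISP_A_GW=198.51.100.1
ISP_B_IF=eth2; ISP_B_NET=203.0.113.0/30;  ISP_B_IP=203.0.113.2;  ISP_B_GW=203.0.113.1
TABLE_A=10; TABLE_B=20          # routing table ids, reused as the connection marks
DRY_RUN=${DRY_RUN:-0}

run() {  # DRY_RUN=1 prints the command instead of executing it
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One routing table per uplink: that uplink's subnet, the LAN, and a default via
# that uplink's gateway.          uplink_table TABLE NET IFACE IP GW
uplink_table() {
    run ip route replace "$2" dev "$3" src "$4" table "$1"
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$1"
    run ip route replace default via "$5" dev "$3" table "$1"
}

# Symmetric return path.  Packets sourced from an uplink's own address (the
# firewall's replies) go out that uplink.  Connections that arrive on an uplink are
# tagged in mangle PREROUTING; the tag is restored on the DMZ server's reply packets
# and an fwmark rule routes them out the uplink the connection came in on.  The mark
# is needed because the reply still has the server's private source address when
# the route is chosen (the DNAT is only reversed afterwards, in POSTROUTING).
return_path_rules() {
    run ip rule add from "$ISP_A_IP" table "$TABLE_A" priority 100
    run ip rule add from "$ISP_B_IP" table "$TABLE_B" priority 101
    run iptables -t mangle -A PREROUTING -i "$ISP_A_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$TABLE_A"
    run iptables -t mangle -A PREROUTING -i "$ISP_B_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$TABLE_B"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run ip rule add fwmark "$TABLE_A" table "$TABLE_A" priority 200
    run ip rule add fwmark "$TABLE_B" table "$TABLE_B" priority 201
}

# The hosted web server is reachable through both circuits (one DNAT per public
# address).  Outbound LAN traffic is SNATed to the address of the uplink it leaves on.
nat_rules() {
    run iptables -t nat -A PREROUTING -d "$ISP_A_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    run iptables -t nat -A PREROUTING -d "$ISP_B_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    run iptables -t nat -A POSTROUTING -o "$ISP_A_IF" -j SNAT --to-source "$ISP_A_IP"
    run iptables -t nat -A POSTROUTING -o "$ISP_B_IF" -j SNAT --to-source "$ISP_B_IP"
}

# Outbound load balancing: an equal-cost multipath default route in the main table.
# Balancing is per destination (per route-cache entry), not per packet, and a stock
# kernel keeps handing traffic to a next hop whose circuit has died; noticing that
# and dropping the dead next hop is what the kernel patches the question mentions
# add, or what an external watchdog has to do.
outbound_balancing() {
    run ip route replace default scope global \
        nexthop via "$ISP_A_GW" dev "$ISP_A_IF" weight 1 \
        nexthop via "$ISP_B_GW" dev "$ISP_B_IF" weight 1
    run ip route flush cache
}

configure_dual_wan() {
    uplink_table "$TABLE_A" "$ISP_A_NET" "$ISP_A_IF" "$ISP_A_IP" "$ISP_A_GW"
    uplink_table "$TABLE_B" "$ISP_B_NET" "$ISP_B_IF" "$ISP_B_IP" "$ISP_B_GW"
    return_path_rules
    nat_rules
    outbound_balancing
}

case "${1:-}" in
    apply) configure_dual_wan ;;
    show)  DRY_RUN=1; configure_dual_wan ;;
esac
```

Rule ordering matters: the source-address rules (priority 100/101) and the fwmark rules (200/201) are consulted before the main table (32766), so only untagged, locally-sourced traffic ever reaches the multipath default. If the firewall itself must be reached on both public addresses (ssh, a monitoring page), the same `CONNMARK --restore-mark` belongs in the mangle OUTPUT chain as well.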
You can't be serious.
Try using a secure operating system, then we'll talk.
From what I've read, it's great for a drop-in firewall, and it's on a live cd. ;)
Several LiveCD Firewalls. Check out m0n0wall first.
Bonding is a better way to go with multilink; see /usr/src/linux/Documentation/networking/bonding.txt for more information. At least if the operator on both of the links is the same, you'll end up with one IP and both links in use, or you can configure the other to be failover.
see
There are no atheists when recovering from tape backup.
What about M0n0wall?
If the second circuit is through the same provider, I would think it's likely going through the same physical conduits as the first one, so I am not sure you're protected from the accidental fiber cut.
Sounds to me like you want to use OpenBSD's carp. Nice, open-source, easy to configure firewall fail-over solution.
It's getting time for me to replace my aging slackware 9.0 + Jay's iptables firewall. I am torn between a basic firewall that I can just punch holes in and run services behind, or a full fledged firewall/vpn/ids/proxy/virii-spam-filtering/etc box. The more services running off a cd-based firewall, the more at risk you are when a security issue comes out - you either have to wait for a new cd, make your own, or turn the service off. You can't just patch it. That's why making a standalone firewall makes more sense to me. (Yes, you can always install to the HD, but the point is if someone *does* compromise you, you hit the reset button right? RO filesystem, etc)
Redwall (http://www.redwall-firewall.com/) Looks really good, and really robust. I've tried monowall, ipcop, shorewall, smoothwall..
They were okay, except monowall didn't pick up on the two network cards I was using. It's an old PII 400 mhz with some old pci cards. I figured it'd catch them. Oh well.
I'm also going to consider Astaro security linux. It's for a business, so we'd have to pay the license, but anything is better than a Sonicwall, and I'm trying to ease linux solutions into our corporate environment as best I can without having anybody get mad. So redwall is next up on my list, then Astaro.
-CT / Dallas
if you can live with the shame of having a BSD system, the answer is monowall. It just works. The downside is you can't run seti@home on your firewall.
DistroWatch has everything you need (not only for firewalls):
http://www.distrowatch.com/
If the backup T1 isn't from the same provider and the primary fails, people will not be able to access the websites that you are hosting, unless of course you are running BGP and have a /24 of address space.
I use Devil Linux, Works quite nicely. I hand edit the rules, but it comes with shorewall and is compatible with firewall builder. Comes with a nice config utility too.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
Don't you actually want something like quagga or zebra which can do failover like you want? My guess would be to just look into this, then see what you can work out of it. Granted.. it isn't a "LiveCD" but then again... why do you want a firewall on a livecd?
Check out Astaro at http://www.astaro.com/. Full featured firewall, competitive with Checkpoint, but not 100% free as in beer. Price is certainly reasonable though, plus it's incredibly easy to install and manage.
Yes, my only tool is a hammer. And you're starting to look like a nail.
yes, I can live with the shame of having a rock-solid, Unix-based operating system such as FreeBSD (m0n0wall is FreeBSD-based). Grow up, boy!
Well....
Netboz is a solution... it runs off a CD and has many of the popular options.
instead of running it off of the CD, I suggest that you use one of the pre-configured firewall options that installs off of your hard drive. These are just as easy to configure, but host a lot more options and mods.
Smoothwall Express - http://www.smoothwall.org/
or even better yet, IPCOP at http://www.ipcop.org/
You might be interested in Wolverine, the more feature-rich, commercial cousin of Coyote Linux (which I have used contentedly for several years).
http://alternatives.rzero.com/
I started there with FreeBSD and have trimmed my CD-ROM down to about 64 MB, with dhcp, dns, httpd (to monitor the firewall) and ssh (to make changes when needed), and it works out well. I can make changes to the system as needed, then the next time I update the CD I include those changes in the CD-ROM. It's worked for about 2 years now.
Only 'flamers' flame!
Check out PfSense, originally based off M0n0wall, I've found it to have the best balance between features, stability and ease of use.
Right now it offers both Live CD or HD install option, and it's nearing a stable (1.0) release, try it...
http://www.pfsense.com/
You could use www.ipcop.org
work great with all nice plugins..
Ok,
;-)
I'm going to clock in here with my experience to date with m0n0wall which has been fantastic ( no I don't own shares in anything to do with m0n0wall *grin* - wish I did !! ).
I have to say that from my experience to date with it, m0n0wall is without a doubt one of, if not THE, leading firewall platforms currently available in the open source world, and it's fair to say that I've had a thing or two to do with firewalls and security in general over the past 20+ odd years.
with years and years of hands on design and implementation using checkpoint on sun, checkpoint on nokia, cisco routers, cisco pix, netscreen, ipf, ipfw, iptables, blah blah.
heck, I had such a hard on for checkpoint that at one stage I've even run up a SOFAware box which has the checkpoint inspection module in it, although it's web interface is crap and you can't actually do anything with the firewall policy other than port mapping and translations.
anyway the bastard thing kept resetting and or just slowing down to the point of being so useless I threw it away - after putting it through a hammer test - hammer won * grin *
so I've played with firewalls ok, and god knows how many other bloody firewall platforms, I've played with as many open source firewalls as I can get my hands on, and m0n0wall in particular really has impressed me. When I say play by the way, I mean I've put it through some horrible lab testing, really pushed till smoke came out of the things!
note: firewall blog with reviews of the various firewalls pending kids
smoothwall in my experience had made some very serious inroads towards what was going to become a very strong contender, but then the group fell into ( from what I could tell from the sidelines ) a political infighting jihad which still affects the project.
add to this that they [in my opinion] seemed to have also very seriously stuffed up with their DSL support in 2.x by only supporting USB models of the more widely used DSL modems, particularly here in Australia where Alcatel Speedtouch modems are used far and wide.
in fact it was during an upgrade attempt from smoothwall 1.x to 2.x, I found this out when I was trying to get my DSL modem to talk to smoothwall etc, and out of sheer frustration I decided it was time to dump smoothwall and have another look around.
for a time I even tried running iptables on linux, using fwbuilder on my mac natively and seriously hardened redhat 7.3 ( lord knows it needed it ), horribly stripped down with just enough of the base os left to support two ethernet cards, iptables, and ssh ( to allow fwbuilder to install its policy ), and I'm still a very big fan of this model, but the one thing that I found a headache setting up and maintaining using fwbuilder in this sort of architecture was vpn connections / clients. Also shaping traffic wasn't really feasible and nobody in their right mind these days ( again my personal opinion ) runs anything on a network without some form of shaping! Do they?
so again I went hunting the open source tundra for a new toolset. this was when I re-discovered m0n0wall, which when I first reviewed it, was perhaps at a very early stage in its life cycle and by no means the magical wonderland that it is today [as of 1/6/2005 (that's July 1st for you American date centric folk)].
Key strengths that I've had working and under high loads, include:
- base firewall policy made up of some very complex rules
- multiple dmz's ( I hate dmz's - they are lame but so be it )
- nat on wan interface, and one of the dmz interfaces
- multiple static routes
- multiple dynamic routes
- dynamic dns ( had to tinker to get no-ip.com working but hey )
- dns caching / forwarding
- ipsec and pptp vpn connections with many vpn clients
- traffic shaping with QoS which actually works! yea, it really does!
- address aliases on floating ip's for fail over / redundancy
- dhcp with pool of ip's as well as fixed MAC map's and static ip's
- proxy
--- Dez Blanchfield http://WebSearch.COM.AU "Will work for bandwidth.."
I have a similar scenario. We have a T1 for our primary Internet access and I purchased business-class cable as backup. Both routes come into NICs on the same linux iptables firewall server. I have a VERY simple script that I use to manually switch the gateway when problems happen. It's not automated, and it doesn't address load balancing, but it's quick and it works.
Obviously I have my DNS records set up to use the secondary route if the primary is unavailable. It wouldn't be too hard to add a watchdog script to switch the route when the primary is down for more than a minute or two. Load balancing could probably be addressed in my iptables config, but so far I haven't found the need.
route del default
route add default gw nnn.nnn.nnn.nnn
netstat -rn
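The watchdog the post above says "wouldn't be too hard" to add, as an added example that is not part of the original post: it probes the primary circuit's far-end gateway out of the primary interface, switches the default route after a run of consecutive failures, and only fails back after a run of consecutive successes so a flapping circuit does not flip the route every probe. Interface names, the documentation-range gateway addresses and the thresholds are assumptions; the decision logic is kept in its own function (`next_state`) so it can be exercised without root or a second circuit. Like the manual `route` commands it replaces, it only moves the outbound default route; inbound reachability of the hosted sites still depends on the DNS arrangement the post describes.

```sh
#!/bin/sh
# WAN failover watchdog for a Linux firewall with two uplinks.
# Added example; interface names, addresses (RFC 5737 ranges) and thresholds are assumptions.
PRIMARY_IF=${PRIMARY_IF:-eth1}; PRIMARY_GW=${PRIMARY_GW:-198.51.100.1}
BACKUP_IF=${BACKUP_IF:-eth2};   BACKUP_GW=${BACKUP_GW:-203.0.113.1}
INTERVAL=${INTERVAL:-30}                    # seconds between probes
FAIL_THRESHOLD=${FAIL_THRESHOLD:-4}         # 4 x 30 s = 2 minutes down before failing over
RECOVER_THRESHOLD=${RECOVER_THRESHOLD:-6}   # 3 minutes up before failing back
DRY_RUN=${DRY_RUN:-0}

# probe IFACE GW: true if GW answers pings sent out of IFACE.  On a point-to-point
# circuit the gateway is the provider's end of that circuit, so this tests the
# circuit itself; it says nothing about whether the Internet beyond it is reachable.
probe() {
    ping -I "$1" -c 3 -W 2 "$2" >/dev/null 2>&1
}

set_default_route() {  # set_default_route GW IFACE
    if [ "$DRY_RUN" = 1 ]; then
        echo "ip route replace default via $1 dev $2"
    else
        ip route replace default via "$1" dev "$2"
        logger -t wan-failover "default route now via $1 ($2)"
    fi
}

# next_state ACTIVE FAILS OKS PRIMARY_OK -> "ACTIVE FAILS OKS"
# Pure decision logic.  Failover needs FAIL_THRESHOLD consecutive failed probes,
# failback RECOVER_THRESHOLD consecutive good ones; counters reset on a flip.
next_state() {
    a=$1; f=$2; o=$3
    if [ "$4" = 1 ]; then
        f=0
        if [ "$a" = backup ]; then
            o=$((o + 1))
            if [ "$o" -ge "$RECOVER_THRESHOLD" ]; then a=primary; o=0; fi
        else
            o=0
        fi
    else
        o=0
        if [ "$a" = primary ]; then
            f=$((f + 1))
            if [ "$f" -ge "$FAIL_THRESHOLD" ]; then a=backup; f=0; fi
        fi
    fi
    echo "$a $f $o"
}

# Main loop.  Only the primary circuit is watched: if the backup dies while it is
# active there is nothing left to fail over to, so that case is left to monitoring.
monitor() {
    active=primary; fails=0; oks=0
    while :; do
        if probe "$PRIMARY_IF" "$PRIMARY_GW"; then ok=1; else ok=0; fi
        set -- $(next_state "$active" "$fails" "$oks" "$ok")
        if [ "$1" != "$active" ]; then
            case "$1" in
                backup)  set_default_route "$BACKUP_GW" "$BACKUP_IF" ;;
                primary) set_default_route "$PRIMARY_GW" "$PRIMARY_IF" ;;
            esac
        fi
        active=$1; fails=$2; oks=$3
        sleep "$INTERVAL"
    done
}

case "${1:-}" in
    monitor) monitor ;;
esac
```

Start it as root from rc.local or an inittab respawn entry (`wan-failover.sh monitor`). The asymmetry between the two thresholds is deliberate: failing over quickly costs little, but failing back onto a circuit that is still bouncing drops every connection a second time.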
You could always try a bootable floppy distro, no CD or hard drive required. They work well, especially for a home, not sure about scaling to business size.
Firewalls and redundancy have traditionally been two different things. My suggestion is to get a real router and to get a BGP feed from both your providers. This can also be done by software on a linux box but it won't be as stable or easy to support. A Cisco 2600 might be good enough for you. If your providers are going to be giving you a full Internet routing table then you should have 512MB RAM. Also have both of your providers advertise your /24 subnet, anything smaller will be filtered out.
Ideally you will want to advertise your networks to both of your providers so when one of the links goes down they will withdraw it from what they advertise to the Internet. If they put your route into their router to advertise there is a good chance it will not be withdrawn if your link goes down.
Wow, this is about the most detailed and informative post I have seen on Slashdot in quite a while. That's a great description of the features and advantages of m0n0wall.
It sucks that you haven't gotten a mod point yet for this, but I hope it will come your way. Meanwhile, I'll lend this reply with my Karma Bonus to try to draw attention to it. Good luck with that business venture of the firewall servers.
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
I fail to understand this. Why would anyone want to do hosting themselves, when there's a gigantic market with good, professional and cheap third parties?
Flexibility? How many times is the website altered? Does this weight against the uptime of a professional data center?
I've been using IPCop w/ Cop+ for content filtering. I don't suppose m0n0wall would have an add-on to do the same?
I have not found a firewall distro that can handle dual external interfaces/IP address ranges.
The problem with hosting internally is having two IP address ranges. Two MX records cover mail, but unless you use a front end load balancer off site in a separate IP address range you won't have a clean solution for your web site(s).
http://www.jtan.com/jtanoss/cdboot/
This is probably the answer you are looking for.
IPTABLES is shit, really, if you want legible firewall rules, built on a secure OS, try Ipfilter/PF on Open/Net BSD.