Slashdot Mirror


Live-CD Firewall Solutions?

paRcat asks: "My company isn't huge, and up until now has done well enough hosting all of our websites/email/etc. We've done all of this over one T1, but recently added another circuit for that rare instance of a fibercut. So since then I have been researching different options for configuring the existing Linux firewall (debian+iptables) to allow using the second circuit for load-balancing and failover. The issues I'm running into mostly have to do with recompiling the kernel using certain patches and creating semi-elaborate routes. Faced with these options, I'm wondering if there are any open source firewall projects out there that will behave happily with the above scenario. Do any free projects actually give this level of connectivity without being overly difficult in the configuration? I've gone the compile-your-own kernel route in the past, but now I'd just like to drop in a premade solution. A configurable live-CD would be perfect."
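The dual-circuit setup the question describes, as an added example that is not from the thread or from any of the projects named in it: source-based policy routing and a multipath default route with stock iproute2 and iptables on Debian, plus a ping watchdog that stands in for the dead-gateway kernel patches the question mentions. Interface names, addresses (RFC 5737 documentation ranges) and the probe host are assumed.

```shell
#!/bin/sh
# Two uplinks on a Debian+iptables firewall, stock kernel. Constructed example: interface names, addresses and probe host are assumed.
WAN1_DEV=eth1; WAN1_NET=203.0.113.0/24;  WAN1_IP=203.0.113.10;  WAN1_GW=203.0.113.1
WAN2_DEV=eth2; WAN2_NET=198.51.100.0/24; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1
PROBE=192.0.2.1   # assumed host reachable over both circuits, pinged to test them
# Print the setup commands rather than run them, so they can be reviewed first.
multiwan_cmds() {
    # One routing table per circuit, selected by source address, so replies leave via the circuit the connection arrived on.
    for t in "101 $WAN1_DEV $WAN1_NET $WAN1_IP $WAN1_GW" \
             "102 $WAN2_DEV $WAN2_NET $WAN2_IP $WAN2_GW"; do
        set -- $t   # $1 table, $2 dev, $3 net, $4 address, $5 gateway
        echo "ip route add $3 dev $2 src $4 table $1"
        echo "ip route add default via $5 dev $2 table $1"
        echo "ip rule add from $4 table $1 priority $1"
        # NAT outbound traffic to the address of the circuit it leaves on.
        echo "iptables -t nat -A POSTROUTING -o $2 -j SNAT --to-source $4"
    done
    # Outbound load balancing: equal-cost multipath default route in the main table (old kernels balance per destination via the route cache, not per packet).
    echo "ip route replace default scope global" \
         "nexthop via $WAN1_GW dev $WAN1_DEV weight 1" \
         "nexthop via $WAN2_GW dev $WAN2_DEV weight 1"
}
# True when the circuit on interface $1 can still reach the probe host.
probe_uplink() { ping -c 2 -W 2 -I "$1" "$PROBE" >/dev/null 2>&1; }
# Failover: collapse the default route onto the surviving circuit ($1 = dead interface).
failover_cmds() {
    if [ "$1" = "$WAN1_DEV" ]; then
        echo "ip route replace default via $WAN2_GW dev $WAN2_DEV"
    else
        echo "ip route replace default via $WAN1_GW dev $WAN1_DEV"
    fi
}
# Poll both circuits; restore multipath when both answer, otherwise fail over.
watchdog() {
    while :; do
        if probe_uplink "$WAN1_DEV" && probe_uplink "$WAN2_DEV"; then
            multiwan_cmds | grep '^ip route replace' | sh
        elif probe_uplink "$WAN1_DEV"; then failover_cmds "$WAN2_DEV" | sh
        else failover_cmds "$WAN1_DEV" | sh
        fi
        sleep 30
    done
}
case "${1:-}" in
    show)  multiwan_cmds ;;                    # review the one-time setup
    apply) multiwan_cmds | sh && watchdog ;;   # run as root on the firewall
esac
```

The per-circuit tables keep inbound connections (the hosted web and mail services) answering on the circuit they arrived on, while the multipath route only affects new outbound connections.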

4 of 49 comments

  1. IP Cop by Jsutton1027w · · Score: 2, Interesting

    From what I've read, it's great for a drop-in firewall, and it's on a live cd. ;)

  2. M0n0wall by Saiyine · · Score: 4, Interesting

    What about M0n0wall?

    --
    Hosting 20G hd, 1Tb bw! ssh $7.95
  3. is FreeBSD an option? by josepha48 · · Score: 2, Interesting

    FreeBSD includes a utility called cdboot, which makes making boot CDs really easy. Then in the ports there is freesbie also, which makes a cdrom of a FreeBSD system.

    I started there with FreeBSD and have trimmed my cdrom to about 64Meg cdrom, with dhcp, dns, httpd (to monitor the firewall) and ssh (to make changes when needed), and it works out well. I can make changes to the system as needed, then the next cd update I include those changes in the cdrom. It's worked for about 2 years now.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

  4. Re:M0n0wall - you're crazy if you DON'T try it !! by dezb · · Score: 2, Interesting

    Ok,

    I'm going to clock in here with my experience to date with m0n0wall which has been fantastic ( no I don't own shares in anything to do with m0n0wall *grin* - wish I did !! ).

    I have to say that from my experience to date with it, m0n0wall is without a doubt one of, if not THE, leading firewall platforms currently available in the open source world, and it's fair to say that I've had a thing or two to do with firewalls and security in general over the past 20+ odd years.

    With years and years of hands-on design and implementation using Checkpoint on Sun, Checkpoint on Nokia, Cisco routers, Cisco PIX, Netscreen, ipf, ipfw, iptables, blah blah.

    Heck, I had such a hard on for Checkpoint that at one stage I've even run up a SOFAware box which has the Checkpoint inspection module in it, although its web interface is crap and you can't actually do anything with the firewall policy other than port mapping and translations.

    Anyway the bastard thing kept resetting and/or just slowing down to the point of being so useless I threw it away - after putting it through a hammer test - hammer won *grin*

    So I've played with firewalls, ok, and god knows how many other bloody firewall platforms; I've played with as many open source firewalls as I can get my hands on, and m0n0wall in particular really has impressed me. When I say play, by the way, I mean I've put it through some horrible lab testing, really pushed till smoke came out of the things!

    Note: firewall blog with reviews of the various firewalls pending, kids ;-)

    Smoothwall in my experience had made some very serious inroads towards what was going to become a very strong contender, but then the group fell into (from what I could tell from the sidelines) a political infighting jihad which still affects the project.

    Add to this that they [in my opinion] seemed to have also very seriously stuffed up their DSL support in 2.x by only supporting USB models of the more widely used DSL modems, particularly here in Australia where Alcatel Speedtouch modems are used far and wide.

    In fact it was during an upgrade attempt from Smoothwall 1.x to 2.x that I found this out, when I was trying to get my DSL modem to talk to Smoothwall etc., and out of sheer frustration I decided it was time to dump Smoothwall and have another look around.

    For a time I even tried running iptables on Linux, using fwbuilder on my Mac natively and a seriously hardened Red Hat 7.3 (lord knows it needed it), horribly stripped down with just enough of the base OS left to support two ethernet cards, iptables, and ssh (to allow fwbuilder to install its policy), and I'm still a very big fan of this model, but the one thing that I found a headache to set up and maintain using fwbuilder in this sort of architecture was VPN connections / clients. Also shaping traffic wasn't really feasible, and nobody in their right mind these days (again my personal opinion) runs anything on a network without some form of shaping! Do they?

    So again I went hunting the open source tundra for a new toolset. This was when I re-discovered m0n0wall, which when I first reviewed it was perhaps at a very early stage in its life cycle and by no means the magical wonderland that it is today [as of 1/6/2005 (that's July 1st for you American date centric folk)].

    Key strengths that I've had working and under high loads, include:

    - base firewall policy made up of some very complex rules
    - multiple dmz's ( I hate dmz's - they are lame but so be it )
    - nat on wan interface, and one of the dmz interfaces
    - multiple static routes
    - multiple dynamic routes
    - dynamic dns ( had to tinker to get no-ip.com working but hey )
    - dns caching / forwarding
    - ipsec and pptp vpn connections with many vpn clients
    - traffic shaping with QoS which actually works! yea, it really does!
    - address aliases on floating IPs for fail over / redundancy
    - dhcp with pool of IPs as well as fixed MAC maps and static IPs
    - proxy

    --
    --- Dez Blanchfield http://WebSearch.COM.AU "Will work for bandwidth.."