Live-CD Firewall Solutions?
paRcat asks: "My company isn't huge, and up until now has done well enough hosting all of our websites/email/etc. We've done all of this over one T1, but recently added another circuit for that rare instance of a fiber cut. So since then I have been researching different options for configuring the existing Linux firewall (debian+iptables) to allow using the second circuit for load-balancing and failover. The issues I'm running into mostly have to do with recompiling the kernel using certain patches and creating semi-elaborate routes. Faced with these options, I'm wondering if there are any open source firewall projects out there that will behave happily with the above scenario. Do any free projects actually give this level of connectivity without being overly difficult in the configuration? I've gone the compile-your-own kernel route in the past, but now I'd just like to drop in a premade solution. A configurable live-CD would be perfect."
From what I've read, it's great for a drop-in firewall, and it's on a live cd. ;)
Several LiveCD Firewalls. Check out m0n0wall first.
Bonding is a better way to go with multilink. See
/usr/src/linux/Documentation/networking/bonding.txt
for more information.
At least if the operator on both of the links is the same,
you'll end up with one IP and both links in use, or you can configure the other to be failover.
see
There are no atheists when recovering from tape backup.
What about M0n0wall?
Hosting 20G hd, 1Tb bw! ssh $7.95
If the second circuit is through the same provider, I would think it's likely going through the same physical conduits as the first one, so I am not sure you're protected from the accidental fiber cut.
Sounds to me like you want to use OpenBSD's carp. Nice, open-source, easy to configure firewall fail-over solution.
if you can live with the shame of having a BSD system, the answer is monowall. It just works. The downside is you can't run seti@home on your firewall.
DistroWatch has everything you need (not only for firewalls):
http://www.distrowatch.com/
I use Devil Linux, Works quite nicely. I hand edit the rules, but it comes with shorewall and is compatible with firewall builder. Comes with a nice config utility too.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
Don't you actually want something like quagga or zebra which can do failover like you want? My guess would be to just look into this, then see what you can work out of it. Granted.. it isn't a "LiveCD" but then again... why do you want a firewall on a livecd?
Check out Astaro at http://www.astaro.com/. Full featured firewall, competitive with Checkpoint, but not 100% free as in beer. Price is certainly reasonable though, plus it's incredibly easy to install and manage.
Yes, my only tool is a hammer. And you're starting to look like a nail.
Well....
Netboz is a solution... it runs off a CD and has many of the popular options.
instead of running it off of the CD, I suggest that you use one of the pre-configured firewall options that installs off of your hard drive. These are just as easy to configure, but host a lot more options and mods.
Smoothwall Express - http://www.smoothwall.org/
or even better yet, IPCOP at http://www.ipcop.org/
You might be interested in Wolverine, the more feature-rich, commercial cousin of Coyote Linux (which I have used contentedly for several years).
http://alternatives.rzero.com/
I started there with FreeBSD and have trimmed my cdrom to about 64Meg, with dhcp, dns, httpd (to monitor the firewall) and ssh (to make changes when needed), and it works out well. I can make changes to the system as needed, then the next cdupdate I include those changes in the cdrom. It's worked for about 2 years now.
Only 'flamers' flame!
Does slashdot hate my posts?
Check out PfSense, originally based off M0n0wall, I've found it to have the best balance between features, stability and ease of use.
Right now it offers both Live CD or HD install option, and it's nearing a stable (1.0) release, try it...
http://www.pfsense.com/
Will add sig later...
You could use www.ipcop.org
work great with all nice plugins..
Ok,
;-)
I'm going to clock in here with my experience to date with m0n0wall which has been fantastic ( no I don't own shares in anything to do with m0n0wall *grin* - wish I did !! ).
I have to say that from my experience to date with it, m0n0wall is without a doubt one of, if not THE, leading firewall platforms currently available in the open source world, and it's fair to say that I've had a thing or two to do with firewalls and security in general over the past 20+ odd years.
with years and years of hands on design and implementation using checkpoint on sun, checkpoint on nokia, cisco routers, cisco pix, netscreen, ipf, ipfw, iptables, blah blah.
heck, I had such a hard on for checkpoint that at one stage I've even run up a SOFAware box which has the checkpoint inspection module in it, although its web interface is crap and you can't actually do anything with the firewall policy other than port mapping and translations.
anyway the bastard thing kept resetting and or just slowing down to the point of being so useless I threw it away - after putting it through a hammer test - hammer won * grin *
so I've played with firewalls ok, and god knows how many other bloody firewall platforms, I've played with as many open source firewalls as I can get my hands on, and m0n0wall in particular really has impressed me. When I say play by the way, I mean I've put it through some horrible lab testing, really pushed till smoke came out of the things!
note: firewall blog with reviews of the various firewalls pending kids
smoothwall in my experience had made some very serious inroads towards what was going to become a very strong contender, but then the group fell into ( from what I could tell from the sidelines ) a political infighting jihad which still affects the project.
add to this that they [in my opinion] seemed to have also very seriously stuffed up with their DSL support in 2.x by only supporting USB models of the more widely used DSL modems, particularly here in Australia where Alcatel Speedtouch modems are used far and wide.
in fact it was during an upgrade attempt from smoothwall 1.x to 2.x, I found this out when I was trying to get my DSL modem to talk to smoothwall etc, and out of sheer frustration I decided it was time to dump smoothwall and have another look around.
for a time I even tried running iptables on linux, using fwbuilder on my mac natively and seriously hardened redhat 7.3 ( lord knows it needed it ), horribly stripped down with just enough of the base os left to support two ethernet cards, iptables, and ssh ( to allow fwbuilder to install its policy ), and I'm still a very big fan of this model, but the one thing that I found a headache setting up and maintaining using fwbuilder in this sort of architecture was vpn connections / clients. Also shaping traffic wasn't really feasible and nobody in their right mind these days ( again my personal opinion ) runs anything on a network without some form of shaping! Do they?
so again I went hunting the open source tundra for a new toolset. This was when I re-discovered m0n0wall, which when I first reviewed it, was perhaps at a very early stage in its life cycle and by no means the magical wonderland that it is today [as of 1/6/2005 (that's July 1st for you American date centric folk)].
Key strengths that I've had working and under high loads, include:
- base firewall policy made up of some very complex rules
- multiple dmz's ( I hate dmz's - they are lame but so be it )
- nat on wan interface, and one of the dmz interfaces
- multiple static routes
- multiple dynamic routes
- dynamic dns ( had to tinker to get no-ip.com working but hey )
- dns caching / forwarding
- ipsec and pptp vpn connections with many vpn clients
- traffic shaping with QoS which actually works! yea, it really does!
- address aliases on floating ip's for fail over / redundancy
- dhcp with pool of ip's as well as fixed MAC map's and static ip's
- proxy
--- Dez Blanchfield http://WebSearch.COM.AU "Will work for bandwidth.."
I have a similar scenario. We have a T1 for our primary Internet access and I purchased business-class cable as backup. Both routes come into NICs on the same linux iptables firewall server. I have a VERY simple script that I use to manually switch the gateway when problems happen. It's not automated, and it doesn't address load balancing, but it's quick and it works.
Obviously I have my DNS records set up to use the secondary route if the primary is unavailable. It wouldn't be too hard to add a watchdog script to switch the route when the primary is down for more than a minute or two. Load balancing could probably be addressed in my iptables config, but so far I haven't found the need.
route del default                      # drop the current default route
route add default gw nnn.nnn.nnn.nnn   # point it at the other circuit's gateway
netstat -rn                            # confirm the new routing table
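An automated version of the watchdog the poster describes, added here as an example (it is not the poster's script): it probes a host beyond the primary link and swaps the default route only after several consecutive failures, then swaps back once the primary recovers. The gateway and probe addresses are placeholders from the RFC 5737 documentation ranges, the probe is pinned to the primary circuit with a host route so recovery is still detected after failover, and with DRY_RUN=1 (the default) the route commands are printed rather than executed.

```shell
#!/bin/sh
# Failover watchdog for a two-circuit Linux iptables box (hypothetical example).
# Assumes the default route currently goes via PRIMARY_GW and that BACKUP_GW is
# reachable on the second NIC. All addresses are constructed placeholders.
PRIMARY_GW="${PRIMARY_GW:-192.0.2.1}"
BACKUP_GW="${BACKUP_GW:-198.51.100.1}"
# Probe something past the provider's first hop so an upstream outage on the
# primary circuit is detected, not just a dead local link.
PROBE_HOST="${PROBE_HOST:-192.0.2.254}"
FAIL_LIMIT=3              # consecutive failed probes before failing over
INTERVAL=30               # seconds between probes
DRY_RUN="${DRY_RUN:-1}"   # 1 = print route commands instead of running them

# Pure decision: which gateway should be default after $1 consecutive
# probe failures? Prints "primary" or "backup".
choose_gateway() {
    if [ "$1" -ge "$FAIL_LIMIT" ]; then echo backup; else echo primary; fi
}

# Replace the default route with one via gateway $1, using the same
# net-tools commands the poster runs by hand.
set_default_gw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "route del default"
        echo "route add default gw $1"
    else
        route del default && route add default gw "$1"
    fi
}

# Main loop: count consecutive failures and act only on a state change,
# so one lost ping does not flap the route.
watchdog() {
    # Pin the probe to the primary circuit so recovery is seen after failover.
    [ "$DRY_RUN" = 1 ] || route add -host "$PROBE_HOST" gw "$PRIMARY_GW"
    fails=0; current=primary
    while :; do
        if ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1; then fails=0
        else fails=$((fails + 1)); fi
        want=$(choose_gateway "$fails")
        if [ "$want" != "$current" ]; then
            if [ "$want" = backup ]; then set_default_gw "$BACKUP_GW"
            else set_default_gw "$PRIMARY_GW"; fi
            logger -t gw-watchdog "default route switched to $want"
            current=$want
        fi
        sleep "$INTERVAL"
    done
}

# Foreground run, e.g. from a supervisor: DRY_RUN=0 ./gw-watchdog.sh run
if [ "${1:-}" = run ]; then watchdog; fi
```

Load balancing is out of scope here; the script only picks one default route at a time, so existing connections through the failed circuit still drop when it switches.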
Firewalls and redundancy have traditionally been two different things. My suggestion is to get a real router and to get a BGP feed from both your providers. This can also be done by software on a linux box but it won't be as stable or easy to support. A Cisco 2600 might be good enough for you. If your providers are going to be giving you a full Internet routing table then you should have 512MB RAM. Also have both of your providers advertise your /24 subnet, anything smaller will be filtered out.
Ideally you will want to advertise your networks to both of your providers so when one of the links goes down they will withdraw it from what they advertise to the Internet. If they put your route into their router to advertise there is a good chance it will not be withdrawn if your link goes down.
yes, I can live with the shame of having a rock-solid, Unix-based operating system such as FreeBSD (m0n0wall is FreeBSD-based). Grow up, boy!
I think he was probably referring to the shame caused by the inevitable accusations of necrophilia that afflict anyone who dabbles in "BSD".
Or maybe the total loss of a sense of humour.
Wow, this is about the most detailed and informative post I have seen on Slashdot in quite a while. That's a great description of the features and advantages of m0n0wall.
It sucks that you haven't gotten a mod point yet for this, but I hope it will come your way. Meanwhile, I'll lend this reply with my Karma Bonus to try to draw attention to it. Good luck with that business venture of the firewall servers.
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
I fail to understand this. Why would anyone want to do hosting themselves, when there's a gigantic market with good, professional and cheap third parties?
Flexibility? How many times is the website altered? Does this weigh against the uptime of a professional data center?
I've been using IPCop w/ Cop+ for content filtering. I don't suppose m0n0wall would have an add-on to do the same?
http://www.jtan.com/jtanoss/cdboot/
This is probably the answer you are looking for.
IPTABLES is shit, really, if you want legible firewall rules, built on a secure OS, try Ipfilter/PF on Open/Net BSD.