Great article, can I set up a Linux box on my Windows 2000 network and use this? How hard would this be if I have no base experience in Linux and can anyone suggest any sites/tutorials to get me started?
Yes!
dwdino 26th Jun 2003
Yes this can and should be done. The mixing of platforms is of no concern.

Hard? Well, the new Red Hat distributions (currently using 8, 9 available) are as easy as Windows to install. The IPCop manual shows you the steps in simple fashion. With a couple of hours' work you should be up and running.
If you have common hardware, you should have your Ipcop box up and running in 15 minutes. It really is that easy even for a person unfamiliar with Linux.

Darren
Some interesting distros that can do the same or even more are: FreeSCo and e-smith SME server.

FreeSCo can run from floppy and can be upgraded with many packages.

SME server has it all. Including mail server, windows workgroup or domain server, webmail, ftp server and printer server.
e-smith has samba and a pile of other crap on it that takes away from the security. Ipcop does what it is supposed to - protect your network. If you want a file and print server then e-smith is a fine choice behind ipcop.

Darren
That's my setup
vangoogle 30th Jun 2003
I have exactly this setup.
IPCop as my business's firewall on our ADSL line with E-smith set up in the DMZ (behind IPCop) as the email, web and ftp server.
It all works brilliantly.

PS I also find IPCop easier to set up than E-Smith.
IPcop is simple
Jaymz_R 29th Jun 2003
As long as your Win2k network is utilizing TCP/IP, no problem.

They've really nailed the installation. It's a wizard-type installation.

It will ask you for your red interface (untrust or WAN side), green interface (trust or LAN side) and yellow interface (DMZ).

Put the proper IP addresses in, and it pretty much takes care of the rest.

If you have an old 486 around, and you don't need the hard drive, install it on that.



http://www.netintegrity.com.au/webipcop13.html
IPcop alternative
yup 29th Jun 2003
A great alternative is Astaro Security Linux (ASL) found at www.astaro.com. It's free for personal, home use. Slicker interface than IPcop, similar features for home use. Easy install, GREAT manual, capable of auto-updating, can automatically email/page you regarding significant events (portscans, reboots, updates, etc). Can't recommend this highly enough.

It's also quite inexpensive for SME usage ($400 range). Much better feature/function than firewalls costing 3-5 times more.

And no, I'm not affiliated with the company in any way.

I have done more than a dozen installs of IPCop, starting from some beta releases to the 1.2.0.

The setup is very simple and painless as long as you have the necessary information handy with you, depending on your WAN link.

Read their FAQ and of course documentation before starting out.

To get a smooth install, use a known Ethernet card and IPCop will pick it up without any fuss. A DHCP server is also built in; if you don't need it, don't forget to disable it.

Don't forget to mark the Green and RED interface on the back of the machine, to save headaches later on if things don't seem to work.

Good Luck

Ej
If you are referring to setting up Ipcop on your network to protect your windows network, it is very easy.
All you really need is an old computer, 486 class or better, with 32 megs of RAM. Ideally you should try to find a Pentium class with 64 megs. You will need two network cards installed (preferably PCI as ISA involves a little too much tinkering). If you want a DMZ you will need a third card.
The reason I mention PCI cards is that Ipcop will most likely find those and configure them, whereas with ISA cards you need to specify IRQs and the like.

Anyways if your machine has a CD-ROM and can boot from it, great, just pop it in and follow the instructions.

If not, there is a tool called winrawrite in the utils directory; create a boot disk and a driver disk, and you can boot that way.

Note: Full instructions can be found on the CD in PDF format - they are very easy to follow.

Support from the open source community on the project can be found at www.ipcop.org

Darren

As others have mentioned, IPcop will work dandy with Windows based clients. As far as needing Linux knowledge, from what I've seen on the mailing lists it's more important if you have some understanding of basic IP networking rather than Linux. For the standard functionality you really don't need to know anything about Linux as long as you understand stuff like what's a gateway, IP subnets needing to be different on each interface, etc.

The authors claim no one has successfully hacked their VA Linux Distro with Smoothwall running on it. I from personal experience have been using it at home over a year now, it's great. I tossed the Linksys, which is junk in the trash, not a reliable "firewall" solution.
No frills, or unneeded extra services, susceptible to hacking on their firewall, but pretty easy to use once you read the Manual.

Check it out at: smoothwall.org

Aaron

... and web site, SmoothWall can never be the best.

IPCop has the best user support and a complete
online history of all support emails. Also an active
public support forum.

Smoothwall user support operates in the dark. No
searchable pages exist. The FAQ is bleak. Shine a
light on it and the cockroaches scatter.
There has been a mailing list archive for the SmoothWall GPL project for some time, we just opened up user forums last week, the FAQ is being rewritten. No need for such words.
Here's what you will need to know for a base
install:

Will the CD boot? (if not, create the boot floppy)

Are the NICs PCI based? (if not, you'll need to set
them up first)

Boot the CD.

Let it format the HD and install itself.

Let it find the NICs or Modem/NIC.

Configure the GREEN NIC, ie: What private subnet
will you be using. A common one would be
192.168.1.1.

Configure the RED NIC with a style, ie: does it get
its address via DHCP, Hard Coded, etc?

Set up your internal DHCP address range. A
common range would be 192.168.1.200 -
192.168.1.239

Set up all of your passwords for different access
types, ie: Admin, Setup, Root.

Take out the CD and Reboot.

Now, go to one of your internal machines and
reboot it. Assuming it is using DHCP, it will pick up
an address from the new IPCop created subnet
automatically. Run either ipconfig in DOS or
winipcfg, depending on your Windows version to
see if you got an address in the DHCP range you
assigned above. If so, your internal subnet is ready.

If you're on a cable modem, you may already be on
the internet, but if you have ADSL or a modem,
there is a little more setup.

Aim your Windows web browser to the ipcop
address at: http://192.168.1.1:81

You should see the IPCop admin page. Press the
Dialup tab on the left. It's going to ask you for your
admin login. The user id is admin and the password
is whatever you set up in the install step 5 minutes
ago. Select the correct COM port, or PPPOE for
ADSL (probably). Set up the user ids and
passwords. Press the SAVE button at the bottom of
the screen.

Click the Home button on the left. Press the Dial
button.

There ya go. I've installed IPCop in 6 minutes from
the time I booted the CD to being on the internet on
a cable modem.
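
An added example, not part of the post above or of IPCop: a short Python check of the address plan this walkthrough sets up, and of the address a client reports in ipconfig or winipcfg afterwards. The function names, the /24 mask and the RED sample address are assumptions; the post gives only 192.168.1.1 and the 192.168.1.200 - 192.168.1.239 range.

```python
import ipaddress


def check_plan(green_if, red_if, dhcp_start, dhcp_end):
    """Return a list of problems in a GREEN/RED address plan (empty = OK).

    green_if and red_if are CIDR strings such as "192.168.1.1/24".
    red_if is None when RED gets its address from the ISP (DHCP, PPPoE).
    """
    problems = []
    green = ipaddress.ip_interface(green_if)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)

    if not green.ip.is_private:
        problems.append("GREEN address is not in a private range")
    if red_if is not None:
        red = ipaddress.ip_interface(red_if)
        if red.network.overlaps(green.network):
            problems.append("RED and GREEN subnets overlap")
    if start > end:
        problems.append("DHCP range start is above its end")
    for addr in (start, end):
        if addr not in green.network:
            problems.append(f"DHCP address {addr} is outside {green.network}")
    if start <= green.ip <= end:
        problems.append("DHCP range contains the firewall's GREEN address")
    return problems


def client_in_pool(client_ip, dhcp_start, dhcp_end):
    """True if the address a client reports lies inside the DHCP pool."""
    ip = ipaddress.ip_address(client_ip)
    return ipaddress.ip_address(dhcp_start) <= ip <= ipaddress.ip_address(dhcp_end)


if __name__ == "__main__":
    # Values from the walkthrough; the /24 mask is an assumption.
    print(check_plan("192.168.1.1/24", None, "192.168.1.200", "192.168.1.239"))
    # Constructed bad plan: RED placed on the same subnet as GREEN.
    print(check_plan("192.168.1.1/24", "192.168.1.50/24",
                     "192.168.1.200", "192.168.1.239"))
    # 169.254.x.x is what Windows assigns itself when no DHCP server answered.
    print(client_in_pool("169.254.10.20", "192.168.1.200", "192.168.1.239"))
```
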
ctcald@... 10th Oct 2003
Great FW. Great logging mods and very quick to set up.
There are other great alternatives to IPcop:

m0n0wall:
http://m0n0.ch/wall/
It's small, 5 megabytes or so and will run on Soekris embedded systems:
http://www.soekris.com/
It's based on FreeBSD, supports VPN, traffic shaping, multiple interfaces (I'm using 6), wireless and more.

SmoothWall 2.0:
http://www.smoothwall.org/
This is what IPcop was based off, they now have a commercial product and the free version is more of a stripped down version of the commercial version.

Astaro Security Linux:
http://www.astaro.com/
It's a commercial product but has a home-use license for 10 or less systems. Quite a few features, based on Linux & IPTABLES.

NetBoz:
http://www.netboz.net/
Based on FreeBSD, live CD-ROM based firewall, haven't played with it myself yet.

CensorNet:
http://www.censornet.com/
It's meant more as a content filter, haven't tried this one yet.

So, there are a number of solutions out there. From my testing here are my feelings:

m0n0wall: This is the one I'm using now, it's tiny, light, simple, works! No hard drive needed, configs are written out to floppy or compact flash, boots off CD. Works on embedded hardware so you can make your own appliance pretty easily.

IPcop 1.4a9: This is looking pretty nice. I sorta like the interface on this better than SmoothWall 2.0. Squid cache is nice to have but it doesn't have the protocol classification granularity that m0n0wall has (Only TCP or UDP) and there are a few quirks (It IS an alpha..)

SmoothWall 2.0: Easy setup, some funky timezone issues, feels a bit light in features but it does the job. If you want something simple that has Squid this might be a choice until 1.4 IPcop comes out. Since they have a commercial product, don't expect all features to show up in the GPL version.

Astaro: Lots of features but the layout and admin interface didn't grow on me yet. I'm going to revisit this one soon and see if I can nail down the interface in my brain.

There are new guys out there like Ideco Gateway. Compared to high-dollar firewalls, Ideco is a great bargain. I have recently been testing it, and I can say, oh boy, performance and reliability are second to none.
Hi I am one of the developers that works on Ipcop from time to time, and I thought you should know the 1.3.1 Alpha3 version of Ipcop does have bandwidth throttling using the wondershaper - this will be released in Beta probably around August if not sooner.
As for the content filtering - the obvious choice would be DansGuardian, but the licencing on that product would make Ipcop illegal to use in a business, therefore there is no content filter. (The dansguardian product is released under GPL, if it is used for personal or educational purposes, you need to pay a fee to use in business)
But it can be added quite easily by going to http://www.dageek.co.uk/ipcop/addonz/ this is one of the many unofficial add on sites for Ipcop. This particular one has a small module that allows more modules to be added. Dans Guardian and a GUI to go with it is one of them.

I just thought I should set the record straight.

Darren Critchley
You can use Content Filtering with IPCOP 1.30 with fixes 1 and 2 installed. There are some add-ons to IPCOP which make use of Dansguardian. I use this in a Windows network of about 300 machines and it runs perfectly happily. Best part it is FREE!!!

I work for a non-profit agency which will be installing a "new" Novell-based network which will start out around 50-75 users and scale to 100-250 users.

Can IpCop be used with a Novell LAN??

What kind of hardware should be used to accommodate 100-250 users??

Is it absolutely necessary to install content filtering??

Thank you,
Tom
IPCop and Novell LAN
DNSB 27th Jan 2004
You can use IPCop with a Novell LAN with one caveat -- you need to be using IP (most modern Novell LANs) and not IPX for the firewall connection. For the most part, a firewall really doesn't care what kind of LAN is behind it. A PIII 1GHz with 512MB of RAM works here (more loafs than works).

Content filtering is not used here so can't comment on that part of your question.
I use IPCOP at home with a Novell 4.11 server and several Windows clients. I also have dialup. When I first installed the system I had an internal modem (hardware controller, plug and play), I couldn't get the modem to work. Once I switched to an external modem, the system started working pretty much flawlessly. It seems the plug and play modems will sometimes want to use a com port above 4 and IPCop has trouble with that unless the configuration is modified.

Using the web cache, when loading pages that are already in the cache, it feels like broadband or better. Obviously, that's only if the page has been cached already. My IPCop machine has a 166MHz Pentium, 64MB ram, and a 8 GB hd. I love it, and highly recommend it to anyone that will listen.
Novell and Linux are getting pretty cozy. Novell has, for a long time, had products that do the same functions as IPCop (and more) running on Netware servers. Check out their new Nterprise. It has what you need! If you simply want to use Netware as file servers on your LAN, IPCop doesn't care what OSes you use behind it. It controls TCP/IP entering and leaving your LAN.

From what I read, IPCop doesn't do content filtering.

Good luck. Netware 6 is GREAT! I hear NW6.5 is even better! (Going there this summer) I run a school network with 2500 client PCs, & 3800 users.

GPL is great and it is great that you provide this technical insight to using it.

Thanks