Forgot your password?
typodupeerror
Security

Captain Crunch's New Boxes, Part II 423

Posted by timothy
from the whistle-whistle dept.
micsaund writes: "It looks like the infamous Captain Crunch has been toiling away for 3 years on a firewall now known as the Crunchbox. It runs OpenBSD and is administered via a web-based interface. Steve Wozniak is quoted as saying it's 'next to un-crackable.' Check it out at ShopIP. The Register also has an article on it. As an aside, since the Linux Router Project (LRP) appears to have been sold-out and GnatBox is a tad expensive, is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?" We mentioned Draper's venture into firewalls last year, but there's been some progress since then.
This discussion has been archived. No new comments can be posted.

Captain Crunch's New Boxes, Part II

Comments Filter:
  • by javaaddikt (385701) on Sunday March 03, 2002 @08:51PM (#3103244)
    that you don't have a modem in your crunchbox
    :)
  • Free Firewall (Score:3, Informative)

    by L053R (555186) on Sunday March 03, 2002 @08:53PM (#3103257) Homepage
    Check Out www.bbiagent.com cool, free, easy to use...
  • Smoothwall (Score:4, Informative)

    by ViceClown (39698) on Sunday March 03, 2002 @08:53PM (#3103259) Homepage Journal
    Installs in a snap, free download, stupendous interface, good support. I've used it for months now without a hickup. Just my $0.02

    Smoothwall [smoothwall.org]

    Cheers :-)
    • Re:Smoothwall (Score:5, Informative)

      by GSloop (165220) <networkguru AT sloop DOT net> on Sunday March 03, 2002 @09:03PM (#3103308) Homepage
      I've never used smoothwall, and I haven't gotten any support, so I am giving "hearsay" here...

      But, from what I gather, and I have done some searching, Dick (aka Richard Morrell) seems to have a few screws loose. From all accounts, he is cranky and sometimes more than downright nasty.

      His product is FREE though, you should just don your asbestos suit should you go looking for support. (View a few IRC logs etc. to get a feel for how "Dick" seems to view newbies and/or non-paying customers.)

      Frankly, I'd rather do some extra work myself, than deal with people who are unsociable.

      All standard disclaimers, YMMV etc.

      Cheers!
      • Re:Smoothwall (Score:3, Informative)

        by xtremex (130532)
        Dick Moran is an asshole. I once asked him on IRC how I can upgrade software on the firewall myself, I got flames to no end, and my IP banned from the IRC server.
        • by King_TJ (85913) on Monday March 04, 2002 @01:05AM (#3104092) Journal
          It's always interesting to see people so quick to attack an author of security-related software when they ask how to essentially "de-secure" the product!

          I mean, honestly, it's probably a little "over the top" to ban your IP over the question -- but looking at it from the author's side for a minute; You're basically trying to modify the package to suit your specific needs. If you do this, you run a risk of introducing new code that's untested as to the level of security inherent in it. If the author helps you do these modifications, and then your box gets hacked later, how do you think that reflects on his original product?

          Richard Morrell may have his share of attitude problems, but I don't think this is really a fair one to use against him. Firewalls are *not* supposed to run other services. People keep trying to add ftp, printing and Samba file sharing services to Smoothwall, among other things - and it's just a BAD idea.
          • Why couldn't he say it like YOU did??? I wanted to upgrade a process running on the server. Just a simple question. It didn't have an ftp client, so I asked if there was a way for me to upgrade a package..he didnt even ANSWER the question. He said "*I* made this damn product, and if you don't like how it's made, go fuck yourself", and then kicked me out of the channel and banned me (this was a while ago). I could take a flame if it's deserved, but this just SHOCKED me..it was uncalled for. I still use Smoothwall however.
      • by dpotter (95081) on Sunday March 03, 2002 @11:14PM (#3103726)
        Just took a quick look at the Smoothwall FAQ [smoothwall.org] and I have to say that you appear to be correct about Mr. Morrell's attitude:

        The FAQ devotes 32 of 88 pages to how to correctly interact with the community, with such topics as "On Not Reacting Like a Loser" and "RTFM and STFW: How to tell you've seriously screwed up."

        Furthermore, the remaining 56 pages are liberally sprinkled with the same: "Asking this question on the mailing list or IRC will inevitably result in the verbal equivalent of being hit round the head with a baseball bat. The answer is NO."

        While I appreciate the sentiment of these statements, devoting nearly half of the document to this topic might be a little overboard.

      • by Waffle Iron (339739) on Monday March 04, 2002 @12:12AM (#3103883)
        His product is FREE though, you should just don your asbestos suit should you go looking for support. (View a few IRC logs etc. to get a feel for how "Dick" seems to view newbies and/or non-paying customers.)

        I think this guy has finally found a way to make money on free software: Forget selling licenses; forget selling service and support. Just sell protection from ridicule and verbal abuse.

        Preserving some semblance of self-esteem has clear value in the marketplace. I think this business plan will be successful.

      • by nomadic (141991) <nomadicworld@gma ... inus threevowels> on Monday March 04, 2002 @12:23AM (#3103939) Homepage
        But, from what I gather, and I have done some searching, Dick (aka Richard Morrell) seems to have a few screws loose. From all accounts, he is cranky and sometimes more than downright nasty.

        An ill-mannered, non-social programmer? Impossible!
      • by istartedi (132515)

        View a few IRC logs etc. to get a feel for how "Dick" seems to view newbies and/or non-paying customers

        Now there's a business model I hadn't considered: Give the product away for free, charge people to be nice to them.

    • Re:Smoothwall (Score:5, Informative)

      by Anonymous Coward on Sunday March 03, 2002 @09:12PM (#3103349)

      Well, I'm glad that you had nice experiences, but the general consensus seems to be that good support is a rare thing from Smoothwall (hence IPCop.org, I guess). They certainly carve bold new diretions for customers service! They'll swear at you, not answer emails, and not rarely answer specific questions (instead, cut-n-pastes are regular).

      I'm not willing to post my emails between the developers, I, and other people in the company. I really don't want to be hassled by Smoothwall anymore. The funny thing is that I'm quite sure I'm unidentifable in the masses of people who might say such a thing ;)

      (and this comes from a paying customer of Smoothwall Corp. - not a freeloader).

      I *strongly* recommend any other distro. I didn't think customer service mattered much until I found a bug in their product and wanted them to fix it.

      • Re:Smoothwall (Score:4, Informative)

        by TellarHK (159748) <{tellarhk} {at} {hotmail.com}> on Sunday March 03, 2002 @09:48PM (#3103467) Homepage Journal
        Yep, Morrell is definitely someone to watch out for. He threatens, harasses, and insults practically anyone that doesn't tell him Smoothwall's the greatest thing since using the GPL as a way to fork off to a commercial product after getting overenthusiastic community ego boosting.

        He's gone so far as to make legal quasi-threats against me and other critics of his treatment of Smoothwall users. He's driven away enough developers that the IPCop project was formed and seems to have done quite a good job at proving themselves to have intentions of being more than just another forked project. IPCop [ipcop.org] has performed just wonderfully for me since my abandonment of Smoothwall.

        For the morbidly curious, I have an archive of my emailing back and forth with Richard on this webpage [mac.com].
          • by Watts Martin (3616) <layotl&gmail,com> on Sunday March 03, 2002 @10:52PM (#3103644) Homepage

            You know, after reading the entire thing, I think both you and Dick should be taken out and spanked. :)

            It's obvious Dick is genetically incapable of responding civilly, and he should be physically prevented from responding to users. There are certain people who seem to revel in the Bastard Operator From Hell stereotype. One suspects he started his own company because if he tried to work for anyone else, they'd fire him, ideally with a cannon.

            Having said that, though, it's also clear that you simply weren't willing to take "it's a firewall, and isn't competing with a Linux distribution" for an answer. Dustmite didn't start out irritable--he got that way after explaining the rationale. Then doing it again. Then repeating himself. Over. And over. And over.

            Quite frankly, any engineer would have started sounding irritable by the end of that IRC log. He could have handled it better, but honestly, you didn't come across like you were going to accept any "closure" other than a Smoothwall employee saying, "Yes, it's a great idea to put GCC and a web server on our firewall, and we'll get right on it."

            It's interesting to hear these things about Smoothwall, though, since I work for a company that makes a box that competes with them. (Incidentally, our box does have a web server on its firewall if you want it. Dustmite is right: it's bad security to do that.)

            • Yeah, I'll admit that I understand how that could have looked that way. It wasn't that I had issues with the fact Smoothwall doesn't have those features, but the answer I got was quite rude. People being rude like that honestly tends to bring out the worst in me, a situation I've worked to curb since reviewing that log a few times more than I needed to be somewhat humbled.

              My concern in some areas with Smoothwall is that a good deal of the security they had in place at the time of my conflict with them, was based on a ''They'll never get to root anyhow'' mentality. My main suggestion, GCC, is something that could only be exploited from a root login. Honestly, once a root login is compromised, your firewall is essentially useless as a security tool. And seeing how root is claimed to be the only login id available on a Smoothwall system, it would stand to reason that any access would be catastrophic.

              However, the crux of my entire line of reasoning was that "for my needs" I'd like a system that had those features. Its perfectly understandable, expected, and encouraged that Smoothwall and other projects target whatever userbase they want to. But by giving me the terse response they did, instead of saying "We're not targeting the small home user who wants a web presence, sorry." it just really rubbed me the wrong way. They could even have left out the "sorry".

              That's fine, that's cool, I said as much repeatedly in my correspondence. However, I kept being treated with the same lack of respectable treatment that Richard is increasingly known for. For me, right after the IRC conversation, it became a matter of the lack of courtesy with which I was treated feeding the flames. Pun not intended.

              I'll admit to my faults in that exchange, but don't expect the same from Richard or his team. And that, to be honest, is where Smoothwall really fails.
              • I just read the IRC log and I must say that his first answers were short but not rude at all (later after you have used up all of his patience he indeed gets slight rude...). But IMHO you were quite annoying since you just ignored his answers or haven't understood them.

                I think the whole problem is that you want something like a small, secure operating system based on linux that has dhcpd and a webserver and IRC and ....

                But Smoothwall is no such thing (you can abuse it as such of course, but don't expect support for that) - it's "a firewall". In short: A firewall is something that is inbetween you and the internet. This can be a software package (i.e. an add-on to the OS) that installs on your workstation or a device that sits on your uplink. And to be precise Smoothwall is the software/OS of such a device.

                You really shouldn't run any additional software on the machine that runs Smoothwall, you should run them on machines that are either placed before the firewall or after it, so including GCC in smoothwall doesn't make any sense at all unless you change the purpose of the software from "a firewall" to ... whatever, you know what I mean.

                Your failure was that you haven't understand the goals of Smoothwall and dustmite's failure was that he hasn't noticed that. When you said that you want to replace Suse and RedHat and only have "one machine to work with" and want to install/run this and that he simply should have said "Sorry, Smoothwall is obviously not the right solution for your problem. Use something else, we can't help you".

                Oh, BTW: Do you really except help from someone after you have criticized him for his attitude? This is not a clever tactic.
          • I'm not quite sure why you think people should take your side in that argument. Personally, I think you're as much to blame as the SmoothWall folks.

            You repeatedly ask for a feature in IRC. When you're told that they won't add such a feature because it would compromise their product you repeatedly ask for the feature until you become a nuisance and they ban you.

            Then you email the owner of the company, without the IRC log to back up your claims, and state that a member of the company was mean to you.

            The owner of the company, who has probably looked at the IRC log and noticed that you're not telling the whole story. Asks you to not mail him any more. Maybe he didn't do it in a very civil manner, but he did ask you to not mail him any more.

            How do you respond? You repeatedly mail him, his team, an ISP that has no connection to the problem, and try to make submissions to Slashdot.

            Then you have the audacity to get upset when the SmoothWall owner doesn't honor your request to stop emailing you.

            What gives you the right to expect a certain level of respect that you didn't give to him? In the very first emails from the SmoothWall owner you were asked to never mail him again. You ignored that. Anything that happened after that is pretty much your fault.
            • As a potential user of his software, I have the right to be informed about a product I'm going to use - especially if it's something I'll be trusting my network to. As a businessman (which Richard appears to be, far more than a developer), Richard needs to be more in tune with making himself and his product look good.

              And I didn't repeatedly ask for a feature, what I said was that the feature in question would suit -my- needs. People seem to think that by saying that, I'm making a demand. That's -really- inaccurate. Also, understand that I did not know that dustmite was in any way related to Smoothwall. He was not listed on the website's list of team members and IRC regulars, so I assumed he was just another user. He never identified himself as anyone with anything to do with the company, which is something that didn't become clear until later.

              When I get an email like I did from him not once but -twice-, several hours apart, after sending a rather clear and polite letter about my concerns about the IRC conversation, I get the feeling that this person is -trouble-. So yes, after that I fanned the fires just a bit, and did so intentionally. People like Richard need to be exposed for what they are.

              You say I didn't include the IRC log, but I can see you didn't read my site all the way through. I mention in the site and my letters back and forth to Richard that I had no way of acquiring that log, or I would have sent it. I was using the Java-based client on the Smoothwall website, and that didn't even have a cut and paste feature if I recall correctly.

              I emailed his ISP (Well, tried to) because he was harassing me after a polite request to stop. He wasn't emailing me anything of substance, he was mailing me threats and invectives. Nothing even remotely constructive.

              And anyone who says an argument over -anything- online deserves a false accusation of hacking being called into someone's ISP is nobody I'll be speaking with twice.
        • Re:Smoothwall (Score:2, Insightful)

          by jazman_777 (44742)
          Try OpenBSD. It's rock-solid secure. It'll give you what you want. And, compared to Morrell, Theo de Raadt (sp?) is a model of civility and diplomacy.
      • Yup, I too have been giving IPCop a spin over the last few weeks on an old machine I've got on the floor at home. IPCop is about to take over serving the dialup of our office at work, and I know of a local business that's been plugging it to some of his clients who want to securely share a connection.

        IPCop is a nice piece of work. And, as stated elsewhere, is sans the problems associated with Smoothwall's co-creator.

        Shame, because Smoothwall is also a good product, and Lawrence Manning (the nicer co-creator) is a really nice and damn smart guy.
    • Yes, smoothwall is good, and yes, Clark Connect is even better. I haven't tried this Freesco thing, but I'd have to say it may not serve you if you want to have more services than the average router. If you look in the nearly unnoticable corner of the web you'll find the "shop" with the real beauty - the Start-up server [startuplinux.com]. This is a router with a lot of interesting features, including a console menu system called "smat" that lets you do everything you need, and which, I might add, is highly configurable because its written in Bash (you also get webmin). Its also based upon Slackware, so you get to download any of its packages if you need them. The one feature I particularly like about this distro is the fact that it uses the keyboard LEDs (num, caps, and scroll) as status indicators for the network, so you don't have to plug in a monitor to troubleshoot the connection at the source if anything goes wrong.
  • LRP "sold out" ? (Score:4, Informative)

    by maggard (5579) <michael@michaelmaggard.com> on Sunday March 03, 2002 @08:53PM (#3103260) Homepage Journal
    How so? They took offerings from VA Linux?

    The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.

    Was there any reason for this possibly very damaging statement?

    • Re:LRP "sold out" ? (Score:5, Informative)

      by slamb (119285) on Sunday March 03, 2002 @09:45PM (#3103458) Homepage
      The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.

      Was there any reason for this possibly very damaging statement?

      Yeah, because at the linked site [linuxrouter.org]:

      • There have been no releases since 0.9.8 on 12 Sep 2000 (a year and a half).
      • The only news since then has been three seperate sponsers (Cyclades, VA, and Sangoma). It's not clear what the money is being used for.
      • The mailing list archives [linuxrouter.org], give 404s on the -devel list. Only the users list seems to be active.
      • The "unstable" directory on the site contains only (besides the 0.9.8 release) a few kernel patches made to 2.2.19 in July of 2001.

      On the other hand, this site [steinkuehler.net] seems quite active. I'm not sure what their relationship is.

      • Re:LRP "sold out" ? (Score:5, Informative)

        by zsazsa (141679) on Sunday March 03, 2002 @10:22PM (#3103566) Homepage
        linuxrouter.org is no longer the center of "Linux-firewall-on-a-floppy" development. It's been seldom updated for several years now; the only important thing on it being the mailing list. The site even apologizes for its own lack of maintenance: Unfortunately most all of the LRP docs at this site are painfully out of date. The LRP still is the basis of most Linux floppy distros, albiet heavily modified.

        Instead of linuxrouter.org, the real hotbed of development these days is the LEAF site [sourceforge.net], LEAF standing for Linux Embedded Appliance Firewall. The steinkuehler.net [steinkuehler.net] site you mentioned is a part of LEAF, hosting the Eiger/Dachstein distributions. Unfortunately the linuxrouter.org project doesn't point the way to LEAF. I only found out about it by following the mailing lists.

        Ian
        • Re:LRP "sold out" ? (Score:5, Informative)

          by GlobalEcho (26240) on Monday March 04, 2002 @12:34AM (#3103987)
          I wrote what was once widely appreciated as the most useful howto [sourceforge.net] for using LRP. It is now woefully out of date, and I recommend Eigerstein or Dachstein [steinkuehler.net], which are so well-designed that they don't need that kind of detailed documentation.

          I can shed a little more light on the middle-recent history of LRP and LEAF. Two years ago, LRP was indeed the center of all linux floppy firewall/router activity. However, people were starting to innovate, and Dave Cinege (who owns the domain name) never seemed to find the time to update his own work or incorporate that of others. It was a running joke on the mailing list. It would not have been much work for Dave to at least put up links to the sites documenting and extending LRP, but it never seemed to happen.

          For a while, linuxrouter.sourceforge.net (now changed to leaf.sourceforge.net [sourceforge.net]) was a repository of all the extra work. Before that everything had been on a crazy collection of obscure personal websites (like mine).

          Dave promised major updates to LRP, and then gave up on LRP and decided a completely new, cool project was necessary. This was around the time Tim McVeigh was executed, which Dave considered [linuxrouter.org] the murder of a hero or prisoner of war. Without getting into politics or morality, I merely note that it was the last straw [linuxrouter.org] for many people, who made a complete split and formed LEAF. I presume it was the rancor behind this split that keeps Dave from mentioning LEAF on his website.

          Unfortunately, if you type "linux router" into Google, LEAF shows up way down the list -- maybe 20th.

          IMHO, the people working on LEAF are dedicated and impressive. It remains far and away the best floppy-based router/firewall available. It is certainly the most actively maintained.
        • yes, thank you for stating what i was going to say.
          i'm glad your response was modded up. I am quite satisfied with the level of activity on LEAF. We are going to move to a recent version of Oxygen in the near future. And the reason for doing that is to be able to run Seawall as a firewall on our
          'embedded' boxes.
  • FreeSCO (Score:4, Informative)

    by groove10 (266295) on Sunday March 03, 2002 @08:53PM (#3103261) Homepage
    That's what I use on my little NAT/Gateway thing at home. Works like a champ. Web-based config + many other add-ons for this floppy distro. More put together than LRP IMHO. Check it out at: freeSCO.org [freesco.org]. The dicumentation is pretty good, although it may not be as secure as other distros.
  • LinuxMandrake SNF (Score:3, Informative)

    by DCowern (182668) on Sunday March 03, 2002 @08:54PM (#3103264) Homepage

    Single Network Firewall... runs off of a 2.2 kernel, easy to set up, and runs off a "slick web based interface". You can download the ISOs for free off their website.

    Some linkage:

  • by jaavaaguru (261551) on Sunday March 03, 2002 @08:54PM (#3103267) Homepage
    next to un-crackable

    What does Steve Wozniak have against Captain Crunch? we all know what happened to Oracle when they made similar claims.
    • Maybe, except he didn't say that it _IS_ uncrackable, only 'next-to-uncrackable'. I realize that some may consider this nitpicking, but it isn't, really. Any non-trivial piece of software has bugs, and Steve Wozniak knows that just as well as any of us. This sort of comment is likely Woz's way of expressing the high degree of confidence he has in the product without making any sort of claim that could very possibly be proven false next week.
  • by kemster (532022)
    Looks like it's /.'d already, so use the power of the google [google.com].
  • Coyote Linux (Score:4, Informative)

    by servoled (174239) on Sunday March 03, 2002 @08:55PM (#3103270)
    Note sure if this qualifies, but it is a neat little floppy disk distribution that does nat. Check it out at http://www.coyotelinux.com/ [coyotelinux.com].
    • Re:Coyote Linux (Score:5, Insightful)

      by wholesomegrits (155981) <wholesomegritsNO@SPAMmchsi.com> on Sunday March 03, 2002 @10:06PM (#3103522)
      Maybe a few comments from De Raadt, the OpenBSD guy, regarding the intelligence of using a floppy disk [monkey.org] for your firewall are in order. The short and quick: it's a stupid idea. This thread seems to be dominated by the "let's entrust my entire network's security to a $.25 (or cheaper) part that has the highest failure rate of any storage medium ever. This isn't directed at you, servoled, but just a general note for the thread.
      • Eh...

        So you make TWO.

        Once booted, Linux has uptimes of months, so it just isn't a problem...

      • Actually picoBSD [freebsd.org] tries to do just this, though it is based on FreeBSD rather than OpenBSD. Personally , I prefer LEAF [sourceforge.net] in its Dachstein form, which is essentially what happened to LRP.

        Theo (in citing their tendency to go bad) clearly misses the point of floppies, though:

        - Read only media are a true blessing. You are never more than a reboot away from a clean system.

        - Their unreliability makes them more secure, since if they go bad, the router just dies at the next reboot, which is ultimate security, however frustrating.

        - They are only used every couple of months when you upgrade.

        - They are low-power and have no spin noise.

        - They are found on the cheapest hardware.

    • FrazierWall Linux (Score:2, Informative)

      by bkives (536685)
      I like Coyote Linux. I used it for some time. It has one of the easiest installers. It even installs from windows. But if you run it through GRC's Shields Up at: http://grc.com/default.htm you will see closed ports on the default firewall ruleset.

      Might I suggest FrazierWall Linux. It is a fork of Coyote and LRP, but with better default firewall rules, and a built in web server for local firewall status information. And it will even e-mail the firewall logs to you.

      http://www.frazierwall.com/

      Plus it passes both the Shields Up and Sygate Scans : http://scan.sygatetech.com/
      with stealth mode almost everywhere.

      I did have some problems with in initial install. I looked in the config files from Coyote to get things straight with FrazierWall. Other than that, FrazierWall is a well done firewall.
  • Clarkconnect (Score:5, Informative)

    by Anonymous Coward on Sunday March 03, 2002 @08:56PM (#3103276)
    I use clark connect for my firewall. Its linux based wit a web admin, it displays usage reports, bandwidth graphs. Does nslookups and whois on people who try to hack you. Even displays "12.12.12.12 tried to use Code Red 2.0"
    Also includes CUPS for printing.Samba for file sharing. OpenSSH and the web based admin uses ModSSL so its all encrypted.

    Its frickin awesome! Is built from Redhat 7.2 and accepts all Redhat 7.2 RPMS.
    • I looked at Clarkconnect, but I refuse to run it. Why? Because honestly, what kind of serious firewall product also leaves all those other services running? What's the point in protecting your systems and data behind a firewall, when at least some of your important files and servers *are* the firewall? There's no line of defense in front of your print server, file server, etc.
  • by young-earth (560521) <slash-young-earthNO@SPAMbjmoose.com> on Sunday March 03, 2002 @09:00PM (#3103292)
    works great, easy to set up, floppy only, works on >= 486 machines. I've never seen it go below 98% idle on a 100MHz P5 with 5 hard-working machines filling a 768Kbps DSL line. You can pay $50 and get a DMZ added on to the free version, same price for a VPN license.

    Download it from here [gnatbox.com]. This is a BSD based firewall, but no shell, nothing for a cracker to get onto it. Uses SSL web access (new in later versions) or a Winblows client for configuration.

    Oh and one point that is heavily stressed in their marketing material - it's ICSA certified.

    There is a small version for ~$750 street price that gives 25-user version with DMZ, no moving parts, runs off 12VDC.
  • by lethalp1mpslapper (238264) on Sunday March 03, 2002 @09:01PM (#3103296)
    This firewall is free for non-commercial use and has a web interface to boot. I've used this for sometime now. It supports VPN, incoming/outgoing email virus scan, IP accounting and routing. It will even update itself on the fly if you want. Here is the link: Astaro Security Linux [astaro.com]

    P.S. - I don not work for these guys, I am just impressed by what they offer.
  • "I'd dare to say, next to uncrackable, is crackable."
    Dr. Nonsense, cofounder of the Nonsense School of Journalism and PR.
  • Not quite GPL'ed, but a nifty single-disk solution. I liked it better than LRP since it has built in support for PPPoE, important to us Verizon lusers.
    • I'll second the recommendation. Been behind coyote since I got DSL 15 months ago. It's a wonderful thing (and I don't have to have a HD making noise & heat in the closet).
    • Coyote Linux is a derivitive of LRP. It *is* GPL (as it is really GNU/Linux (again, it is LRP)).

      The (iirc) non-gpl part is the windows-based installer. But i think it is available gratis.

      Ive built CoyoteGNU/Linux routers for friends, would recommend it.

  • by khuber (5664)
    I blew real hard and couldn't get a tone out of
    the damn thing.

    -Kevin
  • is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?

    Yeah. It's called "stealing a copy of Firewall 1 from work". Sometimes you have to spend money for things.

    - A.P.
  • When friends want to share a cable modem I usually go over to the local computer surplus sale and get 2 PCs that have NICs in them and a HDD and intall freesco [freesco.org].

    It is based on an old kernel, and doesn't have socks so not everything will work, but it's easy to set up and even an idiot can use the web-based panel.

    For a super low hassle setup I'd recommend it. It goes right onto an ex DOS PC, no re-formatting or anything.

  • IPCop (Score:2, Informative)

    by cyroth (103888)
    Give IPCop [ipcop.org] a go. Very similar to Smoothwall without the "attitude" that some people suffer from.
    • Re:IPCop (Score:2, Informative)

      by freeio (527954)
      IPCop is excellent for probably 90% of the firewall needs for individuals and small businesses. It is based on linux kernel 2.2.20 and ipchains. It is GPLed, has a quality web interface, and installs fast and easy. Furthermore, the user list is friendly and helpful. I downloaded the iso for it, wrote it to a cd, and then took about 15 minutes start to finish with the initial installation. After that, the fine tuning was handled over a very intuitive web interface. I would rate it a 9.5/10.
  • by kir (583) on Sunday March 03, 2002 @09:21PM (#3103372) Homepage

    Fast, reliable, application level proxies - with the ability to log at different levels (and run on linux).

    Where can these be found?

    Both generic tcp/udp proxies and application aware "smart" proxies (i.e. H.323, NetMeeting, RealAudio, etc.). I know a lot of this funationality exists in the kernel, but I'd love to have proxies for those pesky protocols that decide on random high ports. If it could see and understand the "conversation", it could then, on the fly, proxy the appropriate (randomly selected) ports.

    If I am completely missing something here (i.e. I'm a moron?!), let me know. I can take it. I think??

    • OK... apparently, I am a moron... well, maybe not a moron, but LAZY. I got off my arse and did some poking around. Look what I found.

      I found a few application level proxies -

      OpenGateKeeper H.323 Proxy [sourceforge.net]

      ftp.proxy [ftpproxy.org] - This looks very well done.

      smtp.proxy [quietsche-entchen.de] - done by the same guy as tcpproxy below.

      For the generic tcp proxy -

      nportredird [asymmetrica.com] - This looks very promising.

      aproxy [dilledabb.de] - looks a little too simple, but it's perl! (English can be found via babelfish [altavista.com].)

      tcpproxy [quietsche-entchen.de] - This one seems the most complete and designed for a firewalling environment.

      I found a whole slew of different app "level" proxies (Quake, POP3, etc.), but most seemed a bit basic. Some of the POP3 ones were cool (proxy auth support).

      I was not able to find a good udp proxy - with multi-source/multi-destination (proxy with an ACL). I've a small local port udp redirector (I have no idea where I got it) that I use on my home network, but it's not something I could use at work. So... there ya go.

  • by gwernol (167574) on Sunday March 03, 2002 @09:32PM (#3103406)
    From the page at iShop.com:

    The latest attack signature libraries can be automatically updated from a centralized source of the computer security community.

    I am certainly not a security expert, but this seems like a potential weak point. If they can automatically change the rules the firewall uses, then in theory someone else could as well, if they cracked the update protocol.

    Does anyone know how they protect these updates so that they can't be intercepted and broken?
    • I am certainly not a security expert, but this seems like a potential weak point. If they can automatically change the rules the firewall uses, then in theory someone else could as well, if they cracked the update protocol.

      It all depends upon the security posture of your company. The same question can be made of outsourcing security services in general. Some companies are too small and/or do not have the internal expertise to property manage an integrated solution, and rely on services and solutions from third party companies. In essense, you are putting you the family jewels in someone else's hands.

      So, allowing your firewall/ids to go out and fetch the latest ruleset may be OK if you're already willing to trust as it is.

      Not saying that I don't consider it a problem--it's just something that has to be taken in check with your needs and resources.

    • The crunchbox could ship with the public key of the Crunchbox team, and then the iShop people could digitally sign updates.

      If you wanted to fake an update, you'd need iShop/Crunchbox's secret key to sign your little bundle of destruction.

      I have no idea if this is how they take care of it, but it seems like a good idea to me.
  • h4x0r3d? (Score:2, Funny)

    by EchoMirage (29419)
    Steve Wozniak is quoted as saying it's 'next to un-crackable.'

    ...and as soon as the story was posted, the screen read "j00've b33n h4x0r3d" and nature once again revealed its irony.
  • Used it, like it. Typical "on a floppy" distro... check it out here [coyotelinux.com]. Comes w/SSH for remote support. Dunno about "Slick Interface" but for a CLI junkie like myself, it's cool.

    It's a great way to make that ole' Packard Bell 486 come back to life!

  • I hate to be a prat, but what's the point on adding a web-based interface to OpenBSD. The whole OS is damn easy to setup - the man pages are idiot proof and the documentation on installation are wonderfull. There are some rough spots that look a bit difficult if you don't have OpenBSD's documentation on hand - so keep another computer nearby to browse the web and man pages.

    Hints:
    Buy the OpenBSD CD - they are bootable and support the project.
    Learn a bit of VI beforehand for editing those text files - of course other editors are available but VI comes built in.

    Other hints:
    Trust Theo and his friends to get the operating system secure - not a has-been cracker cashing in on name recognition.

  • by Beowulf_Boy (239340) on Sunday March 03, 2002 @09:44PM (#3103450)
    I've tried several different types of Firewall distros. Coyote, Smoothwall, that Mandrake one, etc. I finally settled on Freesco, because it runs off the fat32 filesystem. All of the other ones are basesed on non-journaling Filesystems (Ext2). And my electric goes out quite frequently.
  • Please check out ClarkConnect [clarkconnect.org]... it's a great little firewall based on RedHat 7.2. It gets regular updates, and has an active user community.
  • by tkrotchko (124118) on Sunday March 03, 2002 @09:55PM (#3103492) Homepage
    ...but a solid firewall.

    http://www.fwtk.org/main.html

    There's still a lot of support and I believe an active mailing list.

    I put one together 5 years ago, and the company I work for still uses it for their mailing host.

    Interface? There is none. But it works pretty damned good if you're willing to spend 1 day understanding how it works.

    Not a bad deal.
  • by Dacmot (266348) on Sunday March 03, 2002 @10:18PM (#3103556)
    1. Freesco [freesco.org] which I personnally use on a 486/dx2 with 8mb of ram. It has many functionalities like remote access, dhcp, dns, print server, firewalling, masquerading, bridging, support for many ethernet cards and best of all fits on a floppy (no HD required, but possible to do a HD install) Works like a charm and very easy to setup... almost plug and play (although not like windoze's plug and pray)
    2. Coyote Linux [coyotelinux.com] which seems to offer a few more features than freesco, but requires 12mb of ram. Again, fits on a floppy.
    3. SmoothWall [smoothwall.org] which seems to be more of a feature complete firewalling solution includes web-based admin, proxy server and much more. It's larger (30MB or so) but seems fairly easy to use.
  • by gmhowell (26755) <gmhowell@gmail.com> on Sunday March 03, 2002 @10:20PM (#3103558) Homepage Journal
    I was grocery shopping today. I noticed that the elephant is no longer on the peanut butter cap'n crunch. And that 'thing' is no longer on the crunch berry box. I figured the first link in this story would go here [capncrunch.com]. Nope. Just some boring hacker crap.

    (and for those keeping score, I am in fact blocking timothy's articles from the front page. I came here after seeing the headline on another site.)
  • LRP is now LEAF... (Score:5, Insightful)

    by phraktyl (92649) <.moc.ooggard. .ta. .ttayw.> on Sunday March 03, 2002 @10:23PM (#3103569) Homepage Journal

    LRP has been superceded by the LEAF project at http://leaf.sourceforge.net [sourceforge.net]. I'm running a current LEAF distro (Oxygen) and it's rock solid. There are quite a few different flavors, depending on your needs and experience level.

    From the LEAF site:

    An easy to use embedded Linux network appliance for use in small office, home office, and home automation environments. Although it can be used in other ways, it's primarily used as a gateway/router/firewall for Internet leaf sites.
    Last Oxygen release was about 2 weeks ago.
  • I bet some enterprising 15 year-old nicknamed "Captain Furby" will find that the 8156khz sound of a Furby's voice produces the perfect pitch to crack the "Crunch Box".

  • If you can read Japanese (and if you can't just look at the pictures), how about OpenBlockS [plathome.co.jp]?

    It's tiny (look at the picture about halfway down the page to get an idea of how small it really is - those are RJ-45 ports), runs Linux, and you can fit it with a HD if you really want to (although I don't see why you would).
  • astaro firewall (Score:2, Informative)

    by Pika (49094)
    check out astaro firewall at www.astaro.com.

    it is a linux based firewall solution with vpn & virus scanning support. it's the most comprehensive firewall package that i have seen (and that is freely downloadable).

    astaro includes implementations of other security related products (swan, etc) all in one package. definately worth a try.
  • Can someone explain? I must have missed something.

    (this post isn't worth modding so don't)

  • by Anonymous Coward on Sunday March 03, 2002 @11:23PM (#3103752)
    It looks like a lot of the Linux-based firewalls I've seen recommended here use ipchains with the 2.2 kernel instead of iptables with the 2.4 kernel. As far as I understand, this would mean they can't do connection tracking for things like FTP and IRC. Here's what I'm able to figure out so far...

    Firewalls using iptables with 2.4.x kernel:

    Firewalls using ipchains with 2.2.x kernel:

    Firewalls using ipfwadm with 2.0.x kernel:
    • Freesco [freesco.org]: ipfwadm, 2.0.38 (!)
    • FWTK [fwtk.org]: Dunno, looks old, mentions ipfwadm

    My question is, isn't it best to use an iptables-based firewall on a 2.4.x kernel instead of an ipchains- or ipfwadm-based firewall on a 2.2.x or 2.0.x kernel? I definetely want the connection tracking capabilities in the 2.4.x kernel, especially for screwy things like FTP, IRC, etc. (Yes, I know there is an IRC connection tracking patch out now for 2.4 kernels...) Is a kernel that doesn't support connection tracking for firewalls a reasonable option these days?
    • by GlobalEcho (26240) on Monday March 04, 2002 @12:59AM (#3104071)
      Linux firewalls and NAT routers were able to handle FTP and IRC at least as far back as the 2.0.x series kernels, using kernel modules that I assume basically forced state tracking on these types of connections. Other modules handle all the other major protocols like this (e.g. RealAudio).

      LEAF/LRP/Dachstein [steinkuehler.net] do so automatically. I assume most if not all of the others you cite do so as well.

      So, to answer your question, the answer is "no". Lack of support for connection tracking is indeed unacceptable. But 2.0.x and 2.2.x have tracking after all, at least where it matters.

  • The emBSD [suspicious.org] Firewall seems to be right on track, and you can download it right now. I've not tried it, but it runs off a 32MB Compact Flash.
  • Their webpage says:

    "Evaluate our demo at:
    https://demo.shopip.com"

    But I don't get a connect, has it been cracked already?

    ttyl
    Farrell
  • How hard is it to use a general purpose distrobution for a firewall? It seems like it might be nice to be able to add a web server, file server, print server, or whatever to your firewall -- especially if the firewall is more to provide NAT than to provide security. A general purpose distro makes this sort of thing easy, and any vaguely modern machine is going to have power to spare to provide other services.

    Are there any packages for Debian or RedHat that provide firewall functionality easily?

  • Well dude, I guess you got the publicity you were looking for ;-)

    -jcr

  • by krokodil (110356) on Monday March 04, 2002 @12:25AM (#3103950) Homepage
    It may be unbreakabale but looks like it is
    slashdottable.

  • ...No more Soggies!
  • That Woz quote got me thinking...

    Let's say you have a good product and you want to get it endorsed. Bring it to a business guy, and he'll say: "This box is uncrackable. It's totally secure and cannot be comprimised."

    Bring the same thing to a well-respected engineer and he might say: "It's darn, near impossible to crack. Hey, nothing is impossible, and there's always a risk, but this product is as good as it gets."

    Too bad only the first endorsement would ever help sell the product.

"From there to here, from here to there, funny things are everywhere." -- Dr. Seuss

Working...