Captain Crunch's New Boxes, Part II 423
micsaund writes: "It looks like the infamous Captain Crunch has been toiling away for 3 years on a firewall now known as the Crunchbox. It runs OpenBSD and is administered via a web-based interface. Steve Wozniak is quoted as saying it's 'next to un-crackable.' Check it out at ShopIP. The Register also has an article on it. As an aside, since the Linux Router Project (LRP) appears to have been sold-out and GnatBox is a tad expensive, is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?" We mentioned Draper's venture into firewalls last year, but there's been some progress since then.
Free Firewall (Score:3, Informative)
Smoothwall (Score:4, Informative)
Smoothwall [smoothwall.org]
Cheers
LRP "sold out" ? (Score:4, Informative)
The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.
Was there any reason for this possibly very damaging statement?
FreeSCO (Score:4, Informative)
LinuxMandrake SNF (Score:3, Informative)
Single Network Firewall... runs off of a 2.2 kernel, easy to set up, and runs off a "slick web based interface". You can download the ISOs for free off their website.
Some linkage:
slashdotted already?!?? (Score:2, Informative)
Coyote Linux (Score:4, Informative)
Clarkconnect (Score:5, Informative)
Also includes CUPS for printing.Samba for file sharing. OpenSSH and the web based admin uses ModSSL so its all encrypted.
Its frickin awesome! Is built from Redhat 7.2 and accepts all Redhat 7.2 RPMS.
Free Firewall... (Score:1, Informative)
Gnat box has a Free 5-user version (Score:5, Informative)
Download it from here [gnatbox.com]. This is a BSD based firewall, but no shell, nothing for a cracker to get onto it. Uses SSL web access (new in later versions) or a Winblows client for configuration.
Oh and one point that is heavily stressed in their marketing material - it's ICSA certified.
There is a small version for ~$750 street price that gives 25-user version with DMZ, no moving parts, runs off 12VDC.
Astaro Security Linux (Score:4, Informative)
P.S. - I don not work for these guys, I am just impressed by what they offer.
Re:Smoothwall (Score:5, Informative)
But, from what I gather, and I have done some searching, Dick (aka Richard Morrell) seems to have a few screws loose. From all accounts, he is cranky and sometimes more than downright nasty.
His product is FREE though, you should just don your asbestos suit should you go looking for support. (View a few IRC logs etc. to get a feel for how "Dick" seems to view newbies and/or non-paying customers.)
Frankly, I'd rather do some extra work myself, than deal with people who are unsociable.
All standard disclaimers, YMMV etc.
Cheers!
Re:Smoothwall (Score:5, Informative)
Well, I'm glad that you had nice experiences, but the general consensus seems to be that good support is a rare thing from Smoothwall (hence IPCop.org, I guess). They certainly carve bold new diretions for customers service! They'll swear at you, not answer emails, and not rarely answer specific questions (instead, cut-n-pastes are regular).
I'm not willing to post my emails between the developers, I, and other people in the company. I really don't want to be hassled by Smoothwall anymore. The funny thing is that I'm quite sure I'm unidentifable in the masses of people who might say such a thing ;)
(and this comes from a paying customer of Smoothwall Corp. - not a freeloader).
I *strongly* recommend any other distro. I didn't think customer service mattered much until I found a bug in their product and wanted them to fix it.
IPCop (Score:2, Informative)
Re:Smoothwall (Score:3, Informative)
Re:IPCop (Score:2, Informative)
Re:LRP "sold out" ? (Score:5, Informative)
Was there any reason for this possibly very damaging statement?
Yeah, because at the linked site [linuxrouter.org]:
On the other hand, this site [steinkuehler.net] seems quite active. I'm not sure what their relationship is.
Re:Smoothwall (Score:4, Informative)
He's gone so far as to make legal quasi-threats against me and other critics of his treatment of Smoothwall users. He's driven away enough developers that the IPCop project was formed and seems to have done quite a good job at proving themselves to have intentions of being more than just another forked project. IPCop [ipcop.org] has performed just wonderfully for me since my abandonment of Smoothwall.
For the morbidly curious, I have an archive of my emailing back and forth with Richard on this webpage [mac.com].
ClarkConnect is Easy and Free... (Score:2, Informative)
Re:Wozniak? (Score:2, Informative)
A few firewall linux based distros (Score:4, Informative)
Re:LRP "sold out" ? (Score:5, Informative)
Instead of linuxrouter.org, the real hotbed of development these days is the LEAF site [sourceforge.net], LEAF standing for Linux Embedded Appliance Firewall. The steinkuehler.net [steinkuehler.net] site you mentioned is a part of LEAF, hosting the Eiger/Dachstein distributions. Unfortunately the linuxrouter.org project doesn't point the way to LEAF. I only found out about it by following the mailing lists.
Ian
astaro firewall (Score:2, Informative)
it is a linux based firewall solution with vpn & virus scanning support. it's the most comprehensive firewall package that i have seen (and that is freely downloadable).
astaro includes implementations of other security related products (swan, etc) all in one package. definately worth a try.
Re:Is a remotely updatable firewall a good thing? (Score:2, Informative)
If you wanted to fake an update, you'd need iShop/Crunchbox's secret key to sign your little bundle of destruction.
I have no idea if this is how they take care of it, but it seems like a good idea to me.
Re:SINCE WE'RE ON THE SUBJECT... (Score:3, Informative)
OK... apparently, I am a moron... well, maybe not a moron, but LAZY. I got off my arse and did some poking around. Look what I found.
I found a few application level proxies -
OpenGateKeeper H.323 Proxy [sourceforge.net]
ftp.proxy [ftpproxy.org] - This looks very well done.
smtp.proxy [quietsche-entchen.de] - done by the same guy as tcpproxy below.
For the generic tcp proxy -
nportredird [asymmetrica.com] - This looks very promising.
aproxy [dilledabb.de] - looks a little too simple, but it's perl! (English can be found via babelfish [altavista.com].)
tcpproxy [quietsche-entchen.de] - This one seems the most complete and designed for a firewalling environment.
I found a whole slew of different app "level" proxies (Quake, POP3, etc.), but most seemed a bit basic. Some of the POP3 ones were cool (proxy auth support).
I was not able to find a good udp proxy - with multi-source/multi-destination (proxy with an ACL). I've a small local port udp redirector (I have no idea where I got it) that I use on my home network, but it's not something I could use at work. So... there ya go.
Summary of mentioned firewalls, and a question (Score:5, Informative)
Firewalls using iptables with 2.4.x kernel:
Firewalls using ipchains with 2.2.x kernel:
Firewalls using ipfwadm with 2.0.x kernel:
My question is, isn't it best to use an iptables-based firewall on a 2.4.x kernel instead of an ipchains- or ipfwadm-based firewall on a 2.2.x or 2.0.x kernel? I definetely want the connection tracking capabilities in the 2.4.x kernel, especially for screwy things like FTP, IRC, etc. (Yes, I know there is an IRC connection tracking patch out now for 2.4 kernels...) Is a kernel that doesn't support connection tracking for firewalls a reasonable option these days?
Another OpenBSD based minimal Firewall (Score:2, Informative)
The emBSD [suspicious.org] Firewall seems to be right on track, and you can download it right now. I've not tried it, but it runs off a 32MB Compact Flash.
Re:Smoothwall Attitude Problems (was: Smoothwall) (Score:2, Informative)
dp
FrazierWall Linux (Score:2, Informative)
Might I suggest FrazierWall Linux. It is a fork of Coyote and LRP, but with better default firewall rules, and a built in web server for local firewall status information. And it will even e-mail the firewall logs to you.
http://www.frazierwall.com/
Plus it passes both the Shields Up and Sygate Scans : http://scan.sygatetech.com/
with stealth mode almost everywhere.
I did have some problems with in initial install. I looked in the config files from Coyote to get things straight with FrazierWall. Other than that, FrazierWall is a well done firewall.
Re:Smoothwall (Score:2, Informative)
Re:Correct Smoothwall Archive URL (Score:2, Informative)
I think the whole problem is that you want something like a small, secure operating system based on linux that has dhcpd and a webserver and IRC and
But Smoothwall is no such thing (you can abuse it as such of course, but don't expect support for that) - it's "a firewall". In short: A firewall is something that is inbetween you and the internet. This can be a software package (i.e. an add-on to the OS) that installs on your workstation or a device that sits on your uplink. And to be precise Smoothwall is the software/OS of such a device.
You really shouldn't run any additional software on the machine that runs Smoothwall, you should run them on machines that are either placed before the firewall or after it, so including GCC in smoothwall doesn't make any sense at all unless you change the purpose of the software from "a firewall" to
Your failure was that you haven't understand the goals of Smoothwall and dustmite's failure was that he hasn't noticed that. When you said that you want to replace Suse and RedHat and only have "one machine to work with" and want to install/run this and that he simply should have said "Sorry, Smoothwall is obviously not the right solution for your problem. Use something else, we can't help you".
Oh, BTW: Do you really except help from someone after you have criticized him for his attitude? This is not a clever tactic.
Re:LRP "sold out" ? (Score:5, Informative)
I can shed a little more light on the middle-recent history of LRP and LEAF. Two years ago, LRP was indeed the center of all linux floppy firewall/router activity. However, people were starting to innovate, and Dave Cinege (who owns the domain name) never seemed to find the time to update his own work or incorporate that of others. It was a running joke on the mailing list. It would not have been much work for Dave to at least put up links to the sites documenting and extending LRP, but it never seemed to happen.
For a while, linuxrouter.sourceforge.net (now changed to leaf.sourceforge.net [sourceforge.net]) was a repository of all the extra work. Before that everything had been on a crazy collection of obscure personal websites (like mine).
Dave promised major updates to LRP, and then gave up on LRP and decided a completely new, cool project was necessary. This was around the time Tim McVeigh was executed, which Dave considered [linuxrouter.org] the murder of a hero or prisoner of war. Without getting into politics or morality, I merely note that it was the last straw [linuxrouter.org] for many people, who made a complete split and formed LEAF. I presume it was the rancor behind this split that keeps Dave from mentioning LEAF on his website.
Unfortunately, if you type "linux router" into Google, LEAF shows up way down the list -- maybe 20th.
IMHO, the people working on LEAF are dedicated and impressive. It remains far and away the best floppy-based router/firewall available. It is certainly the most actively maintained.
Re:LRP "sold out" ? --- LEAF (Score:2, Informative)
i'm glad your response was modded up. I am quite satisfied with the level of activity on LEAF. We are going to move to a recent version of Oxygen in the near future. And the reason for doing that is to be able to run Seawall as a firewall on our
'embedded' boxes.
Re:Summary of mentioned firewalls, and a question (Score:4, Informative)
LEAF/LRP/Dachstein [steinkuehler.net] do so automatically. I assume most if not all of the others you cite do so as well.
So, to answer your question, the answer is "no". Lack of support for connection tracking is indeed unacceptable. But 2.0.x and 2.2.x have tracking after all, at least where it matters.
Bifrost (Score:2, Informative)
There is a real nice, stripped clean and naturally free linux distro for firewalls/routers called bifrost [bifrost.slu.se]. The latest few versions use 2.4-kernels, but they keep a nice annotated back-log of their old distros since 1997. The distro has a fairly clever system for dealing with mobile users (called nomad). It lacks a "click-and-go" wui by design, due to the risk of unneccesary security breaches - in my translation from the swedish pages [robur.slu.se] - Correct filterrules are preferentially constructed "offline", and transfered by scp. For those who want clickability and colors, we recommend Xemacs for suitable coziness. Imho, thats the way to go (although I zealously use emacs instead).
The guys who maintain bifrost/nomad spend a lot of time on fairly advanced network performance testing with different hardware/driver combinations, so you maight want to consider their hardware recommendations as well. For the machines they put together for the Swedish university network, they go with flash-drives for safe (and fast) storage.
If you are curios about the name of the distro, the following helps:
The name Bifrost comes from the nordic mythology, where Bifrost is the bridge between Midgård (The Earth) and Asgård (the home of gods) and is called The Rainbow by humans. It's so strong that it will not be destroyed until Ragnarök - the end of the world. Bifrost is guarded by Heimdall and the red color one can see in it, is a flaming fire that prevents the giants to climb up to Asgård.
Homemade Linux Floppy (Score:2, Informative)
I had not found any good linux floppy firewall distributions running 2.4 the kernel so I figured out how to do it myself. This document doesn't include the instructions on how to include iptables but I will be adding that soon (it isn't too difficult).