Security

IPCop 0.1.1 Review

Selanit writes "I just found a link on Distrowatch to a SecurityFocus Review of IP Cop 0.1.1. IP Cop is a fork of the GPL version of the Smoothwall Linux firewall distro, which had a review linked by Slashdot. Though it has a slick, easy install and good features, a number of people had issues with Smoothwall. IPCop has implemented shadow passwords to fix the security flaw, and their mission statement includes a provision that they will "Provide an enjoyable environment for the Public to discuss and request assistance." The to-do list of features for the upcoming 0.2 version is also interesting."
  • OpenBSD? (Score:2, Interesting)

    Looks interesting. Does anyone know from a security standpoint how this compares to OpenBSD or other similar security minded projects?
    • OpenBSD is an operating system, designed with security in mind. It is probably as secure as anything BSD-derived can possibly be at this point.

      IPCop, Smoothwall, Freesco, etc. are not operating systems, they are dedicated firewall/router devices built on stripped-down linux kernels. Although they incorporate DHCP servers, DNS relays, and similar network infrastructure schtupfh they are nonetheless strictly single-purpose appliances.

      Morrell and Manning should be applauded for their achievement; Smoothwall broke new ground as an easily configured home firewall with Snort and Squid transparently integrated (no small feat).

      Unfortunately, Smoothwall shares one characteristic with OpenBSD; like OpenBSD guru Theo De Raadt, Richard Morrell has an egotistical, abrasive manner and does not communicate well with end-users or fools. If his commercial venture is to be a success, he's going to have to learn some diplomacy. Or maybe not, Larry Ellison gets away with it.
    • Just a quick note on distro-on-disk BSD's I'd look towards ClosedBSD (freebsd based) or emBSD (openbsd for embedded systems). Both are basically stripped down systems, with closedbsd probably being closer to IPCop since it's targeted to easy to setup net access gateways.
  • does it run in runlevel 0 like the "halted firewall"?

    I got invaded the other day because my linux FW was running a stupid service (ssh). Considering a true W ever since.

    • Re:Cool, but... (Score:3, Interesting)

      by NetJunkie ( 56134 )
      SSH isn't stupid. But why was it available to the outside world? You should only do firewall management from inside your network.
    • Re:Cool, but... (Score:3, Informative)

      by EllF ( 205050 )
      You got cracked whilst running ssh? How?

      I'm guessing that you didn't notice that ssh was found vulnerable to an off-by-one compromise recently, and that a new version is out. Check out the advisory [openbsd.org] on it, and get the latest version while you're there.

      The solution to security flaws like this is not running in runlevel0 - it is diligence and administration. Subscribe to bugtraq (here [securityfocus.com]), and keep an eye on what's coming out. Do an occasional nmap scan against yourself. *Know* what ports are open, don't wait to be surprised. ssh is by no means "stupid". Neither are you. Not keeping up to date on what's out there, however, is.
      • Re:Cool, but... (Score:1, Informative)

        by Anonymous Coward
        The off-by-one channel hiccup isn't remotely exploitable. He was no doubt running a broken version of SSH v1.
        • of course I was ;-)

          the point is, broken or not, I should not be running ssh AT ALL on the firewall, with access from outside.

          But, since it was my home system, nothin really important got compromised. I think the dude just tried to set an account and use my relay to spam a bit. Damn me.

          And nay, it was SSH v2, dunno how they did it.

          • of course I was ;-)

            the point is, broken or not, I should not be running ssh AT ALL on the firewall, with access from outside.

            But, since it was my home system, nothin really important got compromised. I think the dude just tried to set an account and use my relay to spam a bit. Damn me.


            I think you are either making this up or are just simply wrong.

            And why don't you just allow ssh to a few trusted machines anyway?
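The advice in this sub-thread (manage the firewall only from inside, know which ports are open, limit SSH to trusted machines) can be checked mechanically on the firewall itself. The following is an added example, not code from any poster or from the IPCop project: it parses `netstat -tln`-style output and flags listeners that are not confined to loopback or the inside network. The addresses, the sample output and the `allowed_outside` policy are constructed assumptions.

```python
import ipaddress

# Constructed sample: `netstat -tln` output from a hypothetical two-NIC firewall.
# 192.168.1.1 is the inside (LAN) address, 203.0.113.7 the outside address.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:81          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:25          0.0.0.0:*               LISTEN
"""

# Assumption: everything inside this network counts as "inside".
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_listeners(netstat_text):
    """Return (address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers and anything that is not a listening tcp/tcp6 socket.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        # rpartition splits on the last colon, so ":::22" gives "::" and "22".
        addr, _, port = fields[3].rpartition(":")
        listeners.append((ipaddress.ip_address(addr), int(port)))
    return listeners


def externally_reachable(listeners, internal_nets, allowed_outside=frozenset()):
    """Flag listeners that are not limited to loopback or the inside network.

    A wildcard bind (0.0.0.0 or ::) accepts connections on every interface,
    including the outside one, unless the packet filter drops them first.
    This check covers the socket layer only; the filter rules are a separate
    layer and need their own review.
    """
    findings = []
    for addr, port in listeners:
        if addr.is_loopback:
            continue
        if any(addr in net for net in internal_nets):
            continue
        if port in allowed_outside:
            continue
        reason = "wildcard bind" if addr.is_unspecified else "bound to outside address"
        findings.append((str(addr), port, reason))
    return findings


def audit(netstat_text, internal_nets=INTERNAL_NETS, allowed_outside=frozenset()):
    """Parse netstat output and return the listeners that need attention."""
    return externally_reachable(parse_listeners(netstat_text), internal_nets, allowed_outside)


if __name__ == "__main__":
    for addr, port, reason in audit(SAMPLE_NETSTAT):
        print(f"REVIEW {addr}:{port} ({reason})")
```

Run against real output, the flagged lines are the services to rebind to the inside address, restrict to trusted source addresses in the packet filter, or switch off.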
  • by freeio ( 527954 ) on Sunday March 17, 2002 @02:23PM (#3177432) Homepage
    We have tried IPCop 0.1.1 at the office, and it has one very big advantage over using a general purpose distribution: it installs and comes up running very quickly. From inserting the CDROM to completion of the install on a typical system (200MHz Pentium with 64MB memory) it took about 14 minutes to having it running.

    We use it as a three-way firewall with a DMZ, and that is stone-cold simple to install. Slick, with no problems.

    Highly recommended!
    • by paenguin ( 311404 ) on Sunday March 17, 2002 @03:16PM (#3177584)
      I've done a lot of IPCop installs and I can have it installed and configured in 10 minutes pretty much every time. That includes from the time I boot the CD to start the install to doing all the patches, turning on all the services I like and defining the dhcp ranges it will be serving.

      This is one nice Linux security distribution. It requires minimal skill to install and there is a huge FAQ on the website.

      Highly recommended!

      Here's what you get:

      - Totally GPL
      - Friendly support on mailing list
      - All source code available on public CVS
      - Installs from bootable CD, or with a floppy to kick it off, installs from CD, http or ftp.
      - 2.2.21rc1 Kernel
      - EXT3 File System
      - IPChains based firewall
      - Network Address Translation (NAT)
      - Analog/ISDN/ADSL modem support
      - Support for almost any connection type
      - CheckPoint Soft. SecuRemote Support
      - Full DMZ Support
      - Web Based GUI Admin & Config System
      - Full Status Display
      - Full Traffic Graphs
      - Full Connections Information
      - PPP Settings/Configuration Area
      - PPtP ADSL Support
      - PPPoE Support
      - USB ADSL Firmware Upload Area
      - Modem Configuration Area
      - SSH server for Remote Access
      - Password Control Area
      - HTTP/FTP/HTTPS Web Proxy
      - DHCP Server
      - Caching DNS
      - TCP/UDP Port Forwarding
      - External Service Access Control
      - DMZ Pinholing Capacity
      - Dynamic DNS Support
      - Intrusion Detection System (SNORT)
      - VPN Support (FreeSWAN) with Control Area
      - Full System Logs
      - Web Proxy Logs
      - Firewall Logs
      - Intrusion Detection System Logs
      - Remote Shutdown/Reboot Area
      - Integrated JAVA Based SSH Shell Area
      - IPCop Linux Updates Area
      • Nice work whoring yourself, Phil. I suppose you couldn't resist stooping to a new low. Well, I am damned if I'm staying in the shadows any longer. I think I'm best qualified to comment on the "IPCop feature list", since really IPCop is something I wrote a significant amount of. I thought it might be interesting to see what (if any) progress you've made.

        - Installs from bootable CD, or with a floppy to kick it off, installs from CD, http or ftp.

        So it uses the installer I wrote for SmoothWall then. Ah, you did change the banner along top to remove both mine and Richard Morrell's names.

        - IPChains based firewall, - Analog/ISDN/ADSL modem support
        - Support for almost any connection type

        Yeah. Again, looks just like a SmoothWall feature.

        - Full DMZ Support, - Web Based GUI Admin & Config System

        So let's see. You changed the logo (very nice btw!!!) And did some edits of the header.pl file. Well done! Thanks for the tiny mention in the Credits page. It's nice to credit where it's due. I don't think any member of the IPCop team wrote the DMZ support code, did they?

        - Full Status Display, - Full Traffic Graphs

        Hmm... SmoothWall features, those! Of course, I would never use the word "Full" in describing any feature. It shows that you are unable to think of something better.

        - Full Connections Information

        If you call "netstat -taM" in a CGI 'Full Connections Information', that's up to you. I find it very funny though. You've obviously not used real tools before if you think that's "Full Connections Information". But Jack had to get his "feature" in, didn't he.

        - PPP Settings/Configuration Area

        I wrote that for Smoothie too. This is getting DULL. Where are the improvements, Phil? Where is support for unlimited numbers of profiles, which I will one day get around to writing? Etc etc?

        - PPtP ADSL Support

        You score one point :) It's only not been written for SW because the demand is so small.

        - PPPoE Support

        Pierre-Yves Paulus wrote that for SW, with some help from me. Ah, that was fun. Writing scripts to actually connect to the net on a remote box was a memorable experience. Anyway, where do you credit him?

        - USB ADSL Firmware Upload Area

        Dan Goscomb wrote the CGI/scripting support for USB ADSL. Where do you credit him?

        - Modem Configuration Area

        MMM yes, I seem to remember writing that page too.

        - SSH server for Remote Access, Password Control Area, HTTP/FTP/HTTPS Web Proxy, DHCP Server, Caching DNS, TCP/UDP Port Forwarding, External Service Access Control, DMZ Pinholing Capacity

        All standard features of SW, mostly the script work was done by me with some help from other people in the team.

        - Dynamic DNS Support

        CGI and script written by Pierre-Yves Paulus, for SW.

        - Intrusion Detection System (SNORT)

        Conf file tweaked by SW team member Dan Cutherbert. CGI (such that it is) written by me.

        - VPN Support (FreeSWAN) with Control Area

        CGI and setuid helper written by me in a bored afternoon.

        - Full System Logs, Web Proxy Logs, Firewall Logs, Intrusion Detection System Logs

        Hmm, wonder who wrote those log viewers? :) It wasn't an IPCop team member, that's for certain.

        - Remote Shutdown/Reboot Area, Integrated JAVA Based SSH Shell Area

        Richard's idea that one. Obvious when you think about it, but his idea none-the-less. Where are your ideas??

        - IPCop Linux Updates Area

        Dan Goscomb wrote the update feature, and associated routines. Again, can't you do anything different?

        Ah well, that was interesting wasn't it? I hope everyone thought so. As to progress, it seems a nice round (fat) 0 would be the best score to give. IPCop is SmoothWall GPL with a different banner along the top, and very little else. They also refuse to give credit where it is due, and this, IMNSHO, is totally unethical. The IPCop team also seems to have a total lack of talent. You've had getting on 5 months, and all you've produced is a clone with an ugly web interface. Anyway, I thought I would stick my head out for once. Personally I don't give a damn what you do with IPCop. The fact that you don't even give us proper credit shows what a sick bunch of people you are, though.

        Lawrence Manning (lawrence@smoothwall.org [mailto])
        Principal Author, SmoothWall

      • > [snip feature list]

        I've said it before [slashdot.org], I'll say it again - ipcop owes a hell of a lot of that to SmoothWall.

        If you (ipcop the project that is) intended to rip up [slashdot.org] the 0.9.9 GPL codebase, which forms the bulk of IPCop 0.1.x, why did you bother using the 0.9.9 codebase at all? Oh, to shout out loud and gather numbers. Just how far away is that fabled 0.2 codebase? All I see are confusing discussions about Perl, Python and Ruby (oh my!</oz>), very basic XML/RPC implementations, and not much else.

        ipcop had the wrong motivation behind it from the start. If you had issues with Richard Morrell, why not confront him about them, instead of slinking off (some ex-SW team members didn't even tell us they'd left!!) to ipcop-land, and muttering amongst yourselves on your own lists and news servers. You were vocal in the worst way, but so be it.

        I personally am sick of all this bollocks. It's a waste of everyone's time and energy. People must think we sit and scheme about ipcop and think up insults and so on - we don't. We just get on with things. There's no point in sitting about going "oh DICK morrell, what a [insert insult]" or "smoothwall is [insert insult]" ... It's utterly juvenile, and just a waste of time. As soon as the ipcop "crowd" realise that, the better.

  • by bleckywelcky ( 518520 ) on Sunday March 17, 2002 @02:23PM (#3177433)

    I have read over IPCop configurations and documentations several times before, and it is definitely a good solution for a simple home office or other small business network. It is fairly simple to use and setup, and fairly robust in operations. However, there is one thing that it lacks, as well as what many other solutions lack: the ability to handle redundant internet access. Although I have not looked at every single software solution for routing and networking on this scale, there still seems to be a lack of redundant-internet-connection support in the field. The ability to use multiple internet connections for backup in a single software solution, as well as to use multiple internet connections to increase overall bandwidth, seems to be missing.

    Has anyone run across developing projects (or already developed projects) that are trying to accomplish this sort of feat? I have seen a hardware solution or two that have tried to work this problem, but they are rather impractical for a home office user who needs redundancy (telecommuting, etc) or expansion of their bandwidth (kids playing games while they need to transfer projects around, etc) for their home network. Can anyone comment on this subject?
    • It isn't the firewall's job to do this, that is up to your router. Firewalls shouldn't get in the business of routing or handling routing protocols.
    • All *nix distributions can handle multiple uplinks, once you've tweaked them properly. Load balancing can be an issue, but if you want pure redundancy, that's not a huge problem. Servers on redundant connections is a whole different ball of wax, though.

      • Well, I was mainly interested in investigating these 'solutions-out-of-the-box' type setups. I actually haven't looked seriously into the specifics and ideas behind piggy-backing, so I'm not sure of what the algorithms for this to work would look like. Although, I would have to assume that the technology could look similar to the processes behind certain download managers, where the specific package is divided and retrieved from different servers. For any given client, the information they may request would be split into default chunk sizes. The server controlling the multiple connections would then attempt to retrieve each chunk along one connection, and allow a certain amount of time before it has determined that the wait is 'too long' and request remaining chunks along an alternate connection until the former connection has caught up.

        Having said that, I have tried to get some connections up and running on various *nix distros before, but could never get them working completely properly. Do you know of any references that explain the process/tweaking behind setting up these multiple connections? As far as running servers on redundant connections - I would think that you would need some client side configuration for that to work (or a new communication protocol to allow server directions in this situation, heh), which seems to be rather impractical right now, heh.
    • ...as well as to use multiple internet connections to increase overall bandwidth...

      That really requires BGP to do right.. and BGP means you have an ASN [arin.net], which costs money now and you wouldn't be able to get your broadband provider to peer with you anyway.

    • For connecting a large (300+ seats) internal network at our LAN parties to the Internet via a combination of ADSL and cablemodem lines, I use the Squid Proxy Cache [squid-cache.org] to bundle the lines. This provides us with fault-tolerance, nice load-balancing of the outgoing connections, and a solid cache pool. There's one primary cache (high-end box with fast disks) that is visible to the users, and for each outgoing line a small PC (Pentium 233 will do fine) that acts as a parent (see round-robin [visolve.com] option).

      We've experimented with load-balancing on a layer below, and I've found it much more difficult to maintain and debug... you know, squid offers beautiful logs and has many cool tuning parameters (I can even put weights on the lines!).

  • Choice is good (Score:2, Insightful)

    by DreamerFi ( 78710 )
    As author of a similar project (www.dubbele.com) I'm glad to see competition. Different people need different solutions, and there's plenty of difference between mine and theirs.

    -John
  • by bhsx ( 458600 )
    It seems that more and more people are using politics to spur linux distributions. Spinning-off a GPL project is all well and good; but do you have to wish ill on the original project? It doesn't seem like this is different enough from smoothwall yet to indicate a new distribution. On a similar topic, has anyone checked out Sorcerer GNU/Linux [wox.org] lately? Seems this is happening a bit too much for my taste. I'm all for things like K12LTSP [k12os.org] which don't attempt to take anything from their originators, yet add productive/useful features for anyone in a specialized niche.
    • by TellarHK ( 159748 ) on Sunday March 17, 2002 @03:01PM (#3177546) Homepage Journal
      Actually, as a member of the IPCop user mailing list, I'd have to say that any ill-will has been pretty well restrained. The list might occasionally flare with the occasional flame, but the moderators of the list do a pretty good job of keeping it all in check.

      IPCop has the goal of planning a large rewrite for the .2 release, and I'm looking forward to seeing where these efforts go. While Smoothwall GPL support seems to have stalled in a few areas (most notably USB Speedtouch modem speeds) IPCop continues with the full effort of the team.
    • by Anonymous Coward on Sunday March 17, 2002 @04:28PM (#3177897)
      the reason ipcop doesn't currently appear that technically different from smoothwall is because currently it's not. the 0.1 release was just a stop-gap measure to provide people an immediate alternative to smoothwall; not a technical alternative, but a logistical alternative.

      matter-of-fact, phil barnett, who used to run the unofficial smoothwall mailing lists (even before smoothwall.org had an "official" mailing list), says something along those same lines here [matrixlist.com].

      a major rewrite is planned for 0.2, which will clearly differentiate ipcop from smoothwall.

      but was the logistical problem really that big, big enough to necessitate a fork? what follows is a repost from the official smoothwall "users" mailing list where all i did was inquire about the GPLed kernel sources and patches used in the distribution. i didn't ask for the smoothwall project to provide them, but only to state what they were so that i could find, download, and rebuild the kernel sources with qos (quality-of-service) capabilities enabled, one that would be as similar as possible to the smoothwall kernel (for a drop-in replacement).

      i thought one of the original benefits richard stallman intended for GPLed software is that the user can infinitely customize and tailor the product to suit them and there is no vendor lock-in as the source code can be altered for the customer by third-parties? isn't the GPL about the customer? obviously smoothwall management (richard morrell, "project manager and founder") doesn't have anything (especially ideals) in common with stallman besides a first name.

      note: yeah, i've removed the email addresses and phone numbers contained in the following message. as much as i disagree with richard morrell's attitude, i don't wish spambots or people upon him or his email addresses (see "Golden Rule", Matthew 7:12 & Luke 6:31).


      From: Richard Morrell
      Sent: Saturday, September 22, 2001 2:58 PM
      To: Wright, Corey
      Cc: users@
      Subject: Re: [users] What kernel source and distro-base?

      DONT

      If you think you have something to add use your brain

      Come talk to the team

      QoS is so so so unneeded.

      You will get fuck all help from us dude

      Richard Morrell, project manager and founder - SmoothWall
      Technical Director - Caveonet Ltd

      On Fri, 21 Sep 2001, Wright, Corey wrote:

      > What kernel source (plus patches) and distribution (if any) is 0.9.9 based
      > on?
      >
      > I'm wanting to add QoS capabilities to SmoothWall using kernel modules
      > (sch_*), the tc application, and a script borrowed/modified from LRP
      > sec-EtherToEtherFiles.html>.
      >
      > I know from looking at the smoothwall-0.9.9-kit.tar.gz tarball that the
      > kernel config's are included in that and that the kernel was 2.2.19, but
      > what kernel source was used (stock, patches, etc)? If the kernel was
      > patched, is the modified kernel source provided somewhere, or at least the
      > patches to apply to the stock kernel?
      >
      > What distribution was used as the base for the SmoothWall, if any? If all
      > the apps came from a distro, then I can simply see if that distro provides
      > tc (ex. in Red Hat's iproute rpm) instead of having to statically compile tc
      > (or try to match library versions).
      >
      > The "donor" computer I currently use for SmoothWall 0.9.8 had Red Hat 6.2
      > installed on it (just two weeks ago, right before 0.9.9 was released) and I
      > had QoS set up, but with a simpler script. The script I used only provided
      > "Stochastic Fair Queuing" and didn't discriminate between different types of
      > traffic (like the LPR script does), but it really helped make web surfing
      > and chatting tolerable while apt-getting debian packages over a dial-up
      > link. (Instead of one large queue, like the tcp/ip stack has, SFQ creates
      > multiple queues based on origin and destination ip address pairs [and
      > possibly including destination port; can't remember], and pulls a packet off
      > of each queue round-robin style. So even though there may be tons of
      > packets queued, bound for a particular ftp server, packets bound for a
      > [different] web server don't have to wait at the end of the line behind all
      > those backed-up ftp packets, because those http packets have their own
      > line.)
      >
      > I would be happy to document my work (assuming I get it to work) so that
      > this could be incorporated into SmoothWall.
      >
      > Or if the SmoothWall team isn't interested, I'll just have to ask for this
      > same information next time/version around. ;-)
      >
      > Corey
      >
      > PS Thanks for SmoothWall and I look forward to installing and modifying
      > 0.9.9.


      i never received any follow-up or further assistance from the smoothwall team (if you even dare to call the above "assistance"), but eventually reached my goal with the helpful detective work of another smoothwall user, who had also received a similar reply from smoothwall management to a similar request.

      and this is why i do not recommend nor support smoothwall, and instead point to the ipcop project.
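The queuing behaviour described in the quoted e-mail (one shared queue versus per-flow queues served round-robin) can be seen in a few lines. This is an added example, not code from the poster, SmoothWall, IPCop or the LRP script; the addresses and packet labels are constructed, and it keeps exactly one queue per source/destination pair, whereas real SFQ hashes flows into a fixed number of buckets, so two flows can occasionally share one.

```python
from collections import OrderedDict, deque, namedtuple

Packet = namedtuple("Packet", "src dst label")

# Constructed backlog on a slow uplink: six packets to an FTP server are
# already queued when two packets to a web server arrive behind them.
LAN_HOST = "192.168.1.10"
FTP_SERVER = "198.51.100.20"
WEB_SERVER = "203.0.113.80"
BACKLOG = (
    [Packet(LAN_HOST, FTP_SERVER, f"ftp-{i}") for i in range(1, 7)]
    + [Packet(LAN_HOST, WEB_SERVER, f"http-{i}") for i in range(1, 3)]
)


def flow_key(pkt):
    """Flows are told apart by source/destination address pair, as in the e-mail."""
    return (pkt.src, pkt.dst)


def fifo_order(packets):
    """One shared queue: packets leave in arrival order."""
    return list(packets)


def sfq_order(packets):
    """Per-flow queues, one packet taken from each non-empty queue per round."""
    queues = OrderedDict()
    for pkt in packets:
        queues.setdefault(flow_key(pkt), deque()).append(pkt)
    sent = []
    while queues:
        # Copy the keys so that drained queues can be removed during the round.
        for key in list(queues):
            sent.append(queues[key].popleft())
            if not queues[key]:
                del queues[key]
    return sent


def first_slot(order, dst):
    """1-based transmit slot of the first packet bound for dst."""
    for slot, pkt in enumerate(order, start=1):
        if pkt.dst == dst:
            return slot
    raise ValueError(f"no packet for {dst}")


if __name__ == "__main__":
    for name, scheduler in (("FIFO", fifo_order), ("SFQ", sfq_order)):
        order = scheduler(BACKLOG)
        print(f"{name:4} first HTTP packet leaves in slot {first_slot(order, WEB_SERVER)}: "
              + " ".join(p.label for p in order))
```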
    • As an active user of Sorcerer GNU/Linux, I would like to point out that no one went out of their way to antagonize Kyle Sallee, the original creator of Sorcerer. Following the two Slashdot articles about Sorcerer, interest in the distro skyrocketed, and suddenly Kyle found that there was far more work than he could handle alone. Several people offered to help him manage the project, notably Ryan (whose last name I don't know) who later founded sorcerylinux.org.

      Kyle refused help, and eventually (for reasons that are unclear) dropped the project. He announced it was all over, pointed sorcerer.wox.org to a fork called lunar-penguin which had already been established, and disclaimed any further interest. Later, he added a link to the sorcerylinux.org [sorcerylinux.org] project. Then, inexplicably, those were taken down and replaced with a long diatribe ( mirrored here [sagelikefool.net]) dissing both projects, followed a few days later by an apparent attempt to revoke the GPL license Sorcerer was released under. (That article is still up at sorcerer.wox.org, as reported in the parent comment, at the time of this writing.)

      (Please note that the authorship of the last two documents mentioned above is not 100% certain. The consensus on the Sorcerer mailing lists, however, is that Kyle did in fact write them.)

      The leader pro tem of the current Sorcerer project wrote a rebuttal of the first article [sorcerylinux.org] and when the new one came out another one. [sorcerylinux.org]

      The whole mess is puzzling, but one thing is clear: this was NOT a hostile takeover of the Sorcerer project. This was a group of people just trying to save a cool project after its creator dumped it and tried his best to kill it.
      1) Nobody forced Kyle to drop it.
      2) Nobody forced him to link to the two "child" projects, Sorcerylinux.org and lunar-penguin.org
      3) Nobody forced him to put up the article attacking both projects, or to try and remove the GPL.

      If Kyle has become alienated from the Sorcerer community, it is no one's fault but his own.
  • looks interesting alright, but why wait?
    I'm running my own RedHat 7.2 box with iptables, squid and the whole nine yards. Works perfectly, probably because I had to configure it myself, didn't use a preconfigured firewall distro.
  • by XRayX ( 325543 )
    You might already know this, but there is a really good one-disk-router/firewall around: Fli4l [fli4l.de].
  • You can find layouts like that , and my special super [oswd.org]
  • by sloop ( 135178 ) on Sunday March 17, 2002 @04:01PM (#3177770) Homepage Journal
    I just installed IPCop this afternoon. Coincidentally, I saw this news story show up on slashdot the same time I was burning the CD-ROM.

    So far, I am impressed.

    The securityfocus review is very lacking, and very disappointing in content to be coming from a "security" site.

    The IPCop installation was very simple and straightforward. The only hiccup was getting my ISA NICs to work.. I had to use a setup floppy to set the IO address, and manually load the driver "ne io=0x220".

    The DMZ feature is very cool, and it looks like you can run IPSec out of the box.

    The web interface is very slick. This interface is what separates it from a stock RedHat distribution with some custom iptables rules. Previously I was running a floppy-based distro for my firewall (BBIagent). I like IPCop better because it has SSH support, an update system, and I can log in to the console and 'do stuff'.
    • I have had the same experiences with old ISA NICs. Installing IPCop on a machine with 2 old SCM (driver: scm-ultra) required me to modify conf.lilo and tweak the IRQ setting on one card. Not easy, but workable.

      OTOH, yesterday I installed it on a newer machine with 2 identical 3c905 PCI NICs and everything went swimmingly! I love IPCop and can't wait for v0.2!

      BTW: The only thing I had an "issue" with was figuring out which NIC was attached to which interface. (GREEN = PCI1 = eth0???) Or, how does it know which card to use for which interface on a cold boot? Does anyone have any clues on this?
  • by joebp ( 528430 ) on Sunday March 17, 2002 @04:16PM (#3177853) Homepage
    • IPCop lacks Richard Morrell [google.com].
    • IPCop fixes the long-known USB ADSL bug with Smoothwall -- which cripples upload speed to 3K/s instead of 30K/s.
    • No nagware, adverts, requirements to donate to get basic support, etc.
    • Smoothwall GPL is treated and referred to as 'trialware' by the Smoothwall development team, and is essentially dead as GPL project.
    Smoothwall is in my opinion perhaps the most ungraceful transition from a pure open-source project to a business in recent history.
  • Don't click on the article link hoping for a review from the fine folks at Security Focus. This is simply an install HowTo; editorializing is kept to a minimum.
  • Better Solution? (Score:2, Interesting)

    by PJPorch ( 257393 )
    I was playing with a number of similar stripped-down versions of linux that were intended for firewalls. IPCop has a nice interface and is simple to setup, but found that I like Astaro for a better solution. The Hardware requirements are a little higher, but I think the interface is better and one key feature that changed my mind is that Astaro is a stateful firewall.
    From Astaro Website

    http://www.astaro.com

    System
    Linux 2.4-based, Change-Root Protection, Kernel-Capability Protection, Web-based Administration (128 Bit SSL encrypted), Updating via Internet (1024 Bit PGP signed), Logging via Syslog/SNMP/ASCII-Files.

    Firewall
    Stateful Packet Inspection, Portscan Detection, Anti Spoofing.

    Virtual Private Networks (VPN)
    IPSec and IKE (RFC 2408/RFC 2409), Microsoft PPTP (RFC 2637) Algorithms: Diffie-Hellman/3DES/MD5/SHA 1.

    Proxies
    HTTP (Content Filter, Cache, Authentication), HTTPS, SMTP (Virus Protection), DNS, SOCKS 4.0/5.0 (Authentication), Authentication via User Database/Radius/MS Windows NT or 2000.

    Networking
    Source and Destination NAT, Masquerading, up to 25 Ethernet Interfaces (10/100/1000 MBit), IP Aliasing, Randomized TCP Sequencing, Proxy ARP, Automated Routing.

    Performance
    Running on a 750 MHz CPU: Up to 64000 concurrent Connections, up to 650 MBit/s Filter Throughput, up to 25 MBit/s VPN Throughput.

    Josh
  • Author speaks out. (Score:3, Interesting)

    by Babel ( 100429 ) on Sunday March 17, 2002 @10:19PM (#3179180) Homepage
    As the author of the SecurityFocus article in question, I'd just like to answer a few comments:

    * Yup, I found this an interesting project for a number of reasons. It was WAY easier to set up than a standard Linux distro, but be aware that's because it has ONE purpose and one only -- to be a firewall. This is good and bad. As a simple, easy to install firewall system, I like it.

    * I haven't played with www.dubbelle.com but I'll be sure to check it out shortly. There are lots of other good cut-down distros out there, and I'm sure there is place for all of them. The one advantage that IPCop has over a single floppy distro is a few extra features such as squid and IPSec.

    * Sorry, the article really was meant to be a how-to, rather than a review. I'm sorry about those who were disappointed expecting more of a review article but I prefer to write in the more practical sense. If you want a review, here's a one word one: GOOD. I'd be interested to hear what one poster (sloop) found "lacking" in the article, however.

    * I hereby refuse to make any comment concerning Richard Morrell.

    * Yup, Astaro is a fine distro too, and no doubt the fine folks at SecurityFocus will probably review it as well. I'm not that familiar with it myself so no doubt they'll get someone else to do the review.

    Del
  • I'm running e-smith [e-smith.org] server 5.1.2 and wonder how it compares to ipcop. Since I'm on cable, every time I reboot I get assigned a new IP address; e-smith has a useful service that will automatically register my new IP with any one of a number of different domain name forwarding agents, e.g. dyndns [dyndns.com].

    I note that ipcop is only on version 0.1.1 and I wonder if this means that the product is still evolving.

    How would a product like Mandrake [mandrake-linux.com] Server compare, apart from potentially being much bigger? (e-smith was only about 400 MB for the complete package).

    • E-Smith is an excellent little distro but if you consider every service it runs as a security risk then it simply has more of them than a stand alone firewall.

      Also, I know Smoothwall has built in support for dyndns, no-ip etc. also. I would think Ipsec does too.
  • Having just spent a few hours installing ipcop I can say it rocks. We had a problem that it wasn't detecting the USB properly, but this was solved by not having the usb modem plugged in. The real difficulty was that the usb claimed to be "Unset" rather than either of the two options, but when my friend emailed them he got a quick response saying that the installer was being changed to make it more clear.

    Once you get the thing working it's a dream, uploaded the file and had USB ADSL (to BTOpenWorld) going in no time at all. Possibly it's just wishful thinking, but response times and pings in general seem better (though it's bto, so they're still pretty crap), and it is just brilliantly easy to admin. Even the non-linuxy guys in the house are loving the new setup (for the record it's a student place with about 8 machines so we fit into the home/small office category).
