IPCop 0.1.1 Review

Selanit writes "I just found a link on Distrowatch to a SecurityFocus Review of IP Cop 0.1.1. IP Cop is a fork of the GPL version of the Smoothwall Linux firewall distro, which had a review linked by Slashdot. Though it has a slick, easy install. and good features, a number of people had issues with Smoothwall.. IPCop has implemented shadow passwords to fix the security flaw, and their mission statement includes a provision that they will "Provide an enjoyable environment for the Public to discuss and request assistance." The to-do list of features for the upcoming 0.2 version is also interesting. "

OpenBSD?

[daemonslayer]

Looks interesting. Does anyone know from a security standpoint how this compares to OpenBSD or other similar security minded projects?

An appliance, not an OS

[RevCheswollen]

OpenBSD is an operating system, designed with security in mind. It is probably as secure as anything BSD-derived can possibly be at this point.

IPCop, Smoothwall, Freesco, etc. are not operating systems, they are dedicated firewall/router devices built on stripped-down linux kernels. Although they incorporate DHCP servers, DNS relays, and similar network infrastructure schtupfh they are nonetheless strictly single-purpose appliances.

Morrell and Manning should be applauded for their achievement; Smoothwall broke new ground as an easily configured home firewall with Snort and Squid transparently integrated (no small feat).

UNfortunately, Smoothwall shares one characteristic with OpenBSD; like OpenBSD guru Theo De Raadt, Richard Morrell has an egotistical, abrasive manner and does not communicate well with end-users or fools. If his commercial venture is to be a success, he's going to have to learn some diplomacy. Or maybe not, Larry Ellison gets away with it.

Re:OpenBSD?

[Schubert]

Just a quick note on distro-on-disk BSD's I'd look towards ClosedBSD (freebsd based) or emBSD (openbsd for embedded systems). Both are basically stripped down systems, with closedbsd probably being closer to IPCop since its targetted to easy to setup net access gateways.

Cool, but...

[Sunda666]

does it run in runlevel 0 like the "halted firewall"?

I got invaded the other day because my linux FW was running a stupid service (ssh). Considering a true W ever since.

Re:Cool, but...

[NetJunkie]

SSH isn't stupid. But why was it available to the outside world? You should only do firewall management from inside your network.

Re:Cool, but...

[EllF]

You got cracked whilst running ssh? How?

I'm guessing that you didn't notice that ssh was found vulnerable to an off-by-one compromise recently, and that a new version is out. Check out the advisory [openbsd.org] on it, and get the latest version while you're there.

The solution to security flaws like this is not running in runlevel0 - it is diligance and administration. Subscribe to bugtraq (here [securityfocus.com], and keep an eye on what's coming out. Do an occasional nmap scan against yourself. *Know* what ports are open, don't wait to be surpised. ssh is by no means "stupid". Neither are you. Not keeping up to date on what's out there, however, is.

Re:Cool, but...

[Anonymous Coward]

The off-by-one channel hickup isn't remotely exploitable. He was no doubt running a broken version of SSH v1.

Re:Cool, but...

[Sunda666]

of course I was ;-)

the point is, broken or not, I should not be running ssh AT ALL on the firewall, with access from outside.

But, since it was my home system, nothin really important got compromised. I think the dude just tried to set an account and use my relay to spam a bit. Damn me.

And nay, it was SSH v2, dunno how they did it.

Re:Cool, but...

[nihilogos]

of course I was ;-)

the point is, broken or not, I should not be running ssh AT ALL on the firewall, with access from outside.

But, since it was my home system, nothin really important got compromised. I think the dude just tried to set an account and use my relay to spam a bit. Damn me.


I think you are either making this up or are just simply wrong.

And why don't you just allow ssh to a few trusted machines anyway?

IPCop as a quick solution to firewalling

[freeio]

We have tried IPCop 0.1.1 at the office, and it has one very big advantage over using a general purpose distribution: it installs and comes up running very quickly. From inserting the CDROM to completion of the install on a typical system (200MHz Pentium with 64MB memory) it took about 14 minutes to having it running.

We use it as a three-way firewall with a DMZ, and that is stone-cold simple to install. Slick, with no problems.

Highly recommended!

Re:IPCop as a quick solution to firewalling

[paenguin]

I've done a lot of IPCop installs and I can have it installed and configured in 10 minutes pretty much every time. That includes from the time I boot the CD to start the install to doing all the patches, turning on all the services I like and defining the dhcp ranges it will be serving.

This is one nice Linux security distribution. It requires minimal skill to install and there is a huge FAQ on the website.

Highly recommended!

Here's what you get:

- Totally GPL
- Friendly support on mailing list
- All source code available on public CVS
- Installs from bootable CD, or with a floppy to kick it off, installs from CD, http or ftp.
- 2.2.21rc1 Kernel
- EXT3 File System
- IPChains based firewall
- Network Address Translation (NAT)
- Analog/ISDN/ADSL modem support
- Support for almost any connection type
- CheckPoint Soft. SecuRemote Support
- Full DMZ Support
- Web Based GUI Admin & Config System
- Full Status Display
- Full Traffic Graphs
- Full Connections Information
- PPP Settings/Configuration Area
- PPtP ADSL Support
- PPPoE Support
- USB ADSL Firmware Upload Area
- Modem Configuration Area
- SSH server for Remote Access
- Password Control Area
- HTTP/FTP/HTTPS Web Proxy
- DHCP Server
- Caching DNS
- TCP/UDP Port Forwarding
- External Service Access Control
- DMZ Pinholing Capacity
- Dynamic DNS Support
- Intrusion Detection System (SNORT)
- VPN Support (FreeSWAN) with Control Area
- Full System Logs
- Web Proxy Logs
- Firewall Logs
- Intrusion Detection System Logs
- Remote Shutdown/Reboot Area
- Integrated JAVA Based SSH Shell Area
- IPCop Linux Updates Area

Re:IPCop as a quick solution to firewalling

[paenguin]

This is weird - I just surfed by the Sourceforge mailing list archive. You are an admin on this project so effectively whoring yourself here.

You must have bad vision, then, because I am not associated with the administration of this project in any way. I don't even have CVS rights. I haven't donated any code, I have no submissions to anything that is in the CVS of this project.

The copyright on most of the SmoothWall 0.9.9 GPL code reads: "Copyright, 2001, The SmoothWall Team". Good luck on enforcing that one. It is my understanding that copyrights can only be held by legal entities, and as far as I have found, "The SmoothWall Team" was never a legal entity. If there was such an entity, anyone who was ever granted membership of the team would hold legal copyright. I'm open to being proven wrong.

...if Eben Mogel is reading this I'd suggest he contact the guys at the FSF Center because this smacks of really abusing author rights protected under the GPL.

Doing whatever you want to do with the code is exactly what the GPL is all about. If you don't like the way things are going with some GPL code for any reason, you are free to do whatever you like with the code as long as you feed it back to the community as GPL code.

Now, if copyrights were removed, that would be a different matter. From what I understand, that has not been done.

From what I have read on the IPCop-dev mailing list, most of the SW 0.9.9 code will be discarded and implemented in a different way in the 0.2.0 branch of the IPCop project. According to the IPCop-dev mailing list, the Perl code will all be discarded.

Talk is cheap when you post as an Anonymous Coward.......

Re:IPCop as a quick solution to firewalling

[aslak79]

Nice work whoring yourself, Phil. I supose you couldn't resist stooping to a new low. Well, I am damned if I'm staying in the shadows any longer. I think I'm best qualified to comment on the "IPCop feature list", since really IPCop is something I wrote a significant amount of. I thought it might be interesting to see what (if any) progress you've made.

- Installs from bootable CD, or with a floppy to kick it off, installs from CD, http or ftp.

So it uses the installer I wrote for SmoothWall then. Ah, you did change the banner along top to remove both mine and Richard Morrell's names.

- IPChains based firewall, - Analog/ISDN/ADSL modem support
- Support for almost any connection type

Yeah. Again, looks just like a SmoothWall feature.

- Full DMZ Support, - Web Based GUI Admin & Config System

So lets see. You changed the logo (very nice btw!!!) And did some edits of the header.pl file. Well done! Thanks for the tiny mention in the Credits page. It's nice to credit where it's due. I don't think any member of the IPCop team wrote the DMZ support code, did they?

- Full Status Display, - Full Traffic Graphs

Hmm... SmoothWall features, those! Of course, I would never use the word "Full" in describing any feature. It shows that you are unable to think of something better.

- Full Connections Information

If you call "netstat -taM" in a CGI 'Full Connections Information', that's up to you. I find it very funny though. You've obviously not used real tools before if you think thats "Full Connections Information". But Jack had to get his "feature" in, didn't he.

- PPP Settings/Configuration Area

I wrote that for Smoothie too. This is getting DULL. Where are the improvments, Phil? Where is support for unlimited numbers of profiles, which I will one day get around to writing? Etc etc?

- PPtP ADSL Support

You score one point :) It's only not been written for SW because the demand is so small.

- PPPoE Support Pierre-Yves Paulus wrote that for SW, with some help from me. Ah, that was fun. Wrting scripts to actually connect to the net on a remote box was a memorable experience. Anyway, where do you credit him?

- USB ADSL Firmware Upload Area

Dan Goscomb wrote the CGI/scripting support for USB ADSL. Where do you credit him?

- Modem Configuration Area

MMM yes, I seem to remember writing that page too.

- SSH server for Remote Access, Password Control Area, HTTP/FTP/HTTPS Web Proxy, DHCP Server, Caching DNS, TCP/UDP Port Forwarding, External Service Access Control, DMZ Pinholing Capacity

All standard features of SW, mostly the script work was done by me with some help from other people in the team.

- Dynamic DNS Support

CGI and script written by Pierre-Yves Paulus, for SW.

- Intrusion Detection System (SNORT)

Conf file tweaked by SW team member Dan Cutherbert. CGI (such that it is) writen by me.

- VPN Support (FreeSWAN) with Control Area

CGI and setuid helper writen by me in a bored afternoon.

- Full System Logs, Web Proxy Logs, Firewall Logs, Intrusion Detection System Logs

Hmm, wonder who wrote those log viewers? :) It wasn't an IPCop team member, thats for certain.

- Remote Shutdown/Reboot Area, Integrated JAVA Based SSH Shell Area

Richards idea that one. Obvious when you think about it, but his idea none-the-less. Where are your ideas??

- IPCop Linux Updates Area

Dan Goscomb wrote the update feature, and associated routines. Again, can't you do anything different?

Ah well, that was interesting wasn't it? I hope everyone thought so. As to progress, it seems a nice round (fat) 0 would be the best score to give. IPCop is SmoothWall GPL with a different banner along the top, and very little else. They also refuse to give credit where it is due, and this, IMNSHO, is totally unethical. The IPCop team also seems to have a total lack of talent. You've had getting on 5 months, and all you've produced is a clone with a ugly web interface. Anyway, I thought I would stick my head out for once. Personally I don't give a damn what you do with IPCop. The fact that you don't even give us proper credit shows what a sick bunch of people you are, though.

Lawrence Manning (lawrence@smoothwall.org [mailto])
Principle Author, SmoothWall

Re:IPCop as a quick solution to firewalling

[wpanderson]

> [snip feature list]

I've said it before [slashdot.org], I'll say it again - ipcop owes a hell of a lot of that to SmoothWall.

If you (ipcop the project that is) intended to rip up [slashdot.org] the 0.9.9 GPL codebase, which forms the bulk of IPCop 0.1.x, why did you bother using the 0.9.9 codebase at all? Oh, to shout out loud and gather numbers. Just how far away is that fabled 0.2 codebase? All I see are confusing discussions about Perl, Python and Ruby (oh my!</oz>), very basic XML/RPC implementations, and not much else.

ipcop had the wrong motivation behind it from the start. If you had issues with Richard Morrell, why not confront him about them, instead of slinking off (some ex-SW team members didn't even tell us they'd left!!) to ipcop-land, and muttering amongst yourselves on your own lists and news servers. You were vocal in the worst way, but so be it.

I personally am sick of all this bollocks. It's a waste of everyone's time and energy. People must think we sit and scheme about ipcop and think up insults and so on - we don't. We just get on with things. There's no point in sitting about going "oh DICK morrell, what a [insert insult]" or "smoothwall is [insert insult]" ... It's utterly juvenile, and just a waste of time. As soon as the ipcop "crowd" realise that, the better.

Redundant Solutions?

[bleckywelcky]

I have read over IPCop configurations and documentations several times before, and it is definitely a good solution for a simple home office or other small business network. It is fairly simple to use and setup, and fairly robust in operations. However, there is one thing that it lacks, as well as what many other solutions lack: the ability to handle redundant internet access. Although I have not looked at every single software solution for routing and networking on this scale, there still seems to be a lack of redundant-internet-connection support in the field. The ability to use multiple internet connections for backup in a single software solution, as well as to use multiple internet connections to increase overall bandwidth, seems to be missing.

Has anyone run across developing projects (or already developed projects) that are trying to accomplish this sort of feat? I have seen a hardware solution or two that have tried to work this problem, but they are rather impractical for a home office user who needs redundancy (telecommuting, etc) or expansion of their bandwidth (kids playing games while they need to transfer projects around, etc) for their home network. Can anyone comment on this subject?

That's what routers are for.

[NetJunkie]

It isn't the firewall's job to do this, that is up to your router. Firewalls shouldn't get in the business of routing or handling routing protocols.

Re:That's what routers are for.

[NetJunkie]

An average home user won't have multiple Internet connections. How many people have DSL and Cable at the same time? There are small NAT routers that do this on the cheap. If your company is paying a couple grand for Internet connections they will already have at least one router and probably more.

Good routing protocols handle congestion as well as downed links. EIGRP takes these in to account. We have two connections to the same Bellsouth POP and use Cisco's CEF for packet level load balancing and redundancy should one circuit fail. You can bundle many links using CEF, but they must all go to the same router. Multiple connections to different POPs would require BGP.

Re:That's what routers are for.

[bleckywelcky]

Lots of people have both DSL and Cable. I was actually in between many different connections at one time, and for some reason I ended up with 3 DSL connections, 2 Cable connections, and a single 56k dial-up connection at my house. Don't ask me why I had all of that, but it would have been interesting to piggy back all of them.

However, what sort of NAT routers are you referring to? Are they easily obtainable software solutions, or hardware solutions? I've only seen single connection hardware gateway solutions on the end-user side of things.

And most small (I'm talking small, family/friend-type companies, not small companies on the grand scale who still gross several million a year) won't pay a couple grand for their connection unless the connection is really part of their business. Some simple just need to retrieve order information or communicate over their connections, etc. This could be done with a decent cable connection, but could manage to get bogged down at some times. To only pay an extra $50/month for an additional same service or opposing service and still be able to double their bandwidth would be a great. The slow periods in their connection could be eliminated without needing to fork over several hundred dollars a month for a fractional T1 or whatnot.

Re:That's what routers are for.

[NetJunkie]

Check out the Nexland ISB Pro800Turbo Firewall/NAT box. It will load balance two broadband connections.

Re:That's what routers are for.

[bleckywelcky]

That's a nifty little piece of equipment there. The specifics of the dual wan tech are slim as suspected. It would be interesting to at least hear how they went about the implementation of that. I would prolly get one of those except I don't need to have a dual setup, it would just be nice, heh. Still, for a company that is just barely exceeding its DSL or cable bandwidth where the next step up would be several hundred dollars per month more, buying this piece and getting another broadband connect would definitely be more economical in the long run.

I just find it odd that they limit the number of leasable IPs to 253 - I can't see any reasoning behind that.

And I just remembered another thing relating to this topic. Several years back (95ish - 96ish), I was able to combine connection bandwidth in a similar way. Right before cable and DSL were out, I had to rely on my good old 56k modems with the v90 and Flex technology. Still, these weren't enough. Somehow I came across an article or something talking about combining modem bandwidth to increase the perceived bandwidth of the computer/user. It involved taking two modems and dialing up to your ISP with each modem into two different accounts. It was called multilinking I think, and some company even had a proprietary version of the technology called shotgunning I believe. The bandwidth was combined/your request split somehow, and you could effectively have a 112k connection, heh. The ISP had to support the technology and it wasn't entirely stable, but if you got it going then everything was great. Now, instead of getting 5k/sec downloads, you could get a whopping 9k/sec or so and brag to everyone else. My ISP claimed to not support the technology, but at around 10 PM each night, I could get the connections going and have some wicked speed.

As well, I think you could even multilink more than two connections. You just dialed the first main connection and then dialed each additional one afterwards.

Seems like that technology would've been/could be implementated for broadband connections or any set of mulitple connections. I'll have to keep looking around for some more info.

Re:That's what routers are for.

[NetJunkie]

It's called Multilinking and is part of PPP. It's done all the time with ISDN links. Most people don't exceed the bandwidth of cable/dsl so no one cares. If you want more speed just pay. I can get cable modems here up to 4Mb/sec and I've seen DSL in other parts of the country up to 7Mb/sec. No need for multilink.

As for the Nexland router, they just load balance by connection. Track how much each connection is being used and when the next user needs something you send it over the leased used line. That would be the only way to handle it.

As for the IPs...if you have more than 253 hosts inside you need to look at another device.

Re:That's what routers are for.

[bleckywelcky]

Ah, well you're lucky then. Currently SE Michigan only has a couple of broadband choices (I think just 2) - all of which are less than or equal to 1 Mb. SBC Ameritech for DSL and Comcast for cable are the two I know of. The cable used to be 1.5 Mb, but with the dissolve of @Home, they bumped everyone down to 1 Mb. WideOpenWest [wideopenwest.com] supposedly has plans to move into the area with bandwidth selections ranging up to 10 Mb. I ll be looking forward to that, but until then we're all stuck with Comedycast and the 1 Mb max here in SE Michigan.

Department of Redundancy Department

[TheSHAD0W]

All *nix distributions can handle multiple uplinks, once you've tweaked them properly. Load balancing can be an issue, but if you want pure redundancy, that's not a huge problem. Servers on redundant connections is a whole different ball of wax, though.

Re:Department of Redundancy Department

[bleckywelcky]

Well, I was mainly interested in investigating these 'solutions-out-of-the-box' type setups. I actually haven't looked seriously into the specifics and ideas behind piggy-backing, so I'm not sure of what the algorithms for this to work would look like. Although, I would have to assume that the technology could look similar to the processes behind certain download managers, where the specific package is divided and retrieved from different servers. For any given client, the infomation they may request would be split into default chunk sizes. The server controlling the multiple connnections would then attempt to retrieve each chunk along one connection, and allow a certain amount of time before it has determined that the wait is 'too long' and request remaining chunks along an alternate connection until the former connection has caught up.

Having said that, I have tried to get some connections up and running on various *nix distros before, but could never get them working completely properly. Do you know of any references that explain the process/tweaking behind setting up these multiple connections? As far as running servers on redundant connections - I would think that you would need some client side configuration for that to work (or a new communication protocol to allow server directions in this situation, heh), which seems to be rather impractical right now, heh.

Re:Redundant Solutions?

[Nethead]

...as well as to use multiple internet connections to increase overall bandwidth...

That really requires BGP to do right.. and BGP means you have an ASN [arin.net], which costs money now and you wouldn't be able to get your braodband provider to peer with you anyway.

Re:Redundant Solutions?

[gunther788]

For connecting a large (300+ seats) internal network at our LAN parties to the Internet via a combination of ADSL and cablemodem lines, I use the Squid Proxy Cache [squid-cache.org] to bundle the lines. This provides us with fault-tolerance, nice load-balancing of the outgoing connections, and a solid cache pool. There's one primary cache (high-end box with fast disks) that is visible to the users, and for each outgoing line a small PC (Pentium 233 will do fine) that acts as a parent (see round-robin [visolve.com] option).

We've experimented with load-balancing on a layer below, and I've found it much more difficult to maintain and debug... you know, squid offers beautiful logs and has many cool tuning parameters (I can even put weights on the lines!).

Choice is good

[DreamerFi]

As author of a similar project (www.dubbele.com) I', glad to see competition. Different people need different solutions, and there's plenty of difference between mine and theirs.

-John

Uprising Politechs...

[bhsx]

It seems that more and more people are using politics to spur linux distributions. Spinning-off a GPL project is all well and good; but do you have to wish ill on the original project? It doesn't seem like this is different enough from smoothwall yet to indicate a new distribution. On a similar topic, has anyone checked out Sorcerer GNU/Linux [wox.org] lately? Seems this is happenning a bit too much for my taste. I'm all for things like K12LTSP [k12os.org] which don't attempt to take anything from there originators, yet add productive/usefull features for anyone in a specialized nitche.

Re:Uprising Politechs...

[TellarHK]

Actually, as a member of the IPCop user mailing list, I'd have to say that any ill-will has been pretty well restrained. The list might occasionally flare with the occasional flame, but the moderators of the list do a pretty good job of keeping it all in check.

IPCop has the goal of planning a large rewrite for the .2 release, and I'm looking forward to seeing where these efforts go. While Smoothwall GPL support seems to have stalled in a few areas (most notably USB Speedtouch modem speeds) IPCop continues with the full effort of the team.

Re:Uprising Politechs...

[bhsx]

That's good to know, and it doesn't seem to be nearly as flame-skewed as the SGL fiasco, but it is a nonetheless disturbing trend.

Re:Uprising Politechs...

[Anonymous Coward]

the reason ipcop doesn't currently appear that technically different from smoothwall is because currently it's not. the 0.1 release was just a stop-gap measure to provide people an immediate alternative to smoothwall; not a technical alternative, but a logistical alternative.

matter-of-fact, phil barnett, who use to run the unofficial smoothwall mailing lists (even before smoothwall.org had an "official" mailing list), says something along those same lines here [matrixlist.com].

a major rewrite is planned for 0.2, which will clearly differentiate ipcop from smoothwall.

but was the logistical problem really that big, big enough to necessitate a fork? what follows is a repost from the official smoothwall "users" mailing list where all i did was inquire about the GPLed kernel sources and patches used in the distribution. i didn't ask for the smoothwall project to provide them, but only to state what they were so that i could find, download, and rebuild the kernel sources with qos (quality-of-service) capabilities enabled, one that would be as similar as possible to the smoothwall kernel (for a drop-in replacement).

i thought one of the original benefits richard stallman intended for GPLed software is that the user can infinitely customize and tailor the product to suit them and there is no vendor lock-in as the source code can be altered for the customer by third-parties? isn't the GPL about the customer? obviously smoothwall management (richard morrell, "project manager and founder") doesn't have anything (especially ideals) in common with stallman besides a first name.

note: yeah, i've removed the email addresses and phone numbers contained in the following message. as much as i disagree with richard morrell's attitude, i don't wish spambots or people upon him or his email addresses (see "Golden Rule", Matthew 7:12 & Luke 6:31).

From: Richard Morrell
Sent: Saturday, September 22, 2001 2:58 PM
To: Wright, Corey
Cc: users@
Subject: Re: [users] What kernel source and distro-base?

DONT

If you think you have something to add use your brain

Come talk to the team

QoS is so so so unneeded.

You will get fuck all help from us dude

Richard Morrell, project manager and founder - SmoothWall
Technical Director - Caveonet Ltd

On Fri, 21 Sep 2001, Wright, Corey wrote:

> What kernel source (plus patches) and distribution (if any) is 0.9.9 based
> on?
>
> I'm wanting to add QoS capabilities to SmoothWall using kernel modules
> (sch_*), the tc application, and a script borrowed/modified from LRP
> sec-EtherToEtherFiles.html>.
>
> I know from looking at the smoothwall-0.9.9-kit.tar.gz tarball that the
> kernel config's are included in that and that the kernel was 2.2.19, but
> what kernel source was used (stock, patches, etc)? If the kernel was
> patched, is the modified kernel source provided somewhere, or at least the
> patches to apply to the stock kernel?
>
> What distribution was used as the base for the SmoothWall, if any? If all
> the apps came from a distro, then I can simply see if that distro provides
> tc (ex. in Red Hat's iproute rpm) instead of having to statically compile tc
> (or try to match library versions).
>
> The "donor" computer I currently use for SmoothWall 0.9.8 had Red Hat 6.2
> installed on it (just two weeks ago, right before 0.9.9 was released) and I
> had QoS set up, but with a simpler script. The script I used only provided
> "Stochastic Fair Queuing" and didn't discriminate between different types of
> traffic (like the LPR script does), but it really helped make web surfing
> and chatting tolerable while apt-getting debian packages over a dial-up
> link. (Instead of one large queue, like the tcp/ip stack has, SFQ creates
> multiple queues based on origin and destination ip address pairs [and
> possibly including destination port; can't remember], and pulls a packet off
> of each queue round-robin style. So even though there may be tons of
> packets queued, bound for a particular ftp server, packets bound for a
> [different] web server don't have to wait at the end of the line behind all
> those backed-up ftp packets, because those http packets have their own
> line.)
>
> I would be happy to document my work (assuming I get it to work) so that
> this could be incorporated into SmoothWall.
>
> Or if the SmoothWall team isn't interested, I'll just have to ask for this
> same information next time/version around. ;-)
>
> Corey
>
> PS Thanks for SmoothWall and I look forward to installing and modifying
> 0.9.9.

i never received any follow-up or further assistance from the smoothwall team (if you even dare to call the above "assistance"), but eventually reached my goal with the helpful detective work of another smoothwall user, who had also received a similar reply from smoothwall management to a similar request.

and this is why i do not recommend nor support smoothwall, and instead point to the ipcop project.

Re:Uprising Politechs...

[bhsx]

That's not too surprising, considering what I've heard, thanks for the linkage. I'm trying to keep it all in perspective, yet hear both sides.

Re:Uprising Politechs...

[Selanit]

As an active user of Sorcerer GNU/Linux, I would like to point out that no one went out of their way to antagonize Kyle Sallee, the original creator of Sorcerer. Following the two Slashdot articles about Sorcerer, interest in the distro skyrocketed, and suddenly Kyle found that there was far more work than he could handle alone. Several people offered to help him manage the project, notably Ryan (whose last name I don't know) who later founded sorcerylinux.org.

Kyle refused help, and eventually (for reasons that are unclear) dropped the project. He announced it was all over, pointed sorcerer.wox.org to a fork called lunar-penguin which had already been established, and disclaimed any further interest. Later, he added a link to the sorcerylinux.org [sorcerylinux.org] project. Then, inexplicably, those were taken down and replaced with a long diatribe ( mirrored here [sagelikefool.net]) dissing both projects, followed a few days later by an apparent attempt to revoke the GPL license Sorcerer was released under. (That article is still up at sorcerer.wox.org, as reported in the parent comment, at the time of this writing.)

(Please note that the authorship of the last two documents mentioned above is not 100% certain. The consenus on the Sorcerer mailing lists, however, is that Kyle did in fact write them.)

The leader pro tem of rhe current Sorcerer project wrote a rebuttal of the first article [sorcerylinux.org] and when the new one came out another one. [sorcerylinux.org]

The whole mess is puzzling, but one thing is clear: this was NOT a hostile takeover of the Sorcerer project. This was a group of people just trying to save a cool project after its creator dumped it and tried his best to kill it.
1) Nobody forced Kyle to drop it.
2) Nobody forced him to link to the two "child" projects, Sorcerylinux.org and lunar-penguin.org
3) Nobody forced him to put up the article attacking both projects, or to try and remove the GPL.

If Kyle has become alienated from the Sorcerer community, it is no one's fault but his own.

IPCOP 0.2 Release

[mnordstr]

looks interesting alright, but why wait?
I'm running my own RedHat 7.2 box with iptables, squid and the whole nine yards. Works perfectly, probably because I had to configure it myself, didn't use a preconfigured firewall distro.

Fli4l

[XRayX]

You might already know this, but there is a really good one-disk-router/firewall around: Fli4l [fli4l.de].

nice web site(cough oswd.org, cough)

[mike13down]

You can find layouts like that , and my special super [oswd.org]

this packet passed through IPCop

[sloop]

I just installed IPCop this afternoon. Coincidentally, I saw this news story show up on slashdot the same time I was burning the CD-ROM.

So far, I am impressed.

The securityfocus review is very lacking, and very disappointing in content to be coming from a "security" site.

The IPCop installation was very simple and straightforward. The only hiccup was getting my ISA NICs to work.. I had to use a setup floppy to set the IO address, and manually load the driver "ne io=0x220".

The DMZ feature is very cool, and it looks like you can run IPSec out of the box.

The web interface is very slick. This interface is what separates it from a stock RedHat distribution with some custom iptables rules. Previously I was running a floppy-based distro for my firewall (BBIagent). I like IPCop better because it has SSH support, an update system, and I can log in to the console and 'do stuff'.

Re:this packet passed through IPCop

[Corrado]

I have had the same experiences with old ISA NICs. Installing IPCop on a machine with 2 old SCM (driver: scm-ultra) required me to modify conf.lilo and tweak the IRQ setting on one card. Not easy, but workable.

OTOH, yesterday I installed it on a newer machine with 2 identical 3c905 PCI NICs and everything when swimmingly! I love IPCop and can't wait for v0.2!

BTW: The only thing I had an "issue" with was figuring out which NIC was attached to which interface. (GREEN = PCI1 = eth0???) Or, how does it know which card to use for which interface on a cold boot? Does anyone have any clues on this?

IPCop kicks Smoothwall's ass, for these reasons:

[joebp]

• IPCop lacks Richard Morrell [google.com].
• IPCop fixes the long-known USB ADSL bug with Smoothwall -- which cripples upload speed to 3K/s instead of 30K/s.
• No nagware, adverts, requirements to donate to get basic support, etc.
• Smoothwall GPL is treated and referred to as 'trialware' by the Smoothwall development team, and is essentially dead as GPL project.

Smoothwall is in my opinion perhaps the most ungraceful transition from a pure open-source project to a business in recent history.

Re:ANOTHER bloody fork?

[Air-conditioned cowh]

GPL fork != Closed-source fork

Having seen a few forks in my time (especially at meal times), I can say that the effect of a GPL fork isn't half as bad as the closed-source forks we've seen.

For a start, diverging GPL projects can always converge later, they can shamelessly copy each other's code. It's more like parallel processing than a dead end splinter.

Not a review

[jrimmer]

Don't click on the article link hoping for a review from the fine folks at Security Focus. This is simply an install HowTo; editorializing is kept to a minimum.

Better Solution?

[PJPorch]

I was playing with a number of similar stripped-down version of linux that were intenedd for firewalls. IPCop has a nice interface and is simple to setup, but found that I like Astaro for a better solution. The Hardware requirements are a little higher, but the I think the interface is better and one key feature that changed my mind is that Astaro is a stateful firewall
From Astaro Website

http://www.astaro.com

System
Linux 2.4-based, Change-Root Protection, Kernel-Capability Protection, Web-based Administration (128 Bit SSL encrypted), Updating via Internet (1024 Bit PGP signed), Logging via Syslog/SNMP/ASCII-Files.

Firewall
Stateful Packet Inspection, Portscan Detection, Anti Spoofing.

Virtual Private Networks (VPN)
IPSec and IKE (RFC 2408/RFC 2409), Microsoft PPTP (RFC 2637) Algorithms: Diffie-Hellmann/3DES/MD5/SHA 1.

Proxies
HTTP (Content Filter, Cache, Authentication), HTTPS, SMTP (Virus Protection), DNS, SOCKS 4.0/5.0 (Authentication), Authentication via User Database/Radius/MS Windows NT or 2000.

Networking
Source and Destination NAT, Masquerading, up to 25 Ethernet Interfaces (10/100/1000 MBit), IP Aliasing, Randomized TCP Sequencing, Proxy ARP, Automated Routing.

Performance
Running on a 750 MHz CPU: Up to 64000 concurrent Connections, up to 650 MBit/s Filter Throughput, up to 25 MBit/s VPN Throughput.

Josh

Author speaks out.

[Babel]

As the author of the SecurityFocus article in question, I'd just like to answer a few comments:

* Yup, I found this an interesting project for a number of reasons. It was WAY easier to set up than a standard Linux distro, but be aware that's because it has ONE purpose and one only -- to be a firewall. This is good and bad. As a simple, easy to install firewall system, I like it.

* I haven't played with www.dubbelle.com but I'll be sure to check it out shortly. There are lots of other good cut-down distros out there, and I'm sure there is place for all of them. The one advantage that IPCop has over a single floppy distro is a few extra features such as squid and IPSec.

* Sorry, the article really was meant to be a how-to, rather than a review. I'm sorry about those who were dissapointed expecting more of a review article but I prefer to write in the more practical sense. If you want a review, here's a one word one: GOOD. I'd be interested to hear what one poster (sloop) found "lacking" in the article, however.

* I hereby refuse to make any comment concerning Richard Morrell.

* Yup, Astaro is a fine distro too, and no doubt the fine folks at SecurityFocus will probably review it as well. I'm not that familiar with it myself so no doubt they'll get someone else to do the review.

Del

Re:Author speaks out.

[DreamerFi]

Del,

feel free to contact me once you've looked at dubbele.com, I'd be happy to talk about your impression..

-John

how about e-smith

[midtoad]

I'm running e-smith [e-smith.org] server 5.1.2 and wonder how it compares to ipcop. Since I'm on cable, every time I reboot I get assigned a new IP address; e-smith has a useful service that will automatically register my new IP with any one of a number of different domain name forwarding agents, e.g. dyndns [dyndns.com].

I note that ipcop is only on version 0.1.1 and I wonder if this means that the product is still evolving.

How would a product like Mandrake [mandrake-linux.com] Server compare, apart from potentially being much bigger? (e-smith was only about 400 MB for the complete package).

Re:how about e-smith

[Air-conditioned cowh]

E-Smith is an excellent little distro but if you consider every service is runs as a security risk then it simply has more of them than a stand alone firewall.

Also, I know Smoothwall has built in support for dyndns, no-ip etc. also. I would think Ipsec does too.

It rocks

[Plinth]

Having just spent a few hours installing ipcop I can say it rocks. We had a problem that it wasn't detecting the USB properly, but this was solved by not having the usb modem plugged in. The real difficulty was that the usb claimed to be "Unset" rather than either of the two options, but when my friend emailed them he got a quick response saying that the installed was being changed to make it more clear.

Once you get the thing working it's a dream, uploaded the file and had USB ADSL (to BTOpenWorld) going in no time at all. Possibly it's just wishful thinking, but response times and pings in general seem better (though it's bto, so they're still pretty crap), and it is just brilliantly easy to admin. Even the non-linuxy guys in the house are loving the new setup (for the record it's a student place with about 8 machines so we fit into the home/small office category).

Re:It rocks

[tallbloke]

I'm about to install ipcop on bt adsl usb
please get in touch.

rog at headingley dot uk dot net

Cheers