
Linux based firewall distros


iSeriesCodePoet
Programmer
Jan 11, 2001
US
I am curious what distros people use. I currently use IPCop, which is great, but I am curious to know if there is a better one. Others I have heard of are ClarkConnect and Smoothwall. I do NOT want to spend money, as I am on a tight budget.

iSeriesCodePoet
IBM iSeries (AS/400) Programmer
thread83-486570 Been working with Astaro, and it is free for home use (up to ten internal IPs). It's got a whole suite of products bundled under a hardened Linux kernel. Includes Squid, DNS cache, VPN, and others. I really like it, and have been running it at home for about two weeks. It is all configurable using a web interface.
 
I currently am running the latest release of Astaro. I love it, easy to set up and manage. I have been running it for about 2 months now. Formerly I was running SmoothWall, but Astaro is superior in my opinion. I have an ADSL connection with 2 WinXP Pro PCs and a RedHat server behind it. Hope this helps.
 
Been looking for a decent firewall for a 'nix machine I'm putting together for a while.

BUT..........

Could someone please tell me WHY Astaro iso needs to be 95MB?!?!?
 
Wow... a lot of people recommend this firewall! I will have to check it out. Are they better about releasing patches?

iSeriesCodePoet
IBM iSeries (AS/400) Programmer
 
OK Boys & Girls, the magic word for today is "BLOATWARE".
 
How well does Astaro work with rulesets?

In other words, I'm having IPCop issues with sending files over Messenger or Trillian. So far I haven't found an easier solution.

I like IPCop a lot, but agree on the patching issues. J.R.
 
Hey Wheedoggy, it's not really bloatware at all. It has a whole suite of products in there that take up a lot of room. It has Squid, DNS proxy, VPN, bandwidth control, port scanning detector, extensive reporting capabilities, and many more that I'm forgetting at the moment. This is NOT your standard Linux "firewall on a floppy" firewall. Most of those simply run iptables, and don't need these resources. Astaro runs a whole lot more. It's not bloatware.
It also requires the machine to have 128 MB of RAM. That's a lot for a simple firewall, right? Well, I'm assuming that you need this if you're running all the services it provides. I for one only use the firewall side of it (and some of the other small things), and it's only using around 70 MB. I've been running it for a while, and that number has not changed.

jrjuiliano - The rulesets are pretty nice. You can create your own service definitions, and add them to the ruleset. A packet is applied to the ruleset, and goes down the list of rules (in order) until it finds one that applies to it. If it finds none, it is dropped. Or you put an Any - Any - Any - Log Drop as the last rule to log all packets that don't fit the rulebase.

Either way, this is free software (for home use) and it's not a huge download. If you have a spare machine, and some spare time, try it out.
 
~SgtB
I understand that it is feature rich but still............
247MB is a lot of space, and that is just the pre-installation file size.
Can I assume however that the installation can be easily customised to install the firewall alone?
Don't mean to sound ignorant but I am completely unfamiliar with this app.

~iSeriesCodePoet
Please post how it goes.
 
Unfortunately there are no custom install options.

If you are using a dedicated firewall (which is what you'd have to do with Astaro) you can't use it for anything except as a firewall, right? So you've got this hard drive with all this space. What does it matter if it's 247MB?
Granted, if you're using some spare POS 486 machine to run a firewall (with a 100MB hard drive), then Astaro is definitely not the solution for you. You'd have to go with a firewall on a floppy like IPCop or something.

Now that I think of it, there is an option during install to install the open source software only, and scrub the Astaro stuff. Don't know what that actually does though.

Try it out. It's a pretty nice firewall for the price (free). I don't mean to sound like an Astaro spokesperson, but so far I really like the product.

PS - In case you didn't know... Astaro comes on a bootable CD, and you install it that way. No other OS can run with Astaro. Astaro is not just an app, it installs a hardened Linux kernel that it runs off of. Does that make sense?
 
Tried running it last night and could *not* get DNS working for my internal clients. I tried everything, including opening it up to the world. So I put back on IPCop, and need to do some reading.

What I am trying to do is keep my four clients behind the firewall, no proxy, with NAT (or I guess masquerading is the better term), and use my cable modem's DNS (which seems to be the issue at this point for me).

But I DO like how it allows me to restrict services on a whim. If I get it set up right I'll be able to do it based on client and not have to worry that my Samba/rsync server is getting directly messed with! J.R.
 
~SgtB

Thanks! Just one more question:

"Granted, if you're using some spare POS 486 machine to run a firewall (with a 100MB hard drive), then Astaro is definitely not the solution for you."

Would a POS P1/90 or a Celeron (233 or 333, can't recall right now which one I have in spares) with an old 1.6GB drive do the trick?
 
Well, I think the big issue with Astaro is the requirement for 128 MB of RAM. I personally think that's way too much for a firewall, and it should be able to use 64. Now, they are sporting this as a solution for business, so if you're running Squid along with the firewall, AND have quite a few connections... 128MB might be feasible.
I think this should be lowered, but I guess they're not pandering to the home user too much. Personally I think 64-96MB might be enough. I'm running mine off a Celeron 366 right now, and I've had no performance issues. I've monitored CPU activity for a while, and I barely see a ripple.

A P1/90 might not work out, but a Celeron 233 might be OK. I'm pretty sure the 1.6GB HDD would work too, although the 4 GB I tried to use crapped out on me. (I think it was a hardware issue though.)

My advice, if you have the time, download it and give it a shot. Seems like you've got a spare machine, so the only thing you'll lose is time. Personally, I don't think it'll be a waste of time for you.

jrjuiliano -
You're specifying the DNS server on each of the clients and the DNS queries are not coming back correct? What do the packet filter logs say? Are the packets being dropped? What about other services, are they getting through? Are you sure NAT is working properly?
Let me know, I'll do my best to help!

EDIT:
If you do decide to give it a try, Astaro has some built-in monitoring features. You can take a look at mem/CPU usage, network traffic, etc. I'd keep an eye on that if you're running it on a slow machine.
 
SgtB,

I had IPCop set up to handle DNS queries at the box. So I had the DNS performed at the default GW.

I used IP masquerading, but didn't configure anything else in NAT. And at the time, just to get things working, I had set the filter rules for basically ANY:ANY:ALLOW.

I also didn't have any proxies setup, such as HTTP, DNS, etc.

Still, I noticed a lot of dropped packets.

If you have anything short of an idiot's guide to setting up Astaro on a cable modem (with dynamic IP), that would be good! I'm not running a DMZ, so it should be easier for me to figure out. J.R.
 
Well, I just set up eth1 as DHCP. Then allowed object LAN to access Any service to Any destination (for testing only; you should only open the ports you need). Configured my clients to use the firewall's internal interface as the gateway, and set their DNS servers to the ISP's DNS. I've had no problems that way.

Post two of the dropped packet strings from your logs. Omit your public IP, of course! I'll take a look at them.

You could also set up the DNS proxy on the firewall, and point your clients' DNS to that, but for simplicity's sake, just configure that on the clients for now.
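The first-match rulebase described earlier in the thread (ordered rules, implicit drop, an explicit Any-Any-Any log-drop as the last rule) and the "only open the ports you need" caveat from the last post, as an added simulation in Python; this is example code, not Astaro's or any poster's, and the network objects LAN, WAN, ISP_DNS and the service table are constructed sample values.

```python
from dataclasses import dataclass

ANY = "any"
# Service definitions (constructed sample): name -> (protocol, destination port).
SERVICES = {"dns": ("udp", 53), "http": ("tcp", 80), "smb": ("tcp", 445), ANY: (ANY, ANY)}

@dataclass
class Rule:
    src: str        # source network object ("LAN", "WAN" or "any")
    service: str    # key into SERVICES
    dst: str        # destination object or "any"
    action: str     # "allow" or "drop"
    log: bool = False

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule, pkt):
    proto, port = SERVICES[rule.service]
    pairs = ((rule.src, pkt.src), (rule.dst, pkt.dst), (proto, pkt.proto), (port, pkt.dport))
    return all(want == ANY or want == have for want, have in pairs)

def evaluate(rules, pkt, log):
    """Walk the rulebase in order; the first match decides. No match: silent drop."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            if rule.log:
                log.append(f"rule {i} {rule.action}: {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
            return rule.action
    return "drop"

# The "LAN to Any service to Any destination" smoke-test rule from the thread.
PERMISSIVE = [Rule("LAN", ANY, ANY, "allow")]

# Only the services the clients need, then the explicit Any-Any-Any log-drop.
RESTRICTED = [
    Rule("LAN", "dns", "ISP_DNS", "allow"),
    Rule("LAN", "http", ANY, "allow"),
    Rule(ANY, ANY, ANY, "drop", log=True),
]

def compare(pkt):
    """Return (permissive verdict, restricted verdict, restricted log lines) for a packet."""
    log = []
    return evaluate(PERMISSIVE, pkt, []), evaluate(RESTRICTED, pkt, log), log
```

Under the permissive rule an unmatched inbound packet is dropped without a trace, whereas the restricted rulebase's final log-drop records every packet that fit nothing above it, which is what makes "what do the packet filter logs say?" answerable.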
 