Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Linux Firewalls

Status
Not open for further replies.
pansophic

pansophic

MIS
Sep 24, 2001
1,347
0
0
US
At the behest of some of the other frequent posters, I have been asked to start a thread on Linux firewalls. For starters, I'd be interested in what others' experiences are with these software systems, like:

- How good is the default configuration?
- Were you able to customize it to your liking?
- How was the documentation?
- Are there any features that you would like to see included?
- How good is the GUI configuration?
- How flexible is the command line configuration?
- Did you buy an appliance or just download the software?

Personally, I have used FloppyFW, IPCop, Smoothwall and Astaro. Each of them were downloaded from the net and run on an excess computer that I had, either as a home firewall or for testing. I've also messed around with NetBSD as a firewall, but I'm not smart enough to make it work. I guess I have too much time on System V systems to effectively make the switch to BSD.

I'll drop in later with comments on the ones that I have used.
pansophic
 
Sort by date Sort by votes
Thanks for starting this thread Pansophic. We will be downloading and starting evaluation on at least Smoothwall and Astaro installed on a surplus box within 3 weeks. Look forward to other users comments on these and/or other systems.

Presently using software based firewall on primary NAT gateway. Working toward DMZ with hardware upfront, software behind.

Will post our evaluation results as they become available.

Regards,
David
 
Upvote 0 Downvote
I'll also be experimenting with a linux firewall here in the short-term, and will gladly post my results.

 
Upvote 0 Downvote
Hi.
Good idea for a thread.
I'd also like to see you put up a blurb about setting up a FreeBSD firewall.... since FreeBSD is more secure than most Linux distros. ------------
Bill
Consultant / Network Engineer
CNE, CCNA
 
Upvote 0 Downvote
FreeBSD is more secure than most Linux distros
I don't see how it can be more secure than most Linux distros, as it's the kernel and [tt]ipchains[/tt]/[tt]iptables[/tt] that create the firewall. Most (all?) distros relies on these, and the only time one distro is more secure than the other is perhaps in it's default configuration. //Daniel
 
Upvote 0 Downvote
I think that the reference to FreeBSD being more secure has to do exactly with the default configuration. There is very little add-on software installed as you go through the BSD installation. At nearly every screen, all of the options are turned off, and you must choose to install every application. Very little additional software is bundled on the installation disk. You can download applications as they are needed.

Also, none of the services are on when you install them, you have to configure them to start manually. This is good from a security standpoint, but difficult if you are unfamiliar with the OS.
pansophic
 
Upvote 0 Downvote
Watchguard Firewall Appliance:

It has been more than 3 years since I last dealt with one of these. It is a "cute" Linux appliance that has three network interfaces, a Red (external) a Green (internal - protected) and a Yellow (DMZ). There is an LED interface on the front panel that allows even the most novice of users to identify if the interfaces are up and operating.

I never got into the command line guts of this appliance, but the web-based configuration utility and the menu driven terminal interface make it really simple to setup and operate. Their configuration application on the web reminded me of the Check Point FW-1 front end, with lots of graphics and very little text.

Their update utility was excellent. It polled their site periodically and downloaded and installed updates automatically. I don't recall any kernel patches in the time that I worked on it, so I don't know if they were performed automatically or not.

If you are not Linux literate, and are just looking for a "set it and forget it" type of firewall, this may be your baby. A little on the expensive side for a linux firewall, but the appliance is aestetically pleasing. And there are idiot lights on the front, so even your boss can look impressive, explaining to people that their firewall is working because of the lovely LEDs on the front.
pansophic
 
Upvote 0 Downvote
You're right.... I was referring to the default configuration.

One of these days, the main distros will start turning things off by default.... until then, my statement stands
------------
Bill
Consultant / Network Engineer
CNE, CCNA
 
Upvote 0 Downvote
SmoothWall:

This is the firewall that I have been using since I moved in June. Not because I particularly like it, but because it supports dialup PPP and there is NO real internet access in my new neighborhood.

The interface is web based, after a console installation. The entire software fits on a single, bootable CD. They include IPChains (firewall and NAT), VPN, Snort (IDS), ssh/scp, Squid web proxy, DHCP and DNS. A nice additional feature is a Dynamic DNS application, so you can use a dynamic hosting service like dhs.org.

The software was simple to set up, but didn't let me automatically configure my 4 ethernet ports. They only let you do 3 in their automatic configuration, and I use a serial port for one of them, so two of my ethernet ports on my quad ethernet card are unusable.

The configuration supports a Red, Green and Orange network, external, internal and DMZ respectively. But the web based interface is kludgy at best. For instance, you cannot create or modify a dial up connection while you are dialed in, even if it is not the primary configuration that you wish to modify.

The logging is "interesting" as well. The content is standard, but the virtual tab interface of their web front end is not intuitive. And you cannot view more than a single day at a time, making it difficult to track an event that spans a day. And the Older and Newer buttons at the bottom of each log page do not change, even if there are no older or newer events to view. You have to press them anyway and see what happens.

The firewall log has check boxes throughout it next to IP addresses. It is not apparent why these exist until you get to the bottom of the page where you find a lookup button. Once I figured it out, I found that you are supposed to check the addresses that you wish to lookup, and then check them all at once. It is a little bizaar, but you get used to it.

The IDS log provides truly truncated messages, like: "SCAN Proxy attempt" without providing any type of link for more detailed information.

That said, the info page has the status of each of the services, with a large red or green indicator, making it simple to see at a glance that something is not functioning. And you can get in through ssh and change the configuration by hand if you wish.

The update service is really lousy though. It is a page on the web interface that you have to visit to see if there are any updates. And if there are updates, then you must download them to your computer and then use the update screen to browse your hard disk for the upgrade. This was EXTREMELY painful when there were 18 patches immediately after install. I downloaded all of them, but had to upgrade 1 patch at a time. I couldn't push them all to the firewall and upgrade it all at once. And none of the 18 patches were cumulative, so I couldn't download, say #15, and get 1 - 14.

They recently released 1.0 final, so if you download now, your patch time will be non-existant. Another thing, patches are painfully slow to be released. I would NOT recommend or use this firewall for a business unless that business is on dialup.
pansophic
 
Upvote 0 Downvote
Smoothwall v1.0
I tried out smoothwall even though pansophic did not recommend it. Its all he says it to be. I really disliked the logs in particular. The web interface was clumsy to say the least. I installed the 1.0 version, and only had to do one update, but I could see how running multiple updates could be a little frustrating. Creating a rulebase is extremely painful, and consists of editing what you'd like to allow, not block. I'm assuming you're supposed to trust smoothwall to hopefully take care of everything else. I'm sure one could actually go in there and edit the rules via command line, but I'm not sure about that.
I won't repeat everything previously mentioned, but I'll confirm that its the same with smoothwall version 1.0.

Linux Embedded Appliance Firewall
I have yet to get the thing to work. Its esseantially a firewall on a floppy, and the idea is great. I'm guessing you need to be a little more familiar with Linux than I am to get this properly configured. There are several "branches" of this project including one called Bering that utilizes the linux firewall, shorewall. Others use IPTables/Chains. Some branches come on a bootable CD that have some nice features on there including VPN capability. Documentation isn't that bad. Most branches have detailed docs regarding install and setup. You can also get support for leaf via a mailing list.
I'm still working on getting it to work, but someone more familiar with Linux will probably have a much easier time with this.

I'll be trying out Astaro soon.
[thumbsup2] ________________________________________
Check out
 
Upvote 0 Downvote
I have used Watchguard's Firebox appliance and agree with the statement above. Only issue i have, which i guess is the same with all vendor appliances, is the need to purchase IPSec licenses. Otherwise, PPTP is the only way to go.

I'm in the process of evaluating IPCop which is derived from the Smoothwall code. I've tested smoothwall and find IPCop preferable. Once i test it and set up a tunnel with another site I will post back.

Since we're here, any highly recommended security books? New to security but exteremly fascinated by it and look to pursue as a specialization.

Thanks
 
Upvote 0 Downvote
I know this isn't a Firewall but it seems like it might be a good forum to mention it in.

Compledge Sentinel is a specialist Linux distribution designed for
system monitoring and security auditing. Based on the Linux from
Scratch project and Slackware, the x86 Sentinel distribution includes
the Nagios monitoring tool with the Nagat web interface, the Nessus
scanner, and the Snort intrusion detection utility amongst other
software. Sentinel is free to download and is available now.



"There are only 10 types of people in the world - those who understand binary, and those who don't"
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

HopnDude
  • Locked
  • Question
Two Firewalls on 1 VM running 2 VE with 2-2 Port Gigabit NIC's. Doable?
Replies
1
Views
32
nblount
nblount
daytooner
  • Locked
  • Question
pix 515 blocks access to certain sites (only w/ linux)
Replies
1
Views
26
iggsterman
iggsterman
paulmoss
  • Locked
  • Question
Connecting 2 Firewalls via a secure tunnel
Replies
2
Views
29
PeterHurst
PeterHurst
goulin1
  • Locked
  • Question
Site-To-Site VPN Between Nokia Checkpoint R65 Firewalls
Replies
1
Views
41
goulin1
goulin1
scott0011
  • Locked
  • Question
Problems with Cisco ASA and Linux VPN client
Replies
0
Views
16
scott0011
scott0011

Part and Inventory Search

Sponsor

Back
Top