*nix firewall vs off the shelf

Duster

Ok, I have been asked to put in place a firewall for a small business. They need something to pass VPN between two locations and a laptop.

My first thought is Endian; set it up and let them go would give them what they need and what not. But they have seen the Netgear/D-Link firewalls from off-the-shelf stuff and are thinking about those instead.

My question is what is the benefit of, say, Endian vs a Netgear firewall. Both are web configurable and Endian gives more control, but other than that, what kind of features would a *nix box have compared to an off-the-shelf firewall? Money is an object here and both places need wireless and VPN. Currently they just have Netgear routers with wireless access points.
 
"Off the shelf" products are usually very basic NAT routers, you get the basic hardware firewall protection, and the usual basic services such as DHCP, basic SPI. As you move away from the under 100 dollar "home grade" router range..and towards the 200-300 dollar business grade router range....you get some VPN options, ability to build VPN tunnels, ability for the router to be a VPN server of various types, and a bit more "horsepower" (thus better performance for a network of computers..which may be too much for home grade routers), sometimes options like port based VLANs, ability to add ACL with better firewall features, etc. For a business...you really want to stay away from home grade routers.

Now with some linux distros such as Endian...you get more features...deeper SPI, Intrusion Detection, antivirus scanning, and spam removal (transparent proxy), as well as some good VPN features. Consider it more of a "Unified Threat Management" (UTM) appliance. Stick it on a higher range P3 or higher with 512 megs...and you now have an appliance that gives you enterprise grade performance and features that you'd be spending $5,000 or higher on if you bought a pre-built brand off the shelf. It'll easily handle the traffic and loads of a large network. Great for putting in front of an Exchange server also.

Endian is a great distro....I've used it at a few clients, it's too bad development and the community sort of died down. IPCop has an add-on called "Copfilter"..and it's that setup which Endian is based on....they groomed it into a nice smooth package. I've used it to build site to site VPN tunnels also..does a good job.

I encourage you to look at a rather new distro.... www.untangle.com It's hot hot hot...strong development, they intend to become serious players in the business firewall market. They sell pre-made boxes, and they have a distro you can download and install for free...just missing some features of the Pro version such as SSL VPN.

One of the drawbacks that I can come up with...from using *nix distros for business clients...is support. Not many techs out there in the real world know about *nix routers. The client may be concerned with that..and may feel more comfortable having an "off the shelf solution" in place..so that if you leave as their consultant..some other propeller head can come in and quickly be able to support them.
 
With Untangle can you, say, have your network in one area and then have wireless in another which has a lot more restrictions?
 
With Untangle can you, say, have your network in one area and then have wireless in another which has a lot more restrictions?

Not sure what you mean there....if you want wireless..just add a WAP. If you need to keep a wireless network separate...business grade WAPs can support multiple SSIDs with multiple rules, combined with managed switches that support port based VLANs..you can separate your network to your heart's content.
 
My experience with the off-the-shelf routers that do VPN is pretty bad. If you want a normal router that will do it look at a Cisco 871W.

As far as running a Unix or Linux firewall, I would go get a slim line Dell Vostro 200 or something like it (I mention that as you can find them in the outlet for 300 bucks with a gig of RAM). I don't recommend running them off an old machine as reliability can be more of an issue. Also when you start running the add-ons for things like IPCop the extra RAM helps.

I personally prefer m0n0wall for small builds and IPCop for the extras when needed. That Untangle looks interesting other than the fact they mention a benefit of the Pro package is backing up the configuration. That makes me wonder about the options in the free one.

As far as wireless goes you can just throw a wireless access point on the network for that support. You can also throw a wireless card in the systems but I would really recommend an access point instead.
 
I personally prefer m0n0wall for small builds and IPCop for the extras when needed. That Untangle looks interesting other than the fact they mention a benefit of the Pro package is backing up the configuration. That makes me wonder about the options in the free one.

Pro package over the free distro...
*Live Support
*Policy Management
*Integrates with active directory
*Config backup
*SSL VPN portal

Free one has everything else.

To me, the benefits of having UTM features such as the transparent proxy doing antivirus/antispam/antimalware...it's good to have...especially for a business. I can't see stepping down to a plain distro that basically just does NAT..might as well just have an RV0 router in there if that's the case.
 
To me, the benefits of having UTM features such as the transparent proxy doing antivirus/antispam/antimalware...it's good to have...especially for a business. I can't see stepping down to a plain distro that basically just does NAT..might as well just have an RV0 router in there if that's the case.

I agree I need UTM. I am playing with untangle and endian. So far I like untangle a tad more just for the simple fact it finds my internal network port. However I kind of like endian configuration settings more.
 
Untangle looks like a great product. Not to hijack the thread, but is there a way of installing SSL VPN on the free distribution, or is it locked down too tight?
 
I have mostly used smoothwall as I am familiar with it, it has a great community, and it has a full paid for version backing it.

I believe there is a SSL VPN you can install as a 3rd party type thing on smoothwall.

Frankly, it is much better to use these full PC firewalls as they are much more powerful and stable than the home and SMB class equipment from Linksys, Netgear, etc.

I have one client using a SMB Linksys VPN setup though and it has been rock solid for years, so you can get good results with the stuff in small situations.


One thing to watch for with the PC firewall software is to make sure it has a good community backing it....if it does not, many times developers can miss security holes, etc. and they are not as safe as ones with a very good community constantly checking the code and looking for bugs/holes. Also be careful when adding on 3rd party components as sometimes they can reduce the security of it.


Smoothwall 3.0 is my pick overall though and I have used pretty much all of them at one point or another. IPCop is also very good, but I like the layout of smoothwall a bit better.
 
Untangle has surprisingly high hardware requirements and recommendations, esp. for a firewall distribution which claims to have a significantly faster architecture (which would imply being able to perform with lesser hardware). It also failed during installation on an old machine here which didn't present any problems for IPCop and Smoothwall Express. Price of progress? Perhaps, but it seems high to me for a router build.
 
For very small offices I use 3Com OfficeConnect routers. DNS, DHCP, PPTP, IPSec and very good content filtering.
 
Untangle has surprisingly high hardware requirements and recommendations, esp. for a firewall distribution which claims to have a significantly faster architecture (which would imply being able to perform with lesser hardware). It also failed during installation on an old machine here which didn't present any problems for IPCop and Smoothwall Express. Price of progress? Perhaps, but it seems high to me for a router build.

I can't comment on Untangle per se, but IPCop with the add-ons and Endian need a pretty beefy system to run them. They are a lot more than a basic firewall. I recommend a P4 with at least 512 RAM for those setups. A Celeron in the same class would work fine as well. How old of a system are you trying to run it on?
 
I have installed Untangle onto an 800 MHz, 256 MB machine. It runs. It is slow; it was really more or less to see how I liked it and what not. I have been uninstalling and installing different firewalls onto it. I really like Endian I think, but it seems the community has died off for it, and it is not as user friendly as Untangle seems to be. I have some problems getting into it once installed. I did it the first time but now it just sits asking what to do. It really needs better documentation on installing it.
 
I have mostly used smoothwall as I am familiar with it, it has a great community, and it has a full paid for version backing it......

One thing to watch for with the PC firewall software is to make sure it has a good community backing it....if it does not, many times developers can miss security holes, etc. and they are not as safe as ones with a very good community constantly checking the code and looking for bugs/holes. Also be careful when adding on 3rd party components as sometimes they can reduce the security of it.


Smoothwall 3.0 is my pick overall though and I have used pretty much all of them at one point or another. IPCop is also very good, but I like the layout of smoothwall a bit better.

That's why I keep going back to Smoothwall .. using latest Smoothwall Express 3.0 with Advanced Web Proxy (http://www.advproxy.net) , AdZapper , (with Squirm chained off of that to mess with some people :D http://community.smoothwall.org/forum/viewtopic.php?t=25837) , Dansguardian, ClamAV Blocklist, Blackhole DNS, Guardian Reactive firewall , Connview , ...etc , etc .. (I run a lot of mods to see what all they do and to see what would be good to implement campus wide) all can be found in the homebrew section in the Smoothwall forums http://community.smoothwall.org/forum/viewforum.php?f=26

..great active community as stated ..tho it doesn't have a lot of features perhaps that the other guys have out of the box ..it's very customizable and you can have it do as much or as little as you want it to do..

Since implementing smoothwall with Dansguardian (w/ blacklist from urlblacklist.com) & ClamAV a few years back.. support calls went down by a good 90% on our campus ..

if you are linux savvy even in the least bit ..you can set up a dev box and roll your own mods pretty easily



[F]old|[H]ard
 
I like smoothwall in what it has to offer, I am just not that great with linux and am afraid it is over my head for getting the features out of it that I want
 
I have installed Untangle onto an 800 MHz, 256 MB machine. It runs. It is slow; it was really more or less to see how I liked it and what not.

Hardware specs are below what they state for minimum...1GHz and 512 megs. So it will run very slow on that. It has a lot of features/components....above others, which is why it wants more horsepower.

Endian would run "OK" on your machine...although it gets snappier with 512 megs...256 is light for it, I found it wants 320 or so megs to run in..for a small network. Have you clicked on the "Help" section? The documentation is very rich there.
 
I like smoothwall in what it has to offer, I am just not that great with linux and am afraid it is over my head for getting the features out of it that I want
lol ..when it comes to linux , they don't come much noobier than me ...but I can usually follow others direction pretty good :p

whatever you do run tho ..as YeOldeStonecat is pointing out, you should get a beefier machine with at least 512meg ram ..more is better tho

I run an XP 1600+ w/768megs of DDR as our main smoothie at the school for troubled teens place I work at .. it runs Smoothwall Express 2.0 with Dansguardian w/ClamAV and a few other mods

my "play" box that sits over a smaller network of about 25 computers is pogo linux rack mount P4 3.0ghz w/ 1 GB ram ..it will eventually become our main smoothie

at my church I run an old AMD K6-2 400 w/ 256megs of ram running Smoothwall Express 2.0 with Advanced Web Proxy w/ Urlfilter add-on and AdZapper ..it ran Endian for awhile , and yeah ..it was a smidge slow , lol.

IPCop with Copfilter is running ok on a Dell GX1 box ..P3 500 w/256megs ram
 
Yeah, I think I am going to go with Endian. I like what Untangle has to offer but the pay-for things kind of scare me. What if one day they decide "you know what, we need to charge for this feature"? Which Endian could do as well, but I don't know; when I am in Untangle and you start adding in your modules and it says purchase even though it is free, that doesn't sit right with me.

The box I have things on now is just to play with; everything will be moved to either a Dell Vostro Core 2 setup with one gig of RAM or a custom-built A64 setup with one gig of RAM. I'm thinking Dell boxes (need 2 firewalls) just for easier, faster tech support.
 
Yeah, I think I am going to go with Endian. I like what Untangle has to offer but the pay-for things kind of scare me. What if one day they decide "you know what, we need to charge for this feature"? Which Endian could do as well, but I don't know; when I am in Untangle and you start adding in your modules and it says purchase even though it is free, that doesn't sit right with me.

The box I have things on now is just to play with; everything will be moved to either a Dell Vostro Core 2 setup with one gig of RAM or a custom-built A64 setup with one gig of RAM. I'm thinking Dell boxes (need 2 firewalls) just for easier, faster tech support.

I would play with IPCop with the add-ons as well. As far as the Dells go, the outlet has them for around 300 bucks from time to time with the full warranty. You also see them new for 400 or so with a 19 inch LCD, which is a nice deal when they run that special. Just use the monitor for something else.
 
Ok, so far I have IPCop up and running with Copfilter. Been looking at VPN; looks like it is built in but don't know if I should get a plugin for it or not.

What is the big difference between ipcop and smoothie?
 
What is the big difference between ipcop and smoothie?

Smoothwall Express uses an old 2.6 kernel, whereas IPCop uses an even older 2.4 kernel; Smoothwall might have support for more devices out of the box.

They're so simple to install and set up, and so similar, that you could just try them out -- that's probably the best option, esp. at the onset.

(One difference I recall is that IPCop graphs CPU utilization, but Smoothwall Express doesn't. Not a big deal in my case though, because the CPU utilization was generally very low.)
 
Smoothwall 2.0 used the 2.4 kernel .. 3.0 uses the 2.6

there is pretty much a mod to do anything you want it to ..with more being ported over from 2.0 every week .. there is a performance graphs mod for both



[F]old|[H]ard
 
Personally i like OpenBSD, but you can't go wrong with smooth either...

Also, ignore the call for such high end machines.. you REALLY don't need that much CPU power.. right now my firewall's on like a P2 3/4XX ish.. you know, one of those used computer outlets' 5 dollar bargain bin computers, and then I threw in 3 NICs, and it never goes over 10% CPU usage. The only usage I get is when my weekly log is compressed and sent to my backup folder and I query to see which guy from Russia is trying to access my box :p


they need something to pass vpn between two locations and a laptop
-locations meaning different buildings:

firewall on either side then, with a WAP at each location depending where the laptop is at the time?

-1 building, multiple computers and a laptop:
firewall to outside world, VPN redirect from any to any...


I will say this.. if I was using a laptop and I wanted any kind of security.. I would throw 3 NICs in a box: 1 being isolated to the WAP, 1 to the outside world, 1 to hard-wired computers (can add a switch behind there for more machines). And then the wireless-only access would be through the VPN you set up...


wireless is not protected, just keep repeating that to yourself.. anyone who wants to get in can.. it's very easy...


I'd go with whatever solved the job first, sounds like it's nothing too serious, they just want a firewall to feel safer.. and it doesn't sound like you want to set up some hardcore filter rules in iptables/pf etc
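The three-NIC layout described in the post above (WAP on its own port, outside world, wired LAN, wireless clients allowed to reach nothing but the VPN), written out as an added pf.conf example for the OpenBSD pf mentioned in that post. This is not configuration from the thread or from any of the distros discussed; the interface names, address ranges, and the choice of OpenVPN on UDP 1194 with a tun0 tunnel interface are all assumptions:

```pf
# Added example /etc/pf.conf for the three-NIC box (assumed layout, not from the thread).
# em0/em1/em2, the address ranges and OpenVPN on udp/1194 are assumptions.
ext_if  = "em0"        # to the outside world
lan_if  = "em1"        # hard-wired computers (a switch can sit behind it)
wlan_if = "em2"        # port reserved for the WAP, nothing else plugged in here
vpn_if  = "tun0"       # tunnel interface OpenVPN creates once a client connects

lan_net  = "192.168.1.0/24"
wlan_net = "192.168.2.0/24"   # WAP clients get an address here but can only reach the VPN
vpn_net  = "10.8.0.0/24"      # addresses handed out inside the tunnel

set skip on lo
set block-policy drop

# Hide the wired LAN and the tunnel clients behind the outside address.
match out on $ext_if inet from { $lan_net, $vpn_net } nat-to ($ext_if)

# Default deny. pf states are floating, so a single "pass in" on the ingress
# interface also covers the same packet when it is forwarded out another one.
block log all
antispoof quick for { $lan_if, $wlan_if }

# The firewall's own outbound traffic (package updates, DNS lookups).
pass out on $ext_if inet from ($ext_if)

# Wired LAN: unrestricted outbound, stateful.
pass in on $lan_if inet from $lan_net

# Wireless segment: DHCP from the firewall and the VPN listener, nothing else.
# A wireless client that is not inside the tunnel cannot reach the LAN or the Internet.
pass in  on $wlan_if inet proto udp from any port 68 to any port 67
pass out on $wlan_if inet proto udp from any port 67 to any port 68
pass in  on $wlan_if inet proto udp from $wlan_net to ($wlan_if) port 1194

# The laptop when it is away from the office: same listener on the outside interface.
pass in on $ext_if inet proto udp to ($ext_if) port 1194

# Traffic that arrives through the tunnel is trusted the same way as the wired LAN.
pass in on $vpn_if inet from $vpn_net
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `block log all` line means anything a wireless client tries outside the tunnel shows up in the pflog interface, which is the first place to look if the WAP segment "doesn't work".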
 
I am searching for something that will work well for content filtering for a small school. What would you guys recommend for that?

I have been using censornet. It has been working OK for us, but I'm looking for something better.

The only issue is that we already have an older SonicWall firewall in place and are happy enough with it. So, I would rather NOT replace it but we'll see what happens.

I have used Untangle and it is pretty nice. It is a very polished product and could not get any easier to install. Would Smoothwall or IPCop install on a Dell Vostro 300? Those are nice cheap little computers that have quite a bit of horsepower.
 
I work at a school for troubled teens and use Smoothwall Express 3.0 to lock down various networks using Dansguardian content filter and set up different filter groups to filter according to user

..the more appropriate question might be , why wouldn't ipcop or sw install on a dell vostro ;)



[F]old|[H]ard
 
I am searching for something that will work well for content filtering for a small school. What would you guys recommend for that?

I have been using censornet. It has been working OK for us, but I'm looking for something better.

The only issue is that we already have an older SonicWall firewall in place and are happy enough with it. So, I would rather NOT replace it but we'll see what happens.

I have used Untangle and it is pretty nice. It is a very polished product and could not get any easier to install. Would Smoothwall or IPCop install on a Dell Vostro 300? Those are nice cheap little computers that have quite a bit of horsepower.

The content filtering is what really can bring up the system requirements. There is no reason they would not work on a Vostro 300 other than the fact they don't make a Vostro 300. Just a 200 and a 400. A slim 200 with a few extra NICs (low profile) and you have a hell of a nice firewall for less than a Cisco 871 or comparable SonicWall, and it will give you a lot of extra options.
 
If you would like to have all the VPN features and such in one nice package why not try Clarkconnect? It has everything you can think of to choose from in the free package. You don't have to worry about using third party addons and Clarkconnect is updated and revised very frequently and also tested extensively before any new patches or revisions are released. They also have paid versions with support, server monitoring and etc. All administration is done using a web based GUI, so you never have to touch the command line with this distro and installing packages is as easy as clicking a checkbox.

Very user friendly.

As far as system specs go - http://www.clarkconnect.com/info/requirements.php
 
I was thinking it was just a discontinued Dell product as I didn't see any listing for a Vostro 300 on their site nor did I find it under support :p


..if I am not mistaken ..Clarkconnect is not free for commercial use ..so that would come in to play as a factor whether or not to use it in a school or not



[F]old|[H]ard
 
I was thinking it was just a discontinued Dell product as I didn't see any listing for a Vostro 300 on their site nor did I find it under support :p


..if I am not mistaken ..Clarkconnect is not free for commercial use ..so that would come in to play as a factor whether or not to use it in a school or not



[F]old|[H]ard

Oh....you are right my friend. I should have kept that in mind. To the OP, you may need to check with Clarkconnect to see what the license requirements would be in your situation. Thanks for reminding me on that.
 
I am really thinking of a Dell slim Vostro and SW with some mods. I like the fact it has a forum that I can search for answers. If IPCop had something like that I might go that way.

VPN is from site to site, not really laptop; no wifi really, way too insecure. As far as system specs, from what I have read and what I want to do, content filter and VPN will push those specs up a bit. I also don't really have the spare machines to put them on so might as well spend some money and buy something I can fold on too :)
 
I tried IPCop and Endian ..but went back to Smoothwall because of the active community/support ..

SW might take a bit more to get setup initially , but it's pretty easy/painless .. If I can do it , anybody can :p


[F]old|[H]ard
 
Can anyone do a quick comparison of smoothwall vs ipcop? I will probably load both either way.

I would think ipcop would be more add on friendly as there is no commercial version that they are trying to integrate with. Maybe not though. What are the main limitations of the free smoothwall version?

Thanks
 
What are the main limitations of the free smoothwall version?


...there are no limitations ... you could setup a dev box and roll your own mods for it if you wanted.

I went to the homebrew section and asked about how to do a certain thing .. immediately I got responses and a link to a program that did what I wanted it to do under linux .. I set up a dev box and followed directions and compiled the program and then copied folders over to my main smoothie ..and it didn't work (I know now why tho, as I didn't put in the IP range in a certain config file) ..

..anyways , I asked what I was doing wrong and somebody took the program and packaged it up for me for easy install (instead of copying folders into the right place) and pointed out the changes I needed to make in a certain config file for it to work .. now it works

More than likely the mods currently available will meet your needs quite nicely .. but if there isn't , there are a lot of guys over there that are willing to help you out.
 
Well, Smoothwall does not detect the onboard NIC or the low profile Intel NIC I installed.

IPCop starts the install and then after I choose to install from CD-ROM, it says it cannot find the CD-ROM even though it just booted off of it.

Now I remember why these distros are so frustrating. Also, that's why I asked if it would work on the Vostro. (I mistakenly called it the 300 instead of the 200).

Anyone have any tips? I had to enable RAID in the BIOS to get smoothwall to detect the hard drive. That was one little tidbit of info I found out.

Thanks
 
any SW3 questions , you would probably get a better response here
http://community.smoothwall.org/forum/viewforum.php?f=20&sid=f7fd4b4c2a1c7b1b1e28af0efb6b18c1

for mods check here
http://community.smoothwall.org/forum/viewforum.php?f=26&sid=f7fd4b4c2a1c7b1b1e28af0efb6b18c1

.. I know with the new 2.6 kernel , some NICs that were supported in SWe 2.0 under the 2.4 kernel are not supported now .. but there is also support for some 10/100/1000 cards now in SWe 3.0 .. so it's a give and take thing I guess

**oops**
I see you have already posted over there ..lol

..as far as the NICs go .. I have a couple D-Link low profile NICs that I know would work for you, if you have 2 available PCI slots open in that Vostro, that I could send you if you can't get drivers compiled for your current setup.



 
Do you have the model number of those low profile NICs? I thought I was making a safe bet by going with Intel but I guess not.

I may end up just using the standard size Vostro from now on otherwise, as I have a whole bunch of 3Com NICs that Linux seems to have liked over the years. They are not low profile though. Do they make a bracket to convert it to low profile? I am thinking of the 3C905B. It might be too big even with a low profile bracket though.
 
they are 530TX+'s ..they came with full and low profile brackets ..we got a bunch of these and I have used them in several different SW2 and 3 boxes.
 
As far as system requirements with SW...

You really do not need much at all if you are using it as a basic firewall with port forwarding etc. I run a few small businesses on machines that are 400mhz or below (one is a 233mhz I think) with only around 256mb - 512mb of RAM.

That little power and it still works fine for an office of about 20 people that are using the internet and email all day long.

Now if you want to do content filtering and web proxy, that is where you need more power. But still not much more. An 800mhz - 1ghz machine should be plenty with around 1gb of RAM. Now of course if you are doing a whole campus/larger office you might want to bump it up a bit more, but that is the beauty of it...you can scale it to your needs.
 