Need a Firewall?
Do you have an old PC you don’t use?
I have now reviewed the pfSense firewall here.
Hello again! Up until a few days ago I secured my home DSL broadband network with the IPCOP 1.4 firewall. I do like IPCOP and it was fun and easy to use, especially when you add all the addons (which are of course unsupported) that you may want. Keep in mind that, while Linux based, everything is managed through a web interface, just like any Netgear/Linksys router. Now, I do believe in the KISS principle on security. A server/box should be what it is and nothing more. A firewall should be a firewall, a proxy a proxy, a mail server a mail server, etc. The more you combine into one machine, the more chance multiple applications/systems can become compromised.
However, some of us are just securing our home network here, not some corporate secrets that will cause a global radioactive explosion if they happen to leak beyond the boundaries of the intrawebz. Granted, your own life could potentially be ruined if someone gets ahold of your bank information, but to expect the average user to be running 30 different systems for each piece of security is just unrealistic.
So, the addons on IPCOP almost become a necessity because out of the box it’s a firewall, an IDS, and a proxy. But the proxy doesn’t include much of any content filtering by default; it’s simply a proxy. The other thing about IPCOP is that by default the interface doesn’t really support bi-directional rule creation. It pretty much assumes all outgoing traffic is good and all incoming is bad, which is nice and simple, if a bit limited. So, a few addons later you have a full content-filtering, bi-directional firewall and router solution to secure your home.
What all this means for you (especially if you have kids) is that you can easily block most porn, viruses, spam, advertisements, hacker/illegal/piracy/gambling/etc. websites, and a whole bunch of other things considered “bad” on the internet, simply by clicking a checkbox. Try getting your Linksys to do that :).
The downside to these firewalls is that they require hardware. Unlike the Linksys or Netgear router that you buy from the store, take home and just plug into your DSL/cable/satellite modem to give you the assumption of security (these don’t provide much protection, especially if you leave them at the defaults, including passwords), IPCOP and the others I discuss here require a separate computer. The nice thing, however, is that this computer can be the biggest piece of junk you can find in a yard sale and it’ll likely still work. We’re talking PIIs here; 5GB of hard drive space and probably 256MB of memory is more than enough to run these.
As I said, it was IPCOP for me until recently. Several months ago Snort started failing with a Helper Code on the page. It appears that the version of Snort (the Intrusion Detection System, IDS) on IPCOP 1.4 is 2.6 and the new Snort rulesets only support 2.8 and up. So I checked out IPCOP’s forums and other sources of information and basically gathered that not only is it known that Snort is broken, but the people at IPCOP seem to have gotten the idea that Snort is useless anyway, so they just won’t include it in the next release, 2.0.
Well, this blog isn’t to argue the usefulness or lack thereof of Snort. Suffice to say, I like Snort, I do find it useful in detecting various things (sure, I get a lot of fluff, but it’s easier to look through Snort alerts than the billions of lines of firewall logs that get generated) and I think an IDS is an integral part of security. I’m sure IPCOP has good reasons for ditching Snort, but I want it, so I ditched IPCOP. While on the search for a new “turn-key” based firewall solution I came across these:
