LinuxNiche

The ramblings of a Linux geek

Jul 10, 2009 - 11 minute read - Comments - Firewalls Linux

Do you have an old PC you don’t use?

** I have now reviewed the pfSense firewall here.

Hello again!  Up until a few days ago I secured my home DSL broadband network with the IPCOP 1.4 firewall.  I do like IPCOP and it was fun and easy to use, especially when you add all the addons (which are of course unsupported) that you may want.  Keep in mind that, while Linux based, everything is managed through a web interface, just like any Netgear/Linksys router.  Now, I do believe in the KISS principle on security.  A server/box should be what it is and nothing more.  A firewall should be a firewall, a proxy a proxy, a mail server a mail server, etc.  The more you combine into one machine, the more chance there is that multiple applications/systems can become compromised together.

However, some of us are just securing our home network here, not some corporate secrets that will cause a global radioactive explosion if they happen to leak beyond the boundaries of the intrawebz.  Granted, your own life could potentially be ruined if someone gets ahold of your bank information, but to expect the average user to be running 30 different systems for each piece of security is just unrealistic.

So, the addons on IPCOP almost become a necessity because out of the box it’s a firewall, an IDS, and a proxy.  But the proxy doesn’t include much of any content filtering by default; it’s just simply a proxy.  The other thing about IPCOP is that by default the interface doesn’t really support bi-directional rule creation.  It pretty much assumes all outgoing traffic is good and all incoming is bad, which is nice and simple, if a bit limited.  So, a few addons later you have a full content-filtering, bi-directional firewall and router solution to secure your home.

What all this means for you is that (especially if you have kids) you can easily block most porn, viruses, spam, advertisements, hacker/illegal/piracy/gambling/etc. websites, and a whole bunch of other things considered “bad” on the internet, simply by clicking a checkbox.  Try getting your Linksys to do that :).

The downside to these firewalls is that they require hardware.  Unlike the Linksys or Netgear router that you buy from the store, take home and just plug into your DSL/cable/satellite modem to give you the assumption of security (these don’t provide much protection, especially if you leave them at the defaults, including passwords), IPCOP and the others I discuss here require a separate computer.  The nice thing, however, is that this computer can be the biggest piece of junk you can find at a yard sale and it’ll likely still work.  We’re talking PIIs here; 5GB of hard drive space and probably 256MB of memory is more than enough to run these.

As I said, it was IPCOP for me until recently.  Several months ago Snort started failing with a “Helper Code” error on the page.  It appears that the version of Snort (the Intrusion Detection System, IDS) on IPCOP 1.4 is 2.6, and the new Snort rulesets only support 2.8 and up.  So I checked out IPCOP’s forums and other sources of information and basically gathered that, not only is it known that Snort is broken, but the people at IPCOP seem to have gotten the idea that Snort is useless anyway, so they just won’t include it in the next release, 2.0.

Well, this blog isn’t to argue the usefulness or lack thereof of Snort.  Suffice to say, I like Snort, I do find it useful in detecting various things (sure, I get a lot of fluff, but it’s easier to look through Snort alerts than the billions of lines of firewall logs that get generated) and I think an IDS is an integral part of security.  I’m sure IPCOP has good reasons for ditching Snort, but I want it, so I ditched IPCOP.  While on the search for a new “turn-key” firewall solution I came across these:

Endian Firewall Community – A free version of the Endian Firewall Appliance (not that that means anything; I don’t know it either).  Evidently it was originally based on SmoothWall, the foundation of IPCOP, but I believe it was rebuilt using Linux From Scratch.

PFSense – A FreeBSD based firewall solution that has a HUGE list of features ranging from the very cool to the super confusing.  How much of each you get is going to depend on your familiarity level with firewalls :).

Vyatta – Vyatta calls itself the “Open-Source Alternative to Cisco”.  I know you know Cisco; unless you’ve been hiding under a rock, they are one of the largest firewall appliance vendors out there.  I mean, they’re Cisco.  So these guys are really saying a lot if they think they can challenge Cisco to a pissing contest.  Obviously, like Endian, this one seems very business oriented in that they want you to pay.  And I do mean PAY.  Wow.  But there is a Community Edition, or so it seems, that is free for download.  They say it’s to “test and evaluate”.

Those three firewalls are ALL based on some open-source operating system or another, but have (apparently) easy to use web based front ends that are no more difficult to learn than the standard Linksys/Netgear devices that everyone uses.

I found these firewalls in the order listed above, and since I had no preference I just tried them in order.  I downloaded and installed Endian to replace my IPCOP.  It took me maybe 20 minutes to get it installed (I have static IPs and other complicated things that take longer than most people would), and another 1.5 hours to get all of the firewall rules that I had on IPCOP rebuilt in Endian.  Please understand, this 1.5 hours is not something you, the reader, are likely to encounter unless you also run several servers in a DMZ network with several applications requiring different port ranges to be forwarded.

If nothing I just said made sense to you, Endian will probably take you 20 minutes or less to get up and running.  Here is where Endian is a bit more business-like than IPCOP: By default, out of the box, it’s blocking traffic bi-directionally (in and out).  It has a default ruleset to accommodate most users; it allows you to get to the web, check email, and use FTP (for the tech savvy: ports 80 and 443 for the web, 25/143/110 for email, and 21 for FTP) but absolutely NOTHING else.

Wanna connect to an IRC server? Not gonna happen. I’m loving Endian :D.  Of course these are fixable; you have to go into the firewall portion of Endian and go to the outgoing traffic link.  Endian, like IPCOP, calls your networks GREEN (for your LAN), RED (for your internet), and optionally BLUE (for a wireless network) and ORANGE (for a DMZ).  It shows you in a pretty little table on the web page what is allowed where… GREEN is allowed all access to your ORANGE and BLUE networks if you have any, and specifically 80 and 443 going out to RED.  ORANGE and BLUE are basically allowed DNS and not much else.

This is the one spot where Endian will probably lose your standard, normal, everyday user: You’ll have to start creating rules with scary things like ports, source IP addresses, destination IP ranges, etc.  If you’re willing to try it, it is easy enough: you can either be really picky and only allow the ports you know you want or need (beyond the scope of this blog), or you can do a simple rule that says ALLOW from the GREEN network to the RED network on ANY/ANY.  This effectively allows all traffic from your computer to go out to the web and the web to respond, while still keeping you safe from unsolicited traffic coming in from RED.

That rule is the default on the other user-friendly firewalls like the Linksys/Netgear and IPCOP.  Not many businesses would use that rule because businesses tend not to trust their employees.  If you don’t trust your kids like a business doesn’t trust its employees though, maybe you should look into learning about ports :D.
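To make the zone table above concrete, here is a small model (added for this post, not Endian’s own code or configuration) of the default outgoing policy described: GREEN gets everything to ORANGE/BLUE, GREEN gets 80/443/25/143/110/21 to RED, ORANGE and BLUE get DNS only, and anything unmatched is dropped. It then compares that with the ANY/ANY rule. The zone address ranges are constructed sample values, not Endian’s real defaults.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ranges for the local zones; anything outside them is RED (the internet).
ZONES = {
    "GREEN": ip_network("192.168.0.0/24"),   # LAN
    "BLUE": ip_network("192.168.1.0/24"),    # wireless
    "ORANGE": ip_network("10.0.0.0/24"),     # DMZ
}


def zone_of(ip):
    """Map an address to its Endian-style colour; unknown addresses are treated as RED."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"


# Each rule is (source zone, destination zone, allowed destination ports or "ANY").
# First match wins; no match means DROP, which is the bi-directional default the post describes.
DEFAULT_OUTGOING = [
    ("GREEN", "ORANGE", "ANY"),
    ("GREEN", "BLUE", "ANY"),
    ("GREEN", "RED", {80, 443, 25, 143, 110, 21}),  # web, email, FTP
    ("ORANGE", "RED", {53}),                        # DNS only
    ("BLUE", "RED", {53}),                          # DNS only
]

# The "simple rule" from the post: ALLOW GREEN -> RED on ANY/ANY, appended after the defaults.
ANY_ANY_OUTGOING = DEFAULT_OUTGOING + [("GREEN", "RED", "ANY")]


def evaluate(rules, src_ip, dst_ip, dst_port):
    """Return ALLOW or DROP for an outgoing flow under a first-match rule list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, ports in rules:
        if rule_src == src and rule_dst == dst and (ports == "ANY" or dst_port in ports):
            return "ALLOW"
    return "DROP"


if __name__ == "__main__":
    # 203.0.113.5 is a constructed public address standing in for an IRC or web server on RED.
    for label, rules in (("default", DEFAULT_OUTGOING), ("any/any", ANY_ANY_OUTGOING)):
        print(label, "GREEN->RED 443:", evaluate(rules, "192.168.0.10", "203.0.113.5", 443))
        print(label, "GREEN->RED 6667 (IRC):", evaluate(rules, "192.168.0.10", "203.0.113.5", 6667))
        print(label, "ORANGE->RED 80:", evaluate(rules, "10.0.0.5", "203.0.113.5", 80))
```

Note that the ANY/ANY rule only widens what GREEN may start; the DMZ stays limited to DNS, so a compromised ORANGE box still cannot reach out to arbitrary ports.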

Anyway, beyond that there are several other options out of the box that IPCOP lacks (by default).  Endian allows you to easily turn on a content filter to block dozens of categories, such as porn and ads, plus the ability to block viruses from even getting downloaded to your PC and to prevent you from going to a spyware riddled website.  You can set the threshold level as well, ranging from young children to young adults, to say how strict you want the filters.  These are excellent increases in security.

Most people will probably say “Well, I already have Anti-Spyware/Virus on my computer.” and that’s good! I’m proud of you.  But a lot of anti-virus packages don’t play well together on the same machine, meaning you likely only have one (probably McAfee or Norton or AVG).  All anti-virus software has different databases that check for different viruses.  So what Norton finds, McAfee might not, and vice-versa.  So while having AV software is good, one solution is not necessarily enough… in comes Endian.  Endian uses an anti-virus called ClamAV, so when you go to a website, or read your email, or open attachments, it will first be scanned by your Endian firewall with ClamAV; if that finds nothing, THEN it will be scanned by your computer’s McAfee or Norton.  I think this is a good thing; your opinion may vary.  For those that use Linux as their main computers, you probably aren’t running local anti-virus software (seriously, what’s the point on Linux?), so this provides a way for the files you download to still be scanned, just in case you go and put them on a Windows box somewhere.

As you can probably tell, I’m really liking this Endian Community Firewall, so much so that I haven’t removed it to move on with my list!! So unfortunately, I can’t tell you how well either PFSense or Vyatta work yet; when I get around to messing with them I will of course blog and compare them as I go, but I wanted to include them on this page in case someone else searching for firewalls wants to give them a shot.  They both have an excellent set of features, so they are definitely worth it.

I do have my complaints with Endian, and this paragraph is going to be a little technical for those that want to skip to the next page. In IPCOP I was able to load addons that allowed me to have my log files automatically emailed to me nightly. They would also automatically submit the firewall logs and such to places like DShield, which is cool because not only does that let DShield compile and see who the most active “bad” guy is right now, but they also format your log traffic for you into an easy to read “Low, Medium, High” risk table of traffic. Endian has neither of these components, and I have not (yet) found a way to add them in, as I haven’t found an “Addon” area like the one for IPCOP. So this is a work in progress. Also, I am having trouble getting a port forward to work from an ORANGE host to a RED (public) IP that is forwarded back to an ORANGE system. Basically, server to server, or a server to itself, using the public IPs and not the private ones. This is probably not a very common setup, however, and thus is not a huge deal. I am positive there’s a rule or rules I need in the outgoing/incoming sections to facilitate this; I just haven’t (yet) discovered it.

In a quick conclusion I’ll say this:

If you are the type of user that had to lean over and ask your 15 year old son/daughter (this includes Google >:) ) what a “firewall” is, I recommend you stick with the purchased Linksys/Netgear that (I hope) you are using, with the understanding that the security they provide is quite minimal, especially if you followed the “1, 2, 3, GO!” instructions. Or you can download IPCOP and use that for the same basic features.  Don’t worry about the addons; installing them is probably the most difficult thing I mentioned in this article.

If you are the type of person that has at least heard the terms firewall, port, anti-virus, and anti-spyware, then I definitely recommend you take a look at Endian and see if you can dust off that old computer you had 10 years ago and put it to use.  All it requires is two network cards: one to go to your internet, one to go to your LAN.

If you’re a technically skilled person like myself, and enjoy tinkering and messing with your computers, I invite you to give Vyatta or PFSense a try and come back and tell me what you think.  Are they user friendly? Is their default setup easy enough for mom and pop to install, plug in and Google?  Is their web interface nicely built and logical? etc.

Hope this blog was helpful, or at least in some way insightful, for most of you.

Happy googling!