Linux/BSD firewall

Asha'man X

Hi guys

I've been looking at tightening up network security at my school, and one of the things that I've looked into replacing is the stand-alone Symantec firewall, and possibly the box running squid for the proxy service as well, to create a nice all-in-one package.

I've looked into IPCop, Smoothwall, and Pfsense for firewalls and played with them in virtual machines. Each has its own pros and cons, with Smoothwall and Pfsense seeming to have the most active user communities and forums, whereas IPCop seems to be quite quiet.

Having Dansguardian on the system is pretty much a must (filtering for the students), so that more or less puts Smoothwall at the front. The mod for IPCop that does DG is quite old and doesn't see much active development. Along with Advanced Proxy, I can use Active Directory authentication.

Also, having a box like that should help me get a better idea of the traffic flowing through the internet connection, and should let me be more in control. The current Symantec firewall is pretty much useless in this regard.

What are your experiences with these firewalls? Any recommended ones I should look into that I haven't mentioned? Any tips, ideas and tricks?

This isn't something I can implement right away but it is something I am looking into with a lot of interest.

Many thanks
 
I've been using Smoothwall for a couple of years now... I can't really complain, and the system has prevented a number of nasties getting into my network.
 
For my home lan I have firestarter and squid3 for proxy, squid can do far more than the simple settings I have it set to do.
 
Problem with Smoothwall is, to get a decent version... you have to pay :(
 
Thanks for the replies so far.

@ w1z4rd

I noticed that on the site. Seems like they tempt you with the open source version, but hold all the best features back for the commercial editions. I know I can install mods to do most of those features, which does help a bit.

I looked at Untangle briefly, but again they hold back the best features for a commercial edition. Also from various forums I've read, it appears to be a bit unstable, but I can't comment first hand.

Anyone had any luck with Endian? It was forked off IPCop, sort of like IPCop plus the good mods. I tried installing it in VirtualBox but it would not install for some reason.
 
I still maintain that if you want a good, secure setup, you should do it yourself :D

I would suggest Gentoo Hardened (mainly because I have a Gentoo fetish at the moment), with Squid and DansGuardian for proxy/filtering and iptables as the firewall. I have found that for school filtering, you're best off with DansGuardian (all the school systems we admin run it). I haven't had much experience with Smoothwall or other "all-in-one" firewall distributions, but it really depends on whether you are looking for a quick, easy fix or you want to get down and dirty with a custom set up. If you are stuck in Gentoo, fortunately it is quite possibly the best-supported distribution in the universe, so there is probably a HOWTO for pretty much anything.

IPCop is probably your best (free) bet, as it is quick and easy to install and can be maintained via a simple web interface. So what it comes down to is whether you are looking for easy (IPCop/Smoothwall), or awesome (custom set up)? :p
 
@ Kasyx

LOL, you really have quite the Gentoo fetish. I've never played with this distro, and I don't quite have the time to learn everything related to it. I've played with Linux quite a bit, but never super seriously.

Would a copy of openSUSE 10.2 also do the trick? I can leave out the GUI easily enough and use Webmin or SSH at worst. It will pretty much do the same thing as Smoothwall/IPCop, as it uses the same iptables in the end?

I found that on my current old Mandriva box, I've been able to hack around and customise DG and squid in ways I couldn't quite from Webmin, or in the all in one firewall.

Hmm, I think I must experiment some more in virtual machines. I have my openSUSE with me today luckily. :)
 
@ Kasyx

LOL, you really have quite the Gentoo fetish. I've never played with this distro, and I don't quite have the time to learn everything related to it. I've played with Linux quite a bit, but never super seriously.

Would a copy of openSUSE 10.2 also do the trick? I can leave out the GUI easily enough and use Webmin or SSH at worst. It will pretty much do the same thing as Smoothwall/IPCop, as it uses the same iptables in the end?

I found that on my current old Mandriva box, I've been able to hack around and customise DG and squid in ways I couldn't quite from Webmin, or in the all in one firewall.

Hmm, I think I must experiment some more in virtual machines. I have my openSUSE with me today luckily. :)

openSUSE would work fine, we have a few clients using it for their proxies and it does just fine, I just suggested Gentoo because, well, it is awesome in its purest form :D
I just suggested setting it up yourself as I feel one has more control and customizability with a custom set up as opposed to an "out-of-the-box" all-round solution. At the end of the day, each to his own and whatever you feel will suit your needs is what you should go with.
 
Problem with Smoothwall is, to get a decent version... you have to pay :(

The free version is very good, have you tried it?

Thanks for the replies so far.

@ w1z4rd

I noticed that on the site. Seems like they tempt you with the open source version, but hold all the best features back for the commercial editions. I know I can install mods to do most of those features, which does help a bit.

Do you really need to sit and play with a firewall all day long? Surely it's supposed to do just one thing, and do it well? The free versions of Smoothwall, OpenWall, and Redwall are all good enough for firewalling, filtering & reporting traffic usage, and best of all, they're easy to install. My dad's running a Smoothwall, and I can get him to reinstall it over the phone if I have to.


openSUSE would work fine, we have a few clients using it for their proxies and it does just fine, I just suggested Gentoo because, well, it is awesome in its purest form :D
I just suggested setting it up yourself as I feel one has more control and customizability with a custom set up as opposed to an "out-of-the-box" all-round solution. At the end of the day, each to his own and whatever you feel will suit your needs is what you should go with.

We also use openSUSE for some of our clients, but if you need something more (say file shares, email, etc.), then I can recommend SME Server 7.3 or Clarkconnect. They also do firewalling & filtering very well, but with the extra network server stuff.
 
Hey again everyone

Some very useful replies to this thread, thank you :)

I've played with Smoothwall 3 in VirtualBox, and I think I was more impressed with it than IPCop. Somehow, it seems like IPCop is going nowhere slowly. Smoothwall also has a great active forum, which is always a plus.

The list of features not supported by Express is long, reading that pdf made me sad. Some of those features you can get with mods though, which helps. Having DG is pretty much a must, due to the school environment.

The more I play around, the more I'm wondering if I shouldn't eventually go the route of taking a SUSE install and harden it up. It's similar to what I did with the current old Mandriva box that is running everything now.

This is most interesting indeed :)
 