SOHO Firewall Roundup


For several years now I have used SmoothWall Express as a personal firewall on my cable modem connection. I have been very pleased with it and have never had any successful breaches that I have been aware of. Having kids, I knew I would soon need some form of nanny filtering. Early on I investigated Dansguardian and found great support in the Homebrew forums of the SmoothWall community. Reason being... creator Daniel Barron also works for SmoothWall Limited. In my early testing of this custom addon I found it slowing my browsing experience dramatically to frustrating levels. This was largely due to running it on an old PII 200MHz box with about 64MB RAM. The CPU was continually getting pegged! I found no reason for the torture as the kids were still too young to get into trouble... so needless to say I turned it off. Since then various other addons and updates have prevented the Dansguardian addon from even functioning.

Image: GS-L02
I mentioned in a previous blog that I got some appliance hardware to boost my firewalling abilities. I was easily able to just plop my existing SmoothWall hard drive into this mini-itx box and run the setup to scan for the NICs and away it went. However, I would need to reinstall Dansguardian but I was tempted by other forks of SmoothWall; IPCop to be precise. I even did a presentation of IPCop at the last BillingsLUG meeting after only using it for about a week. I was fairly impressed with its out of the box features over SmoothWall; however, Dansguardian was not included. Adding the Cop+ (Dansguardian) addon was rather easy once I understood their GUI way of doing this. They did an awesome job of doing this for non-commandline people. The biggest problem I was facing was that some addons in IPCop were dead, with the worst part being that Cop+ didn't work with the IPCop version I had installed. The Cop+ addon was last tested and confirmed working with 1.4.4-1.4.13 and I had installed 1.4.15. Doesn't seem to be that big of a difference, but this latest Cop+ was done back in July of 2005 and 1.4.15 was just released in March 2007. So I thought I'd look for yet another firewall distro.

I didn't give m0n0wall any light of day, but did read into its addon package abilities which include Dansguardian. Most prided themselves with the lack of features in m0n0wall. After all it is just a firewall and not a jukebox eh? Installing Dansguardian is not out of the question with m0n0wall, but you would just not have any integration with the main control panel; this would be true if I had installed it this way with IPCop too. So no, I didn't even download the iso BUT... one great tip in their list archive pointed me to Endian Firewall (EFW).

At first glance Endian looked like some commercial product with everything I was looking for and more. Truth is, it is a commercial product out of Italy, but there is also an EFW Community version which is naturally provided without their support, though there is a small community following via list email.

My first attempt at installing the EFW Community version to my firewall appliance was plagued with problems and I thought this just would have to happen to me. It booted very slowly but I didn't think much of it. Then I noticed it trying to boot with an SMP kernel which soon failed in an endless loop trying to find the source USB connected DVD drive I was using. (Yes, Scott I was plagued again by yet another USB problem.) A few days later I decided to try again by moving the target drive into my desktop machine. The bootup zipped by with flying colours! The install was a total success and I plopped it back into the mini-itx box.

The rest of the installation has to be done remotely which is sort of a pain as it also needs to be the local DHCP server. It was a little inconvenient to set my IP and route manually to be able to remote in and sshd is disabled by default. The remainder of the setup was a snap and I also discovered tons more features including some interesting ones not available in SmoothWall nor IPCop:

Screenshots: Network Zones, Network traffic, HTTP: Antivirus, System Graphs, Web Proxy Logs, ntop: Global TCP/UDP Protocol Distribution

  • Web based network setup for Red, Blue, Orange
  • Connections (IPCop has this... very similar to iftop)
  • SMTP Mail Statistics (not using)
  • Mail Queue (not using)
  • Clamav antivirus (nice out of the box feature)
  • Traffic Shaping (IPCop has this but I'm not using)
  • Traffic Monitoring (this is ntop... very sweet!)
  • Outgoing firewall (on by default but I quickly disabled. I find this to be very IT Notzie like.)
  • Content filter (Dansguardian out of the box! USING)
  • Proxy (POP3, SIP, FTP, SMTP, and DNS. All very interesting but not using except testing FTP proxy)
  • Openvpn Server (not out of the ordinary but just thought to mention what vpn it was)
  • Firewall Logs (not that the others don't have... just wanted to point out this has settings to report on different features):
      • Log packets with BAD constellation of TCP Flags
      • Log NEW connections without SYN Flag
      • Log accepted outgoing connections
      • Log portscans (I'm logging this)
      • Log refused packets (Was logging this for troubleshooting)

So far the only thing that I have found that the EFW Community version does not seem to have that SmoothWall and IPCop have out of the box is a web-based (one-click) updating procedure. Endian profits from their enterprise appliances pre-installed with Endian and from their maintenance subscriptions. Updates are applied to these automatically under their various paid contracts. Some in the community knock Endian saying you have to download the iso and re-install from scratch in order to upgrade. Then they restore their backup settings crossing their fingers. Community based updates are totally manual and not available until the packages are created and rolled up. Endian does provide these as tar'd rpm's. You just need to extract it to your firewall and since this is an RPM based distribution, you just run your 'rpm -Uvh' on the extracted updates. I am a fan of RPM's anyway so this is a plus in my book.

Endian uses the 2.6 kernel whereas both SmoothWall and IPCop are 2.4 based with the 2.6 kernel currently in beta releases only. SmoothWall is not using RPM but is a Red Hat 7 cousin. I'm not sure if IPCop is using RPM but is a fork from SmoothWall and soon to be driven by Shorewall code; losing the remainder of SmoothWall code.

Depending on how my love of EFW Community goes, I may go back with SmoothWall Express. The development from this community seems to be picking up again after what seems to have been years of little progress.

    m0n0 Wall

    I have to agree. Once you try mono wall you will never need anything else. To add to fj40dan's comments. M0n0wall uses FreeBSD's IPFW which is commercial grade. Some of the largest internet sites and installations use IPFW including a few of the major search engines, except for Microsoft of course. I have used mono wall for over three years and I have never had problems, even the beta versions run solid. It would take a lot to sway me from it. I have tried PF Sense too. I found it to be unstable. If you ever have to reboot your firewall it is a bad thing.


    fj40dan's picture

    First I would like to say

    First I would like to say very nice write up! Very professional. Well done.

    Now for some observations (based on poor memory lol) I have had on each of these. Endian firewall has some nice features over ipcop, especially during the install. A huge one is that you can pick and choose a network adapter for each network as you install and you can switch them after you have it installed. If you want different nic capabilities at each network/or upgrade them it is very hard to do this with ipcop. Another nice feature is filtering connections on the wireless side by mac. I know macs can be spoofed, but that requires someone who is really determined to get at the lowbandwidth/qos'ed/pornfiltered internet. The only thing that had kept me from endian is the great add-on for ipcop for openvpn, openvpn is great for every road warrior client. I could never get the default ipsec (pptp? I don't remember now) vpn to work well in either. Openvpn is very easy for windows (openvpn gui), reasonably so for mac and linux. I have tried the ipcop/copfilter (I think copfilter is included with endian). They have many nice features, however expect exponentially higher need for resources (much more than the 1gig pIII w/ 512ram that I put on it). I'm also not all that comfortable with the swiss-army knife proxy approach, I'm not sure exactly why. Maybe, because proxies don't have to be at the firewall and if one service has a vulnerability your firewall is toast. I don't know. You just need a good firewall to make them transparent. That brings me to random thoughts on monowall. I wish you had time to take a look at it, I think you would have liked it. Based on freebsd it is reasonably secure. Bsd pf is a great firewall. Monowall supports vlans on different nic with filtered bridging between them. PPTP vpn with radius that is stupid simple to set up on windows clients (just what I need- stupid simple!). They also have a great walk-through with windows 2k/xp built-in vpn client. It also has a very cool captive portal web page (with radius auth) for wireless. Making a cool wireless access point. That's all the random mutterings I come up with right now.

    Thanks for the good read.

    dan

