Linux distro that is a firewall - like ipcop etc

[mack_guy911]

i started with smoothwall my self after that i run endian on advice of wise guy

YeOldeStonecat my all journey of linux router begin from there


i use endian on my old hardware p3 933 mhz old pc with 256 ram about a year i run it like a server the only problem pretty old hardware and cannot support all the features on 256 so i have to close some of them like av proxy scanning i run it nearly 2 years without any problem then

endian help me lot to understand untangle astaro .....etc

i found curiosity about knowing distro like astaro and untangle

astaro 1st experience was like hell 2nd one even didnt work for me too then i try untangle didnt like the way it work find somewhat confusing then i start astao again keeping software firewall in mind i forget its linux i forget its utm just tweak with simple rules like doing to any internet security suite software and it work for me

after that i learn many new things like running av web filter behind proxy server setting icmp from packet rules...... forwarding dns setting IPS rules pretty simple ............etc

now since astrao 8.3 is one of best pretty straight forward UTM (or simple words it work same way your KIS OR NIS work but on linux mode without effecting your pc performance)

i know its more than that what i say above but i keep it simple


The trick is keep it simple less rules and functions enable by default making it workable save backup so in case your astaro wont work you can rollback and go further step by step setting one at a time at end you get rock solid security with lot of tweaks and setup.


sub-netting super-netting .ipsec ....keep it simple dont dig too deep unless you really know what you doing make it workable on simple like for example 192.168.169.235/24 or 255.255.255.0 then keep digging as deeper if you want

http://www.wilderssecurity.com/showthread.php?t=228779


http://www.wilderssecurity.com/newre...te=1&p=1911167

[Sully]

Quote:

Originally Posted by Johnny123

Out of curiosity, how did you get it to work with Smoothwall? (what you say wasn't the proper way).

I was playing with different router distros, and I found problems with VM, so at work I setup an old 500mhz pentium box and 2 nics. I realized that most of these linux firewall boxes were designed to have one nic facing the internet, the other facing the lan. I realized that if I wanted to keep my router, that I would have to put one of the nics on the lan (the one that was normally connected to the internet) and that the other would be on a different network. I knew that I would have to route between the two networks, and I wanted to avoid that.

What I did then was set the internet facing nic to 192.168.1.188 and the lan side nic to 192.168.1.189. The rest of my network was on one large subnet of 192.168.1.x. It did work, where I set a rule in the router to forward one of my server ports to .188 on the smoothwall box. If the smoothwall box had a rule to pass the traffic onto the server, it worked. If the rule was missing, it did not work.

At the smoothwall forums I shared this, and was informed this was all incorrect. I am not interested in just doing it my way, I am interested in learning the whys. Those guys over there were very nice to work with. I had my terminology all goofed up, and due to my lack of routing experience, had a lot of assumptions that were just not correct.

It turns out while what I did might work, it is far from the "best" way to go about it because using the smoothwall and my existing router were giving what is termed a double NAT, which can work but can cause issues. The other thing I was doing wrong is not understanding how each interface worked within smoothwall. Once I began to understand what the use of each interface was, I began to understand why and started to see the logic. Turns out, smoothwall (and I assume most of these types of distros) are pretty powerful and very granular - you just have to learn a bit to be able to grasp it.

Sul.

[Kees1958]

Why not use DHCP reservation to make sure that with dynamic IP addresses a given client will get the same IP address, is standard feature of D-link 635 and 655 see pic

[Sully]

Quote:

Originally Posted by Kees1958

Why not use DHCP reservation to make sure that with dynamic IP addresses a given client will get the same IP address, is standard feature of D-link 635 and 655 see pic

Perhaps you misunderstand?

I have a dynamic WAN IP at HOME now. It changes periodically, or when the modem reboots from a power outage, etc. The router at HOME is set to update DDNS with whatever new WAN IP my HOME connection is assigned.

The problem lies when I make a rule in the router or software firewall at WORK. I made rules for my OLD STATIC IP FROM HOME, but NOW that my HOME IP IS DYNAMIC, those rules/filters no longer work. Well, they work, but only until my HOME WAN IP changes, then they are no longer valid on the router at WORK because I have to manually change them.

I was following Mrkvonics advice to script it in iptables. I have found though that at WORK, I don't really think one of these distros is the best solution. Instead I have, for now, used IPSec and a batch file to handle the situation. I am currently looking at options that would incorporate the use of one of these distros.

I believe you are meaning assigning a reserved DHCP address to an internal machine using its MAC address so that it always is assigned the same IP. If you mean I can use this with what I am referring to, I am all ears, but I don't think that will work.

Sul.

[Kees1958]

Quote:

Originally Posted by Sully

Perhaps you misunderstand?

Sul.

Yes sorry

[Sully]

Just a quick note to anyone who was reading this and wondering for themselves...

I went with pfSense. Not really because it is any better, but because it suited my tastes a little more.

I will say, I truly do think my Dlink router is a good router. But, from what I have been witnessing, it cannot come close to what my current setup is doing. I have tried it on a pIII 667mhz rig and a p4 1.5ghz rig. For my internet connection,either suffices. I am amazed at the difference in speed. I don't normally use torrents much, but I tried some just to watch the speeds, and never before have I reached full download speed, ever. But I do now.

It is a bit of a hassle, to figure everything out. There are many more options, and truthfully they are not as polished as they are in a consumer router. Well, maybe polished isn't the right word. Maybe they are just less complicated. Regardless, after doing side by side comparisons, I will not be going back to a normal router ever again, it is just that good.

Now that I have a few weeks messing with it, as with anything new, it is not as hard. It doesn't give me everything that I want, but I am more than willing to make concessions now based upon the change in my connection. Especially considering the options it gives me for my kids and guest machines. Now I have quite a bit of control over things I had little or no control over before!

Sul.

[mack_guy911]

i guss ease of use would be right word than polished ..........

yes are not ease of use like most routers but the power they give worth learning
unfortunetly BSD didnt support my old hardware and on new one i am pretty happy using astaro for about 2 years

you have one of best open source router firewall which is made on BSD if your hardware support it stay with it its light fast with awesome security

http://www.pfsense.org/index.php?opt...d=40&Itemid=43

[rudyl]

Having used pfSense 2.0-RC3 as my perimeter router/firewall for just over a month, I totally concur. I'm running on a Compaq CQ5810 (AMD E-350 with 2GB memory) with an Intel E1G44ET quad-port card (PCIe 4x). Idling, it uses ~3% CPU and ~9% memory. At 62Mbps, it peaks at 29% CPU (still at ~9% memory).

[mack_guy911]

astaro screenshot

cpu 2%
Ram 15%
swap 0%
log disk 2%
data disk 6%