Linux distro that is a firewall - like ipcop etc

[Sully]

Hello everyone.

I have been on a search for a couple weeks now for a fix.

The problem is simple, I no longer have a static IP at home, but a dynamic one.

My remote computers had rules in the router for my home static IP, and rules in the firewalls for my home IP.

I have a dynamic dns account, and am using my router at home to update it to whatever my current WAN IP is. This works well. The router is a Dlink DIR-655.

I haven't tried every firewall, but from googling I don't see mention of one that will accept a domain name in a rule, only IP or it coverts name to IP but never "rechecks" the name to IP again. I have a thread started in the firewall forum but so far no takers

I had a thread in the hardware forums asking more about hardware firewalls. I have since learned that at least 2 manufacturers say they don't do this in thier products. I am not going to waste my time reading into multiple hundreds or multiple thousands of dollars units that I cannot afford.

Instead, I have started down the linux path of firewall/router type distros. I started with IPFire, as was recommended. It does not seem to offer what I need, although it was not too bad to get going. Next I tried m0n0wall, but apparently there is a problem using that in vmWare, or at least it must be hooked up for real. I could not get into the webGUI. I am not going to put it to bare metal until I try it a bunch in VM. I tried SmoothWall, but it failed to install in VM. I tried a couple others, don't remember the name, but they were a bit old I think.

Anyway, at this point I am beginning to wonder if I can even achieve what I desire. I do not want a full blown OS, but would prefer a firewall specific distro. I might have to use a full OS, but would really prefer it be as meager as possible, as I don't dabble in linux that often and really don't need much more than a firewall.

What I hope to achieve is to keep my router in place and use the linux firewall machine to put a few servers behind it.

My WAN IP might be 70.70.1.1 to 70.70.254.254

The current addressing at work is a static WAN IP, with LAN IP of 192.168.1.1/24.
I have a few servers which have ports forwarded to their LAN IPs.

My hope it to Keep the router, so all workstations can maintain 192.168.1.x and reside behind the router as normal.

Then give the FIREWALL a 192.168.1.X WAN IP, with a 192.168.0.X LAN IP to those machines behind it. I could then continue to port forward from the router to the FIREWALL IP, and from the firewall create rules to the servers behind it.

I realize I am mixing things up. I could route my incoming WAN line to a hub or switch prior to the router and possibly get things to work. I realize I should be getting rid of the router, but it has good wireless (at least for me) and I hate to rely 100% on a box that might fail for differing reasons when a router has much less to go wrong. And besides that, the servers are mostly only for LAN use, I just happen to need to remote into them at times, and I have a few team speak servers on them as well, but it is the remote access that I really want to have a good handle on.

So, does anyone have any ideas? The firewall must be able to have a rule created that allows dynamic names to be used rather than strictly IP addresses, and the dynamic name must be resolved periodically, or it must check the DNS cache to see if a change has occurred.

I hope this makes sense. It is not the easiest thing to describe in easy terms.

Sul.

[J_L]

I don't have any specific ideas, but you can look at the overwhelming choices here (under 5.5 Gateways): http://www.techsupportalert.com/cont....htm#Firewalls

[mack_guy911]

astaro security gateway is one of best out there

you can check endian as well its base on ipcop + copfilter

http://www.wilderssecurity.com/showthread.php?t=283905

[Mrkvonic]

Sul, you can do periodic checkups for name resolution, say every minute.
Always allow dns to your isp, which should be a single ip.

There, you can query names/ips (with a command line host).

As specified in /etc/resolv.conf, and also check /etc/nsswitch.conf for more details on how different databases are contacted and in what order.

After you obtain the correct resolution, pipe the ip into a script that creates firewall rules on the fly. Flushes existing rules, takes input, creates allow/deny rules and then saves the tables.

I guarantee for a fact that this works as I had to implement something similar somewhere else, but I used a combination of dns and nis and had updates on hourly basis. The only bad thing is, you have a milisecond downtime while you flush the rules and create new ones.

You can get around flushing if you just delete/add specific entries, so you should always add them to the top of the chain, but mind any conflicts or double entries, as once you hit true statement, the chain will end.

P.S. Done using standard iptables.

Cheers,
Mrk

[Sully]

@J_L and mack_guy911

Thanks for the tips. I have not gotten to those yet in VM, although I did know of most of them.

Sul.

[Sully]

Quote:

Originally Posted by Mrkvonic

After you obtain the correct resolution, pipe the ip into a script that creates firewall rules on the fly. Flushes existing rules, takes input, creates allow/deny rules and then saves the tables.

Being a noob in linux, I think what you are saying is that a simple iptables based distro, such as ipcop, is really all that is needed.

Further, you are suggesting that I do a simple command line query of the IP in question and script the firewall rules. That might work, as it is very simple to do. Even in windows I can ping the domain name and get the ip. So in linux, it will be a very similar approach. I might have a go doing this with ipcop. I had not tried that yet because I was looking for something more than iptables, but what you suggest sounds good enough for me.

It is not critical that I update the ip to name more than once a day, so that makes it even easier.

I am not certain how the whole approach will work with me wanting to leave the router in place and the linux box with 2 nics, but I will play and see.

Thanks.

Sul.

[Johnny123]

Quote:

Originally Posted by Sully

It is not the easiest thing to describe in easy terms.

You ain't whistlin' Dixie there

Are you installing these in a VM for test purposes only? Reason I ask is that on the German IPCop support forum they won't support anyone running IPCop in a VM, they say it's a security no-no. It's better to run it on dedicated hardware. For IPCop you don't need anything fancy, it will even run on a 486.

Now if you want the router with the workstations behind it and the servers behind the firewall you can add more NICs. In the case of IPCop, IPFire, Smoothwall or Endian, you would then have Red for WAN, Green for LAN and Blue for the router. Plug a switch into the Green NIC and you can hang the servers on that. If you want a web server available add another, which would be Orange for a DMZ. This is assuming that you have a modem in front of the firewall box. Don't know if your router is just a router or if it has a modem in it.

[mack_guy911]

i my self no idea about it until 1st i start with endian and use it for a year or 2
its pretty easy to configure and you can run it as low as p3 machine with 2 nics

try that distro its pretty easy and out of box utm once get a grip on it then try others like astaro untangle .....etc

http://www.endian.com/en/support/documentation/

http://www.endian.com/us/

also i highly recommened check this guide old one but better simple and straight forward then the new guide

also like to add you need to configure green zone (ie internal local gateway address]

for example

192.168.1.1:10443 and connect it via port 10443 default

then from other pc set your pc ip range in network range 192.168.1.2
subnet 255.255.255.0
gateway 192.168.1.1

as above example


connect to green zone (internal local gateway address by this 192.168.1.1:10443 ) via HTML web and configure your red zone (external modem ip).......etc other configurations )

for this no need or very few knowledge of linux required everything is easy and gui web base

last i didnt install endian on virtual machine but on real hardware ........here are some examples of virtual machine

-http://www.youtube.com/watch?v=NP23-BRKUk0-
-http://www.youtube.com/watch?v=zmuKpkavhNA-

[Sully]

Thanks for the replies.

It isn't whether one distro will be easier than another, it is which one handles the domain name in the way that I want.

Just to set this straight, so anyone wishing to help understands...

Router has static WAN IP and is 192.168.1.1
All workstations are 192.168.1.x
Servers are currently 192.168.1.x

Proposing to

Router has static WAN IP and is 192.168.1.1
All workstations are 192.168.1.x
Linux Firewall box NIC 1 is 192.168.1.x
Linux Firewall box NIC 2 is 192.168.0.x
Servers will be 192.168.0.x

Incoming packet to WAN IP on port 123.
Router forwards port 123 to Linux Firewall box.
Linux firewall box forwards to server on 192.168.0.x behind it
Server accepts incoming request, because linux firewall box handles the rules.
Server may still run firewall for outbound rules if desired.

The problem comes when using domain name as IP in a firewall rule. All incoming traffic on port RDP to router will be allowed because I have real alternative. Router will forward traffic to linux firewall. Linux firewall will then check if originating port was the domain name IP or not. If it is, then it passes it to server(s). It not, it denies. The firewall must have ability (or I must script it) to update the IP for the domain name ideally once every 24 hours.

I am playing (or trying to) with these in VM because I want to test it without putting in on real hardware just yet. I don't mind putting it on hardware, but it is much faster to install in VM and check out the settings/gui etc before actually installing it on metal. I am not having the best of luck though on making things work within the VM.

It seems I have to do a little more studying on the green+red thing. I had thought it was simple, one NIC for WAN side, one NIC for LAN side, and that I could set WAN side to my normal LAN, and the LAN side to a different subnet. It is apparently not that simplistic with a few of these firewalls.

Here is a good quote of what I am thinking

Quote:

The smoothwall features are not "negated" by placing a router in front of it, they are "enhanced". I say enhanced because I don't care what is bouncing off the perimeter router. however, I really do care if flaky stuff is within the DMZ trying to penetrate the smoothwall.

The issue addressed with this design is "where does the access point go?" Placing it behind the smoothwall would allow a wireless hacker access to the internal systems. Placing it in front of the smoothwall allows you to drop all the chaff that would fill you smoothwall logs. If it can't get through the perimeter router, I don't care to see it in my snort logs.

Quote:

The first router is a packet filter. The newest version of smoothwall uses IPtables, which is better than simple packet filtering. The router in front of a smoothwall setup does not slow things down in any noticable way, (I often had the lowest ping in online games) but does allow the benefits mentioned in my previous post.

It's quite common to have a router in front of your "firewall", it's called a DMZ when you have a router in front of the firewall. The DMZ is a great place to put web servers, etc, since they are protected by the router, but still not inside the perimeter to your internal LAN. That way, if one of those systems gets hacked, it doesn't provide any additional access, you've limited the damage.

Sul.

[mack_guy911]

yes its same

lan= green zome

wan= red zone

forget it go for astaro it has everything you need its free for 50 users and 32000 concurrent connection for home license or clearOS

is there special reason you want to put it behind the router


i a have my setup

Internet--> Modem--> astaro security gateway --> Swtich ---> pc and wireless router

i use it as simple utm gateway not as server or dns forwarder

for dns quires you need a dns server on your LAN network this will give more light


https://support.astaro.com/support/i...guration_Guide

also like to add you get everything on astaro but you need to create rules by default astaro block all external

you need to create rules

like for example you need to connect to ftp you
need to create a rule for it

which is pretty simple

1st go to network security
2nd click on packet
3rd make new rule
4th source: click on folder icon you see networks on left

drag internal network to it

5th same way click on folder and drag service to it ftp for example

6th destination let leave it to any

apply rule created now click on red button to make rule active

please check astaro demo it give you all idea

http://demo01.astaro.com/

same way clear OS will work for you can set a entire server as well on clearos

http://www.clearfoundation.com/Software/overview.html

-http://www.youtube.com/watch?v=ByCpXIjS89I-
-http://www.youtube.com/watch?v=uKP5HDkhIRE-

clearos demo

https://demo1.clearos.com:81/admin/users.php

you need to open port 81 to connect

http://www.clearfoundation.com/Community/Videos.html

[mack_guy911]

http://www.clearcenter.com/support/d...cal_dns_server


http://scottlinux.com/2010/07/24/cle...se-5-2-review/

[Johnny123]

This is starting to get confusing. I thought you didn't have a static IP anymore, hence the dynamic DNS (which all of these distros support). I also thought you wanted the workstations behind the router with the wireless capability and the servers on Green. If you have a setup with Red, Green, Blue and Orange (if you have publicly accessible servers) I don't see where that's any less secure than with the router in front, as the Smoothwall guy suggested. That's the reasoning behind these different interfaces, to keep them separate from each other. I don't think a router is going to be more robust in doing this than a firewall box with one of the previously mentioned distros.

Take a look at this page from the IPCop installation manual. The IPCop documentation is amongst the best. Details may vary a little from one distro to the next, but the basic principles are the same. You can download the installation and administration guides as PDFs here. It's worth it to read through all of this, gives you a bit more insight.

I also don't understand what kind of a rule you are trying to make based on domain name. Is this incoming, outbound, what exactly is it for?

I would try to keep it as simple as possible. The more complicated it gets, the more opportunity there is for something going south.

[Sully]

One more time. I realize it is a bit confusing, because I am trying not to write a book that could describe it better

First, I desire the router to stay in place because it is my wireless device, the only one I have for clients to attache to, so I need to keep it. I realize I could use the router as a switch. I was hoping to keep the router on the front side of everything so that if the firewall box were to die (bad hdd, psu burns up, etc) the clients would not be without service because they still use the router.

At home, I had a static IP. Now, I have a dynamic IP.

At work, I have a static IP. At work, I made inbound filters in the router for my HOME IP. There were some ports that were forwarded to the servers for remote management. The port forwarding used the inbound filter, so that ONLY connections from my HOME IP were passed on to the servers. Now, my HOME IP is NOT STATIC, but the WORK IP is STATIC STILL.

The router offers inbound filtering but ONLY for static IPs. Thus, my dynamic IP from HOME is of no use with the router. I have to either stop using an inbound filter for those ports to forward, or I have to create an inbound filter for my subnet of the dynamic IP I now have, which is a lot of surface area IMO.

After the router would send the requests to the servers, based on my filters, a firewall on the servers would check the incoming requests. If the request was for a certain application on a certain port, and it was originating from my HOME IP, then it would allow it. The firewall does allow me to use a dyndns.org name on the rule, and it does convert it to IP. So, my HOME IP, which is now dynamic, can get into the firewall rules, but it will never update the IP to Name translation. That means whatever the dynamic IP was when I put in the dyndns.org name for the rule will stay forever until I remove that entry and put it in again, in which case it will resolve the name to IP, put it in the rule, and it will work until my HOME IP changes again.

My idea then is to use a linux firewall box and put the servers behind the firewall. The linux box then gets a normal WORK LAN address for its WAN IP. This IP is then on my WORK LAN, which I can then see and attach to in order to configure, etc. It uses the router as its gateway.

The LAN IP of the linux firewall (2nd nic) would likely be on some other IP scheme than the router. The servers would then sit behind the linux box. The linux box would act as the filter for the servers. So when I am at home, and go to remote into the servers, it hits the router. The router forwards the ports required to the linux firewall IP rather than the server IPs. Within the linux firewall, the incoming IP (my HOME IP which is dynamic) is examined, and depending on what it is (if it matches my HOME IP) and what port it is, it forwards it on to the correct server. The server then doesn't need to try and maintain a rule for my HOME IP any more because the linux box is doing that.

While I was waiting for Astaro to download I installed Untangle on VM. It got to the point of setting the LAN IP but then froze. It appears none of these firewall/router distros work correctly in a VM so I am going to have to go to bare metal.

One option Untangle gave me was to make this a transparent gateway. I am unfamiliar with that term, but it was there as the option to use if I was connecting the untangle box to a router or modem.

The issue at the heart of all of this is that I do wish to have some tighter rules in place rather than just allowing any IP to hit those servers and rely on a good password or trust the service is not exploitable easily. The router did a good job of filtering out all requests to the servers except my OLD HOME IP which was static. My NEW HOME IP is now dynamic, and the best I can do is to make an inbound filter for my subnet, and do the same for the firewall on the server. If my subnet is 34.34.0.0, that is a lot of potential IPs that could be forwarded. Without a way to utilize my dyndns.org address, I am left with no alternative.

Mrkvonics talk of scripting a change in the firewall (iptable) that every X hours translates the dyndns.org name to its current IP is a good solution. It might not be needed, as I have yet to get inside of most of the firewall distros to see what is there. I will have to install for real I guess to see.

I hope that explains it well enough. More text than I wanted to use, but it is tricky to describe

Sul.

[Johnny123]

OK, that makes it somewhat clearer. Mrkvonic is definitely the one that can help you out here, the domain name vs. IP thing is too advanced for my limited knowledge. You might also want to ping YeOldeStonecat, he sets these up for companies and he has apparently tried just about everyone of these distros. He might be able to give you a solution.

[mack_guy911]

Quote:

Originally Posted by Sully

One more time. I realize it is a bit confusing, because I am trying not to write a book that could describe it better

First, I desire the router to stay in place because it is my wireless device, the only one I have for clients to attache to, so I need to keep it. I realize I could use the router as a switch. I was hoping to keep the router on the front side of everything so that if the firewall box were to die (bad hdd, psu burns up, etc) the clients would not be without service because they still use the router.

Sul.

how could that possible

if your clients can still use router even your firewall box fails (not working) than what is use of it.

please check them as well

http://www.astaro.org/astaro-gateway...nd-astaro.html


http://www.stephenwagner.com/?p=80

[mack_guy911]

also please this going pretty confusing

are you setting up a internal lan server or it can accessed form external i mean WAN as well

secondly your wireless router is set it for lan clients or what ??

[Sully]

Quote:

Originally Posted by mack_guy911

also please this going pretty confusing

are you setting up a internal lan server or it can accessed form external i mean WAN as well

secondly your wireless router is set it for lan clients or what ??

It really isn't all that confusing if I could explain it correctly.

The router handles all wifi and workstations right now. It also handles the servers. It is the gateway of course.

The limitations of a dynamic ip mean the router nor software firewalls on the servers can be used to the best potential, meaning I would like more granular control - I want ONLY my HOME DYNAMIC IP to be forwarded to those servers on the specific ports (all other incoming traffic on other ports I don't care about, it is the remote management ports I want control over) - this is an incoming WAN IP that hits the router and is destined for the servers. The workstations also hit the servers, and that is something I need to maintain, although I am leaving that to be dealt with later as I first need to handle the incoming requests from the WAN to the servers.

The linux firewall/router/gateway/whatever you call it box sits between the router and the servers. Its job it to apply a filter to traffic heading from the router to the servers, because in this way I can still filter on my HOME DYNAMIC IP. Once it passes the filter it lets it go to the servers.

I am uncertain yet because I haven't played with the distros yet, to know what exactly this linux box is going to do, because I don't know the capabilities yet. It might be a router, or a transparent gate way, or just a packet filter.

I only plan to use the linux box to control traffic from the WAN to the servers. It might be cumbersome, it might not be doable. I am currently setting up a spare box as a testbed to see what distro has what and actually play for real.

Sul.

[Sully]

Well, I found a way that works,to a degree.

I installed Smoothwall (after a few others), and set the Green to 192.168.1.10, and the Red to 192.168.1.20. I created a rule that says

Source IP: (my home dynamic ip)
source port: 1234
Destination IP: 192.168.1.30 (a server)
destination port: 1234

In the router I set this port forward rule

Source IP: Any
Port: 1234
Destination IP: 192.168.1.20 (the smoothwall box)

I remote into the server from LAN side, set firewall on server to wizard mode, then hit the router from my house (remotely). The router forwards the packets to the smoothwall box, the smoothwall box checks the IP, and passes the packets to the server. The firewall pops up, shows the addressing is incoming from the smoothwall box (which is fine), and after a rule is made, all is working.

Conversely if I disable that rule in the smoothwall box, the router passes the packets to the smoothwall box, but it drops them, and nothing heads to the server.

Now I just need to figure out what to do about creating a rule via script so I can update it once a day with the ip that is at my dnydns name.

Sul.

[mack_guy911]

great achievement Sully glad your problem is sorted out

also like to add form your server side please check grc.com and scan your ip by default ping is visible in smoothwall please create a rule for that if needed create a rule that pinging is allows only on internet network

you can also do this by running a live linux cd with firewall disable on your server machine and scan grc......etc check the results passing through your linux box

[Johnny123]

Quote:

Originally Posted by Sully

Now I just need to figure out what to do about creating a rule via script so I can update it once a day with the ip that is at my dnydns name.

Glad to hear you're making some headway. You might want to login to the Smoothwall forum, it's pretty good and has been around a long time. You might find someone there that has already done what you're doing or can at least put you on the right track.

[Sully]

Thanks for the replies. I am posting some questions at smoothwall forum, see what might be learned. I tried m0n0wall and ipcop, and also smart router and zeroshell, but they either did not work (at least as easily) or would not install.

I have to try a few of the others still, although I think I lean towards the more spartan distros.

If I did not care about outbound control, I could code something up for XP inbound firewall easy enough, but I hate not being able to see what is going on. Windows firewall on XP offers nothing really in way of realtime logs.

Anyway, I do appreciate the help.

Sul.

[mack_guy911]

Quote:

Originally Posted by Sully

Thanks for the replies. I am posting some questions at smoothwall forum, see what might be learned. I tried m0n0wall and ipcop, and also smart router and zeroshell, but they either did not work (at least as easily) or would not install.

I have to try a few of the others still, although I think I lean towards the more spartan distros.

If I did not care about outbound control, I could code something up for XP inbound firewall easy enough, but I hate not being able to see what is going on. Windows firewall on XP offers nothing really in way of realtime logs.

Anyway, I do appreciate the help.

Sul.

have you tried endian it ipcop+cop filter (ipcop itself base on smoothwall)

hows your experience with astaro gateway

you can see it on smoothwall logs as on xp.......etc it just bypass by firewall

[Sully]

Quote:

Originally Posted by mack_guy911

have you tried endian it ipcop+cop filter (ipcop itself base on smoothwall)

hows your experience with astaro gateway

you can see it on smoothwall logs as on xp.......etc it just bypass by firewall

I have not, yet. I tried them in VM but I have to do it on real hardware because the VM installs don't work correctly.

Based on the replies in the smoothwall forum, these (at least some) are not just firewalls or gateways, but more like full blown routers. What I am doing, or want to do, is not exactly in the plan of a router. I know what a router is, and I would not put a normal router like most of us have in this picture because I know what the deal is. For some reason, I thought unless I utilized the portions of the distro that were "router-ish" I could just use it as a firewall/gateway/filter type of thing. I am being schooled on the do's and don'ts of smoothwall over there, so I will attend class for a few days and see what I can learn, then decide where to go from there.

On a side note, I did find a solution to do this with inbuilt mechanisms on the windows boxes, but I do have to create a script or two. I like the idea of having one box that deals with it for all servers rather than configuring each server, but we shall see.

Thanks again for sharing.

Sul.

[Sully]

Well, I have finished my first semester at the smoothwall forum lol. I had many misconceptions, much of it due to not fully understanding the terminology. Also much of it was due to only limited application within my LAN.

Turns out, while I did get smoothwall to perform what I wanted, it was not the proper way to do things, and I found out why. I don't know if every linux firewall distro can be lumped into the same basic description or not, but I would label them as routers instead of firewalls. A lot of the explanations and advertisements I was seeing said something like "linux firewall, easy to use, better than home routers, and free, etc etc". Turns out, they are routers which have firewalls and a whole lot more. It is basically your home router (linksys, dlink, belkin etc) on steroids.

Once I fully understood what a subnet was things began to shape up. I had no idea really how a subnet worked or why or what it was in the context of how it was really used. My perspective of it was limited to my one little subnet on my lan. And really, until you actually do some routing, it might as well be greek, because you don't have a need to know what it is.

Anyway, to make a long story short, smoothwall and I will assume about any of the linux firewall/router distros, offers much more than what I need, and that is both a good thing and a bad thing. It will certainly be more robust and more secure, in many ways, but also because it is not targeting home users like normal linksys type routers, there are some misgivings that need to be weighed.

At this point, I am deciding what I want to do before proceeding to either testing more versions or worrying about any scripting. There is added expense going the linux route, but it might be well worth it in the end.

I found a way to do what I wanted using IPSec in a windows box. Not the most elegant method, but it does work and is very easy to do.

Sul.

[Johnny123]

Out of curiosity, how did you get it to work with Smoothwall? (what you say wasn't the proper way).

I guess you could say that these distros are like routers on steroids. The more complex ones, like Astaro, Collax, Untangle, etc, are really meant for businesses, they just happen to offer a free version for over-enthusiastic home users

Anyway, you got it sorted out, that's the main thing.