Linux distro that is a firewall - like ipcop etc

Discussion in 'all things UNIX' started by Sully, Jul 23, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Hello everyone.

    I have been on a search for a couple weeks now for a fix.

    The problem is simple, I no longer have a static IP at home, but a dynamic one.

    My remote computers had rules in the router for my home static IP, and rules in the firewalls for my home IP.

    I have a dynamic dns account, and am using my router at home to update it to whatever my current WAN IP is. This works well. The router is a Dlink DIR-655.

    I haven't tried every firewall, but from googling I don't see mention of one that will accept a domain name in a rule, only IP or it coverts name to IP but never "rechecks" the name to IP again. I have a thread started in the firewall forum but so far no takers :(

    I had a thread in the hardware forums asking more about hardware firewalls. I have since learned that at least 2 manufacturers say they don't do this in thier products. I am not going to waste my time reading into multiple hundreds or multiple thousands of dollars units that I cannot afford.

    Instead, I have started down the linux path of firewall/router type distros. I started with IPFire, as was recommended. It does not seem to offer what I need, although it was not too bad to get going. Next I tried m0n0wall, but apparently there is a problem using that in vmWare, or at least it must be hooked up for real. I could not get into the webGUI. I am not going to put it to bare metal until I try it a bunch in VM. I tried SmoothWall, but it failed to install in VM. I tried a couple others, don't remember the name, but they were a bit old I think.

    Anyway, at this point I am beginning to wonder if I can even achieve what I desire. I do not want a full blown OS, but would prefer a firewall specific distro. I might have to use a full OS, but would really prefer it be as meager as possible, as I don't dabble in linux that often and really don't need much more than a firewall.

    What I hope to achieve is to keep my router in place and use the linux firewall machine to put a few servers behind it.

    My WAN IP might be to

    The current addressing at work is a static WAN IP, with LAN IP of
    I have a few servers which have ports forwarded to their LAN IPs.

    My hope it to Keep the router, so all workstations can maintain 192.168.1.x and reside behind the router as normal.

    Then give the FIREWALL a 192.168.1.X WAN IP, with a 192.168.0.X LAN IP to those machines behind it. I could then continue to port forward from the router to the FIREWALL IP, and from the firewall create rules to the servers behind it.

    I realize I am mixing things up. I could route my incoming WAN line to a hub or switch prior to the router and possibly get things to work. I realize I should be getting rid of the router, but it has good wireless (at least for me) and I hate to rely 100% on a box that might fail for differing reasons when a router has much less to go wrong. And besides that, the servers are mostly only for LAN use, I just happen to need to remote into them at times, and I have a few team speak servers on them as well, but it is the remote access that I really want to have a good handle on.

    So, does anyone have any ideas? The firewall must be able to have a rule created that allows dynamic names to be used rather than strictly IP addresses, and the dynamic name must be resolved periodically, or it must check the DNS cache to see if a change has occurred.

    I hope this makes sense. It is not the easiest thing to describe in easy terms.

  2. J_L

    J_L Registered Member

  3. mack_guy911

    mack_guy911 Registered Member

    Last edited: Jul 23, 2011
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Sul, you can do periodic checkups for name resolution, say every minute.
    Always allow dns to your isp, which should be a single ip.

    There, you can query names/ips (with a command line host).

    As specified in /etc/resolv.conf, and also check /etc/nsswitch.conf for more details on how different databases are contacted and in what order.

    After you obtain the correct resolution, pipe the ip into a script that creates firewall rules on the fly. Flushes existing rules, takes input, creates allow/deny rules and then saves the tables.

    I guarantee for a fact that this works as I had to implement something similar somewhere else, but I used a combination of dns and nis and had updates on hourly basis. The only bad thing is, you have a milisecond downtime while you flush the rules and create new ones.

    You can get around flushing if you just delete/add specific entries, so you should always add them to the top of the chain, but mind any conflicts or double entries, as once you hit true statement, the chain will end.

    P.S. Done using standard iptables.

  5. Sully

    Sully Registered Member

    @J_L and mack_guy911

    Thanks for the tips. I have not gotten to those yet in VM, although I did know of most of them.

  6. Sully

    Sully Registered Member

    Being a noob in linux, I think what you are saying is that a simple iptables based distro, such as ipcop, is really all that is needed.

    Further, you are suggesting that I do a simple command line query of the IP in question and script the firewall rules. That might work, as it is very simple to do. Even in windows I can ping the domain name and get the ip. So in linux, it will be a very similar approach. I might have a go doing this with ipcop. I had not tried that yet because I was looking for something more than iptables, but what you suggest sounds good enough for me.

    It is not critical that I update the ip to name more than once a day, so that makes it even easier.

    I am not certain how the whole approach will work with me wanting to leave the router in place and the linux box with 2 nics, but I will play and see.


  7. Johnny123

    Johnny123 Registered Member

    You ain't whistlin' Dixie there ;)

    Are you installing these in a VM for test purposes only? Reason I ask is that on the German IPCop support forum they won't support anyone running IPCop in a VM, they say it's a security no-no. It's better to run it on dedicated hardware. For IPCop you don't need anything fancy, it will even run on a 486.

    Now if you want the router with the workstations behind it and the servers behind the firewall you can add more NICs. In the case of IPCop, IPFire, Smoothwall or Endian, you would then have Red for WAN, Green for LAN and Blue for the router. Plug a switch into the Green NIC and you can hang the servers on that. If you want a web server available add another, which would be Orange for a DMZ. This is assuming that you have a modem in front of the firewall box. Don't know if your router is just a router or if it has a modem in it.
  8. mack_guy911

    mack_guy911 Registered Member

    i my self no idea about it until 1st i start with endian and use it for a year or 2
    its pretty easy to configure and you can run it as low as p3 machine with 2 nics

    try that distro its pretty easy and out of box utm once get a grip on it then try others like astaro untangle .....etc

    also i highly recommened check this guide old one but better simple and straight forward then the new guide

    also like to add you need to configure green zone (ie internal local gateway address]

    for example and connect it via port 10443 default

    then from other pc set your pc ip range in network range

    as above example

    connect to green zone (internal local gateway address by this ) via HTML web and configure your red zone (external modem ip).......etc other configurations :))

    for this no need or very few knowledge of linux required everything is easy and gui web base

    last i didnt install endian on virtual machine but on real hardware are some examples of virtual machine
  9. Sully

    Sully Registered Member

    Thanks for the replies.

    It isn't whether one distro will be easier than another, it is which one handles the domain name in the way that I want.

    Just to set this straight, so anyone wishing to help understands...

    Router has static WAN IP and is
    All workstations are 192.168.1.x
    Servers are currently 192.168.1.x

    Proposing to

    Router has static WAN IP and is
    All workstations are 192.168.1.x
    Linux Firewall box NIC 1 is 192.168.1.x
    Linux Firewall box NIC 2 is 192.168.0.x
    Servers will be 192.168.0.x

    Incoming packet to WAN IP on port 123.
    Router forwards port 123 to Linux Firewall box.
    Linux firewall box forwards to server on 192.168.0.x behind it
    Server accepts incoming request, because linux firewall box handles the rules.
    Server may still run firewall for outbound rules if desired.

    The problem comes when using domain name as IP in a firewall rule. All incoming traffic on port RDP to router will be allowed because I have real alternative. Router will forward traffic to linux firewall. Linux firewall will then check if originating port was the domain name IP or not. If it is, then it passes it to server(s). It not, it denies. The firewall must have ability (or I must script it) to update the IP for the domain name ideally once every 24 hours.

    I am playing (or trying to) with these in VM because I want to test it without putting in on real hardware just yet. I don't mind putting it on hardware, but it is much faster to install in VM and check out the settings/gui etc before actually installing it on metal. I am not having the best of luck though on making things work within the VM.

    It seems I have to do a little more studying on the green+red thing. I had thought it was simple, one NIC for WAN side, one NIC for LAN side, and that I could set WAN side to my normal LAN, and the LAN side to a different subnet. It is apparently not that simplistic with a few of these firewalls.

    Here is a good quote of what I am thinking
  10. mack_guy911

    mack_guy911 Registered Member

    yes its same

    lan= green zome

    wan= red zone

    forget it go for astaro it has everything you need its free for 50 users and 32000 concurrent connection for home license or clearOS

    is there special reason you want to put it behind the router

    i a have my setup

    Internet--> Modem--> astaro security gateway --> Swtich ---> pc and wireless router

    i use it as simple utm gateway not as server or dns forwarder

    for dns quires you need a dns server on your LAN network this will give more light

    also like to add you get everything on astaro but you need to create rules by default astaro block all external

    you need to create rules

    like for example you need to connect to ftp you
    need to create a rule for it

    which is pretty simple

    1st go to network security
    2nd click on packet
    3rd make new rule
    4th source: click on folder icon you see networks on left

    drag internal network to it

    5th same way click on folder and drag service to it ftp for example

    6th destination let leave it to any

    apply rule created now click on red button to make rule active

    please check astaro demo it give you all idea

    same way clear OS will work for you can set a entire server as well on clearos

    clearos demo

    you need to open port 81 to connect
    Last edited: Jul 24, 2011
  11. mack_guy911

    mack_guy911 Registered Member

  12. Johnny123

    Johnny123 Registered Member

    This is starting to get confusing. I thought you didn't have a static IP anymore, hence the dynamic DNS (which all of these distros support). I also thought you wanted the workstations behind the router with the wireless capability and the servers on Green. If you have a setup with Red, Green, Blue and Orange (if you have publicly accessible servers) I don't see where that's any less secure than with the router in front, as the Smoothwall guy suggested. That's the reasoning behind these different interfaces, to keep them separate from each other. I don't think a router is going to be more robust in doing this than a firewall box with one of the previously mentioned distros.

    Take a look at this page from the IPCop installation manual. The IPCop documentation is amongst the best. Details may vary a little from one distro to the next, but the basic principles are the same. You can download the installation and administration guides as PDFs here. It's worth it to read through all of this, gives you a bit more insight.

    I also don't understand what kind of a rule you are trying to make based on domain name. Is this incoming, outbound, what exactly is it for?

    I would try to keep it as simple as possible. The more complicated it gets, the more opportunity there is for something going south.
    Last edited: Jul 24, 2011
  13. Sully

    Sully Registered Member

    One more time. I realize it is a bit confusing, because I am trying not to write a book that could describe it better ;)

    First, I desire the router to stay in place because it is my wireless device, the only one I have for clients to attache to, so I need to keep it. I realize I could use the router as a switch. I was hoping to keep the router on the front side of everything so that if the firewall box were to die (bad hdd, psu burns up, etc) the clients would not be without service because they still use the router.

    At home, I had a static IP. Now, I have a dynamic IP.

    At work, I have a static IP. At work, I made inbound filters in the router for my HOME IP. There were some ports that were forwarded to the servers for remote management. The port forwarding used the inbound filter, so that ONLY connections from my HOME IP were passed on to the servers. Now, my HOME IP is NOT STATIC, but the WORK IP is STATIC STILL.

    The router offers inbound filtering but ONLY for static IPs. Thus, my dynamic IP from HOME is of no use with the router. I have to either stop using an inbound filter for those ports to forward, or I have to create an inbound filter for my subnet of the dynamic IP I now have, which is a lot of surface area IMO.

    After the router would send the requests to the servers, based on my filters, a firewall on the servers would check the incoming requests. If the request was for a certain application on a certain port, and it was originating from my HOME IP, then it would allow it. The firewall does allow me to use a name on the rule, and it does convert it to IP. So, my HOME IP, which is now dynamic, can get into the firewall rules, but it will never update the IP to Name translation. That means whatever the dynamic IP was when I put in the name for the rule will stay forever until I remove that entry and put it in again, in which case it will resolve the name to IP, put it in the rule, and it will work until my HOME IP changes again.

    My idea then is to use a linux firewall box and put the servers behind the firewall. The linux box then gets a normal WORK LAN address for its WAN IP. This IP is then on my WORK LAN, which I can then see and attach to in order to configure, etc. It uses the router as its gateway.

    The LAN IP of the linux firewall (2nd nic) would likely be on some other IP scheme than the router. The servers would then sit behind the linux box. The linux box would act as the filter for the servers. So when I am at home, and go to remote into the servers, it hits the router. The router forwards the ports required to the linux firewall IP rather than the server IPs. Within the linux firewall, the incoming IP (my HOME IP which is dynamic) is examined, and depending on what it is (if it matches my HOME IP) and what port it is, it forwards it on to the correct server. The server then doesn't need to try and maintain a rule for my HOME IP any more because the linux box is doing that.

    While I was waiting for Astaro to download I installed Untangle on VM. It got to the point of setting the LAN IP but then froze. It appears none of these firewall/router distros work correctly in a VM so I am going to have to go to bare metal.

    One option Untangle gave me was to make this a transparent gateway. I am unfamiliar with that term, but it was there as the option to use if I was connecting the untangle box to a router or modem.

    The issue at the heart of all of this is that I do wish to have some tighter rules in place rather than just allowing any IP to hit those servers and rely on a good password or trust the service is not exploitable easily. The router did a good job of filtering out all requests to the servers except my OLD HOME IP which was static. My NEW HOME IP is now dynamic, and the best I can do is to make an inbound filter for my subnet, and do the same for the firewall on the server. If my subnet is, that is a lot of potential IPs that could be forwarded. Without a way to utilize my address, I am left with no alternative.

    Mrkvonics talk of scripting a change in the firewall (iptable) that every X hours translates the name to its current IP is a good solution. It might not be needed, as I have yet to get inside of most of the firewall distros to see what is there. I will have to install for real I guess to see.

    I hope that explains it well enough. More text than I wanted to use, but it is tricky to describe o_O

  14. Johnny123

    Johnny123 Registered Member

    OK, that makes it somewhat clearer. Mrkvonic is definitely the one that can help you out here, the domain name vs. IP thing is too advanced for my limited knowledge. You might also want to ping YeOldeStonecat, he sets these up for companies and he has apparently tried just about everyone of these distros. He might be able to give you a solution.
  15. mack_guy911

    mack_guy911 Registered Member

    how could that possible

    if your clients can still use router even your firewall box fails (not working) than what is use of it.

    please check them as well
  16. mack_guy911

    mack_guy911 Registered Member

    also please this going pretty confusing :rolleyes:

    are you setting up a internal lan server or it can accessed form external i mean WAN as well

    secondly your wireless router is set it for lan clients or what o_O??
  17. Sully

    Sully Registered Member

    It really isn't all that confusing if I could explain it correctly.

    The router handles all wifi and workstations right now. It also handles the servers. It is the gateway of course.

    The limitations of a dynamic ip mean the router nor software firewalls on the servers can be used to the best potential, meaning I would like more granular control - I want ONLY my HOME DYNAMIC IP to be forwarded to those servers on the specific ports (all other incoming traffic on other ports I don't care about, it is the remote management ports I want control over) - this is an incoming WAN IP that hits the router and is destined for the servers. The workstations also hit the servers, and that is something I need to maintain, although I am leaving that to be dealt with later as I first need to handle the incoming requests from the WAN to the servers.

    The linux firewall/router/gateway/whatever you call it box sits between the router and the servers. Its job it to apply a filter to traffic heading from the router to the servers, because in this way I can still filter on my HOME DYNAMIC IP. Once it passes the filter it lets it go to the servers.

    I am uncertain yet because I haven't played with the distros yet, to know what exactly this linux box is going to do, because I don't know the capabilities yet. It might be a router, or a transparent gate way, or just a packet filter.

    I only plan to use the linux box to control traffic from the WAN to the servers. It might be cumbersome, it might not be doable. I am currently setting up a spare box as a testbed to see what distro has what and actually play for real.

  18. Sully

    Sully Registered Member

    Well, I found a way that works,to a degree.

    I installed Smoothwall (after a few others), and set the Green to, and the Red to I created a rule that says

    Source IP: (my home dynamic ip)
    source port: 1234
    Destination IP: (a server)
    destination port: 1234

    In the router I set this port forward rule

    Source IP: Any
    Port: 1234
    Destination IP: (the smoothwall box)

    I remote into the server from LAN side, set firewall on server to wizard mode, then hit the router from my house (remotely). The router forwards the packets to the smoothwall box, the smoothwall box checks the IP, and passes the packets to the server. The firewall pops up, shows the addressing is incoming from the smoothwall box (which is fine), and after a rule is made, all is working.

    Conversely if I disable that rule in the smoothwall box, the router passes the packets to the smoothwall box, but it drops them, and nothing heads to the server.

    Now I just need to figure out what to do about creating a rule via script so I can update it once a day with the ip that is at my dnydns name.

  19. mack_guy911

    mack_guy911 Registered Member

    great achievement Sully glad your problem is sorted out :D

    also like to add form your server side please check and scan your ip by default ping is visible in smoothwall please create a rule for that if needed create a rule that pinging is allows only on internet network

    you can also do this by running a live linux cd with firewall disable on your server machine and scan grc......etc check the results passing through your linux box
    Last edited: Jul 25, 2011
  20. Johnny123

    Johnny123 Registered Member

    Glad to hear you're making some headway. You might want to login to the Smoothwall forum, it's pretty good and has been around a long time. You might find someone there that has already done what you're doing or can at least put you on the right track.
  21. Sully

    Sully Registered Member

    Thanks for the replies. I am posting some questions at smoothwall forum, see what might be learned. I tried m0n0wall and ipcop, and also smart router and zeroshell, but they either did not work (at least as easily) or would not install.

    I have to try a few of the others still, although I think I lean towards the more spartan distros.

    If I did not care about outbound control, I could code something up for XP inbound firewall easy enough, but I hate not being able to see what is going on. Windows firewall on XP offers nothing really in way of realtime logs.

    Anyway, I do appreciate the help.

  22. mack_guy911

    mack_guy911 Registered Member

    have you tried endian it ipcop+cop filter (ipcop itself base on smoothwall)

    hows your experience with astaro gateway

    you can see it on smoothwall logs as on xp.......etc it just bypass by firewall
  23. Sully

    Sully Registered Member

    I have not, yet. I tried them in VM but I have to do it on real hardware because the VM installs don't work correctly.

    Based on the replies in the smoothwall forum, these (at least some) are not just firewalls or gateways, but more like full blown routers. What I am doing, or want to do, is not exactly in the plan of a router. I know what a router is, and I would not put a normal router like most of us have in this picture because I know what the deal is. For some reason, I thought unless I utilized the portions of the distro that were "router-ish" I could just use it as a firewall/gateway/filter type of thing. I am being schooled on the do's and don'ts of smoothwall over there, so I will attend class for a few days and see what I can learn, then decide where to go from there.

    On a side note, I did find a solution to do this with inbuilt mechanisms on the windows boxes, but I do have to create a script or two. I like the idea of having one box that deals with it for all servers rather than configuring each server, but we shall see.

    Thanks again for sharing.

  24. Sully

    Sully Registered Member

    Well, I have finished my first semester at the smoothwall forum lol. I had many misconceptions, much of it due to not fully understanding the terminology. Also much of it was due to only limited application within my LAN.

    Turns out, while I did get smoothwall to perform what I wanted, it was not the proper way to do things, and I found out why. I don't know if every linux firewall distro can be lumped into the same basic description or not, but I would label them as routers instead of firewalls. A lot of the explanations and advertisements I was seeing said something like "linux firewall, easy to use, better than home routers, and free, etc etc". Turns out, they are routers which have firewalls and a whole lot more. It is basically your home router (linksys, dlink, belkin etc) on steroids.

    Once I fully understood what a subnet was things began to shape up. I had no idea really how a subnet worked or why or what it was in the context of how it was really used. My perspective of it was limited to my one little subnet on my lan. And really, until you actually do some routing, it might as well be greek, because you don't have a need to know what it is.

    Anyway, to make a long story short, smoothwall and I will assume about any of the linux firewall/router distros, offers much more than what I need, and that is both a good thing and a bad thing. It will certainly be more robust and more secure, in many ways, but also because it is not targeting home users like normal linksys type routers, there are some misgivings that need to be weighed.

    At this point, I am deciding what I want to do before proceeding to either testing more versions or worrying about any scripting. There is added expense going the linux route, but it might be well worth it in the end.

    I found a way to do what I wanted using IPSec in a windows box. Not the most elegant method, but it does work and is very easy to do.

  25. Johnny123

    Johnny123 Registered Member

    Out of curiosity, how did you get it to work with Smoothwall? (what you say wasn't the proper way).

    I guess you could say that these distros are like routers on steroids. The more complex ones, like Astaro, Collax, Untangle, etc, are really meant for businesses, they just happen to offer a free version for over-enthusiastic home users :cool:

    Anyway, you got it sorted out, that's the main thing.
Thread Status:
Not open for further replies.