Which firewall to use (Shorewall/Smoothwall/IPcop)
qweqwe1
05-07-2003, 12:05 AM
Hi All,
I am planning to rebuild my firewall and my network. Currently I have a firewall based on RH 6.1, kernel 2.2 and ipchains. I am planning to have a DMZ and build a new firewall based on iptables. Instead of building the rules by hand I want to use some tool. I did quite a bit of research for the past few days. I narrowed it down to the following three firewall distributions / tools.
- SmoothWall / Ipcop
- Shorewall
Both of them have their pros and cons
Smoothwall / Ipcop
pros
- Completely customized
- iso image is available
cons
- based on 2.2 kernel
- I think ipchains based
Shorewall
Pros
- based on 2.4 kernel
- based on iptables
Cons
- iso image not available
- so I am not sure what to install and what not to.
I am still unable to decide which way to go. Any help appreciated.
thanks a lot.
-qweqwe
qweqwe1
05-12-2003, 03:03 AM
anyone ...
-qweqwe
homey
05-12-2003, 09:57 AM
I haven't used those varieties but if you are looking for a nice GUI tool to set things up.... I hate to sound like I'm beating a drum for firestarter but, it just doesn't get any easier as far as I'm concerned. :) It does use IPTABLES and it is a program to install onto an existing OS (rpm package). You may consider upgrading to something a bit more current like RH9. :)
qweqwe1
06-01-2003, 01:26 PM
This is what I did.
I found a link which gave me details on exactly what's required for a firewall. I built the firewall using that link - altogether it took just 400MB.
Later on I used Shorewall to configure my firewall. Man, it was damn easy, intuitive and quick.
Let me know if anyone requires more details.
-qweqwe
Icarus
06-02-2003, 09:35 AM
I use SmoothWall and am very happy with it.
I would not call the 2.2 kernel a con, as it has been proven to be very stable, fast and secure. ipchains does the exact same thing as iptables, just not as many advanced features...which are usually never used.
kernel 2.2.x is still being maintained and updated, so it is far from being "outdated"
jumpedintothefire
06-02-2003, 04:11 PM
For my 2 cents worth, I like shorewall....
qweqwe1
06-03-2003, 11:24 AM
I couldn't implement transparent proxy forwarding to a remote squid machine using ipchains. 'jumpedintothefire' helped me a lot but still I couldn't do it. That was one of the main reasons I switched to iptables. Secondly, I believe stateful firewalls are better than stateless firewalls. iptables w/ kernel 2.4 provides that.
-qweqwe
Skul-X
06-03-2003, 12:41 PM
http://www.killerwall.net/ is all you need
qweqwe1
06-06-2003, 02:23 AM
Looks like the site is down... I'll check it out later... but ipchains doesn't provide a stateful firewall though... right?
-qweqwe
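An added illustration (not part of any poster's message) of the stateless-versus-stateful difference raised in the two posts above: a simplified Python model in which an ipchains-style `! -y` rule and a toy connection tracker judge the same constructed packets. The addresses, ports and the `StatefulFilter` class are assumptions made for the example, and the tracker stands in for what iptables does with connection state on kernel 2.4.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on the packet
    inbound: bool      # True when it arrives on the external interface

def is_syn(pkt):
    # Same test as ipchains "-y": SYN set, ACK and FIN clear.
    return "SYN" in pkt.flags and not pkt.flags & {"ACK", "FIN"}

def stateless_accept(pkt):
    # Typical ipchains policy: let everything out, let in anything that is
    # not a connection-opening SYN ("! -y"), assuming it must be a reply.
    return (not pkt.inbound) or (not is_syn(pkt))

class StatefulFilter:
    """Toy connection tracker: no timeouts, sequence checks or teardown."""
    def __init__(self):
        self.conns = set()

    def accept(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if not pkt.inbound:
            if is_syn(pkt):
                self.conns.add(key)          # NEW connection from inside
            return key in self.conns
        # Inbound traffic must be the reverse of a tracked flow (ESTABLISHED).
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns

def f(*names):
    return frozenset(names)

# Constructed sample traffic (documentation address ranges).
PACKETS = [
    ("outbound SYN", Packet("192.168.1.10", 40000, "203.0.113.5", 80, f("SYN"), False)),
    ("reply SYN/ACK", Packet("203.0.113.5", 80, "192.168.1.10", 40000, f("SYN", "ACK"), True)),
    ("unsolicited ACK", Packet("198.51.100.7", 55555, "192.168.1.10", 22, f("ACK"), True)),
    ("inbound SYN", Packet("198.51.100.7", 55556, "192.168.1.10", 22, f("SYN"), True)),
]

def compare(packets=PACKETS):
    stateful = StatefulFilter()
    return [(label, stateless_accept(p), stateful.accept(p)) for label, p in packets]

if __name__ == "__main__":
    for label, stateless, stateful in compare():
        print(f"{label:16} stateless={stateless!s:5} stateful={stateful}")
```

The unsolicited ACK is the case that separates the two: the stateless rule passes it because it is not a SYN, while the tracker drops it because no matching connection was opened from inside.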
raz0rblade
06-06-2003, 02:46 AM
Am I the only one who uses ipchains on 2.4x? lol, anywho, get RH8.0, and if you want iptables try gShield, it has a GUI available as well. Personally I use PMFirewall, and have scripts that disable iptables and load ipchains at start. Very reliable.
Syntaxis
06-06-2003, 02:58 AM
IPCop now uses kernel 2.4, by the way. I'm using it right now as my gateway machine, and I'm very happy with it.
janet loves bill
06-08-2003, 10:51 AM
Sentry Firewall is also good.
mike8706
06-12-2003, 10:26 AM
Bastille. Bastille has a gui to configure the firewall, and it also helps secure the system in other ways such as password protecting the lilo prompt.
chort
06-26-2003, 06:47 AM
I'll tentatively cast my vote for IPcop. I tried Smoothwall and hated it. That thing is barely an improvement on your $100 SOHO firewall appliance you can get at Best Buy. It's extremely lacking in functionality of a real firewall (and who needs squid for home use, really?)
I tried IPcop after Smoothwall and was very happy to see that IPcop supports external alias. Unfortunately you can't do static dmz,outside nat, but at least you can listen on multiple IP addresses for incoming connections.
I haven't peeked at Shorewall yet, but I imagine any rule-generator for iptables can do real firewall stuff (such as PIX, Checkpoint, Netscreen, etc can do).
Since I don't use any of the extended features (other than Snort) of these firewall distros (proxy, DHCP server, VPN), and I want to do more things than they currently allow as far as NAT and draconian ACLs, I'll probably end up just doing my own iptables eventually.
EDIT: Well, I just found the documentation for IPcop on how to add your own custom iptables (to be more granular in blocking traffic). It's: IPcop add-on documentation (http://www.ipcop.org/cgi-bin/twiki/view/IPCop/IPCopAddons) . Based on that, I'm now a happy camper with IPcop.
netx2
06-27-2003, 03:29 PM
While it is true that Smoothwall Version 1 is based on the 2.2 kernel, Smoothwall Version 2 is in beta and it is based on the 2.4 kernel. I have been running the 2.0 beta on my dial-up connection since it has been out, and it is VERY stable. The current Beta version is 4. However, earlier in the week, I received an e-mail from the mailing list that Beta 5 is going to be out this week (which it is not yet as I write this). They are further enhancing the UI, and adding NTP support to synch the smoothie clock. Beta 6 is due in July, and it is going to be considered RC1. Also, Beta 6 will provide NTP to the green interface to synch clients on that interface to the smoothwall box. I fully recommend this product.
seabass55
06-28-2003, 02:30 PM
I personally recommend sitting down with google...read a bunch of iptables stuff and write your own firewall. It's not that hard to do. Took me about two hours to write my firewall script and it does exactly what I need/want. Every now and again I'll get some idea to "try something new" so I'll goof around with it for a while.
Yeah you don't have all the "cool" GUI stuff but oh well...no need for X anyway :->
Sebastian