firewall distro

23-07-2008, 07:20 PM   #1   donkey42

ok, i finally decided to config either SmoothWall or IPCop, but which is better?

i'm almost certain i'm going with SmoothWall, are there many differences ?

Edit: & what other distros should i consider?


23-07-2008, 10:02 PM   #2   Anti-Trend

Smoothwall is crippled unless you buy a commercial license. IPCop is the 100% open-source branch of Smoothwall by some of the original developers.

23-07-2008, 10:17 PM   #3   donkey42

Quote:
Originally Posted by AT
Smoothwall is crippled unless you buy a commercial license. IPCop is the 100% open-source branch of Smoothwall by some of the original developers.
thankies AT, that was exactly the advice i needed

BTW: sticking to *nix Firewalls, is that correct, or are BSD based firewalls also good ?

23-07-2008, 10:26 PM   #4   Anti-Trend

Quote:
Originally Posted by donkey42 View Post
thankies AT, that was exactly the advice i needed
Quote:
Originally Posted by donkey42 View Post
BTW: sticking to *nix Firewalls, is that correct, or are BSD based firewalls also good ?
BSD is included in the generic *nix connotation, as in "Linux/UNIX". But to answer your question, BSD firewalls are also good. A few noteworthy ones are m0n0wall and PFSense.

23-07-2008, 10:40 PM   #5   donkey42

Quote:
Originally Posted by AT
A few noteworthy ones are m0n0wall and PFSense.
thankies, i'll look into them, although advanced research will cause delay, but never mind

24-07-2008, 06:04 PM   #6   donkey42

i've just reread the post & originally meant Linux, i totally forgot about UNIX
Quote:
Originally Posted by AT
BSD is included in the generic *nix connotation, as in "Linux/UNIX"

26-07-2008, 08:40 PM   #7   megamaced

IPCop is the dog's bollocks...

I deployed IPCop in a 24 user (or PC) scenario and it worked flawlessly. It's an excellent piece of kit. Though I must admit I am not sure that you would see any benefits, what with you being the only user on the network. You'd be better off with a dedicated home-user orientated hardware firewall.
__________________
"A computer is like air conditioning: it becomes useless when you open windows". ~Linus Torvalds

26-07-2008, 09:09 PM   #8   donkey42

Quote:
Originally Posted by mega
IPCop is the mutt's nuts
very eloquent
Quote:
Originally Posted by mega
I deployed IPCop in a 24 user (or PC) scenario and it worked flawlessly. It's an excellent piece of kit. Though I must admit I am not sure that you would see any benefits, what with you being the only user on the network. You'd be better off with a dedicated home-user orientated hardware firewall.
what do you mean "dedicated home hardware firewall"?

yeah, but i'm always hopeful i'll meet someone stupid enough to put up with me
Off Topic:

nobody's THAT stupid
i went to the cinema to see Kung Fu Panda last week with my carer & we took her 9 year old daughter to use as an excuse, & i loved it

26-07-2008, 09:14 PM   #9   Anti-Trend

Quote:
Originally Posted by megamaced View Post
Though I must admit I am not sure that you would see any benefits, what with you being the only user on the network. You'd be better off with a dedicated home-user orientated hardware firewall.
I dunno about that last part. I used to try to run network audits through an office grade hardware SPI firewall. While a PC with a half decent network card can easily handle tens of thousands of network connections at once, the firewall couldn't. I'd exhaust its resources in under 5 minutes of scanning and it would lock up hard, needing a full reboot. IPCop on average will have at least 10x the resources of something like that, even if you use ancient hardware. If you're not doing network scans, peer to peer stuff like Vuze, TOR, P2P, BitTorrent, etc. can generate a whole buttload of open sockets, which has basically the same effect.

Also, if you're using your bandwidth to its maximum potential, traffic shaping makes a *huge* impact on overall throughput by buffering the packets for you, passing them as bandwidth is available. So even with a single PC that is a heavy user, you'll notice the difference.

26-07-2008, 09:26 PM   #10   megamaced

C'mon, as a single user, traffic shaping is going to make little difference! Take my current network for example. I share the internet with a housemate, and our router is an extremely low-grade Dynamode Wireless Router. This router offers nothing extraordinary. No traffic shaping, nothing advanced like that. Yet for two users it's more than adequate. It offers everything that I might need, like port forwarding etc. I don't believe that a single user like Donkey42 could possibly need anything more than what I have myself.

Sure IPCop is excellent, but it's overkill for Donkey and even myself...

26-07-2008, 09:43 PM   #11   donkey42

Quote:
Originally Posted by mega
traffic shaping
my router has traffic shaping & it also has a hardware firewall built in

BTW: my router is here
Off Topic:

donkey takes a step back to let AT & mega battle it out with spoons at the ready

26-07-2008, 09:50 PM   #12   Anti-Trend

Quote:
Originally Posted by megamaced View Post
C'mon, as a single user, traffic shaping is going to make little difference! Take my current network for example. I share the internet with a housemate, and our router is an extremely low-grade Dynamode Wireless Router. This router offers nothing extraordinary. No traffic shaping, nothing advanced like that. Yet for two users it's more than adequate. It offers everything that I might need, like port forwarding etc. I don't believe that a single user like Donkey42 could possibly need anything more than what I have myself.
Traffic shaping can make a difference regardless of user count. Really the key factors are how much bandwidth is being utilized and how many sockets will be open at a given time. For instance, if your roommate was using BitTorrent 24x7, and he allowed the maximum upload speeds, the entire network connection would be essentially unusable for you. Being primarily UDP, DNS lookups would likely fail, so you'd be lucky to eke an HTTP request out there, let alone load a website with frames, or watch a video on YouTube.

Quote:
Originally Posted by megamaced View Post
Sure IPCop is excellent, but it's overkill for Donkey and even myself...
My buddy has a Linux PC I built for him and his dad (they're both bachelors, so bought a house together to save on rent). They share it, and they'll routinely leave one session locked and the other will start a separate one on top of it. Sometimes one is torrenting porn while the other is surfing from the same PC. This situation didn't work out well for the reasons I spelled out above. So, I took their old PC (400MHz K6-2 with 64MB RAM), threw a few $4 NICs in it, and wham, IPCop. Set up a simple traffic shaping policy with DNS at the top of the scrap heap, things like FTP and BitTorrent on the bottom. Voila, metered and reliable throughput no matter how bad they're abusing their network.

This example applies even to a single user, since you might want to run BitTorrent in the background while playing games online (or whatever). This isn't feasible without a decent firewall, since the latency on the game packets would be too high to be enjoyable, as the pipe's flooded with torrent packets and everything is contesting the same bandwidth.

So, my question is this. If you already have the means to build a proper firewall (IPCop, m0n0wall, PFSense, Untangle, etc), why not go for it?
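
The effect described in post #12, modelled as an added example (not part of the thread and not IPCop's own code): one saturated uplink served first as a plain FIFO queue, then with a strict-priority policy that puts DNS above bulk uploads. The link rate, buffer depth and traffic mix are constructed values chosen for illustration.

```python
"""Toy single-link model: FIFO tail-drop vs. strict-priority shaping (added example)."""

LINK_BPS = 512_000   # assumed uplink rate in bits/s (constructed value)
BUFFER_PKTS = 50     # assumed queue depth per queue, in packets (constructed value)
PRIORITY = {"dns": 0, "bulk": 1}   # lower number is served first when shaping

def make_traffic(seconds=10):
    """Constructed load: 1500-byte bulk uploads at 2x link rate, one 80-byte DNS query per 100 ms."""
    gap = 1500 * 8 / (2 * LINK_BPS)
    bulk = [(i * gap, "bulk", 1500) for i in range(int(seconds / gap))]
    dns = [(0.05 + i * 0.1, "dns", 80) for i in range(seconds * 10)]
    return sorted(bulk + dns)

def simulate(packets, shaped):
    """Return per-class counters and mean queueing delay (seconds) for one policy."""
    queue, free_at = [], 0.0          # waiting packets; time the link is next idle
    stats = {k: {"sent": 0, "dropped": 0, "delay": 0.0} for k in PRIORITY}

    def drain(until):
        nonlocal free_at
        # FIFO: oldest packet first. Shaped: highest class first, then oldest.
        key = (lambda p: (PRIORITY[p[1]], p[0])) if shaped else (lambda p: p[0])
        while queue and free_at < until:
            pkt = min(queue, key=key)
            queue.remove(pkt)
            start = max(free_at, pkt[0])
            stats[pkt[1]]["sent"] += 1
            stats[pkt[1]]["delay"] += start - pkt[0]
            free_at = start + pkt[2] * 8 / LINK_BPS   # non-preemptive transmit

    for pkt in packets:
        drain(pkt[0])
        # Shaped: each class has its own queue limit. FIFO: one shared buffer.
        depth = sum(p[1] == pkt[1] for p in queue) if shaped else len(queue)
        if depth >= BUFFER_PKTS:
            stats[pkt[1]]["dropped"] += 1             # tail drop
        else:
            queue.append(pkt)
    drain(float("inf"))
    for s in stats.values():
        s["mean_delay"] = s["delay"] / s["sent"] if s["sent"] else None
    return stats

if __name__ == "__main__":
    traffic = make_traffic()
    for name, shaped in (("fifo", False), ("shaped", True)):
        for kind, s in simulate(traffic, shaped).items():
            print(f"{name:6} {kind:4} sent={s['sent']:4} dropped={s['dropped']:4} "
                  f"mean_delay={s['mean_delay']:.3f}s")
```

Under the priority policy a DNS query waits at most for the one bulk packet already on the wire; under FIFO it waits behind the whole buffer or is dropped when the buffer is full.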

26-07-2008, 11:23 PM   #13   megamaced

<drunken nonsense deleted for the good of mankind>

26-07-2008, 11:29 PM   #14   Anti-Trend

Quote:
Originally Posted by megamaced View Post
Rubbish!
Oh? Would you mind pointing out which part, exactly?

Quote:
Originally Posted by megamaced View Post
I am sorry but one day AT will realize that in some circumstances, a hardware IPCop solution is just overkill.
8 years of professional IT hasn't been enough to convince me that a shitty firewall is better than a good one, but one day I'll see the light.

Quote:
Originally Posted by megamaced View Post
In Donkey's case, he does not need anything more than a simple ADSL firewall configuration. Anything more, especially for one user, is just insane.
Funny, I don't know where you read the part where I said he "needed" a Linux-based firewall. I simply stated that there are advantages in even a single-user environment.

Quote:
Originally Posted by megamaced View Post
Sure IPCop is insanely brilliant, but not for you, Donkey42. For what you need, please stick with a home grade firewall. Anything else will just confuse...
You never answered my question:
Quote:
Originally Posted by Anti-Trend View Post
So, my question is this. If you already have the means to build a proper firewall (IPCop, m0n0wall, PFSense, Untangle, etc), why not go for it?
So why not? If you have a crappy PC laying around, it costs around $5-10 tops to throw a few more NICs in it, and the software is free. A cheap plastic router will cost $20-100, so I fail to see the big advantage of using a crap one if you already have a throw-away PC for use as a decent one.

27-07-2008, 06:35 PM   #15   megamaced

Got a little too drunk last night. My last post was insanely harsh so I've deleted it. Apologies...

Moving back on track, there are other reasons why IPCop may not be a good idea for Donkey. A lot of people run IPCop on ancient hardware, but that is a problem in itself because this older hardware is more likely to fail and is certainly not designed to be used 24/7. I've had two old computers give up the ghost whilst running IPCop! In both cases the motherboards just failed. One suffered from leaking capacitors! The electrolyte was all over the motherboard! Not nice!
One answer is to use newer hardware of course, but personally I don't like the idea of using a Pentium 4 based PC for IPCop when that computer is powerful enough for normal use. But I suppose for some that sacrifice is worthwhile if it means they have a rock solid system running IPCop that's reliable.

Another problem with the IPCop solution is power usage. A dusty old Pentium 2 spec PC is going to use far more electricity than a dedicated router. This is bad for two reasons. The most obvious is electricity costs. I don't know exactly how much more expensive running IPCop would be, but it's certainly going to be more expensive than a router. The second issue, and certainly the more important for Al Gore, is the extra burden on the environment! Not that he can talk anyway, what with flying all over the world in private jets, but that's another story