IPCop is a free, open-source firewall based on the Linux operating system. It provides an easy way to have a dedicated firewall between your vulnerable computers and the Internet, but without the high cost and low flexibility of hardware routers. IPCop runs perfectly on obsolete hardware and can provide secure access to servers, workstations, and wireless clients alike. It's super-simple to set up, and requires no prior Linux knowledge. The entire setup process takes between 5 and 15 minutes. Once the system is up, it can be administered via a secure web interface.

Hardware Requirements

If you have an old, worthless system with at least:

* 24MB RAM
* 400MB HDD
* 100MHz CPU
* 2 Network Cards

...you can use it for IPCop! My firewall is an ancient AT-architecture K6-2~300MHz, 128MB RAM, 4GB HDD with two $5 Realtek network cards, and it's been the best router I've ever had. Fast, flexible, secure, easy to use --- it's the best use you can make of your old junker PC!

>>> Get IPCop <<<
A note on the above post: These minimum requirements are for normal firewall usage. But if you will be running advanced services like proxying/content-filtering/VPN/Snort, you may need a bit more CPU power, RAM, and HDD space. Even so, we're talking about maybe a Pentium2 with 64-128mb RAM and a 4GB HDD, so it's not too high-end. Actually even that would be pretty cushy, considering most commercial routers run in the sub 200MHz range (that includes Cisco)! -AT
IPCop is up to 1.4.5. If you're already running it, you can get the patch. Or, if you haven't yet installed it, you can get the full 1.4.5 ISO Image.
Just tell her you're going to "convert it into a useful security appliance". You'll need at least two network adapters, BTW. -AT
Yeah, I got 2, I'm just willing to turn myself over to Linux, though I wanna get VMware and run Mandriva, Longhorn, and OS X together eventually at once.
Really, IPCop is intended to be run on a standalone system which will act as a dedicated firewall. In other words, once it's set up it no longer needs a keyboard, mouse, monitor or even a video card (if the CMOS will allow it to boot without one). It will act as your edge router, protecting the inhabitants of your local area network -- Windows, Linux, Mac, or any other type of system which happens to be behind it. -AT
I'm building one. A local high school is shelling out full PII systems, fully tested and working, for $20. Picking one up in around 6 hours if plans follow through. I don't really need another firewall; I'm just doing this for experience.
IPCop v1.4.6 was released today! As usual, this version can be installed as an update from previous v1.4.x installations or with a ready-to-go ISO for a fresh install. Install the update and restart your red interface to initialize the new dnsmasq version. In other words, no reboot required.

Download from http://sourceforge.net/project/showfiles.php?group_id=40604

MD5: 753b00658a996de625c779334768d0a6 fcdsl-1.4.6test1.tgz
MD5: b83eed991e392dd8346171088aac9fb8 ipcop-1.4.6test1.iso
MD5: 99bc31079b1b7be5d94b22d388b04b3b sources-ipcop-1.4.6test1.tgz
MD5: d083bb952ccfefa6b3f98ed881dbec45 update-1.4.6test1.tgz.gpg
IPCop 1.4.9 released today.

Changelog:
__________________________________
Upgrade squid to v2.5.STABLE11 to fix three possible crashes.
Fix umount for CAN-2005-2876.
Fix the Upload button not working in Norwegian, Swedish and Vietnamese languages. If you are affected by this, temporarily change to a different language to be able to apply this update.
Add Traditional Chinese language to web interface.
Hide only connect/disconnect buttons when a ppp profile is used but not valid.
Hide ppp profile name in all pages when not used.
Detect floppy media not present for backup.
Make minimal optionfw.cgi work with ping.
VPN users, check "Dead Peer Detection action" setting as it was wrongly changed during 1.4.7 upgrade
__________________________________

You can grab the full ISO image for installation here. If you've already got IPCop 1.4.8, you can pick up the patch here (no reboot required).
Lol, well only Windows really, right? Because that's a breeding ground for PC STDs...yuck, viruses running rampant in your Windows OS as you speak.
IPCop 1.4.10 Released

IPCop v1.4.10 is only bug fixes and is released unchanged from 1.4.10test1. As usual, this version can be installed as an update from the previous v1.4.x versions or with a ready-to-go ISO for a fresh install.

md5sums
379f9693213cd201788a71d5269ef4c0 ipcop-fcdsl-1.4.10.i386.tgz
d4848635eb08e2f131f71fccb8dd9ab7 ipcop-install-1.4.10.i386.iso
0651d7bcb4e4dca4daef7649f472807d ipcop-sources-1.4.10.tgz
4e62d3c4d33bbbd1abf2fd3961615305 ipcop-update-1.4.10.i386.tgz.gpg

fcdsl package did not change in 1.4.10 from 1.4.8/1.4.9

Changes made since v1.4.9 are :
- upgrade squid to 2.5.STABLE12 CAN-2005-3258 and bug#1405
- permits user to introduce a delay between vpn launch and IPCop 'connection'. The delay allows dyndns updates to propagate. Useful when a dyndns name is used for the RED name. Avoid error message "We have no ipsecN interface for either....."
- make snort use binary login, more resilient, don't exhaust inode with random ip logging
- allow dmzholes to use ip/mask instead of ip. Simplify blue->green holes management.
- fix transparent proxy on blue broken when transparent on green off sf bug #1327461
- add scheduled shutdown/reboot capability to IPCop (within shutdown.cgi page) RFE 1298996
- VPN fix no default values for advanced options when advanced options not used
- VPN correctly display advanced options default values when not set SF 1314801
- VPN add enable/disable pluto debugging option
- fix aliases randomly sorted on first use SF 1290492
- upgrade to apache_1.3.34 mod_ssl-2.8.25-1.3.34 mm-1.4.0
- fix atm modem routed ip start with llc encap
- fix atm modem routed ip stop (tested with vc encap)
- web backup : tighten security (SF 1344032 / 1344047)
- web backup : fix hardware settings always exclude from backup, they should only be optionally include on restore
- web backup : fix exclude files not working in 1.4.9 resulting with bigger backup each time, now all file include names are displayed on information box
- revert dhcp server changes made in 1.4.9. Some input boxes may be let empty.

Web backup made in 1.4.9 are bigger than necessary because they include other backup sets and files which should have been exclude. Backup sets present on hard disk are fixed during the upgrade.

Please report any problems in bug tracking system or on devel list.

Gilles
IPCop 1.4.11 Released

Summary of the too long changes from 1.4.10 to 1.4.11

Web interface

backup.cgi
- new backup supporting usb key, unencrypted backup removed for security reason
- export of backup.key key is crypted with a 'backup' password needed for reinstall, hostname is include in the exported key file
- backup .dat now include hostname and the timestamp of the backup
  before to reinstall, remove timestamp to the file name you want to use to restore
  a comment field is available for each backup
  the comment will be restored on backup upload (if available)
- floppy backup display used sized, check that backup is not too big
  directly display errors if any (bad floppy)

ddns
- fix typo in local IP network address to fetch real public IP (sf1369617)
- fix GET string during fetch real public IP (sf1396470) and use proxy settings
- add cjb.net, everydns.net providers and remove hn.org
- move freedns and regfish to https exchanges
- change URL for zoneedit

connections.cgi
- Fix icmp bug (sf1373594)
- add sorting & filtering of the table
- fix minor xhtml compliance issues

dhcp.cgi
- change duplicate dhcp fixed lease detection (Tapani suggestion)
- highlight duplicate MACs
- new option need to be created no space 'code nnn=xyz'
- allow more char in rootpath/filename options (sf1365534)

gui.cgi
- fix minor xhtml compliance issues

ids.cgi
- fix save that erase update signature date
- fix stop of ids in 1.4.11rc1

portfw.cgi
- fix destination range check (sf1226089)

password.cgi
- have an uniform policy in setup and web GUI
  space, ' and " are not allowed
  6 characters password is the minimal length in both interfaces

pppsetup.cgi
- fix minor xhtml compliance issues

proxy.cgi
- use the proxy port number set in web interface
- support squid extension_methods
- add an option to repair the cache
- fix 'flush cache' option

shutdown.cgi
- allow a programmed shutdown/reboot

update.cgi
- include version number in update log message

VPN
- fix minor xhtml compliance issues
- fix CRL dir and filename
- move randfile and cakey.pem out of /var/ipcop/ca to remove warnings (need to include in upgrade)
- add leftid/rightid parameters to extend interoperability with other peers
- remove 'raw' debug option, not usable (too much data)
- add overridemtu option
- allow %defaultroute as local name for this side of VPN (sf1418529)
- correctly enable creation of Roadwarriors (sf1436828)
- add subjectAltName (rfe sf1365911)
- add a pkcs12 import while creating a connection
- allow use of DN,FQDN,IP for authentication (sf #1418533)
- compression+vhost can work together: disable check
- set compression off by default for better compatibility
- Fix unneeded test preventing using more than once a cert (sf1171139)
- add aggressive mode option (rfe sf1359865)
- PFS advanced option was not cleared when saving params in basic GUI
- Integrate vpn-watch from Daniel Berlin (used for net-to-net only)
- Fix certificate export with IE and Opera, now the box to register to disk really open
- Check the subjectaltname field and filter error output
  With access on vpn configuration page controlled by admin password, it was possible to include html code in this field
  html code was executed because of error display without filtering of subjectaltname.

Connection
- fix reconnection done even in manual and pure RED setting
- fix Ping disable option only working correctly with RED interface up (SF 1373822)
- restart squid during rc.updatered (should fix sf1077113)
- allow selection of only pap or only chap with fritzdsl to be effective

Various
- fix 'single' mode booting used for password recovery (sf1349440)
- fix kernel displaying nonexistent partitions with unpartitioned fat device (integrated in 2.4.33)
- fix syslogd and klogd users and start now syslogd as syslogd uid

Building
- support build from precompiled toolchain package
  - to work with very old or brand new distribution
  - to spare build time
  - package available when the building machine is a i586 or a i686
  You can upload the corresponding prebuild toolchain with ./make.sh gettoolchain
  If you want to build your own package, do ./make.sh clean && ./make.sh toolchain
- supply a collection of all needed packages sources used to build in an .iso
- split compilation log in different stages log files
- strip from chrooted /tool/strip
- initrd is rebuild every time the installer is more recent
- during compilation, disable ipsec.secrets generation to workaround with a kernel >2.6.11.x on the running machine for a potential empty entropy pool problem
- at the end, move .iso and *.tgz from build/install to root dir instead of copying to save place on disk

Support Latin-2 for rrdtool

Upgraded packages
- dhcp-3.0.4,
- dnsmasq-2.33 and remove ipv6 support we don't use,
- gnupg-1.4.5 and trim unused features,
- hdparm-6.6 (mainly support ATA7 detection),
- iana-etc 2.10,
- iptables-1.3.5,(pool extension no more available,string extension is reverted to code in v1.3.3)
- ipac-ng-1.31,
- libpng-1.2.12,
- squid-2.5.STABLE14 plus patch,
- openswan-1.0.10,
- vlan.1.9. (cosmetic)

Fix openssl compiled previously for 486 (sf bug #1363150)

Add Afrikaans,Gujarati,Japanese,Persian (Farsi),Slovak languages to web interface and installer

Installation
- support installation from usb key
- support restoration from usb key and network (http/ftp)
- display version on first screen message
- no more need of scsi floppy to support scsi cdrom/disk when not booting from floppy
- explain 'no echo for password' message
- use syslinux-3.11
- fill URL box with http:// as it may not easy to type : on unmapped keyboard
- keep the URL in case the file is not found (easier to understand what was previously wrong)
- Fix SiS965L chipset detection
- Fix mptscsih configuration during install

Please report any problems in IPCop sourceforge bug tracking system or on devel list.

Gilles
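The subjectAltName fix in the 1.4.11 notes above (HTML typed into the field was executed because the error page displayed it unfiltered), shown as an added Python example that is not part of the original post and is not IPCop's code. The function names, the accepted entry syntax and the sample inputs are assumptions made for illustration.

```python
import html
import re

# Assumption: entries follow the OpenSSL "TYPE:value" syntax, comma separated.
# The rule IPCop actually applies is not shown in the post.
SAN_ENTRY = re.compile(r"(DNS|IP|email|URI):[A-Za-z0-9@._:/-]+")


def rejected_entries(field):
    """Return the subjectAltName entries that fail the allow-list (empty = valid)."""
    if not field.strip():
        return []  # an empty optional field has nothing to reject
    entries = [e.strip() for e in field.split(",")]
    return [e for e in entries if not SAN_ENTRY.fullmatch(e)]


def error_box_unfiltered(field):
    """'Before' behaviour from the changelog: the field is echoed into HTML as typed."""
    return "<div class='error'>Invalid subjectAltName: " + field + "</div>"


def error_box_filtered(field):
    """'After' behaviour: the same message with the field HTML-escaped."""
    escaped = html.escape(field, quote=True)
    return "<div class='error'>Invalid subjectAltName: " + escaped + "</div>"


def handle_vpn_form(field):
    """Validate first; if anything is rejected, answer with the escaped error box."""
    bad = rejected_entries(field)
    if bad:
        return False, error_box_filtered(", ".join(bad))
    return True, ""


# Constructed inputs, not taken from any real configuration.
GOOD = "DNS:vpn.example.org, IP:192.0.2.10"
BAD = "DNS:vpn.example.org, <script>alert(1)</script>"

if __name__ == "__main__":
    print(handle_vpn_form(GOOD))
    print(error_box_unfiltered(BAD))   # markup reaches the page as markup
    print(handle_vpn_form(BAD)[1])     # markup reaches the page as inert text
```

Validation and output escaping are separate controls: the allow-list keeps bad values out of the certificate request, while escaping keeps whatever was typed from being interpreted by the administrator's browser.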
IPCop 1.4.13 Released!

IPCop 1.4.13 was released today. Here's the complete release announcement, wrapped in "code" tags so it doesn't take a whole page by itself.

Code:

IPCop is a friendly firewall solution protecting networks running on linux. It will be geared towards home and SOHO users. Interface is task based. Hardware requirement could be very minimal and grow with services used.

This release update a few tools due to security issues, fix bugs and update some drivers. You are encouraged to update from previous releases as soon as you can.

IPCop v1.4.13 is released unchanged from 1.4.13rc1. As usual, this version can be installed as an update from previous v1.4.x versions or with a ready-to-go ISO or usb bootable images for a fresh install.

Update is split in two parts due to space limits on small configurations. Install the two updates and reboot mandatory. Kernel-2.4.34 is provided. This kernel update may cause trouble with unofficial add-ons not compiled for this kernel.

An iso for alpha is provided again for 1.4.13 release. It is intended that starting from 1.4.13, alpha version will be released in the same timing as i386 version. No update from alpha v1.4.0 version will be published as the gap is too much important. You would have to backup and install again.

Files are available on 'IPCop' package at https://sourceforge.net/project/showfiles.php?group_id=40604

If you want to compile from sources, a new .tgz is supplied that gathered all external sources from Ipcop. You don't need to load that package from sourceforge on your own. On a new CVS tree, ./make.sh getothersrc will do that for you and check file integrity before to untar all sources packages in cache directory.

Three different usb images are available to boot from usb as some bios may boot with one format and not others:
- fdd is an unpartitioned usb key
- hdd is partitioned like an hard disk
- zip is partitioned like a zip (work with real usb zip device too)
- pxe is a package ready to use for pxe boot (instructions inside)

Please report any problems in bug tracking system or on devel list.

Summary of changes

Installation
- fix initrd not build with raid device
- allow to pass parameters on boot line to the installer: swapfilesize and lang parameters are implemented
- split the boot information page in three nice pages
- add memtest option on cd or pxe boot
- fix memory requirement on network install. This is now 12MB like with cd install

Building
- rename big package with all external sources package from source to othersrc name. This is no more an iso, just a tar.bz2 that will be uncompressed on cache directory when loaded with ./make.sh getothersrc
- changes files names with $VERSION always in second position to sort in http://prdownloads.sourceforge.net/ipcop (SF make this directory no more reachable actually)
- backport KVER trick from 1.5 so that we no more need to adjust src/ROOTFILES every time kernel version is upgraded.
- compilation work again on alpha but testing is needed
- rename cache/iptables-fixed to iptables-fixed-for-1.4 to prevent conflict when same cache is used with both versions
- strace is compiled but not include (could be used in ./make.sh shell or copied manually)
- exclude blue drivers from drivers.img, this let 250kB free to include new drivers for install from green card
- kbd gzip files without timestamp, files are smaller and md5 no more vary at each compilation
  Due to the very small gain, modified files are not include in update (only on new install)

Add Bulgarian, Catalan and Urdu langs to web interface
Update apache to 1.3.37
Update dhcp to 3.0.5
Update e1000 driver to 7.3.15 (out of kernel version)
Update fcron to 3.0.1, this should allow to reset cron timestamp when the clock is set back from the future.
Update gnupg to 1.4.6 CVE-2006-{6169,6235}, don't link with libusb
Patch gzip for CVE-2006-433{4,5,6,7,8}
Update openssh to 4.5p1 (update sshd_config to listen to IPv4 only with 'AddressFamily inet')
Update openssl to 0.9.7l CVE-2006-{2937,2940,3738,4339,4343}
Upgrade pulsar driver to 4.0.22 (There is a new function that display line speed, snr and attenuation just after sync)
Update rp-pppoe to 3.8 (now pppoe change UID to nobody after start)
Patch tar for CVE-2006-6097 (remove GNUTYPE_NAMES support)
Update tg3 to 3.66d (out of kernel version)
Upgrade unicorn to 0.9.3 (support new pci card)
Add velocityget driver (VIA gigabit driver)
Upgrade wireless_tools to 28
Enable wanpipe with 2.3.4-3 version (S514 should work now with one setting, S518 should work in the future)
Upgrade linux kernel to 2.4.34+Wireless Extension 18
- remove compilation timestamp include in source code of some modules,
- gzip modules without timestamp,
  This make everyone that compile same sources to produce exactly same modules with same md5

Fix crash in restartsquid depending of vpn configuration SF # 1545498
- writehasharray was allowed to write empty line.

setup
- fix new netcard allocation once an RED ethernet interface has been up. RED_DEV interface was not set down by rc.netaddress.down. So rmmod RED_DRIVER fail to unload the driver.
- stop firewall after rc.netaddress.down call to allow start just after amedynusbadsl
- fix rc.amenynusbadsl start as detection based on 'ADSL USB modem' only detect the modem plugged in and not if the module is loaded or not
- support '103 MADSLU' modem
- remove speedtouch support with this module, this may be confusing

rc.connectioncheck
- refresh ppp/secrets when switching to another profile sf #1557321

rc.netaddress.up rc.network
- shift firewall start from rc.network to rc.netaddress.up to fix SF #1565164 bug
  This allow to update ORANGE and BLUE specific rules when those interfaces are added/removed

rc.red
- fix a warning on atm module cleanup
- on stop, only stop a 'RED is modem' interface when 'RED is modem' is selected
- add support of wanpipe-serial
- wanpipe-adsl is not yet ready

general-functions.pl
- add 'use Net::SSLeay;' so that addons could call FetchPublicIP
- add NextIP function

aliases.cgi
- fix setaliases when toggling enable/disable button and alias name was blank
- fix status checkbox on the editing page always enabled from an existing entry (sf #1611456)

connections.cgi
- Give color priority to vpn over red, green, blue, orange.
- fix gre protocol display
  Output from ip_conn_track_gre (patch iptables 1.3.5?) changed by removing some fields (protocol & version).

ddns.cgi
- Support namecheap.com, RegisterFly.com and dnsmadeeasy service providers
- Fix selfhost.de mandatory fields and log message
- make OVH use same code as others and use https

dhcp.cgi
- transmit the hostname to reuse it as a 'comment' in newly created fixed lease
- enhance the determination for IP address used while importing a fixed lease
- RFE #1572801, allow all combination of array, record in option definition
- fix : it was possible to update an option definition with a false definition
- fix : it was possible to add more than one option per option definition.

ids.cgi
- handle error message from rules update
  Allow to read the error message when refreshing the rules at a too short interval time. After downloading rules, a delay is instaured before next download is open. Display this message that is more explicit (but in english).

pppsetup.cgi
- add wanpipe-adsl and wanpipe-serial interface
  wanpipe-serial should work with S514

proxy.cgi
- add missing check for LOGGING input
- add an option to allow real separation from BLUE to GREEN when used as transparent proxy

shutdown.cgi
On some fast machines, there was not enough time to change to index.cgi before apache has been shut down. Handle that a different way. Start the helper in background and make the helper slower than the page to refresh.

status.cgi
- fix disk usage display when the devicename is too long

vpnmain.cgi
- allow more characters in the PSK. Only the single quote cannot be used (sf#1556707)

wireless.cgi
Add a pale grey add image to represent disabled state.

All pages
Log when referer is bad on web interface

VPN
- warn 'vpn incompatible use of defaultroute' as local VPN hostname breaks Net2Net with PSK sf#1548065
- vpn-watch: --rereadsecrets is necessary with shared keys
- vpn-watch: Handle the case where the 'pipe' had been left alone for some reason

Nota bene : IPCop 1.4.11 release announce did not reach marc archive system for unknown reason but is readable on www.ipcop.org or on sourceforge mailing list archive http://sourceforge.net/mailarchive/forum.php?thread_id=30330058&forum_id=2904

You can download the standalone 1.4.13 installer here. If you're already running an earlier version of IPCop, simply use the links on the update page.
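The 1.4.13 notes above say that gzipping files without a timestamp makes them smaller and stops their md5 from varying between compilations. The added Python example below (not from the post and not IPCop's build script) shows the two gzip header fields responsible; the file name, payload and build times are constructed.

```python
import gzip
import hashlib
import io
import struct

# Constructed sample: stands in for a keymap or kernel module produced by the build.
PAYLOAD = b"keymaps 0-2,4-6,8-9,12\n" * 200


def gzip_like_build(data, name, mtime):
    """Compress the way plain `gzip file` does: header stores the name and mtime."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf, mtime=mtime) as gz:
        gz.write(data)
    return buf.getvalue()


def gzip_reproducible(data):
    """Compress like `gzip -n`: no original name, timestamp field forced to 0."""
    return gzip_like_build(data, name="", mtime=0)


def header_mtime(blob):
    """Bytes 4..7 of a gzip member hold MTIME as little-endian seconds since 1970."""
    return struct.unpack("<I", blob[4:8])[0]


def md5(blob):
    # md5 is used here only because it is the checksum the release notes publish.
    return hashlib.md5(blob).hexdigest()


def compare_builds():
    # Two builders compile the same sources one hour apart (constructed times).
    a = gzip_like_build(PAYLOAD, "fr.map", 1165000000)
    b = gzip_like_build(PAYLOAD, "fr.map", 1165003600)
    ra, rb = gzip_reproducible(PAYLOAD), gzip_reproducible(PAYLOAD)
    return {
        "timestamped_match": md5(a) == md5(b),      # differs only in the header
        "reproducible_match": md5(ra) == md5(rb),   # byte-identical output
        "bytes_saved": len(a) - len(ra),            # stored name plus its NUL
        "same_content": gzip.decompress(a) == gzip.decompress(ra) == PAYLOAD,
    }


if __name__ == "__main__":
    print(compare_builds())
```

With the header variation gone, a published checksum can be reproduced by anyone who builds the same sources, which is what lets a third party check that a distributed binary matches the code.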
Hi AT, I would really love to work with this stuff, but before setting it up on a different piece of hardware I would love to try it out... Is there any VMware software that would let me work with this on XP HOME?? Thanks. Regards, Karan