OK, I finally decided to configure either SmoothWall or IPCop, but which is better? I'm almost certain I'm going with SmoothWall; are there many differences? Edit: & what other distros should I consider?
Smoothwall is crippled unless you buy a commercial license. IPCop is the 100% open-source branch of Smoothwall by some of the original developers.
:beer: Thankies AT, that was exactly the advice I needed. BTW: sticking to *nix firewalls, is that correct, or are BSD-based firewalls also good?
BSD is included in the generic *nix connotation, as in "Linux/UNIX". But to answer your question, BSD firewalls are also good. A few noteworthy ones are m0n0wall and PFSense.
IPCop is the dog's bollocks... I deployed IPCop in a 24 user (or PC) scenario and it worked flawlessly. It's an excellent piece of kit. Though I must admit I am not sure that you would see any benefits, what with you being the only user on the network. You'd be better off with a dedicated home-user-orientated hardware firewall.
Very eloquent. What do you mean, "dedicated home hardware firewall"? Yeah, but I'm always hopeful I'll meet someone stupid enough to put up with me. [ot]Nobody's THAT stupid.[/ot] I went to the cinema to see Kung Fu Panda last week with my carer & we took her 9-year-old daughter to use as an excuse, & I loved it.
I dunno about that last part. I used to try to run network audits through an office grade hardware SPI firewall. While a PC with a half decent network card can easily handle tens of thousands of network connections at once, the firewall couldn't. I'd exhaust its resources in under 5 minutes of scanning and it would lock up hard, needing a full reboot. IPCop on average will have at least 10x the resources of something like that, even if you use ancient hardware. If you're not doing network scans, peer to peer stuff like Vuze, TOR, P2P, BitTorrent, etc can generate a whole buttload of open sockets, which has basically the same effect. Also, if you're using your bandwidth to its maximum potential, traffic shaping makes a *huge* impact on overall throughput by buffering the packets for you, passing them as bandwidth is available. So even with a single PC that is a heavy user, you'll notice the difference.
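The "lock up hard" behaviour AT describes is what state-table exhaustion looks like from the outside. As an added example (not from this thread and not part of IPCop or any other distro mentioned), here is a small POSIX shell check for a Linux/netfilter firewall that reads the live connection-tracking count against the table maximum and warns before headroom runs out. The `/proc/sys/net/netfilter` paths are the standard Linux ones; making the directory a parameter, the 90% threshold and the sample figures are my assumptions.

```shell
#!/bin/sh
# Added example: watch the netfilter connection-tracking table so a flood of
# open sockets (a port scan, a P2P swarm) is noticed before the box stops
# passing traffic. The directory is a parameter only so the check can be
# pointed at constructed files; on a real firewall it is
# /proc/sys/net/netfilter (assumption: Linux 2.6+ with nf_conntrack loaded).

# conntrack_usage_pct <dir>: print the integer percentage of the table in use.
conntrack_usage_pct() {
    count=$(cat "$1/nf_conntrack_count")
    max=$(cat "$1/nf_conntrack_max")
    [ "$max" -gt 0 ] || { echo "nf_conntrack_max is zero" >&2; return 2; }
    echo $(( count * 100 / max ))
}

# check_conntrack <dir> <threshold_pct>: return 0 while usage is below the
# threshold, 1 once it is at or above it (the point where new flows get
# dropped and the firewall looks "locked up" to its users).
check_conntrack() {
    pct=$(conntrack_usage_pct "$1") || return 2
    if [ "$pct" -ge "$2" ]; then
        echo "WARN: conntrack table ${pct}% full (threshold $2%)" >&2
        return 1
    fi
    echo "OK: conntrack table ${pct}% full"
    return 0
}

# Typical cron use on the firewall itself (assumed invocation):
#   sh conntrack_check.sh run /proc/sys/net/netfilter 90
if [ "${1:-}" = "run" ]; then
    check_conntrack "${2:-/proc/sys/net/netfilter}" "${3:-90}"
fi
```

The exit status makes it easy to wire into whatever alerting the box already has; a non-zero result is the moment to either raise `nf_conntrack_max` (it is writable through the same directory) or shorten the timeouts on the protocols doing the damage.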
C'mon, as a single user, traffic shaping is going to make little difference! Take my current network for example. I share the internet with a housemate, and our router is an extremely low-grade Dynamode Wireless Router. This router offers nothing extraordinary. No traffic shaping, nothing advanced like that. Yet for two users it's more than adequate. It offers everything that I might need, like port forwarding etc. I don't believe that a single user like Donkey42 could possibly need anything more than what I have myself. Sure IPCop is excellent, but it's overkill for Donkey and even myself...
My router has traffic shaping & it also has a hardware firewall built in. BTW: my router is here. [ot]Donkey takes a step back to let AT & mega battle it out with spoons at the ready[/ot]
Traffic shaping can make a difference regardless of user count. Really the key factors are how much bandwidth is being utilized and how many sockets will be open at a given time. For instance, if your roommate was using BitTorrent 24x7, and he allowed the maximum upload speeds, the entire network connection would be essentially unusable for you. Being primarily UDP, DNS lookups would likely fail, so you'd be lucky to eke an HTTP request out there, let alone load a website with frames, or watch a video on YouTube. My buddy has a Linux PC I built for him and his dad (they're both bachelors, so they bought a house together to save on rent). They share it, and they'll routinely leave one session locked and the other will start a separate one on top of it. Sometimes one is torrenting porn while the other is surfing from the same PC. This situation didn't work out well for the reasons I spelled out above. So, I took their old PC (400MHz K6-2 with 64mb RAM), threw a few $4 NICs in it, and wham, IPCop. Set up a simple traffic shaping policy with DNS at the top of the scrap heap, things like FTP and BitTorrent on the bottom. Voila, metered and reliable throughput no matter how bad they're abusing their network. This example applies even to a single user, since you might want to run BitTorrent in the background while playing games online (or whatever). This isn't feasible without a decent firewall, since the latency on the game packets would be too high to be enjoyable, as the pipe's flooded with torrent packets and everything is contesting the same bandwidth. So, my question is this. If you already have the means to build a proper firewall (IPCop, m0n0wall, PFSense, Untangle, etc), why not go for it?
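As an added example of the kind of policy AT describes (DNS at the top, FTP and BitTorrent at the bottom), and not the shaping code that ships with IPCop, here is a POSIX shell script that builds a three-class HTB hierarchy with Linux `tc` on the uplink-facing interface. The interface name, the uplink rate in kbit/s, the quarter/half/quarter guaranteed split and the assumption that BitTorrent peers use TCP ports 6881-6889 are all mine; setting `TC="echo tc"` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not IPCop's shaper): a three-class HTB policy that keeps DNS
# responsive while FTP and BitTorrent are pushed into a low-priority bulk
# class. Shaping only controls what this box sends, so apply it on the
# interface facing the uplink for upload (assumed name: eth1).

TC="${TC:-tc}"   # set TC="echo tc" to print the commands instead of running them

# setup_shaping <dev> <uplink_kbit>
setup_shaping() {
    dev="$1"; rate="$2"
    # Guaranteed slices (assumed split); every class may borrow up to the ceil.
    hi=$((rate / 4)); mid=$((rate / 2)); lo=$((rate - hi - mid))

    # Replace any existing root qdisc; unclassified traffic lands in 1:20.
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
    # Lower prio number is served first when classes compete for spare bandwidth.
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "${hi}kbit" ceil "${rate}kbit" prio 0
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "${mid}kbit" ceil "${rate}kbit" prio 1
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate "${lo}kbit" ceil "${rate}kbit" prio 2
    # SFQ inside each class so a single torrent peer cannot monopolise its class.
    for id in 10 20 30; do
        $TC qdisc add dev "$dev" parent "1:$id" handle "$id:" sfq perturb 10
    done

    # DNS (UDP/53) goes to the interactive class at the top.
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip dport 53 0xffff flowid 1:10
    # FTP control and data connections go to the bulk class at the bottom.
    for port in 20 21; do
        $TC filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
            match ip protocol 6 0xff match ip dport "$port" 0xffff flowid 1:30
    done
    # BitTorrent peer ports (assumed 6881-6889), either direction, also bulk.
    port=6881
    while [ "$port" -le 6889 ]; do
        $TC filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
            match ip protocol 6 0xff match ip dport "$port" 0xffff flowid 1:30
        $TC filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
            match ip protocol 6 0xff match ip sport "$port" 0xffff flowid 1:30
        port=$((port + 1))
    done
}

# Assumed invocation on the firewall: sh shape.sh apply eth1 512
if [ "${1:-}" = "apply" ]; then
    setup_shaping "${2:-eth1}" "${3:-512}"
fi
```

The rate should be set a little below the real uplink speed so the queue forms on this box, where HTB can reorder it, rather than in the modem, where it cannot; that is the whole reason the game packets stop waiting behind the torrent packets.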
Oh? Would you mind pointing out which part, exactly? 8 years of professional IT hasn't been enough to convince me that a shitty firewall is better than a good one, but one day I'll see the light. :doh: Funny, I don't know where you read the part where I said he "needed" a Linux-based firewall. I simply stated that there are advantages in even a single-user environment. You never answered my question: So why not? If you have a crappy PC lying around, it costs around $5-10 tops to throw a few more NICs in it, and the software is free. A cheap plastic router will cost $20-100, so I fail to see the big advantage of using a crap one if you already have a throw-away PC for use as a decent one.
Got a little too drunk last night. My last post was insanely harsh so I've deleted it. Apologies... Moving back on track, there are other reasons why IPCop may not be a good idea for Donkey. A lot of people run IPCop on ancient hardware, but that is a problem in itself because this older hardware is more likely to fail and is certainly not designed to be used 24/7. I've had two old computers give up the ghost whilst running IPCop! In both cases the motherboards just failed. One suffered from leaking capacitors! The electrolyte was all over the motherboard! Not nice! One answer is to use newer hardware of course, but personally I don't like the idea of using a Pentium 4 based PC for IPCop when that computer is powerful enough for normal use. But I suppose for some that sacrifice is worthwhile if it means they have a rock solid system running IPCop that's reliable. Another problem with the IPCop solution is power usage. A dusty old Pentium 2 spec PC is going to use far more electricity than a dedicated router. This is bad for two reasons. The most obvious is electricity costs. I don't know exactly how much more expensive running IPCop would be, but it's certainly going to be more expensive than a router. The second issue, and certainly the more important for Al Gore, is the extra burden on the environment! Not that he can talk anyway, what with flying all over the world in private jets, but that's another story.
Indeed. I need to install childlock software that automatically disables my PC when it detects my intoxication.
Thanks for your candor, but no apologies necessary. On a personal note, I welcome rational, well thought out disagreement, since it only benefits both of us if there's any technical merit to your argument at all. That may sound like a martyr's tone, but it's the hand-to-God truth. If you think you're right, stick to your guns. It's not about ego -- at least, shouldn't be -- it's ultimately about learning and in doing so, instructing others. I've used nothing but older hardware for my own firewalls, since for the small scale of my network anything more than that would be a ridiculous waste of resources. But honestly, old hardware doesn't need to be unstable. My first dedicated Linux-based firewall was a 300MHz K6 with 96mb RAM, and it was even an AT-architecture machine. I got it for free from somebody who was throwing it out (apparently it wouldn't run WinME very well for some reason), and it was my firewall for at least 3 years before I had a cap on the mobo go bad and the thing was pretty much done. It still worked, but would reboot every few days or so. That may be good enough behavior for a D-Link router, but not good enough for me. So I replaced it with another free piece of legacy hardware. This time it was Fred who gave me my upgrade to a 400MHz K6-2 w/265mb RAM, and even ATX architecture this time. That thing's been going for 11 months so far with zero problems. So that being said, what makes cheap routers more immune to capacitor or power-supply failure than other consumer-grade hardware like PCs? Truth is, even cheap motherboards are often better constructed than most routers. I used to work for a networking security company that made a lot of "embedded hardware appliances" which cost upwards of $10,000. We saw a lot of bad power supplies. I mean, a lot. And you know what? From what I heard, we weren't even the worst in the industry by far.
Besides, our hardware was essentially an embedded x86-compatible PC with less than impressive specs running a very old custom build of FreeBSD. "Hardware firewall" maybe sounds cooler and more bulletproof than it really is. Just to give a real world illustration, my dad just had a capacitor fail in an embedded modem/router he was using as a bridge, literally yesterday. I helped him pick out a new single-function modem/bridge and connect it to his IPCop firewall, built from an old Compaq K6-2. Suffice it to say, the Compaq has been a lot more stable than the "hardware firewall" sitting next to it. That's typically the arrangement for businesses I've built firewalls and routers for in the past. It's worth it for them to just buy a few hundred bucks worth of solid hardware, and if it's a bit overkill, so be it. Some like the really small size/power footprint normally associated with embedded though, and for them I built around Soekris parts. Not as fast or cost-effective as off-the-shelf parts, but small and pretty cool-looking. Honestly, this is a bit overhyped from personal experience. If anybody does any hardcore studies on this I'd like to see it. All I have is personal anecdote, which I will relate now. But basically, I can't tell the difference on my power bill for my low-end K6-2 rig to run 24x7 than to turn on a lightbulb for a few hours a day, or run an oscillating fan, or watch a little TV. The system is so close to idling 99% of the time that Linux is sending idle calls to the CPU most of the time anyway, and any CPU since the 80486 is going to be able to use very little juice in that state. Ironically, a lot of home routers use those cheap "brick" wall AC/DC adapters since the units are too small to do the conversion internally. Those things have a nasty habit of drawing 100% of their rated wattage 100% of the time, whether or not the attached device is using it, whether or not it's even on.
So again, power efficiency is not a universal property of cheesy plastic routers either.
Now for my two pennies' worth: I hate my modem/router! With a vengeance. It is utter crap! Yes, it is the widely spread, widely used Netgear DG834GT. The only thing going for these routers is the space they take, which is about two-and-a-half-cigarette-packs-worth. With all respect to the old hardware firewall machines, they still take space. The same as 10 routers. Although this sounds lame, in my current set-up I have not got the space, even for a microATX box. Maybe a shuttle type body.... and they hardly roll around in the street. AT would remember advising me not to use an M300 Compaq laptop as a possible firewall. Yes, I could put it in the loft (an idea I was playing around with until I had to re-arrange my loft... long story, don't ask) or in the garage, but then I would have to start hard-wiring. I am not about to do this in a hurry. So, for this reason only, I could not go for this sort of solution. My work station is so tiny, it hardly fits my Soprano case. So, having the :swear: router sitting neatly on top is ideal.