IPCop 1.4 Released!

Discussion in 'Networking and Computer Security' started by Anti-Trend, Oct 5, 2004.

  1. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    IPCop is a free, open-source firewall based on the Linux operating system. It provides an easy way to have a dedicated firewall between your vulnerable computers and the Internet, but without the high cost and low flexibility of hardware routers. IPCop runs perfectly on obsolete hardware and can provide secure access to servers, workstations, and wireless clients alike. It's super-simple to set up, and requires no prior Linux knowledge. The entire setup process takes between 5 and 15 minutes. Once the system is up, it can be administrated via secure web interface.

    Hardware Requirements
    If you have an old, worthless system with at least:
    *24MB RAM
    *400MB HDD
    *100MHz CPU
    *2 Network Cards

    ...you can use it for IPCop! My firewall is an ancient AT-architecture K6-2~300MHz, 128MB RAM, 4GB HDD with two $5 Realtek network cards, and it's been the best router I've ever had. Fast, flexible, secure, easy to use --- it's the best use you can make of your old junker PC!

    >>> Get IPCop <<<
  2. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    A note on the above post: These minimum requirements are for normal firewall usage. But if you will be running advanced services like proxying/content-filtering/VPN/Snort, you may need a bit more CPU power, RAM, and HDD space. Even so, we're talking about maybe a Pentium2 with 64-128MB RAM and a 4GB HDD, so it's not too high-end. Actually even that would be pretty cushy, considering most commercial routers run in the sub 200MHz range (that includes Cisco)!

  3. Sniper

    Sniper Administrator Staff Member

    shame, my old PC is now the family PC otherwise I would have tried this out :)
  4. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    IPCop v1.4.2 update released.
  5. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    IPCop 1.4.4 released. Get it here.
  6. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    IPCop is up to 1.4.5. If you're already running it, you can get the patch. Or, if you haven't yet installed it, you can get the full 1.4.5 ISO Image.
  7. zRoCkIsAdDiCtInG

    zRoCkIsAdDiCtInG HWF Guitar Freak

    awesome, I'll get it as soon as i convince my mom to let me run linux on my old windows Me computer
  8. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    Just tell her you're going to "convert it into a useful security appliance". You'll need at least two network adapters, BTW. :)

  9. zRoCkIsAdDiCtInG

    zRoCkIsAdDiCtInG HWF Guitar Freak

    yea i got 2, im jus willing to turn myself over to linux, tho i wanna get vmware and run mandriva, longhorn, and osX together eventually at once
  10. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    Really, IPCop is intended to be run on a standalone system which will act as a dedicated firewall. In other words, once it's set up it no longer needs a keyboard, mouse, monitor or even a video card (if the CMOS will allow it to boot without one). It will act as your edge router, protecting the inhabitants of your local area network -- Windows, Linux, Mac, or any other type of system which happens to be behind it.

  11. ninja fetus

    ninja fetus I'm a thugged out gangsta

    I'm building one. A local high school is shelling out full PII systems fully tested and working for $20. Picking one up in around 6 hours if plans follow through.
    I don't really need another firewall, I'm just doing this for experience.
  12. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    IPCop v1.4.6 was released today!

    As usual, this version can be installed as an update from previous v1.4.x installations or with a ready-to-go ISO for a fresh install. Install the update and restart your red interface to initialize the new dnsmasq version. In other words, no reboot required.

    Download from

    MD5: 753b00658a996de625c779334768d0a6 fcdsl-1.4.6test1.tgz
    MD5: b83eed991e392dd8346171088aac9fb8 ipcop-1.4.6test1.iso
    MD5: 99bc31079b1b7be5d94b22d388b04b3b sources-ipcop-1.4.6test1.tgz
    MD5: d083bb952ccfefa6b3f98ed881dbec45 update-1.4.6test1.tgz.gpg
  13. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    IPCop 1.4.9 released today.

    • Upgrade squid to v2.5.STABLE11 to fix three possible crashes.
    • Fix umount for CAN-2005-2876.
    • Fix the Upload button not working in Norwegian, Swedish and Vietnamese languages. If you are affected by this, temporarily change to a different language to be able to apply this update.
    • Add Traditional Chinese language to web interface.
    • Hide only connect/disconnect buttons when a ppp profile is used but not valid.
    • Hide ppp profile name in all pages when not used.
    • Detect floppy media not present for backup.
    • Make minimal optionfw.cgi work with ping.
    • VPN users, check "Dead Peer Detection action" setting as it was wrongly changed during 1.4.7 upgrade

    You can grab the full ISO image for installation here. If you've already got IPCop 1.4.8, you can pick up the patch here (no reboot required).
  14. beretta9m2f

    beretta9m2f Karate-Chop Action Gabe

    Lol, well only windows really right? bc thats a breeding ground for PC std's...yuck, viruses running rampant in your windows OS as you speak.
  15. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    ...don't get me started. :rolleyes:
  16. Nic

    Nic Sleepy Head

    Thanks for the heads up on this AT, I'll see whether I can hunt down pc we're not using
  17. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    IPCop 1.4.10 Released

    IPCop v1.4.10 is only bug fixes and is released unchanged from 1.4.10test1.

    As usual, this version can be installed as an update from the previous
    versions or with a ready-to-go ISO for a fresh install.

    379f9693213cd201788a71d5269ef4c0 ipcop-fcdsl-1.4.10.i386.tgz
    d4848635eb08e2f131f71fccb8dd9ab7 ipcop-install-1.4.10.i386.iso
    0651d7bcb4e4dca4daef7649f472807d ipcop-sources-1.4.10.tgz
    4e62d3c4d33bbbd1abf2fd3961615305 ipcop-update-1.4.10.i386.tgz.gpg

    fcdsl package did not change in 1.4.10 from 1.4.8/1.4.9

    Changes made since v1.4.9 are :
    - upgrade squid to 2.5.STABLE12 CAN-2005-3258 and bug#1405
    - permits user to introduce a delay between vpn launch and IPCop
    The delay allows dyndns updates to propagate. Useful when a dyndns name
    used for the RED name. Avoid error message "We have no ipsecN interface
    for either....."
    - make snort use binary login, more resilient, don't exhaust inode with
    random ip logging
    - allow dmzholes to use ip/mask instead of ip. Simplify blue->green holes
    - fix transparent proxy on blue broken when transparent on green off sf bug
    - add scheduled shutdown/reboot capability to IPCop (within shutdown.cgi
    page) RFE 1298996
    - VPN fix no default values for advanced options when advanced options not
    - VPN correctly display advanced options default values when not set SF
    - VPN add enable/disable pluto debugging option
    - fix aliases randomly sorted on first use SF 1290492
    - upgrade to apache_1.3.34 mod_ssl-2.8.25-1.3.34 mm-1.4.0
    - fix atm modem routed ip start with llc encap
    - fix atm modem routed ip stop (tested with vc encap)
    - web backup : tighten security (SF 1344032 / 1344047)
    - web backup : fix hardware settings always exclude from backup, they should
    be optionally include on restore
    - web backup : fix exclude files not working in 1.4.9 resulting with bigger
    each time, now all file include names are displayed on information box
    - revert dhcp server changes made in 1.4.9. Some input boxes may be let

    Web backup made in 1.4.9 are bigger than necessary because they include
    other backup sets and files
    which should have been exclude. Backup sets present on hard disk are fixed
    during the upgrade.

    Please report any problems in bug tracking system or on devel list.
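Checking downloads against the MD5 lists posted in this thread, as an added example (not code from IPCop or from the poster). It accepts both layouts used above, `<md5> <file>` and `MD5: <md5> <file>`; the file names and contents in `demo()` are constructed samples.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Matches "<md5> <file>", "<md5>  <file>" and "MD5: <md5> <file>".
LINE_RE = re.compile(r"^\s*(?:MD5:\s*)?([0-9a-fA-F]{32})\s+\*?(\S.*?)\s*$")


def parse_md5_list(text):
    """Return {filename: lowercase hex digest} for every well-formed line."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so a full ISO image never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(list_text, directory):
    """Map each listed file to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for name, expected in parse_md5_list(list_text).items():
        # Only the base name is used, so a list entry cannot point outside directory.
        path = Path(directory) / Path(name).name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(md5_of(path), expected):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: one intact file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "sample-install.iso").write_bytes(b"constructed iso contents\n")
        (Path(d) / "sample-update.tgz.gpg").write_bytes(b"altered contents\n")
        good = hashlib.md5(b"constructed iso contents\n").hexdigest()
        published = hashlib.md5(b"original contents\n").hexdigest()
        listing = (
            f"{good} sample-install.iso\n"
            f"MD5: {published} sample-update.tgz.gpg\n"
            f"{'0' * 32}  sample-sources.tgz\n"
        )
        return verify(listing, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

MD5 is no longer collision-resistant, so a match guards against a corrupted download rather than a deliberately substituted file.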

  18. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    IPCop 1.4.11 Released

    Summary of the too long changes from 1.4.10 to 1.4.11

    Web interface
    - new backup supporting usb key, unencrypted backup removed for security
    - export of backup.key
    key is crypted with a 'backup' password needed for reinstall,
    hostname is include in the exported key file
    - backup .dat
    now include hostname and the timestamp of the backup
    before to reinstall, remove timestamp to the file name you want to use to
    a comment field is available for each backup
    the comment will be restored on backup upload (if available)
    - floppy backup
    display used sized,
    check that backup is not too big
    directly display errors if any (bad floppy)

    - fix typo in local IP network address to fetch real public IP (sf1369617)
    - fix GET string during fetch real public IP (sf1396470) and use proxy
    - add cjb.net, everydns.net providers and remove hn.org
    - move freedns and regfish to https exchanges
    - change URL for zoneedit

    - Fix icmp bug (sf1373594)
    - add sorting & filtering of the table
    - fix minor xhtml compliance issues

    - change duplicate dhcp fixed lease detection (Tapani suggestion)
    - highlight duplicate MACs
    - new option need to be created no space 'code nnn=xyz'
    - allow more char in rootpath/filename options (sf1365534)

    - fix minor xhtml compliance issues

    - fix save that erase update signature date
    - fix stop of ids in 1.4.11rc1

    - fix destination range check (sf1226089)

    - have an uniform policy in setup and web GUI
    space, ' and " are not allowed
    6 characters password is the minimal length in both interfaces

    - fix minor xhtml compliance issues

    - use the proxy port number set in web interface
    - support squid extension_methods
    - add an option to repair the cache
    - fix 'flush cache' option

    - allow a programmed shutdown/reboot

    - include version number in update log message

    - fix minor xhtml compliance issues
    - fix CRL dir and filename
    - move randfile and cakey.pem out of /var/ipcop/ca to remove warnings (need
    to include in upgrade)
    - add leftid/rightid parameters to extend interoperability with other peers
    - remove 'raw' debug option, not usable (too much data)
    - add overridemtu option
    - allow %defaultroute as local name for this side of VPN (sf1418529)
    - correctly enable creation of Roadwarriors (sf1436828)
    - add subjectAltName (rfe sf1365911)
    - add a pkcs12 import while creating a connection
    - allow use of DN,FQDN,IP for authentication (sf #1418533)
    - compression+vhost can work together: disable check
    - set compression off by default for better compatibility
    - Fix unneeded test preventing using more than once a cert (sf1171139)
    - add aggressive mode option (rfe sf1359865)
    - PFS advanced option was not cleared when saving params in basic GUI
    - Integrate vpn-watch from Daniel Berlin (used for net-to-net only)
    - Fix certificate export with IE and Opera, now the box to register to disk
    really open
    - Check the subjectaltname field and filter error output
    With access on vpn configuration page controlled by admin password, it
    was possible to include html code in this field
    html code was executed because of error display without filtering of

    - fix reconnection done even in manual and pure RED setting
    - fix Ping disable option only working correctly with RED interface up (SF
    - restart squid during rc.updatered (should fix sf1077113)
    - allow selection of only pap or only chap with fritzdsl to be effective

    - fix 'single' mode booting used for password recovery (sf1349440)
    - fix kernel displaying nonexistent partitions with unpartitioned fat device
    (integrated in 2.4.33)
    - fix syslogd and klogd users and start now syslogd as syslogd uid

    - support build from precompiled toolchain package
    - to work with very old or brand new distribution
    - to spare build time
    - package available when the building machine is a i586 or a i686
    You can upload the corresponding prebuild toolchain with
    ./make.sh gettoolchain
    If you want to build your own package, do
    ./make.sh clean && ./make.sh toolchain
    - supply a collection of all needed packages sources used to build in an .iso
    - split compilation log in different stages log files
    - strip from chrooted /tool/strip
    - initrd is rebuild every time the installer is more recent
    - during compilation, disable ipsec.secrets generation to workaround with a
    kernel >2.6.11.x on the running machine for a potential empty entropy pool
    - at the end, move .iso and *.tgz from build/install to root dir instead of
    copying to save place on disk

    Support Latin-2 for rrdtool
    Upgraded packages
    - dhcp-3.0.4,
    - dnsmasq-2.33 and remove ipv6 support we don't use,
    - gnupg-1.4.5 and trim unused features,
    - hdparm-6.6 (mainly support ATA7 detection),
    - iana-etc 2.10,
    - iptables-1.3.5,(pool extension no more available,string extension is
    reverted to code in v1.3.3)
    - ipac-ng-1.31,
    - libpng-1.2.12,
    - squid-2.5.STABLE14 plus patch,
    - openswan-1.0.10,
    - vlan.1.9. (cosmetic)
    Fix openssl compiled previously for 486 (sf bug #1363150)

    Add Afrikaans, Gujarati, Japanese, Persian (Farsi), Slovak languages to web
    interface and installer

    - support installation from usb key
    - support restoration from usb key and network (http/ftp)
    - display version on first screen message
    - no more need of scsi floppy to support scsi cdrom/disk when not booting
    from floppy
    - explain 'no echo for password' message
    - use syslinux-3.11
    - fill URL box with http:// as it may not easy to type : on unmapped
    - keep the URL in case the file is not found (easier to understand what was
    previously wrong)
    - Fix SiS965L chipset detection
    - Fix mptscsih configuration during install

    Please report any problems in IPCop sourceforge bug tracking system or on devel list.

  19. Anti-Trend

    Anti-Trend Nonconformist Geek Staff Member

    IPCop 1.4.13 Released!

    IPCop 1.4.13 was released today. Here's the complete release announcement, wrapped in "code" tags so it doesn't take a whole page by itself.

    IPCop is a friendly firewall solution protecting networks running on linux.
    It will be geared towards home and SOHO users. Interface is task based.
    Hardware requirement could be very minimal and grow with services used.
    This release update a few tools due to security issues, fix bugs and update
    drivers. You are encouraged to update from previous releases as soon as you
    IPCop v1.4.13 is released unchanged from 1.4.13rc1.
    As usual, this version can be installed as an update from previous v1.4.x
     versions or with a ready-to-go ISO or usb bootable images for a fresh
    Update is split in two parts due to space limits on small configurations.
    Install the two updates and reboot mandatory.
    Kernel-2.4.34 is provided. This kernel update may cause trouble with
    add-ons not compiled for this kernel.
    An iso for alpha is provided again for 1.4.13 release.
    It is intended that starting from 1.4.13, alpha version will be released in
    same timing as i386 version. No update from alpha v1.4.0 version will be
    published as the gap is too much important. You would have to backup and
    install again.
    Files are available on 'IPCop' package at
    If you want to compile from sources, a new .tgz is supplied that gathered
    external sources from Ipcop.
    You don't need to load that package from sourceforge on your own. On a new
    tree, ./make.sh getothersrc will do that for you and check file integrity
    to untar all sources packages in cache directory.
    Three different usb images are available to boot from usb as some bios may
     with one format and not others:
    - fdd is an unpartitioned usb key
    - hdd is partitioned like an hard disk
    - zip is partitioned like a zip (work with real usb zip device too)
    - pxe is a package ready to use for pxe boot (instructions inside)
    Please report any problems in bug tracking system or on devel list.
    Summary of changes
    - fix initrd not build with raid device
    - allow to pass parameters on boot line to the installer:
      swapfilesize and lang parameters are implemented
    - split the boot information page in three nice pages
    - add memtest option on cd or pxe boot
    - fix memory requirement on network install. This is now 12MB like with cd
    - rename big package with all external sources package from source to
      name. This is no more an iso, just a tar.bz2 that will be uncompressed on
      cache directory when loaded with ./make.sh getothersrc
    - changes files names with $VERSION always in second position to sort in
      http://prdownloads.sourceforge.net/ipcop (SF make this directory no more
      reachable actually)
    - backport KVER trick from 1.5 so that we no more need to adjust
      every time kernel version is upgraded.
    - compilation work again on alpha but testing is needed
    - rename cache/iptables-fixed to iptables-fixed-for-1.4 to prevent conflict
    when same cache is used with both versions
    - strace is compiled but not include (could be used in ./make.sh shell or
    copied manually)
    - exclude blue drivers from drivers.img, this let 250kB free to include new
    drivers for install from green card
    - kbd gzip files without timestamp, files are smaller and md5 no more vary
    at each compilation
      Due to the very small gain, modified files are not include in update (only
    on new install)
    Add Bulgarian, Catalan and Urdu langs to web interface
    Update apache to 1.3.37
    Update dhcp to 3.0.5
    Update e1000 driver to 7.3.15 (out of kernel version)
    Update fcron to 3.0.1, this should allow to reset cron timestamp when the
      is set back from the future.
    Update gnupg to 1.4.6 CVE-2006-{6169,6235}, don't link with libusb
    Patch gzip for CVE-2006-433{4,5,6,7,8}
    Update openssh to 4.5p1 (update sshd_config to listen to IPv4 only with
     'AddressFamily inet')
    Update openssl to 0.9.7l CVE-2006-{2937,2940,3738,4339,4343}
    Upgrade pulsar driver to 4.0.22 (There is a new function that display line
     speed, snr and attenuation just after sync)
    Update rp-pppoe to 3.8 (now pppoe change UID to nobody after start)
    Patch tar for CVE-2006-6097 (remove GNUTYPE_NAMES support)
    Update tg3 to 3.66d (out of kernel version)
    Upgrade unicorn to 0.9.3 (support new pci card)
    Add velocityget driver (VIA gigabit driver)
    Upgrade wireless_tools to 28
    Enable wanpipe with 2.3.4-3 version (S514 should work now with one setting,
     S518 should work in the future)
    Upgrade linux kernel to 2.4.34+Wireless Extension 18
    - remove compilation timestamp include in source code of some modules,
    - gzip modules without timestamp,
    This make everyone that compile same sources to produce exactly same modules
     with same md5
    Fix crash in restartsquid depending of vpn configuration SF # 1545498
    - writehasharray was allowed to write empty line.
    - fix new netcard allocation once an RED ethernet interface has been up.
      RED_DEV interface was not set down by rc.netaddress.down. So rmmod
      fail to unload the driver.
    - stop firewall after rc.netaddress.down call to allow start just after
    - fix rc.amenynusbadsl start as detection based on 'ADSL USB modem' only
      the modem plugged in and not if the module is loaded or not
    - support '103 MADSLU' modem
    - remove speedtouch support with this module, this may be confusing
    - refresh ppp/secrets when switching to another profile sf #1557321
    rc.netaddress.up rc.network
    - shift firewall start from rc.network to rc.netaddress.up to fix SF
    #1565164 bug
      This allow to update ORANGE and BLUE specific rules when those interfaces
      are added/removed
    - fix a warning on atm module cleanup
    - on stop, only stop a 'RED is modem' interface when 'RED is modem' is
    - add support of wanpipe-serial
    - wanpipe-adsl is not yet ready
    - add 'use Net::SSLeay;' so that addons could call FetchPublicIP
    - add NextIP function
    - fix setaliases when toggling enable/disable button and alias name was
    - fix status checkbox on the editing page always enabled from an existing
     (sf #1611456)
    - Give color priority to vpn over red, green, blue, orange.
    - fix gre protocol display
    Output from ip_conn_track_gre (patch iptables 1.3.5?) changed
    by removing some fields (protocol & version).
    - Support namecheap.com, RegisterFly.com and dnsmadeeasy service providers
    - Fix selfhost.de mandatory fields and log message
    - make OVH use same code as others and use https
    - transmit the hostname to reuse it as a 'comment' in newly created fixed
    - enhance the determination for IP address used while importing a fixed
    - RFE #1572801, allow all combination of array, record in option definition
    - fix : it was possible to update an option definition with a false
    - fix : it was possible to add more than one option per option definition.
    - handle error message from rules update
    Allow to read the error message when refreshing the rules at a too short
     interval time. After downloading rules, a delay is instituted before next
     download is open. Display this message that is more explicit (but in
    - add wanpipe-adsl and wanpipe-serial interface
      wanpipe-serial should work with S514
    - add missing check for LOGGING input
    - add an option to allow real separation from BLUE to GREEN when used as
      transparent proxy
    On some fast machines, there was not enough time to change to index.cgi
     apache has been shut down. Handle that a different way. Start the helper in
     background and make the helper slower than the page to refresh.
    - fix disk usage display when the devicename is too long
    - allow more characters in the PSK. Only the single quote cannot be used
    Add a pale grey add image to represent disabled state.
    All pages
    Log when referer is bad on web interface
    - warn 'vpn incompatible use of defaultroute' as local VPN hostname breaks
      Net2Net with PSK sf#1548065
    - vpn-watch: --rereadsecrets is necessary with shared keys
    - vpn-watch: Handle the case where the 'pipe' had been left alone for some
    Nota bene :
    IPCop 1.4.11 release announce did not reach marc archive system for unknown
    reason but is readable on www.ipcop.org or on sourceforge mailing list
    You can download the standalone 1.4.13 installer here. If you're already running an earlier version of IPCop, simply use the links on the update page.
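Why the 1.4.13 changelog gzips kbd files and kernel modules "without timestamp" so that the md5 no longer varies and the files get smaller, as an added example (not IPCop build code). The gzip header stores the source file's name and mtime; the sample data, the name `sample.map` and the two timestamps are constructed.

```python
import gzip
import hashlib
import io
import struct

FEXTRA, FNAME = 0x04, 0x08  # flag bits in the gzip header (RFC 1952)


def gzip_with_metadata(data, name, mtime):
    """Like plain `gzip file`: original name and mtime go into the header."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf, mtime=mtime) as gz:
        gz.write(data)
    return buf.getvalue()


def gzip_reproducible(data):
    """Like `gzip -n`: no stored name, MTIME field set to zero."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(data)
    return buf.getvalue()


def header_fields(blob):
    """Extract the two header fields that make gzip output build-dependent."""
    magic, method, flags, mtime, _xfl, _os = struct.unpack("<HBBIBB", blob[:10])
    if magic != 0x8B1F or method != 8:
        raise ValueError("not a gzip/deflate stream")
    name = None
    if flags & FNAME:
        pos = 10
        if flags & FEXTRA:  # optional extra field precedes the name
            pos = 12 + struct.unpack("<H", blob[10:12])[0]
        name = blob[pos:blob.index(b"\0", pos)].decode("latin-1")
    return {"mtime": mtime, "name": name}


def compare_builds():
    """Compress identical input as two builds an hour apart, both ways."""
    data = b"keycode 1 = Escape\n" * 50          # constructed stand-in file
    first = gzip_with_metadata(data, "sample.map", 1_168_000_000)
    second = gzip_with_metadata(data, "sample.map", 1_168_003_600)
    fixed_a = gzip_reproducible(data)
    fixed_b = gzip_reproducible(data)

    def md5(b):
        return hashlib.md5(b).hexdigest()

    return {
        "timestamped_md5_equal": md5(first) == md5(second),
        "reproducible_md5_equal": md5(fixed_a) == md5(fixed_b),
        "bytes_saved": len(first) - len(fixed_a),   # stored name + NUL byte
        "first_header": header_fields(first),
        "fixed_header": header_fields(fixed_a),
    }


if __name__ == "__main__":
    for key, value in compare_builds().items():
        print(f"{key}: {value}")
```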
  20. Karanislove

    Karanislove It's D Grav80 Of Luv

    Hi AT, I would really love to work with this stuff but before setting it up on a different piece of hardware I would love to try it out... Is there any VM Ware software that would let me work with this on XP HOME?? Thanks
