Old 01-25-2007, 12:15 AM   #1
jantman
Member
 
Registered: Nov 2005
Location: New Jersey, USA
Distribution: SuSE
Posts: 492

Rep: Reputation: 31
Firewall Distro - install additional software?


I'm going to be setting up a firewall/router. Originally I bought a Soekris net4501, but decided to use an older desktop for the task.

So, I'll probably end up using SuSE for the base distro, as I haven't been able to find a suitable pre-tailored firewall distro.

The requirements which aren't met by most firewall distros are:
1) Need to be able to install additional software, such as NRPE daemon for Nagios, rkhunter, etc.
2) Would REALLY like to have shell access, it makes me feel more comfortable.
3) Need to be able to customize logging via syslog-ng - i.e. log both locally and to a LAN host.
4) This will be a headless server after initial setup, so I need to be able to administer everything remotely.
5) I do NOT want administration over the WAN without a workaround unless I have to. I would consider Webmin with a restricted user and HTTPS, but would prefer having to SSH into a LAN server (will have SSH passed thru firewall to one server) and then back into the firewall.
6) SMTP support.

Any ideas? Recommendations? Is this complex enough that I should just build one from the ground up with SuSE?
 
Old 01-25-2007, 08:04 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Which firewall distros did you review? Because I don't see the problem. IMHO, and by my taxonomy, none of the points you posted are of real concern wrt aspects of security. And none should be a problem with (FW) distros that can be installed on a HD. If you are more comfortable building one up using SuSE, then why not? Any way you choose it's GNU/Linux and that spells flexibility and such...
 
Old 01-27-2007, 12:20 AM   #3
jantman
Member
 
Registered: Nov 2005
Location: New Jersey, USA
Distribution: SuSE
Posts: 492

Original Poster
Rep: Reputation: 31
I've decided to just build one from SuSE.

I looked into IPcop, m0n0wall, etc. and none of them support a real way to install software. Even with HDD installation, they all have SSH disabled, and no real way to install additional software.

I already have working configurations of everything I need, as well as a plethora of admin scripts, for SuSE, so I'll just go with that.

The main issue that I'll have to tackle is setting up a relatively easy administration interface for configuration of the firewall. I can't seem to find any popular CLI/Ncurses tools (though I haven't done a full search yet). I'll probably start with webmin and, if need be, write my own admin tool and GPL it.
 
Old 01-29-2007, 03:25 PM   #4
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
I'd be very interested to see it when it's ready.

I'm currently using SmoothWall Express 2 & I've been considering looking seriously at IPCop. One of my concerns is the ability to easily install new software w/o worrying about breaking things. I decided shortly after I started using SWE that it is too much of an integrated pkg. for me to mess w/ safely.

About the only non-standard tweaks I have made are to dnsmasq.conf to block a variety of advertising & malware sites.

I would strongly recommend considering dnsmasq for your DHCP/DNS server -- its domain to IP mapping (read "blocking") syntax is little more complicated than that of a hosts file, yet it maps (blocks) whole domains as well as single hosts. (If you've ever encountered a 45,000 line, let alone a 450,000 line ad etc. blocking hosts file, you will appreciate the savings & simplicity.)

It also serves the FW's hosts file as if it were a "master" hosts file. This is especially convenient if you use DHCP to serve fixed IP addresses, you can then put the assignments, including aliases, in the FW's hosts & have them available across your network w/o the hassle of maintaining a copy on each box.


I take it you want to understand your FW by building it, rather than analyzing someone else's work that you picked as a starting point. I assume that re-working IPCop, for instance, would be more work & less fun than starting from a SuSE base.

I believe all the IPCop code is GPL'ed, so you might be able to adapt their web interface.

I am curious, btw, did IPCop really fail all 6 of your criteria? Since I am thinking of moving to it, any insight would be appreciated.

One last Q: why SMTP? For a full mail server, or something else?
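
Added example, not part of archtoad6's post or of the thread: a Python sketch of the hosts-file versus dnsmasq comparison described above, turning a hosts-format blocklist into a shorter set of dnsmasq `address=` lines. The sample blocklist, the `example.net`/`example.org` names, the function names and the 127.0.0.1 sink address are assumptions made for illustration; `address=/domain/ip` is dnsmasq's own syntax and answers for the domain and everything under it.

```python
# Constructed sample of a hosts-format blocklist (not real data).
HOSTS_BLOCKLIST = """\
# ad/malware hosts, one line per host
0.0.0.0 ads.example.net
0.0.0.0 track.ads.example.net
0.0.0.0 cdn.ads.example.net
127.0.0.1 banner.example.org
0.0.0.0 pixel.example.org   # trailing comment
"""


def parse_hosts(text):
    """Return the set of hostnames found in hosts-file formatted text."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:  # first field is the address, the rest are names
            names.update(f.lower().rstrip(".") for f in fields[1:])
    return names


def covered_by(host, domain):
    """Mirror dnsmasq's address=/domain/ matching: the domain itself or any
    name below it, compared on label boundaries (notads.x is not ads.x)."""
    return host == domain or host.endswith("." + domain)


def to_dnsmasq(hosts, whole_domains, sink="127.0.0.1"):
    """Emit one address= line per domain the operator chose to block whole,
    plus one per remaining host that those domains do not already cover."""
    whole = sorted(d.lower() for d in whole_domains)
    lines = [f"address=/{d}/{sink}" for d in whole]
    leftover = sorted(
        h for h in hosts if not any(covered_by(h, d) for d in whole)
    )
    # Note: dnsmasq also applies each of these to names below the host.
    lines += [f"address=/{h}/{sink}" for h in leftover]
    return lines


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_BLOCKLIST)
    conf = to_dnsmasq(hosts, ["ads.example.net"])
    print(f"{len(hosts)} hosts entries -> {len(conf)} dnsmasq lines")
    print("\n".join(conf))
```

Which domains are blocked whole is left to the operator here, since a wildcard on a shared parent domain would also sink names that were never on the list.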
 
Old 01-30-2007, 12:47 AM   #5
jantman
Member
 
Registered: Nov 2005
Location: New Jersey, USA
Distribution: SuSE
Posts: 492

Original Poster
Rep: Reputation: 31
Well, it's done and running. I have everything finished, except for the VPN, which (given that I have a dynamic IP and the client is behind NAT) will take some work.

I went with IPcop. There's an option in the web interface to enable SSH, and this gets me a root command line on the machine. The only major issue that I ran into is the lack of a package manager. If I can find out what distro (if any) it was based on, perhaps I can install rpm or apt. For now, I'm going to be setting up GCC on it for some basic installation... though the filesystem is organized differently from the SuSE that I'm used to.

There are some good addons packages for IPcop, though as far as my quick research could tell, there's no widely accepted package manager. As long as I can get GCC on it (and the required libraries), it will be a bit of a pain, but I can live with it.

Right now I'm using the IPcop default DHCP server (which supposedly can have options added in the config file manually), but in the future I plan on adding a DNS server when I migrate to DNS and LDAP for the LAN.

To specifically answer your last questions:
Getting all of the information on IPcop wasn't easy. Eventually, I decided to just give it a shot, and it worked. I had the base SuSE system installed, and was really liking it, but after coming up dry in my search for a firewall GUI (I can handle the configuration initially by hand, but if I just want to open one port to test something, a GUI is much easier) that also handles NAT, I decided to give IPcop a shot.

Once I found the SSH option for IPcop, things moved smoothly...

Yes, I run a full mailserver using SMTP and IMAP. Given my dynamic IP, a mail server has a few issues - primarily the fact that it's not redundant (anything sent directly may have issues if there's a hiccup) and that since it doesn't reverse-validate, most big ISPs reject the mail.

I solved this by forwarding all of my email accounts to a POP address at my ISP, then using fetchmail every 2 minutes to pull the mail down to my server. Mail is stored locally and accessed either with Thunderbird via IMAP or with squirrelmail as a web gateway. For outgoing, all of my mail clients send via SMTP (with Cyrus SASL auth), which then relays via my ISP's server (once again with SASL auth).

The only big issue in this was getting sending to work remotely... the LAN that my remote client is on blocks port 25, so I just forwarded port 10008 on the WAN to 25 on the server.
 
Old 02-01-2007, 08:54 AM   #6
OldNerdGuy
LQ Newbie
 
Registered: Jan 2003
Posts: 7

Rep: Reputation: 0
Try Endian

Check out Endian

http://www.endian.it/en/community/

It is based on IPCop, includes a considerable number of features, and is SSH accessible.
 
  

