LinuxQuestions.org
Old 01-15-2009, 01:15 PM   #1
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Rep: Reputation: 30
Is slackware good for a stand-alone firewall?


Hi all,

Veteran UNIX/Linux dude here since the 70's, haven't tried slackware in about 6? years. For the past few years, I've used Debian for my custom corporate multi-nic firewalls. My firewalls run things like shorewall, squid, dansguardian, dnsmasq, webmin, psad, fwsnort, nmap, iftop, ntop, etc.

Here is my corporate firewall howto, if you are interested in how it's done in Debian:

http://www.abazaba.org/debian/firewall.html

HOWEVER.........

As you can guess, Debian STABLE has some VERY old packages. The dansguardian package version is from 2005! Lenny/testing is better, but still can lag a year or more for packages.

I'm tired of old packages. I want to run current packages. I also want to run a current kernel and libraries. I've decided I want to download and compile the latest and greatest for my firewall. However, I want a distro that is solid, and isn't going to break my firewall. I want a distro where I can download and install the latest firewall stuff, and have a reliable platform.

This IS for production use. All the employees here depend on 100% reliability. So far, Debian has served us flawlessly for years, but I'm tired of old packages. I'm the IT Director, so I get to pick and choose what we use.

I'm currently considering slackware, gentoo, freebsd and openbsd.

I'm curious if anyone here runs a custom dedicated firewall on slackware (no, not some lame personal firewall, I'm talking multi-NIC dedicated firewalls). I'd especially love it if anyone here runs things like squid/dansguardian on their slackware firewall.

Thanks for reading
 
Old 01-15-2009, 01:40 PM   #2
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Rep: Reputation: 30
I guess I should add: this is a headless server (firewall). I couldn't care less about a gui, audio, etc. Command line only (as it should be). I want to keep cpu and memory usage at a minimum. Disk space is cheap, so not too worried about that. I'll keep source code for everything.

If I do end up building a slackware firewall, and it fits my requirements nicely, then I'll update the above firewall howto document to slackware.
 
Old 01-15-2009, 05:16 PM   #3
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 229
I've been running Slackware as a firewall in schools and businesses for many years... always stable and never had any problems (that I can remember) that weren't hardware related.

I run mail servers (Postfix), web servers, ftp servers (pure-ftpd), Dansguardian, Squid and many other services on them.

As long as you are happy building your own packages and don't expect to be able to "apt-get" your way through things I'm sure you'll find it more than satisfactory.

I think you'll find that many of the things people complain about with Slackware are actually its strengths.
 
Old 01-15-2009, 05:45 PM   #4
amani
Senior Member
 
Registered: Jul 2006
Location: Kolkata, India
Distribution: Debian 64-bit GNU/Linux, Kubuntu64, Fedora QA, Slackware,
Posts: 2,766

Rep: Reputation: Disabled
Slackware can be adapted for the purpose, but it will be better to use a hardened distro meant to be used as a firewall. There are a few slack based ones as well.

See www.distrowatch.com for more details
 
Old 01-16-2009, 11:05 AM   #5
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by amani
Slackware can be adapted for the purpose, but it will be better to use a hardened distro meant to be used as a firewall. There are a few slack based ones as well.

See www.distrowatch.com for more details
That's why I'm also considering OpenBSD, although I'm confident in my ability to secure my firewall, and have to consider the differences between bsd and slackware.
 
Old 01-16-2009, 11:12 AM   #6
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by mRgOBLIN
I've been running Slackware as a firewall in schools and businesses for many years... always stable and never had any problems (that I can remember) that weren't hardware related.

I run mail servers (Postfix), web servers, ftp servers (pure-ftpd), Dansguardian, Squid and many other services on them.

As long as you are happy building your own packages and don't expect to be able to "apt-get" your way through things I'm sure you'll find it more than satisfactory.

I think you'll find that many of the things people complain about with Slackware are actually its strengths.
Thanks, that is the type of feedback I'm looking for. If you've run them for years (in a production environment) with no problems, it's probably a good platform.

apt-get is great, sure, but no, I'm fine with fetching and compiling myself. It's been years since I did any compiling, I guess I'm overdue. It will be nice to build my own kernel again, and tweak everything just right.

I just downloaded the slackware dvd, giving it a go. I have two machines I can experiment on. One will be the full install, the other minimalistic. There goes my weekend!

Thanks
 
Old 01-17-2009, 02:54 AM   #7
saulgoode
Member
 
Registered: May 2007
Distribution: Slackware
Posts: 288

Rep: Reputation: 155
If I may be so bold as to offer up a couple of tips and points of possible concern (please don't be offended if you feel I am stating the obvious).

Eventually, you will probably want to subscribe to the slackware-security mailing list to be notified when security updates are available. If you don't want to subscribe (especially during your trial period), you can just visit the Changelog periodically. There are some tools available for automating upgrades but I have never found them to be necessary -- typically about a half dozen updates appear every month (mostly Mozilla-related), and it is not that difficult to keep up to date.

If you install a package and are unsure if you have installed its dependencies, you can find out the dependencies by running 'ldd' on the binaries and/or libraries in the package. If you are installing binaries, it is not a bad idea to execute the binary to ensure that the requisite libraries are installed. For example (admittedly a dumb one), if you installed the OpenSSH package but failed to install the Secure Sockets Layer libraries, running 'sshd' would inform you of this fact; whereas you otherwise might not find out until Inetd tried to start 'sshd' (yes, it should be noted that Slackware ships with Inetd, not Xinetd).

Also, note that the CRON that ships with Slackware (Dillon's CRON) is a simpler version than the CRON provided with Debian. There is no /etc/crontab environment configuration and jobs use /bin/sh (rather than the user's shell specified in /etc/passwd).

Last edited by saulgoode; 01-17-2009 at 10:17 AM.
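
The `ldd` dependency check described in post #7, as an added example that is not part of saulgoode's post: it reads an installed package's file list and reports libraries the dynamic linker cannot resolve. It assumes the pkgtools database entry lives under /var/log/packages/ and lists files after a "FILE LIST:" line; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report shared libraries that an installed package needs
# but the dynamic linker cannot find.

# pkg_files ENTRY: print absolute paths of the files listed in a pkgtools
# database entry (everything after the "FILE LIST:" line, directories skipped).
pkg_files() {
    awk 'seen && !/\/$/ { print "/" $0 }
         /^FILE LIST:/  { seen = 1 }' "$1"
}

# missing_libs: read ldd output on stdin, print each unresolved soname once.
missing_libs() {
    awk '/=> not found/ { print $1 }' | sort -u
}

# check_pkg ENTRY: run ldd over the package's executable files (shared
# objects are normally installed mode 755, so they are included). Files that
# are not dynamic ELF objects make ldd fail; those are ignored.
check_pkg() {
    pkg_files "$1" | while IFS= read -r f; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        ldd "$f" 2>/dev/null || true
    done | missing_libs
}

# Constructed sample of ldd output for a binary with one missing library.
sample_ldd_output() {
    printf '\t%s\n' \
        'linux-gate.so.1 =>  (0xffffe000)' \
        'libexample.so.1 => not found' \
        'libc.so.6 => /lib/libc.so.6 (0xb7d5c000)' \
        '/lib/ld-linux.so.2 (0xb7f0e000)'
}

# Usage: sh check-deps.sh /var/log/packages/<package-entry>
if [ "$#" -gt 0 ]; then
    check_pkg "$1"
fi
```

`ldd` can execute code from the file it inspects, so run this only against packages from a source you trust; `objdump -p FILE | grep NEEDED` lists the required sonames without loading the file.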
 
Old 01-17-2009, 08:25 AM   #8
dguitar
Member
 
Registered: Jun 2005
Location: Portland, ME
Distribution: Slackware 13, CentOS 5.3, FBSD 7.2, OBSD 4.6, Fedora 11
Posts: 122

Rep: Reputation: 17
Slackware would make a great firewall device - if you know what you are doing.

If this truly is production and you aren't 100% sure what you are doing, you may want to hire someone / buy a device. Another option of course is using a distro designed for this, such as IPCop, ClarkConnect, pfSense (based off FBSD, my personal favorite) or the many others out there.

Can someone point out to me Slackware based distros designed to be standalone firewall/routers? I've never heard of any.
 
Old 01-17-2009, 08:48 AM   #9
bgeddy
Senior Member
 
Registered: Sep 2006
Location: Liverpool - England
Distribution: slackware64 13.37 and -current, Dragonfly BSD
Posts: 1,810

Rep: Reputation: 231
Quote:
Can someone point out to me Slackware based distros designed to be standalone firewall/routers? I've never heard of any.
SentryCD is a Slackware based firewall distro. I've not used it myself.
 
Old 01-17-2009, 09:50 AM   #10
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Rep: Reputation: 30
Hi saulgoode! I see you are on this forum too

Thanks for the above, that is a ton of very useful information, and no, I didn't know any of it. I may be new to slackware, but not linux. Keep 'em coming

Quote:
Originally Posted by dguitar
Slackware would make a great firewall device - if you know what you are doing.
I agree. I think it will make a great firewall device. Respectfully, please take a look at my firewall howto I wrote for Debian (link above), and tell me if you think I know what I'm doing (I'm not trying to be rude). It's in both pdf and odt format. I may be new to slackware, but I do have some experience building complex firewalls on other distros. This has been a personal pet project of mine for years.

Quote:
Originally Posted by bgeddy
SentryCD is a Slackware based firewall distro. I've not used it myself.
I've tried a number of the "ready made" firewalls. They are all fine, but none of them do everything I want to do. That's why, years ago, I set out to learn to build my own. I enjoy the challenge of building my own. It makes me better at learning the innards of each package installed.

Thanks everyone for your feedback, this is good stuff. I built the first machine, and started building my packages. So far, so good. I love how clean and simple slackware makes things. At last, I can run the latest and greatest

I'm going to work on this first box all weekend, and will post some updates here. I appreciate everyone's help!

Regards
 
Old 01-17-2009, 12:49 PM   #11
bgeddy
Senior Member
 
Registered: Sep 2006
Location: Liverpool - England
Distribution: slackware64 13.37 and -current, Dragonfly BSD
Posts: 1,810

Rep: Reputation: 231
Quote:
I've tried a number of the "ready made" firewalls. They are all fine, but none of them do everything I want to do. That's why, years ago, I set out to learn to build my own. I enjoy the challenge of building my own. It makes me better at learning the innards of each package installed.
Yes - me too. I have set up a Slackware box to act as a router / firewall / DHCP / DNS / proxy server with iptables, dnsmasq and squid. Although this only served a network of around six clients it was a great learning experience and it worked very well.
 
Old 01-17-2009, 02:37 PM   #12
tuubaaku
Member
 
Registered: Oct 2004
Distribution: Slackware, Mint
Posts: 122

Rep: Reputation: 16
I run a "lame personal" headless Slackware setup with iptables, dnsmasq, squid, and dan's guardian. I'll be interested to read about your experience, especially if you want to write up a Slackware howto.
 
Old 01-18-2009, 01:05 AM   #13
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 2,378

Rep: Reputation: 936
Most of the things you mention using in your howto are available as add-ons at SlackBuilds.org, and there are a few others that I think you'll find useful (ulogd and perhaps xtables-addons as a couple of examples). I don't have anything quite as complex as what you need in production use, but I'm close - I've got a router/firewall serving dhcp with dhcpd integrated with bind (instead of using dnsmasq as a combination solution for those two), httpd, vsftpd, squid, nfsd, samba, and perhaps a few other things. For a small/medium network, the convenience of a single multi-purpose server outweighs any "security" concerns, especially if the httpd stuff is pretty much just static content.

Long story short, I think you'll find that Slackware is a very good solution for what you want, although it's certainly not the only one that would be acceptable. I personally wouldn't use Gentoo for this purpose, as there seems to be too much potential for breakage due to the "rolling release" concept (although I'll concede that I'm not terribly familiar with Gentoo, so perhaps I'm at least a bit off the mark with that). If I were going to use a BSD for this, I'd go with OpenBSD, although again, that's largely because I'm already a bit familiar with it, plus I *know* that its security record is good.
 
Old 01-18-2009, 01:40 PM   #14
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 219

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by rworkman
Most of the things you mention using in your howto are available as add-ons at SlackBuilds.org, and there are a few others that I think you'll find useful (ulogd and perhaps xtables-addons as a couple of examples).
Hi there, thanks, I'll take a look at ulogd and xtables-addons. I did indeed find almost all of the packages I need on slackbuilds. I didn't find shorewall, psad and fwsnort, but they appear to support slackware directly in source. I'm going to make slack packages for those, and post them on my website. So far, I like slackware.

Quote:
Originally Posted by rworkman
I don't have anything quite as complex as what you need in production use, but I'm close - I've got a router/firewall serving dhcp with dhcpd integrated with bind (instead of using dnsmasq as a combination solution for those two), httpd, vsftpd, squid, nfsd, samba, and perhaps a few other things.
Years ago, I used bind with dhcpd. It's overkill for my purposes, not to mention a pain to set up, so I replaced it with dnsmasq. I'm also considering replacing squid with tinyproxy... squid is overkill as well. I used to host server stuff like samba on my box, but we have plenty of boxes, so I moved all server stuff to different machines. No offense to samba fans, but it sucks compared to windows servers. Windows outperforms, and is much easier to configure.

Quote:
Originally Posted by rworkman
For a small/medium network, the convenience of a single multi-purpose server outweighs any "security" concerns, especially if the httpd stuff is pretty much just static content.
Not just for security, but for reliability, minimizing disruptions. When needed, I can reboot the firewall without disrupting internal people accessing servers, and can also reboot the servers without disrupting people connecting to the Internet. Just trying to keep user satisfaction higher (and no, I don't reboot often, but it happens).

Quote:
Originally Posted by rworkman
Long story short, I think you'll find that Slackware is a very good solution for what you want, although it's certainly not the only one that would be acceptable. I personally wouldn't use Gentoo for this purpose, as there seems to be too much potential for breakage due to the "rolling release" concept (although I'll concede that I'm not terribly familiar with Gentoo, so perhaps I'm at least a bit off the mark with that). If I were going to use a BSD for this, I'd go with OpenBSD, although again, that's largely because I'm already a bit familiar with it, plus I *know* that its security record is good.
I agree. I think slackware will make a fine platform. I like slackware, and don't mind manually updating things, but there is a lot to be said for simplifying the update process. I'll give Gentoo a try too. If it proves to be just as reliable, can run just as recent software, yet simplifies updates, it will be a fine choice too.

I'm not sure about the BSD's. True, they are more secure, but they are not linux, and are a different beast altogether. It's been years since I messed with the BSD's, so I'll probably take another look.

One thing is for sure, I would never build a production firewall on ubuntu, fedora or suse (I've done it actually). That six month madness of upgrading (and breaking) stuff is just plain suicide for any network administrator. Gentoo may get added to that list if it breaks stuff too, we'll see.

Great feedback, thanks!
 
Old 01-18-2009, 02:35 PM   #15
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Rep: Reputation: 50
Hi drokmed, and everyone,

BTW, (BSD's) PC-BSD -- I'm only aware it exists nowadays (not had time to check it out)

Just curious here -- I'm guessing that the smoothwall distro would be optional in your case since you have the expertise needed to create your own stand alone firewall.

I've not used smoothwall since the early days of its 2.0 version.

But I wonder what your thoughts are about that distro.

At smoothwall used to have forums and mods too.

Today I'm on (at&t) DSL modem and also a router:
http://support.dlink.com/products/vi...uctid=WBR-2310

And each Slackware box on my small lan has its own single interface firewall.

I'm novice, perhaps intermediate (I've not sufficient sys admin experience to setup as per your stand alone firewall howto for Debian), not without more learning curve and time that I likely will not have (time) for a while.

But, firewall, security, *is* an area of interest for me.

Some years back when it was at the 2.0 version, back then on dialup, I used the next

They (in the distro itself) used to use Perl quite a lot

http://distrowatch.com/table.php?dis...ion=smoothwall

http://smoothwall.org/

http://forum.redwall-firewall.com/vi...a06cb5c0759977

--
Alan.
 
  



All times are GMT -5. The time now is 10:17 PM.
