punkwalrus (punkwalrus) wrote,

Linux - Review: IPCop

With the increased attention that Linux is getting as far as security, it's no wonder that more and more Linux-based distros are offering "all-in-one" networking packages. There's Knoppix-STD, which is an excellent Live CD security tool; while it can be installed to the hard drive, it doesn't offer much help for the newbie. Newbies more and more are hearing about "use an old disused computer and build a Linux firewall," but most of them don't have the time or patience to learn Linux, networking, and all that junk. They just want something that can be set up and work! They have that old 486DX2 with 16 MB RAM sitting around with a 1.2 GB hard drive and an extra NIC, and they want to use it! Sure, they could get a geek friend to set up a Gentoo or Slackware setup on that box, but then again, they'd have to rely on the help of that same geek friend when they want to change something. What then? And who's going to patch the kernel from time to time? What we need is something that's almost "set it and forget it" for the average user.

Enter IPCop.


I was also going to try Smoothwall Express, but the requirements were too high for the spare box I had. Not that Smoothwall is unreasonable; it only requires a Pentium 150 with 64 MB RAM. But I had something even lower to contend with...

Poor Gryphon. Gryphon harkens back to the days when I named all my computers after characters from Lewis Carroll's "Alice in Wonderland." At the time I got it, it was the first computer I ever built from scratch (c. 1997). It's a GigaByte motherboard with an AMD K5-133 chip in it. At the time, it was called "Pentium Class," but in reality, most OSes but Win95 see it as an overclocked i486 running at 133 MHz. Over the years, parts have been swapped in and out of it. Currently, it's a repository for "the nearly dead" in hardware. It has 32 MB of EDO RAM, three hard drives of 1.2, 1.6, and 3.0 GB, as well as a "hi-speed" 6x CD-ROM. Most recently, it's had OpenBSD and Slackware on it. Gentoo was to be next, but I ran into the hurdle that the BIOS doesn't have a "boot to CD-ROM" option, and Gentoo doesn't have boot floppies. I was going to use the old savior standby, TomsRtBt, and write about how I did that (there's no good, step-by-step, EZ How-to FAQ on that, just a lot of dead projects and RTFM bourgeoisie out there), but then someone on Madpenguin was working with IPCop and having problems. I looked at the site, and was intrigued.

The download is only 22 MB, which I burned to a mini-CDR. From there I made a boot floppy that would let me mount the CD-ROM and do the install from there. The first problem I ran into was that the boot floppy would crash at "Error 0x10." The FAQ said this was a corrupted floppy, so I imaged it again on another floppy. This also said "Error 0x10." I was writing the image via dd on my Linux box; did I have the settings wrong? No. So I decided to see if the floppy drive was bad, and I burned a copy of TomsRtBt. Floppy drive was fine. Huh. So I imaged a third floppy, and that worked! Two bad floppies: what are the odds? Well, they did come from the same box. After that, the install went pretty much as the documentation states. It found both my NICs (a PCI 3Com Etherlink III and an ISA 3905tx), but did not find my modem (which may be the motherboard's fault; if I recall correctly, it always did have problems with the serial connections).

Now, as a side note, most "EZ-Routers" for the home (like Linksys, Netgear, 3Com, etc.) define your router interfaces as "zones." The Red zone is for the "unfriendly" side of the network, usually your DSL or cable modem that leads to the Internet. The Green zone is for your LAN, or "behind the firewall." Sometimes you'll see Orange or Yellow zones, which are for "DMZ" servers; servers that you want people in the red zone to access, so you have to remove it from your masquerading. Kind of like the info booth in front of the Renaissance Festival. Those who have CCNA or MCSE Network certs may think dividing your network into zones is oversimplified and obtuse. But they are a positive boon for newbies. The White zone, by the way, is for immediate loading and unloading of passengers only.

In my case, the Red zone was a direct connection to my Linksys router, making a new 192.168.1.x subnet in the Green zone (making this my third subnet in the house). The Red zone interface got 192.168.0.13 from the DHCP on my Linksys. I had no Orange Zone (I only had 2 NICs), and I did not park in the White zone ("It's really the only sensible thing to do, if it's done safely. Therapeutically there's no danger involved.").

It then told me to reboot, and my router was ready to go. Almost. I tried to run it headless, but the #$@!&* BIOS doesn't have an "ignore errors if keyboard is not present" option, because it was designed by the insane. When I hooked the monitor back up to it, the BIOS actually said, "Keyboard not found: press F1 to continue or the 'delete' key to setup." ARG! So I left a keyboard hooked up to it. Thank goodness I found the PS2<=>AT keyboard adapter.

Now here's a cool thing, and this shows that people who wrote this stuff care and are thinking: when the OS is ready to go, it beeps a tune (okay, like 4-5 rising notes) via the motherboard speaker. It also does that when shutting down (descending notes). So if you run it headless, you know it's done rebooting. I wonder if it also beeps when it has an error? I'll have to try and find out.

The features IPCop has are amazing. You have DHCP, masquerading, an iptables-based firewall, Snort-based IDS, Squid cache proxying, VPN, DYNDNS, port forwarding, traffic monitors and graphs, and the whole thing can be run via a web interface. Well, almost everything. Under the hood, you have Linux kernel 2.4.22 (after the updates), and /etc/issue states "Red Hat 7.3" is the base distro they start with. This system had 3 hard drives, but IPCop only partitioned and formatted one of them, /dev/hda, which it formatted into four partitions: one for root, one for boot, one for /var/logs (very smart), and one for swap. They are all called weird things, like /dev/harddrive1 and such. On the local side, there is no GUI, and only four logins: root, admin, user, and setup. But who's logging in via the console anyway?

Well, let's say you do want to. The major drawback I see from this install is that the web-based configuration tools have no customization for the firewall. If you want to block some specific ports, you are forced to either do some funky kludge with port forwarding or Squid, or you have to ssh into the box and manually edit iptables yourself. The ssh server is not enabled by default; you have to set it up on the web page, and then somehow find out that they put ssh on port 222 instead of the standard 22. There's a good reason for this, once you finally find out about it: it's put out of the way in case you do some port forwarding to an ssh server behind the firewall. I should have Read The Fine Manual before I checked the ssh scripts. Me = dumbass.
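The "ssh in and edit iptables yourself" route the paragraph describes, as an added example (not IPCop's own firewall script): a minimal Red/Green ruleset that keeps ssh on 222 reachable from the Green side only, answers ident (113) with a TCP reset so a scanner sees it as closed rather than filtered, and adds the per-port blocking the web UI lacks. The interface names eth0/eth1 and the SMTP block are assumptions for illustration; the Green subnet is the 192.168.1.x one from the post.

```shell
#!/bin/sh
# Added example, not IPCop's own rc.firewall: a minimal Red/Green zone
# ruleset in the style the review describes. Interface names, the ssh
# port and the "block SMTP" rule are assumptions for illustration.
IPT="${IPT:-iptables}"            # set IPT="echo iptables" for a dry run
RED_IF="${RED_IF:-eth0}"          # assumed: NIC facing the Linksys/Internet
GREEN_IF="${GREEN_IF:-eth1}"      # assumed: NIC facing the LAN
GREEN_NET="192.168.1.0/24"        # the Green subnet from the review
SSH_PORT=222                      # IPCop's non-standard ssh port

build_rules() {
    # Default deny on INPUT and FORWARD; anything not explicitly allowed is
    # dropped silently, which is why nmap reports such ports as "filtered".
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F
    # Loopback, plus replies to connections the box or the LAN started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Admin access (ssh on 222) only from the Green side, never from Red.
    $IPT -A INPUT -i "$GREEN_IF" -s "$GREEN_NET" -p tcp --dport "$SSH_PORT" -j ACCEPT
    # ident (113): answer with a TCP reset instead of dropping, so remote
    # mail/IRC servers probing it fail fast instead of waiting on a timeout.
    # A RST is what makes 113 show as "closed" while the rest is "filtered".
    $IPT -A INPUT -i "$RED_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # The per-port blocking the web UI lacks: e.g. stop LAN hosts talking
    # SMTP straight to the Internet. Must precede the general Green->Red allow.
    $IPT -A FORWARD -i "$GREEN_IF" -o "$RED_IF" -p tcp --dport 25 -j REJECT
    # Green hosts may reach Red; hide them behind the Red address (NAT).
    $IPT -A FORWARD -i "$GREEN_IF" -o "$RED_IF" -s "$GREEN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$RED_IF" -s "$GREEN_NET" -j MASQUERADE
}

# Apply only when invoked as "sh zones.sh apply" (as root); otherwise the
# function is just defined, so the file can be sourced or dry-run.
case "${1:-}" in apply) build_rules ;; esac
```

Run it with `IPT="echo iptables" sh zones.sh apply` first to review the generated rules before applying them for real.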

But honestly, not many small businesses or home offices will ever need to touch anything like this, and a lot of the $69 - $149 SOHO routers out there, like my Linksys or Netgear, are not much better as far as features are concerned. Plus, most of them don't have great things like Squid web caching, IDS, or nifty graphs and logs to look at. If you already have an old PC with 2 NICs and a working hard drive, you should be good to go.

Updating the router is really easy. Updates are done as tar.gz modules, and currently the site has 9 updates for the latest 1.3 version of IPCop. All you have to do is download them onto a computer on the IPCop Green network, go to the IPCop router web page, and follow the directions, which only ask you to upload each patch one at a time (through your browser), in consecutive order, and even tell you if you have to reboot the server (like for OpenSSL and kernel security updates). I had to reboot 3 times, which on Gryphon was about 3 minutes of downtime for each reboot (newer computers will be much faster).

Backing up is even easier. The trouble with old hardware is that sometimes it fails. Maybe you dragged out that old 486 from the bottom of the office closet, without knowing that the reason it was there in the first place was that it was known, years before you started, as "the flaky PC" because of its tendency to turn off randomly due to a short in the power supply. Oh no! And after you did all the configs! Well, no sweat, there's a feature in place that lets you back up your settings to a floppy. So when you move it to a new PC, or just want the duplicate settings on firewall #2, setup lets you take that saved floppy and, voilà! Your config files are automatically installed when your second system starts. Neat!

But now for the big question: how secure is it? Well, first I tried the latest version of nmap, and it only found port 113, which is on for a reason. Other ports? None. Look at this scan:

[root@pippi root]# nmap -vv -F -sV -O 192.168.0.13
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-26 22:12 EDT
Host 192.168.0.13 appears to be up ... good.
Initiating SYN Stealth Scan against 192.168.0.13 at 22:12
The SYN Stealth Scan took 53 seconds to scan 1217 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 192.168.0.13:
(The 1216 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
113/tcp closed auth
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=3.50%P=i686-pc-linux-gnu%D=5/26%Time=40B54ECE%O=-1%C=113)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 67.666 seconds
[root@pippi root]#

Next, I tried the granddaddy of all the brute force scanners, Nessus. It found nothing. Zilch. Nada. The big round wheel of negative cheese.

Wow. Even my Linksys router did worse, with an open port 80 (its admin page). My OpenBSD box showed more vulnerabilities, one major one because of a found Etherleak.

All in all, your router really is Linux. You can configure it just like any other Linux distro: fine kernel tuning, adding more services like NAS, having it play some funky tune when you get DoS attacked, whatever. It's a simple router/NAT/firewall for the average Joe, or infinitely scalable for the geek hacker.

I'll give it a B, maybe even a B+. I didn't give it an A because of the lack of GUI flexibility for the firewall, but this Linux "Router-in-a-box" distro might replace my Linksys when it dies as the main point of protection between me and the Big, Bad Internet.