
Configuring IPCop Firewalls

Ravi writes "IPCop is a GPLed firewall solution targeted at Small Office/Home Office networks. It is favored by many for its ease of configuration and setup and its support for a variety of features that you would expect to have in a modern firewall. IPCop is famed for letting users set up a sophisticated firewall for one's network without ever having to write an iptables rule themselves." Read the rest of Ravi's review.
Configuring IPCOP Firewalls - Closing borders with Open Source
Author: Barrie Dempster and James Eaton-Lee
Pages: 230
Publisher: Packt Publishing
Rating: 8.5
Reviewer: Ravi
ISBN: 1-904811-36-1
Summary: A practical book that takes a hands-on approach to setting up and configuring an IPCop firewall on one's network


Configuring IPCop Firewalls, published by Packt Publishing, is authored by two people, Barrie Dempster and James Eaton-Lee, and is divided into 11 chapters. The first chapter gives a brief introduction to firewalls and explains technical concepts such as the OSI reference model, an introduction to TCP/IP and a brief outline of the parts that comprise a network. Even though I did not find anything new in this chapter, I realized that this is meant for people who are new to the world of computer networks and aims to bring them up to date with the various technologies associated with it. A network administrator intending to pick up skills in configuring and setting up IPCop can skip this chapter and go to the second chapter, which gives an introduction to IPCop and its different features. The authors have explained the concepts in an easily understood way with the aid of the necessary screenshots. One of the salient features of IPCop is its web-based interface, which allows one to configure all aspects of it from a remote location. In fact, IPCop is designed to be controlled from a remote location and serves all its configuration parameters via the Apache web server.

In the second chapter, one gets to know all the features of IPCop, including the different services it offers. One thing that struck me while going through this book was that the authors are fully immersed in explaining the configuration aspects of IPCop, which is done entirely via the web interface. Other than the first, third, and 10th chapters, where the readers are made to digest some theory, the rest of the book is written as a how-to. I found this to be ideally suited for people who are the least bothered about theory and just want to set up IPCop and get on with what they were doing.

In the third chapter, we are introduced to the unique feature used by IPCop to segregate the network depending upon its vulnerability. And in the succeeding chapter, the authors walk one through installing IPCop. Here each and every installation step is explained with the help of a screenshot which makes understanding the procedure much more intuitive.

The chapter titled "Basic IPCop Usage" gives a good introduction to the web interface provided by IPCop. Reading this chapter, I was able to get a good feel for the IPCop interface. More specifically, you learn how to configure IPCop to provide different services such as DHCP server, support for Dynamic DNS, editing the hosts file and so on. The IPCop interface is quite rich in functionality even providing options to reboot or shutdown the machine remotely. In this chapter, apart from the introduction to the web interface, the authors have also provided a few tips related to logging in to the remote machine running IPCop using SSH.

Put in simple terms, IPCop is a specialized Linux distribution which contains a collection of tools that revolve around providing robust firewall capabilities. The tools bundled with IPCop range from the ubiquitous iptables and services such as DNS and DHCP to tools which specialize in intrusion detection, such as Snort.

The sixth chapter, titled "Intrusion Detection with IPCop", explains the concept of intrusion detection and how one can use the Snort IDS bundled with IPCop to effectively find out what is passing through our network and thus isolate any harmful packets.

The book moves on to explain how to use IPCop to set up a virtual private network (VPN). By way of an example, the authors explain how to set up a VPN between two remote networks with each end having an IPCop firewall in place. This chapter covers different VPN scenarios such as host-to-net and net-to-net connections, as well as configuring IPCop to detect the Certifying Authority certificates.

The 8th chapter is a rather short one which explains how to effectively use proxying and caching solutions available in IPCop to manage the bandwidth.

One of the biggest advantages of IPCop is that it is possible to extend it to provide additional features by way of add-ons. Add-ons are generally developed by third parties and are usually developed with an aim to provide a feature that the developers of IPCop have missed. There are a whole lot of add-ons available for IPCop. The 9th chapter introduces the most popular add-ons available for IPCop such as SquidGuard — a content filtering add-on, LogSend — an add-on which sends the IPCop logs to remote email accounts, AntiSpam, integrating the ClamAV antivirus solution and more. The authors have also explained how to install and enable these add-ons using the IPCop web interface.

The tenth chapter titled "Testing, Auditing and Hardening IPCop" has more of a theoretical disposition where the authors list some of the common attributes towards security and patch management and also some of the security risks and a few common security and auditing tools and tests.

One thing I really like about this book is the practical approach taken by the authors in explaining how to accomplish a certain task. Each section is accompanied by the relevant screenshots of the web interface with a brief explanation of the options available. The book is well designed, with a number of tips provided in each section highlighted in big square brackets, which makes it quite eye-catching. Even though I found the book a bit short on theory, it is an ideal resource which provides a hands-on approach to people who are more interested in installing and setting up IPCop firewall solutions in one's network rather than pondering about the theoretical concepts of the same.

Ravi Kumar likes to share his thoughts on all things related to GNU/Linux, Open Source and Free Software through his blog on Linux.


You can purchase Configuring IPCOP Firewalls - Closing borders with Open Source from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Configuring IPCop Firewalls

  • Find it here (Score:5, Informative)

    by SpaceLifeForm ( 228190 ) on Wednesday December 06, 2006 @03:53PM (#17135280)
    IPCop [ipcop.org]

  • Update on the link (Score:1, Informative)

    by Anonymous Coward on Wednesday December 06, 2006 @03:55PM (#17135316)
    For some reason the review links to B & N, but it seems that Amazon has it a few bucks cheaper [amazon.com]. With a book this pricey, any savings are welcome.
  • by b0bby ( 201198 ) on Wednesday December 06, 2006 @03:58PM (#17135386)
    ...you probably don't need this book. IPCop is super easy to set up & configure if you're even the slightest bit geeky. I really like it, but then I'm the slightest bit geeky.
  • by il_diablo ( 574683 ) on Wednesday December 06, 2006 @04:30PM (#17135908) Homepage
    I'll second that.

    I was a paying user of Smoothwall, and the founder was still a total douchebag to me. I was reselling the product to some clients, having had such a good experience with the product in house (my small company of 6 people). There was quite a bit of angst trying to get him to take care of some relatively simple things in the ordering chain...like provide an actual physical product to the client.

    Yes, I know it was downloadable. Yes, I know the point of open source/pseudo open source software. But if you're selling a *product*, at least *try* to act like you're an actual fulfillment channel.

    Nice product, utter a-hole of a founder.
  • by jazman_777 ( 44742 ) on Wednesday December 06, 2006 @04:34PM (#17135984) Homepage
    The guy running SmoothWall, in my opinion, made Theo de Raadt (OpenBSD) look like someone with whom you'd like to have a spot of tea and a lovely afternoon chat.
  • Copfilter... (Score:3, Informative)

    by b0s0z0ku ( 752509 ) on Wednesday December 06, 2006 @04:52PM (#17136230)
    Copfilter [copfilter.org] is an add-on for IPCop that provides spam and virus filtering using SpamAssassin, Clam, and proxSMTP. It can also filter incoming POP3 streams and even WWW traffic (but is sloooow doing it). Not terribly configurable, but handy if you need a quick spam appliance solution that Just Works. The only thing is that it doesn't seem to play nice when IPCop is running off a flash card and RAMdisk.

    I'm using IPCop and Copfilter on a LinITX PC for a client and so far he's very happy with the results. LinITX is a mini-ITX PC slightly larger than a Linksys "blue box" router with built-in video/USB/AT (so you don't have to configure it via serial console!), three Ethernet ports, a flash disk slot, room for a 2.5" HDD internally, and 2 on-board IDE controllers - you can even temporarily hook up a generic internal CD-ROM drive for install purposes.

    -b.

  • by sparkyradar ( 908639 ) on Wednesday December 06, 2006 @04:53PM (#17136238)
    I've used SmoothWall, and found it easy to set up, and extend. At the time (several years ago) IPCop was a pretty new fork from SmoothWall, so they were nearly the same. The GUI tools were different, and (particularly important for the forkers) the developer-attitude was supposed to be much-improved with IPCop.


    In terms of hardware, I was using a Pentium-166, which had *tons* of horsepower for this application (either IPCop or SmoothWall). The only thing was that it was older hardware, and about once a month it would sporadically die :-( Because of this, and also the 200W power-consumption, I eventually ditched it for a consumer-grade Netgear NAT/"firewall" thingy... I've never regretted this move! Be guided...


    SmoothWall was a compacted Linux distribution, which allowed for the usual Linux apps to be added. Want to run your own ntpd for your home-LAN? No problem. Perhaps some fancy dhcp-configuration options - again, no problem.


    -sparkyradar

  • imho (Score:2, Informative)

    by coaxeus ( 911103 ) * on Wednesday December 06, 2006 @04:54PM (#17136264) Homepage
    I do firewall/VPN/security work for a living; I've tried/used Ipcop and nearly all of the products mentioned below and dozens more (m0n0wall, cisco PIX, cisco ASA, checkpoint, juniper, smoothwall, proxy based firewalls, sonicwall, guarddog, watchdog, homemade linux/freebsd/openbsd/etc etc).
    I personally vastly prefer PfSense over any of them for nearly all applications. http://pfsense.com/ [pfsense.com]
  • Re:IPCop vs DD-WRT (Score:1, Informative)

    by Anonymous Coward on Wednesday December 06, 2006 @04:56PM (#17136312)
    I use a Turion 64 and an IDE Flash card / RAM drive... low power, no noise.
  • Re:Other options (Score:3, Informative)

    by racermd ( 314140 ) on Wednesday December 06, 2006 @05:07PM (#17136516)
    I've tried both m0n0wall and Smoothwall, but neither of them seemed as easy to use. IPCop is (to me) logically laid out and incredibly easy to configure with nothing more than the descriptions on each of the config pages in the GUI.

    As for hardware config, I'm running a 1GHz P3 that I swiped out of a friend's PC that he was upgrading (long ago - a socket 370). It's got 256MB of RAM, and a 4GB disk, as well. This setup is *way* more than enough to run IPCop. One of its advantages is a small system footprint, so it can run on things like the soekris [soekris.com] boards. The newest model - the 4801 - is a 266MHz AMD Geode CPU w/ 128MB of RAM. That system is also fairly peppy for IPCop.

    Another friend of mine is running on a P90 and 32MB of RAM. With the proxy features turned on, he'd hit the swap space pretty hard. He has since turned the proxy features off and is running a cable-modem connection into his whole house with it (about 8-10 devices).

    I'm sure Smoothwall and m0n0wall are similar in their system requirements.

    For me, IPCop is just much easier to figure out and use. I was considering getting the book, but I'm not so sure now that I've read the review. I've pretty much figured everything out.
  • uptime (Score:2, Informative)

    by Danzigism ( 881294 ) on Wednesday December 06, 2006 @05:08PM (#17136524)
    IPCop is a great linux-router distro for old crappy machines as well.. i have it running at home on a pentium 133 with 32 megs of ram.. it's been up 96 days without any problems at all.. the BSD based firewalls are great as well, but there's really not that much of a performance difference in my opinion.. they all do the same exact thing in the long run.. i guess it's just a matter of your personal preference.. but for those of you who have an old piece just sitting in your closet, it'd make a great IPCop box.. incredibly easy to set up as well..
  • Re:The Truth (Score:3, Informative)

    by value_added ( 719364 ) on Wednesday December 06, 2006 @05:22PM (#17136766)
    Personally I would prefer a PIX over a linux firewall.

    Well, if you can afford it, and don't mind learning IOS, great. Reading the replies thus far, it seems the home-user would prefer something else, although that something else seems to include everything but the kitchen sink.

    Maybe it's me, but my idea of firewall is something that I manage over a serial cable that isn't doing anything else but handling traffic, and perhaps logging to an external box. A web server, DNS, DHCP, ClamAV, SquidGuard, etc. etc. etc., might be handy, but those are standard network services and belong elsewhere.

    Seems like a good enough book, though. My vote is still with pf on a *BSD system. The pf FAQ [openbsd.org] is as well-written as any book, and the examples provided should allow even the novice user to be up and running in minutes. Pick up a Soekris box [soekris.com] and Bob's yer uncle.
  • Re:Other options (Score:2, Informative)

    by Zuke8675309 ( 470025 ) <ty DOT zucker AT gmail DOT com> on Wednesday December 06, 2006 @05:27PM (#17136874)
    I've run ipcop on an old p166 with 32mb ram and an equally tiny hard drive (don't remember how big off hand) and it worked great for a network of 50 or so computers.

    Currently I run two at our private school, one is an old ibm e-series celeron 800 and the other is a p3-450. I moved up in processor speed because the current two machines fit in my rack better. :)
    Both perform flawlessly and continuous uptime would be over a year if we didn't have a long power-outage a couple months ago. I just checked the cpu graph on the celeron 800 machine and the highest it hit was 15% in the past 24 hours. So that tells me that I could have a slower cpu and be ok. Obviously, it all depends on how many computers you'd be putting behind the ipcop.

    I suspect that if you had a problem before with IPcop failing then it was most likely a hardware issue. A clean install is practically foolproof for anyone with even minor geek knowledge.

    IPcop also works pretty well as a vmware virtual machine. There are a couple of vm images available for it this way too.
  • Re:pfSense (Score:1, Informative)

    by Anonymous Coward on Wednesday December 06, 2006 @05:30PM (#17136936)
    Agreed 75%. Better, but not a lot.

    I use both and never experienced a breach on one of them so I cannot give first person experience accounts on their security level. From a sysadmin point of view pfSense looks to me more stable and less prone to update failures, while ipCop supports more devices (I had problems with some wireless NICs under pfSense) but lacks multiple DMZs and other sometimes useful features.
    From a user point of view the IpCop folks should seriously consider grabbing some ideas from the extremely well designed and documented pfSense web interface: the IpCop interface simply sucks for multiple reasons, from the horrible logo to the absolute lack of visual integration with many extensions.
    Other than these aspects I find both to be good products.
  • Re:Other options (Score:3, Informative)

    by Charles Dodgeson ( 248492 ) <jeffrey@goldmark.org> on Wednesday December 06, 2006 @05:46PM (#17137202) Homepage Journal
    I can't speak to the difference between IPCop and Smoothwall, but the difference between those two and monowall is enormous. Monowall is designed to run on very small systems. I recommend it on a Soekris net4801 [soekris.com] where monowall can fit on an 8MB Compact Flash card. If energy consumption and space are a concern for you then something like monowall is great.

    If, however, you want to do any kind of proxying (Squid for example) or run larger services off of the firewall and you have some old spare machine to use then something like IPCop may be the right way to go.

    I like keeping a powerful and flexible firewall (monowall) as a unit by itself. If later, I want to add web proxying, I can always put that on a separate box, and simply set the firewall to only allow web requests from the proxy.

    But there are plenty of cases, where I've recommended something like Smoothwall/IPCop.

  • pf please (Score:2, Informative)

    by pkplex ( 535744 ) on Wednesday December 06, 2006 @07:03PM (#17138454) Homepage
    IMO the IPCOP style firewall systems are only good for quite basic setups, mostly in the 'two nics, one external one internal' realm.

    But if your firewalls need to have multiple NICs and such, running carp and pfsync, doing all sorts of funky stuff on each, then the web based things suck. The best I've seen is pfsense, but it still suffers from the whole concept of internal/external NICs instead of just letting me sort that shit out.

    I use FreeBSD for all my firewalls now, with the exception of one pair of firewalls which I use openbsd with, only because obsd has the 'carpdev' option and FreeBSD does not, meaning I can't carp external IP addresses properly ( FreeBSD looks for the NIC with an IP on the same subnet as the desired carp IP ).

    If you are looking after a semi complex network then IMO don't use IPCOP/Pfsense style setups, as nice as they may be for some things.

  • by emotal ( 895565 ) on Wednesday December 06, 2006 @08:05PM (#17139292)
    I work for a county hospital, so we don't get much money for equipment. So, a couple of years ago, when we out-grew our old firewall, I was forced to come up with a firewall solution for little or no money. So I took a spare pc and set it up with IPCop. We still use IPCop today, except now it is on a P4 2.4GHz pc with 1GB of ram. It services 600 devices that connect to the internet. I did have to make a few customizations for it, especially with the content filtering, since we have groups of ppl that need to hit only a few sites and nothing else. It has done a great job and the load rarely gets above 35%.
  • OpenVPN AddOn (Score:1, Informative)

    by geronimo9 ( 656736 ) on Wednesday December 06, 2006 @09:06PM (#17140014)
    I use IPCop at quite a few locations. My favorite addon is an openvpn module called Zerina. It can be found at zerina.de.
