IPCop or Smoothwall?

Discussion in 'Networking and Computer Security' started by megamaced, Sep 11, 2006.

  1. megamaced

    megamaced Geek Geek Geek!

    Likes Received:
    0
    Trophy Points:
    36
    We (my landlord and I) decided to settle on a cheap home-grade router to serve our network. The network covers two houses with a maximum of 12 computers in each (although usually only about 6 in each). We noticed that the traffic was so intense that the router kept buckling. Basically, its DHCP server wasn't always giving out IP addresses. The router has no firewall or proxy and is very limited in what it can do.

    I want more control over the network so I've decided to ditch the router and build an old Pentium 3 spec machine that will run either IPCop or Smoothwall. I've run them both through VMware and I like what they have to offer. Smoothwall has better documentation but IPCop has an extra 'blue zone' which I think I need.

    I've included some diagrams of the proposed network: One with IPCop running 3 zones and one with Smoothwall running two zones. Which setup and firewall do you think is best for my network?

    Can someone go through the pros and cons of both diagrams?
     

    Attached Files:

  2. Anti-Trend

    Anti-Trend Nonconformist Geek

    Likes Received:
    118
    Trophy Points:
    63
    IPCop. It's a fork of Smoothwall anyway. I'd install the addon engine and the BOT (block outward traffic) module, which will give you access to write advanced firewall rules. I fail to see the advantage of Smoothwall in this environment, so I can't really run you through the pros of that side of the diagram, but you could also implement IPCop with two interfaces in exactly the same manner. The major benefit of configuring the iPrism with two different zones would be that you could easily segregate the two networks, forcing them to act as two individual networks instead of one larger one. Also, the BLUE network zone in IPCop can be used to exclude any PCs which do not have their MAC addresses listed in the zone's allow list. You could also conceivably introduce filtering to one or both zones via some transparent proxy magic (à la squid) and the Cop+ plugin (à la DansGuardian). I don't know if these features are attractive to you, but you can do it.

    Another option would be m0n0wall, although IPCop is probably easier to use depending on your networking background. IPCop does support QoS and traffic shaping, but the Linux kernel's shaper is not as nice as the BSD kernel's shaper. OTOH, since m0n0wall is based on BSD, the hardware support is not as good as IPCop, which is based on Linux.

    So, ultimately, I believe IPCop would be best for you except in the case that traffic shaping is your number one concern. In that case, take a long hard look at m0n0wall before you implement a firewall.
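The zone segregation and BLUE MAC allow list described in the post above, written out as an iptables script. This is an added example, not IPCop's or the BlockOutTraffic module's own code: the interface names (eth0/eth1/eth2), the GREEN subnet, the MAC/IP pairs and the egress port list are assumptions for the demonstration, and the admin ports follow IPCop 1.4's defaults (445 for the web UI, 222 for SSH), which you should check against your install. By default it only prints the commands (dry run); run it with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not IPCop's own scripts: three-zone (RED/GREEN/BLUE) iptables
# ruleset with a MAC allow list on BLUE and BlockOutTraffic-style egress limits.
# Interfaces, subnet, MACs and the port list are assumptions for the demo.
# Dry run by default (prints the commands); IPT=iptables ./zones.sh applies them.
IPT="${IPT:-echo iptables}"

RED=eth0                                # Internet side (assumed)
GREEN=eth1; GREEN_NET=192.168.1.0/24    # house 1, trusted (assumed)
BLUE=eth2                               # house 2, allow-listed hosts only (assumed)

# Constructed BLUE allow list: "MAC IP" per line.  Anything else on BLUE is dropped.
BLUE_ALLOW="00:11:22:33:44:55 192.168.2.10
00:11:22:33:44:66 192.168.2.11"

# TCP ports GREEN hosts may reach on the Internet (the BlockOutTraffic idea:
# default-deny egress, then open only what is actually used).
GREEN_EGRESS_TCP="80 443 22 25 110 143 993 995"

build_rules() {
    # Default deny for traffic to and through the box; the box itself may send freely.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # Stateful core: replies to flows already allowed pass without per-rule checks.
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Admin access (IPCop 1.4 defaults: 445 https, 222 ssh) from GREEN only,
    # never from RED or BLUE.
    $IPT -A INPUT -i "$GREEN" -s "$GREEN_NET" -p tcp --dport 445 -j ACCEPT
    $IPT -A INPUT -i "$GREEN" -s "$GREEN_NET" -p tcp --dport 222 -j ACCEPT

    # DNS and DHCP served to both inside zones (DHCP has to work before a
    # host's MAC has been matched against anything, so it is not allow-listed).
    for z in "$GREEN" "$BLUE"; do
        $IPT -A INPUT -i "$z" -p udp --dport 53 -j ACCEPT
        $IPT -A INPUT -i "$z" -p udp --dport 67 -j ACCEPT
    done

    # BLUE -> Internet: only the listed MAC/IP pairs.  A listed MAC on the wrong
    # IP, or a listed IP with the wrong MAC, falls through to the drop below.
    printf '%s\n' "$BLUE_ALLOW" | while read -r mac ip; do
        [ -n "$mac" ] || continue
        $IPT -A FORWARD -i "$BLUE" -o "$RED" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    done
    $IPT -A FORWARD -i "$BLUE" -j DROP

    # GREEN -> Internet: whole subnet, but only the egress ports above plus DNS.
    for p in $GREEN_EGRESS_TCP; do
        $IPT -A FORWARD -i "$GREEN" -o "$RED" -s "$GREEN_NET" -p tcp --dport "$p" -j ACCEPT
    done
    $IPT -A FORWARD -i "$GREEN" -o "$RED" -s "$GREEN_NET" -p udp --dport 53 -j ACCEPT

    # No GREEN<->BLUE rule exists, so the FORWARD policy keeps the two houses apart.
    $IPT -t nat -A POSTROUTING -o "$RED" -j MASQUERADE
}

build_rules
```

Two things to keep in mind: a MAC match only sees the source MAC of the frame arriving on BLUE, so it protects against unlisted hosts plugging in, not against a listed host's owner cloning someone else's address; and because BLUE gets no rule toward GREEN, the "plug and play" tenant on BLUE is also cut off from the other house's printers and shares, which is the segregation the post describes.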
     
  3. megamaced

    Can the addon proxy Squid filter out adverts?

    I've downloaded a few addons but I am not sure how to log in to IPCop through SSH :)

    How can I access the IPCop console remotely?

    Thanks

    EDIT: Just re-read your post - do I need to install the 'addon engine' before I install any addons? Where is the addon engine?
     
  4. Anti-Trend

    Squid is the ubiquitous proxy server for UNIX. It is the proxy used for most network appliances and content filters in the world which utilize proxy technology. So, in short, yes. :) But it is not squid's primary function, and there are many reasons why this would be impractical to implement.
    SSH is disabled on the IPCop by default, in favor of the web interface over AES-256 (though only 128 in IE -- that browser stinks). You can enable SSH access in System --> Remote Access. But DO NOT enable SSH1, as it has had a history of security problems.
    >>> Addons for IPCop Firewall <<<
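As an added check to go with the advice above (SSH2 only, and the console reachable only from inside), here is a small audit of an sshd_config plus a hardened rewrite of it. This is example code, not part of IPCop: the sample config is constructed, the GREEN address 192.168.1.1 is an assumption, and port 222 is IPCop 1.4's SSH default, so verify it against your own box.

```shell
#!/bin/sh
# Added example, not IPCop's own code: audit an sshd_config for the three
# settings that matter once remote console access is enabled, then print a
# hardened copy.  The sample config is constructed; GREEN_IP and port 222
# (IPCop 1.4's SSH port) are assumptions for the demo.
GREEN_IP="${GREEN_IP:-192.168.1.1}"

# Constructed config in the state a quick "enable SSH" can leave it:
# SSH1 still negotiable, listening on every interface, passwords only.
SAMPLE_CONFIG='Port 222
Protocol 2,1
ListenAddress 0.0.0.0
PasswordAuthentication yes'

# audit_sshd FILE: one OK/FAIL line per check; exit status 1 if any FAIL.
audit_sshd() {
    f=$1
    rc=0
    # A "1" anywhere in the Protocol value ("1", "1,2" or "2,1") lets a client
    # negotiate SSH1, which is exactly what the post warns against.
    if grep -Eiq '^[[:space:]]*Protocol[[:space:]].*1' "$f"; then
        echo "FAIL Protocol: SSH1 enabled"; rc=1
    else
        echo "OK   Protocol: SSH2 only"
    fi
    # Binding to 0.0.0.0, or not binding at all, puts sshd on RED as well.
    if grep -Eiq '^[[:space:]]*ListenAddress[[:space:]]+0\.0\.0\.0' "$f" \
       || ! grep -Eiq '^[[:space:]]*ListenAddress' "$f"; then
        echo "FAIL ListenAddress: sshd reachable on every interface, RED included"; rc=1
    else
        echo "OK   ListenAddress: bound to an inside address"
    fi
    # Password logins on a box whose only account is root invite brute forcing.
    if grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$f"; then
        echo "FAIL PasswordAuthentication: use keys instead"; rc=1
    else
        echo "OK   PasswordAuthentication: disabled"
    fi
    return $rc
}

# harden_sshd FILE: write a corrected config to stdout (sed -i is not POSIX).
harden_sshd() {
    sed -E \
        -e 's/^[[:space:]]*Protocol[[:space:]].*/Protocol 2/' \
        -e "s/^[[:space:]]*ListenAddress[[:space:]].*/ListenAddress $GREEN_IP/" \
        -e 's/^[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' \
        "$1"
    # Add a ListenAddress if the file had none at all.
    grep -Eiq '^[[:space:]]*ListenAddress' "$1" || echo "ListenAddress $GREEN_IP"
}

# Demo: audit the constructed sample, fix it, audit the result.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
audit_sshd "$tmp" || echo "-> rewriting"
harden_sshd "$tmp" > "$tmp.fixed"
audit_sshd "$tmp.fixed"
rm -f "$tmp" "$tmp.fixed"
```

Put your public key in root's authorized_keys before switching PasswordAuthentication off, or the hardened config locks you out of the only console you have; and the ListenAddress check is defence in depth, not a substitute for the INPUT rule that keeps port 222 off RED.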
     
  5. megamaced

    But what I don't understand is how I move those addons onto the IPCop hard drive!

    Do I have to share a folder on the IPCop server or can the IPCop server access an NFS share on my main computer? :confused:
     
  6. megamaced

    Okay, never mind that, I've Googled it!

    I want to ask you about proxy servers though. I read on the IPCop wiki that the bigger the proxy cache, the more memory is needed. Also, if the cache is set too big then the server will spend more time trying to manage it and less time fetching web pages, thus slowing down the internet for everybody on the network.

    What size cache would you recommend for a server with a P3 ~700MHz, 128MB RAM and 3.2GB HDD? Do you have any general advice or experience with Proxies that you would like to share? :)
     
  7. Anti-Trend

    My advice: Don't use a proxy unless you have good reason to do so, e.g. you want web content filtering or have a connection with extremely high latency. Otherwise I'd just leave the proxy disabled and use the IPCop as a router/firewall.
     
  8. megamaced

    Why do you advise against using a proxy? I thought proxies were supposed to 'speed up' the retrieval of web pages?
     
  9. Anti-Trend

    Nah, it's nonsense. I don't mean to come on too strongly here, but I do work with proxies for a living.

    The speed up may be true of larger files, more specifically those which are retrieved often, but it's rarely true for vast & varied content. The situation where a caching proxy is a good idea is, like I stated earlier, when your connection has abysmal latency (but relatively good burst speeds). Then you wouldn't notice an appreciable decrease in performance the first time somebody downloads a web page, but the next time it would be as fast as they could download it from the proxy server (which is much closer and has better bandwidth than the Internet connection).

    In your case you'd just be adding more latency, not decreasing it. Basically a proxy introduces much more handling of the traffic than a router or bridge. Look at the following example. It's a bit of an over-simplification, but I think it might help to get the point across. Keep in mind that inter-kernel IO is a multitude faster than IO between the kernel and userland (e.g. software):

    Router:

    INTERNET -> NIC -> [kernel network stack] -> NIC -> [end user]


    Proxy:

    INTERNET -> NIC -> [kernel network stack] -> [squid proxy] -> [cache on HDD] -> [kernel network stack] -> NIC -> [end user]



    ..get the idea? :)
     
  10. megamaced

    Thanks for your help :good:
     
  11. Anti-Trend

    NP dude! :) Squid is a fantastic proxy, and it performs extremely well for a proxy. But it will still introduce latency and complexity by its very nature, so it's best to keep things as simple as possible. If you need content filtering and such, however, squid & DansGuardian would be the first thing I'd look into. You can get that functionality for free with the COP+ package for IPCop. :good:
     
  12. megamaced

    Have you tried the F@H addon for IPCop? I am going to install it once the server is up and running but I am a bit worried about the effects this could have on performance for the rest of the network.
     
  13. Anti-Trend

    It's a UNIX platform, so since it sets the 'nice' value for F@H as high as possible, all other system processes get a higher priority. This said, it still uses RAM and CPU cycles, so it could increase latency slightly. It will also stress the hardware full-time and cause excess heat, so I really wouldn't recommend such a trivial thing for a production system.
     
  14. megamaced

    Okay, thanks for the advice!

    I'll probably implement F@H on my desktop PC then.
     
  15. Anti-Trend

    BTW, it might please you (and your landlord) to know that your DIY firewall is actually spec'd higher than a $2500 Cisco PIX firewall:

    PIX-515E TECHNICAL SPECIFICATIONS

    • Processor: 433-MHz Intel Celeron Processor
    • Random access memory: 64 MB or 128 MB of SDRAM
    • Flash memory: 16 MB
    • Cache: 128 KB level 2 at 433 MHz
    • System bus: Single 32-bit, 33-MHz PCI
     
  16. Anti-Trend

    Hey Megamaced, here are three very basic proposals for your network deployment. It's up to you which will suit the need the best! Let me know if you need any additional proposals and I'll work something up.
     

    Attached Files:

  17. megamaced

    Graphs two and three would probably be more suitable. I want the network to be 'plug and play' in a sense, so when a new tenant moves in all they have to do is plug in the network cable and away they go. This would not be possible for the 'blue' household in graph one.

    Graph two is probably the best way to go but I didn't think it was possible to assign two network cards to the GREEN network? I think I tried it before and it wouldn't let me. That's why I opted for the blue network - to run as an additional green-like network.

    Graph three solves the Green / Blue network issue but what of the internet speed for the second house? Will they notice any lag having to go through an additional switch?

    Thanks in advance
     
  18. Anti-Trend

    No, it's just a layer-2 switch -- store & forward. If the switch is adding latency, you need a new switch. :)
     
  19. megamaced

    Right, well, I think I've covered everything for now. I am just waiting for the computer parts to arrive and then I'll build it and get it connected to the network.

    In the meantime I am still playing around with IPCop using VMware. It's best that I totally familiarise myself with it before I use it in production.

    I'll let you know how it goes :)
     
  20. Anti-Trend

    OK, and I'll be glad to help if you have issues, though I don't anticipate any. I use IPCop for my own network, and also for several production networks I've set up. If it helps, here are the plugins I typically use:

    Net-Traffic, BlockOutTraffic, IPTraf, and RedMAC
     
