I’ve wanted to set up a serious linux-based firewall for my home network for some time now, and I finally got around to it yesterday.
There are a TON of linux router distros out there, but instead of spending 8 hours picking & choosing, comparing & contrasting, nitpicking & debating, I asked someone else ;). Two buddies of mine have a similar setup at their homes: one uses Smooth Wall; one uses IPCop. I arbitrarily chose Smooth Wall (after actually setting it up, though, I think IPCop would have been a better choice–c’est la vie).
The installation is supposed to be quite painless, and it was–for the most part. The documentation and install process were intuitive and easy to follow, but it didn’t work OOTB. I probably only had so much difficulty because of hardware issues (fried NICs?), which is by no means Smooth Wall’s fault. Nevertheless, it took ~5 hours of bang-your-head-against-the-table troubleshooting ’till I could finally unhook the monitor & keyboard, shove it in a corner, and get some sleep.
I was also disappointed with two things that didn’t work as I had expected OOTB:
- DHCP DNS
- VPN
DHCP DNS
One thing that I was very excited about with this new router setup was the built-in DNS server. I run DHCP, so every time I need to remotely connect to a machine, I have to run over and do an `ifconfig` on it (which defeats the purpose of a REMOTE connection :/). Now, I have little network experience, but I ASSumed that when my machines would lease a dhcp address, their hostname would be automatically added to the DNS’s hosts list. Boy–was I wrong.
Well, sure enough, I wasn’t the only person complaining about this. A quick google search for ‘smoothwall dhcp dns’ led me to this page describing a fix. While the post looks promising, following the directions turned out to be a complete headache. It was written in 2003, and a lot has changed since then. This dude found another dude’s perl script (which was buggy with no documentation) that was designed to automatically pull the hosts from the dhcpd.leases file (whose path has changed since it was written). If putting the files on the stripped-down router box wasn’t hard enough (no CPAN or wget), you couldn’t compile it (no compiler). I think I eventually managed to get it working, but it was all for nothing because the newer version of Smooth Wall uses dnsmasq for the DNS server, and it supports this option by a configuration directive.
Naturally, not only does the configuration file lack this directive by default (as, IMHO, it should have it), the configuration file doesn’t even exist! Alas, google came to my rescue once more.
So, I created a file at /etc/dnsmasq.conf with the contents as suggested by the aforementioned link:
dhcp-lease=/usr/etc/dhcpd.leases
cache-size=5000
filterwin2k
…and that seemed to do the trick. Now, shouldn’t that be the default behavior? …or is there some sort of security concern in this that I haven’t considered? There’s none that I can think of. *shrug*
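The post above mentions a perl script that pulled hostnames out of dhcpd.leases, and then a dnsmasq directive that reads the leases file directly. As an added example (not the post’s code, and not the script it mentions), here is a small Python parser for the ISC dhcpd.leases format that emits /etc/hosts-style lines, which dnsmasq can pick up through its addn-hosts= directive. It handles the two things a naive grep gets wrong: dhcpd appends a fresh record every time a lease changes, so only the last record for an address counts, and free or expired leases must be dropped. It also validates the name, because client-hostname is whatever string the DHCP client chose to send. The leases file content is constructed for the example; the file path and output file name are assumptions.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample of an ISC dhcpd.leases file (not taken from the post).
# 192.168.0.21 appears twice (the later record wins), .22 has been released,
# and .23 sent a hostname that must not end up in DNS.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.0.20 {
  starts 3 2008/04/16 20:13:15;
  ends 3 2008/04/17 08:13:15;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "desktop";
}
lease 192.168.0.21 {
  starts 3 2008/04/16 21:00:00;
  ends 3 2008/04/17 09:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "laptop";
}
lease 192.168.0.21 {
  starts 3 2008/04/16 22:30:00;
  ends 3 2008/04/17 10:30:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "mediabox";
}
lease 192.168.0.22 {
  starts 3 2008/04/15 10:00:00;
  ends 3 2008/04/15 22:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "old-printer";
}
lease 192.168.0.23 {
  starts 3 2008/04/16 23:00:00;
  ends 3 2008/04/17 11:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:99;
  client-hostname "evil name; bad";
}
"""

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.DOTALL)
ENDS_RE = re.compile(r"^\s*ends\s+([^;]+);", re.MULTILINE)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.MULTILINE)
HOST_RE = re.compile(r'^\s*client-hostname\s+"([^"]*)";', re.MULTILINE)
# A single DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
RESERVED = {"localhost"}  # names a client must never be allowed to claim


def parse_leases(text):
    """Return every lease record in file order as a dict: ip, ends, state, hostname."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        ends = None  # None means "never expires" (or no ends line at all)
        em = ENDS_RE.search(body)
        if em and em.group(1).strip() != "never":
            # dhcpd writes "ends <weekday> YYYY/MM/DD HH:MM:SS" in UTC; drop the weekday.
            stamp = " ".join(em.group(1).split()[1:])
            ends = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        sm = STATE_RE.search(body)
        hm = HOST_RE.search(body)
        leases.append({
            "ip": ip,
            "ends": ends,
            "state": sm.group(1) if sm else "active",  # dhcpd 2.x files carry no binding state
            "hostname": hm.group(1) if hm else None,
        })
    return leases


def valid_hostname(name):
    """Accept only a syntactically sane, non-reserved single label from the client."""
    return bool(name) and name.lower() not in RESERVED and LABEL_RE.match(name) is not None


def active_hosts(text, now):
    """Map IP -> hostname for leases that are active, unexpired and carry a usable name."""
    hosts = {}
    for lease in parse_leases(text):
        ip = lease["ip"]
        hosts.pop(ip, None)  # a later record supersedes an earlier one, even if unusable
        if lease["state"] != "active":
            continue
        if lease["ends"] is not None and lease["ends"] <= now:
            continue
        if not valid_hostname(lease["hostname"]):
            continue
        hosts[ip] = lease["hostname"]
    return hosts


def render_hosts(hosts):
    """Produce /etc/hosts-style lines ("ip<TAB>name"), sorted numerically by address."""
    def key(item):
        return tuple(int(octet) for octet in item[0].split("."))
    return "".join(f"{ip}\t{name}\n" for ip, name in sorted(hosts.items(), key=key))


if __name__ == "__main__":
    # Usage: python3 leases2hosts.py /path/to/dhcpd.leases > /etc/dhcp-hosts (assumed paths)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEASES
    sys.stdout.write(render_hosts(active_hosts(source, datetime.now(timezone.utc))))
```

Pointing dnsmasq at the generated file with addn-hosts=/etc/dhcp-hosts and sending it SIGHUP after each run makes it re-read the names; running the script from cron or from dhcpd’s lease hooks is an operator’s choice. The script only checks that a name is well formed: nothing stops one client from claiming a name another machine already uses, so anything that matters for access decisions should key on addresses or certificates, not on these names.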
VPN
I live in the dorms, and I’ve been experimenting with Back Track enough to realize that there is absolutely no security in that environment (my roommate now encrypts all of his IM traffic because of me). Even ettercap can do some scary MITM attacks on SSL. Therefore, I refuse to do any online banking from the dorms (this really sucks when Washington Mutual fucks up and tries to steal $1000 from your account and you get an “insufficient funds” charge from another bank because of them). The solution: an encrypted vpn back to my house.
Turns out that the built-in VPN abilities of Smooth Wall are merely designed to connect multiple Smooth Wall computers together. That’s a cool functionality, but NOT what I was looking for.
I eventually ran across Zerina – an openvpn server ‘plugin’ for IPCop. They also have a port for Smooth Wall. It might be difficult to find, but the News section of the site mentions links to download such releases (I got mine from a thread on the Smooth Wall forums–also complemented by these instructions). The instructions pretty much say, “untar, ./setup, and configure with these instructions.”
All in all, I’m VERY impressed with the Zerina project. The setup script was beautiful and simple. The configuration process is intimidating, but the process is well documented and easy to follow (even though the screenshots are of IPCop).
The only additional step that I added to the configuration process was in the “Advanced Server Options” of the OpenVPN tab in Smooth Wall’s web interface (it can only be accessed if your OpenVPN Service is stopped). In this impressive set of extensive options, I checked the “Redirect gateway on Red” box. By default, your OpenVPN connection will merely tunnel the data that goes to your virtual ‘local’ network–not external addresses like yahoo.com. Enabling this option makes ALL of your internet traffic tunnel through the VPN (which is necessary for my online banking).
Now that I’ve got those two suckers fixed, I’m just going to stare at the real-time MRTG traffic statistics of my home network for a few hours. Awesome. ^_^
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops.
Haha, smoothwall. Go pfSense or go home.
@Curly Brace
I’d be willing to try pfSense. Like I said, I didn’t do any research into comparing different firewall solutions; I just picked one fairly arbitrarily.
Also, just because some software uses FreeBSD as its base does NOT mean that it’s good software. The same is true for anything else–including linux.
I have tried IPCop, Smoothwall, and pfSense for both home and office networks. pfSense definitely gets my vote, not because it runs on FreeBSD but because of the tools that pfSense gives you.
For the last year I have been running a pfSense as a gateway and firewall for an office network of about 50 desktops and 20 servers. It started simple and has gradually become more complex as our needs have grown. The web interface is well designed and makes it easy to configure each feature when you need it. Any feature that you are not using stays out of your way. So if you want to use it for a small network it won’t overwhelm you.
pfSense is not perfect. I wish its IPSEC VPN was better. It will work if both ends of the VPN are on the public internet, but it will fail if either end is inside a private network and the VPN is trying to cross a gateway. I have also struggled with IPSEC to Cisco routers that use advanced features that pfSense doesn’t have.
But most of it works exactly the way we want. Our machine does this for us:
* 3 separate LANs with firewall rules controlling which of our machines can connect to each other. These are separate VLANs which pfSense understands.
* A DMZ with servers that some of our customers can connect to but are isolated from our LAN.
* A wireless network for visitors to our office with firewall rules so they can reach the internet but not our LAN.
* 2 separate connections to the public internet with automatic failover between them; if one fails our users don’t notice and just keep working through the other.
* OpenVPN connections so that remote machines connect automatically to our office and firewall rules to protect our office if a remote machine is compromised.
* DHCP and DNS servers for all these different branches.
* A transparent HTTP proxy so we can track all the web pages that our users visit. Our policy is to allow people to browse where and when they like just as long as it doesn’t interfere with their work. The HTTP proxy keeps a log so we can check our staff aren’t spending all day on facebook.
* Traffic graphs and system logs that make it easy to see what is passing through the machine. For detailed debugging we can drop to the command line and use tools like darkstat, nmap, and tcpdump.
Thanks for your input jonty!
Actually, I recently switched to IPCop. pfSense is on my list of firewalls to try, but IPCop is entirely sufficient for my needs right now.
As for the IPSec requiring 2 public facing IP addresses, I believe this is a protocol “problem”–not pfSense. Anyway, once we switch to ipv6 and have 51 octillion unique, internet IP addresses per person, this won’t be a problem :). Personally, I just use openvpn instead of IPSec. It works great behind any crazy NAT setup you’re plugged into.
Also, I haven’t checked, but I’d be surprised if any of the features you mentioned above weren’t available in IPCop.
Cheers!
Speaking from experience, I had better luck with hardware req with Smoothwall (derivative I believe of IPcop??). I actually started with ipcop and spent waaaay too many hours reading the forum, wiki, et al trying to figure out what I was doing wrong. Tried Smoothwall and was up in less than half an hour. my $0.02 keep the change.