54 Comments
- duke_nate, on 10/12/2007, -3/+19
Or you can just use the simple NAT/Firewall that is on just about any DSL or Cable internet connection these days.
- Lagged2Death, on 10/12/2007, -0/+13
Many people advocate going the "old-PC-as-a-firewall" route, and I'm sure it has advantages.
One issue that is often neglected when considering doing such a thing, though, is the cost of the electricity to run it. PCs vary pretty widely in their electric consumption; at an idle, they may draw anywhere from 50W to 200W or so. Suppose the firewall PC draws 100 Watts: 100W x 24 hours/day x 365 days/year = 876 KWH. Depending on local electric rates, that's in the neighborhood of US$70 to US$105 worth of electricity.
It can actually be _cheaper_ to buy a router/NAT/firewall/WAP box than to use an old PC for a year.
Of course, there may be other reasons (like ultimate configurability, update-ability, the ability to use the firewall machine for other things too, etc) in favor of using an old PC.
- Lagged2Death, on 10/12/2007, -0/+6
"...not everyone knows that it's easy to create a personal firewall for a FreeBSD (or PC-BSD or DesktopBSD) system. This article shows how even a casual home user can get a firewall up and running in about ten minutes."
Is there really a lot of overlap between "FreeBSD" and "casual home user?"
Not that there's anything wrong with that. This looks like a great resource, but browsing through it, all I could think was "This looks like 100x as much work as installing ZoneAlarm for Windows." I want OSS to thrive, but jeepers, this is the sort of thing that keeps people away.
- gabbagabbahey, on 10/12/2007, -0/+5
Is anyone else wondering how many casual home users of FreeBSD there are? Let alone ones who don't already know how to set up a firewall on their system.
- culbeda, on 10/12/2007, -1/+6
"Just NAT/Firewall isn't safe if you have more than one computer on the private LAN."
For the average home user, in combination with AV software, it's plenty. Anything beyond that is likely to be wasted and they wouldn't know how to configure it properly in the first place. I can't TELL you how many "security experts" who THINK they can manage a firewall open up the smb/nmap or other important ports just to get something working.
And most of the basic DSL/Cable routers now have IPS (Intrusion Prevention) and ALL of the current ones do stateful packet inspection. Your biggest risk with the hardware devices is uPNP. Enable uPNP at your own risk, because it can be easily exploited.
Some tips:
1) For WiFi, use WPA and only on a relatively new wireless access point. If your WAP doesn't support WPA, ditch it. Odds are, it can be compromised in minutes and all the mac filtering and SSID "hiding" in the world won't protect you.
2) Most of the newer firewalls have predefined the services you're likely to open so you don't have to look them up. Save yourself some grief and pick up a new firewall.
3) If you need to secure a business (even a home office) and you're unsure HOW to do it, find someone who actually knows what they're doing. Don't call a friend who "knows computers" unless they do this for a living. Odds are, they can help you with your backups and other risk areas.
- Aero1, on 10/12/2007, -4/+8
http://www.smoothwall.org/
- calpaully, on 10/12/2007, -2/+6
If you have an old computer around, you could install this standalone linux-based firewall - it worked great for me for over a year. http://smoothwall.org/
sorry, posted the same time as Aero1
- ThunderIT, on 10/12/2007, -0/+4
Those are usually limited in the number of sessions they can handle at once (due to their extremely limited amount of RAM). If you have more than just 2 or 3 machines and are using a lot of connections (i.e. BitTorrent running on multiple machines), then a dedicated machine is always better than your little home router.
Also, some of those routers are limited to 10 or so port forwards; if you have, like, 8 machines and need to forward 20 or more ports, a real firewall is always nice.
- Madh2orat, on 10/12/2007, -0/+3
A simple solution is to get a router that is compatible with DD-WRT, such as a Linksys or a Buffalo (there are many others as well). I have a Linksys WRT54G v2.2, as well as a version 5, both running DD-WRT in a WDS configuration. I haven't had any problems, after I figured out how to get everything configured. My favorite feature is the very nice GUI. It has access to many of the advanced functions, and if you do need to get shell access, you can telnet or ssh into it.
Real men don't need GUIs. I am not a real man.
- inactive, on 10/12/2007, -1/+4
Walmart + Linksys Router for $50 = Good enough.
- vheissu, on 10/12/2007, -0/+3
Although the site is down... http://www.m0n0.ch/wall
Made the switch from smoothwall a while ago and don't plan on going back any time soon.
- jsmucker, on 10/12/2007, -0/+3
And also IPCOP
http://ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=IPCopScreenshots
- Nerevar, on 10/12/2007, -0/+3
That or ClarkConnect. Both are very good. http://www.clarkconnect.com/
- invar9, on 10/12/2007, -0/+2
I have tried a LOT of firewalls myself (Linksys, D-Link, Smoothwall); the best one I have found yet is Endian, http://www.endian.it/ . It gives the ease of use of Smoothwall and the security of IPCOP. You can have several different zones and it is extremely easy to set up, and the community version is free.
- spdorsey, on 10/12/2007, -0/+2
I'd rather not use a separate PC for a firewall if I don't have to. What's the cheapest way to get a low-cost firewall without paying for the power on a separate PC, but still having a robust system?
I use my router right now. Seems to work fine, but I don't worry about malware, as I use OS X and my 3 Win computers don't touch the internet unless I'm gaming.
-------------------S
- Bedonder, on 10/12/2007, -0/+2
If you are going to the trouble of using FreeBSD and PF why would you not use OpenBSD? It is the most secure BSD and probably the most secure OS for a PC.
- Vouksh, on 10/12/2007, -0/+2
The last bit is for me. I'm using a Dell someone left here (I guess we built them one) and I put Gentoo on it. I use it for a TeamSpeak server, and a webserver for my dad, as well as a file storage box (has a 250 GB and an external 120 along with the 40 GB boot drive). Since I set it up as a DMZ anyways, I loaded IPTables on it.
If you're like me, go the old-POS-as-a-firewall route. Otherwise, let your Cable/DSL router handle it.
- motang, on 10/12/2007, -0/+1
Cool and informative article, thanks.
- spdorsey, on 10/12/2007, -0/+1
That's cool, I have a Linksys wireless router - one of the models that was mentioned on Digg a few months back that could be re-firmwared to work better. Perhaps I'll look into that. THANKS!
-------------S
- SpaceBass, on 10/12/2007, -0/+1
Stevepride,
I'm shamelessly plugging, which I've done too much of today anyway...
but here's a link to an article about setting up IPcop
http://www.archatechs.com/blog/files/pimpin2.html
and here's a link to securing WiFi and using IPcop to help
http://www.archatechs.com/blog/files/network3.html
I too am a Security Now fan, but this site that is anti-Gibson is worth pointing out:
http://grcsucks.com/
I like to get both sides to anything...
- SpaceBass, on 10/12/2007, -0/+1
IPcop and the BlockOutTraffic mod can do something similar....pretty granular control over network traffic.
http://www.archatechs.com/blog/files/network3.html
- spitenmalice, on 10/12/2007, -0/+1
http://pfsense.com/
- Goosemaster, on 10/12/2007, -0/+1
I would point out that m0n0wall is more about static routing and traffic management than a jack of all trades. While it can let you lock down everything, it lacks deep packet inspection and active services like IPS and such.
That said, I feel that it is the PERFECT implementation for embedded PCs.
I use m0n0wall with a soekris 4801+1641 as my gateway and love it. Paired with a few access points, it performs flawlessly. The key is, I use it to focus on network segmentation and traffic management, in addition to having software firewalls on my machines.
For something more powerful, I would recommend most of the solutions recommended above.
My absolute favorite is Astaro though. It's free without support, and only $49 for a year for personal use, and it is practically enterprise class. Routing, proxying, IPS/IDS etc, email spam checker, virus checker (all on the box so it never hits you, and you can download the flagged message anyway from it if you wish).
Sadly Astaro gets no mention at all sometimes :(
- vheissu, on 10/12/2007, -0/+1
m0n0wall will run on a Soekris or WRAP embedded platform. Not exactly cheap though. There's also a plethora of WRT54G projects that let you dump a pretty robust firmware on a $50 Linksys box.
- elusive, on 10/12/2007, -1/+2
"Everyone knows that you should be behind a firewall whenever you go online."
Not if you aren't running any services (are not listening on any ports). I don't think most people actually understand what a firewall does and does not do.
- Aethra, on 10/12/2007, -0/+1
I've been looking for a way to turn an old PC into a firewall. On the university campus we are not allowed routers (regardless of the configuration). This is one way I can keep my security and circumvent the "no routers" rule. I've seen the other ways listed above too.
- suprfli, on 10/12/2007, -0/+1
In all seriousness, I'm trying to figure out why I would want to bother trying to "find an old computer", install BSD and configure a firewall when I can go to my local retail chain electronics store and pay $20 for a Linksys or D-Link firewall that uses a fraction of the energy and is simple to administer.
- tenderstorm, on 10/12/2007, -0/+1
Mac OS X has the FreeBSD ipfw firewall built in. If you are not aware of some feature, that does not mean that it's not there...
http://www3.sympatico.ca/dccote/firewall.html
- tenderstorm, on 10/12/2007, -0/+1
Most guys here are talking about ROUTERS (smoothwall, pfsense, m0n0wall, ipcop, etc..). The article talks about a PERSONAL FIREWALL: a personal computer has only one NIC (Network Interface Card), so you don't need NAT (Network Address Translation). If you don't know what you are talking about, then just shut up and read the tutorial.
Create file /etc/rc.d/pf_rules with content:
---------------------------------------------------------------------------
#!/bin/sh
#
# Copyright (c) 2006 Dominique Goncalves
# Copyright (c) 2006 Andrei Kolu
#
# See COPYING for licence terms.
#
# Create a basic pf.conf.
# Block everything by default,
# Allow everything on lo0,
# Do not create rules on some interface ie: plip0,
# Allow all tcp and udp connections to outside with keep state flags,
# Allow icmp on all interfaces.
#
# PROVIDE: pf_rules
# REQUIRE: netif
# BEFORE: pf

. /etc/rc.subr

name="pf_rules"
rcvar=`set_rcvar`
start_cmd="create_rules"

# $pf_rules comes from rc.conf (default /etc/pf.conf). This script writes
# that file, so it must not be listed in required_files, or the first run
# on a box without an existing pf.conf would be refused.
create_rules ()
{
    echo "Creating $pf_rules."
    # default deny in both directions; the rules below open holes in it
    echo "scrub in all" > $pf_rules
    echo "block drop all" >> $pf_rules
    echo "pass quick on lo0 all" >> $pf_rules
    # table loaded from /etc/blacklist; the table name <blacklist> is
    # assumed from the file name (the angle-bracketed name did not survive posting)
    echo 'table <blacklist> persist file "/etc/blacklist"' >> $pf_rules
    echo "pass out inet proto icmp all icmp-type echoreq keep state" >> $pf_rules
    echo "pass in proto tcp from any to any port www flags S/SA synproxy state" >> $pf_rules
    for inf in `ifconfig -l` ; do
        # no per-interface rules for loopback, plip, gif and tun interfaces
        if echo $inf | egrep -qv 'lo|plip|gif|tun' ; then
            echo "pass on $inf proto icmp all" >> $pf_rules
            echo "pass out on $inf proto {tcp,udp} from ($inf) to any keep state" >> $pf_rules
            echo "pass in on $inf proto tcp from any to ($inf) port 22 keep state" >> $pf_rules
            echo "pass in on $inf proto tcp from any to ($inf) port {139,445,631} keep state" >> $pf_rules
            echo "pass in on $inf proto udp from any to ($inf) port {137,138,631} keep state" >> $pf_rules
            # pf is last-match-wins without "quick": blacklisted sources
            # match the pass rules above, but this later block rule decides
            echo "block on $inf from <blacklist> to any" >> $pf_rules
        fi
    done
}

load_rc_config $name
run_rc_command "$1"
---------------------------------------------------------------------------
Enable PF in /etc/rc.conf:
---------------------------------------------------------------------------
pf_rules_enable="YES"
pf_enable="YES"
---------------------------------------------------------------------------
/etc/blacklist:
---------------------------------------------------------------------------
# The file /etc/blacklist lists IP addresses, one per line. Any lines
# beginning with a # are treated as comments and ignored.
# In addition to being specified by IP address, hosts may also be specified
# by their hostname. When the resolver is called to add a hostname to a
# table, all resulting IPv4 and IPv6 addresses are placed into the table.
# IP addresses can also be entered in a table by specifying a valid interface
# name, a valid interface group or the self keyword, in which case all
# addresses assigned to the interface(s) will be added to the table.
#
evil.address.com
---------------------------------------------------------------------------
Reboot. Enjoy.
- freq, on 10/12/2007, -0/+1
Haven't you heard?
It is official; Netcraft confirms: *BSD is dying.
- SpaceBass, on 10/12/2007, -0/+1
"Most guys talking here about ROUTERS (smoothwall, pfsense, m0n0wall, ipcop, etc..). Article talks about PERSONAL FIREWALL-"
Important distinction...
But you can bolt some stuff on to Smoothwall, IPcop, etc to create an outbound firewall. Supposedly that doesn't do much for a worm on your LAN trying every IP in a class C range, but it keeps you from being used for something like a DDOS attack or spreading that worm outside of your network.
Personally, I find software firewalls to be obnoxious and pc/hardware/external ones to be a pain to manage...but they do have a place and if I ran any Windows boxes I might actually enable mine on IPcop :)
- Scourge, on 10/12/2007, -0/+1
NetBarrier X4 is a great Mac firewall
- BladeMelbourne, on 10/12/2007, -0/+1
RedHat and Fedora come with iptables by default.
The installation program (Anaconda?) asks you to configure the firewall using a graphical client.
You could also use apt, synaptic, yumex or pirut to install iptables or a firewall configuration utility.
I like iptables because I can script all the commands and back them up elsewhere.
Mac comes with a Firewall - it is under Sharing in System Preferences.
Windows XP comes with a firewall. It's not very intuitive though.
I'm not sure if you meant that apt is a firewall program - it isn't, for those who are reading this thread.
- eonblue, on 10/12/2007, -0/+1
Modems do not do NAT or firewalling. Some ISPs have been giving out private IP addresses though.
- dbr_onix, on 10/12/2007, -0/+1
Windows
http://www.simtel.net/product.download.mirrors.php?id=53687
Linux > Debian
sudo apt-get install firestarter
Red Hat/Fedora
su -l; yum install firestarter
Gentoo (Not sure, not used it really)
emerge firestarter
(I like Firestarter for desktop firewall type things on 'nix, SPF on Windows)
OS X -
Preferences, go to the search bit, type firewall (It's in a tab under Sharing I think), click it on, select any applications you want through (I normally just let SSH through)
This article seems way beyond a "casual user"; something like m0n0wall seems a bit more at the casual user's level, but really, most users wouldn't benefit from something like this over a normal router.
fwbuilder looks quite nice though..
- Ben
- SpaceBass, on 10/12/2007, -0/+1
b/c there is a difference between NAT - which protects you from the outside world - and a Firewall (to borrow the parlance of our times :) ) which protects the outside world from you.
Basically, if a machine on your network got infected with a 'worm', then it would probably attempt to affect other machines on the same Local Area Network/subnet/network/term du jour/whatever....but a personal firewall or network firewall might prevent it from going outside...to the "real world"
I guess, in general, watching the traffic your machine sends out is of some value....you can see what services or, forbid, "Malware" [Gibson 1990] :p has requested some connection... but it's a lot of work. It's pop-ups, or config files, or host file editing, or setting up IPcop with BOT (insert my shameless plug here)
The net, pun intended, result is a lot of management. But it's a very good way of protecting, essentially, others.
If you are confident in the surfing habits of people on your local network, consider something like BOT with IPcop or even a Linksys WRT54g with hacked firmware...oh wait, out of the 'box' that doesn't do much different than what Linksys ships with.... :)
It's a lot of effort to monitor outbound traffic from each machine...maybe worth it, maybe not....but the real issue with this post is: who really runs BSD? Mac users put your hands down, we don't really count....Linux users, you also don't count (and I am among you)...
BSD is like a cult unto its own...it's derived from networking and UN*X gurus who have an amazing skill set...but I mean, who runs it on the desktop? Who?
[insert flame here]
/eof
- GMorgan, on 10/12/2007, -1/+1
A second rate solution is enough for most people. Most people use Windows after all.
- s1rk3ls, on 10/12/2007, -1/+1
"Not if you aren't running any services (are not listening on any ports). I don't think most people actually understand what a firewall does and does not do."
Whether you are running any services or not... if you are using Windows it definitely should be behind a firewall. Even if you are running some flavor of *nix, it's still best to be behind a firewall.
It doesn't matter how much you know, or think you know, about your computer, or your sexual partners; in both cases you should still always use protection.
- elusive, on 10/12/2007, -0/+0
Nope. I know I don't have any ports open. And I can verify it at any time. This is on a laptop, mind you, not a server.
If I were running Windows I might be more inclined to run a firewall because I don't know how to check that all ports are closed easily and services seem to start up without anyone telling them to.
- stevepride, on 10/12/2007, -0/+0
I do have an old machine and was considering just such a move. I listen religiously to Steve Gibson's Security Now and played a bit with Ubuntu. I really liked it but couldn't decide on making it some sort of NAS or firewall.
Now I use a standard Linksys NAT/router but would like more port forwarding features for my BT needs. Also, the netstat episode of Security Now really got me jazzed about watching the traffic of my standard Windows LAN.
Is there anything simple for Ubuntu that can do both NAS and NAT with network monitoring features like TCPview?
- fatdog789, on 10/12/2007, -1/+1
Here's an easy way to get a desktop firewall in 2 minutes (Windows only):
1) Go to either sygate.com or zonelabs.com. Download the free version of their firewall. 1 minute on broadband.
2) Install. Restart if necessary (not required with sygate, may be required with zonealarm). 1 minute.
Linux (Debian-based) distros:
1) apt (firewall program). Wait for it to finish. 1-10minutes.
Linux (Mandriva/RedHat/Suse):
1) Search the install disks for the firewall program. 1 min-3 hours
2) Install using whatever method your distro uses to install. 1-10 minutes.
Mac:
You're screwed on this point, but on the plus side, nobody in the real world cares enough about your OS to try and hack it. Security by obscurity.
- VisionDream, on 12/19/2007, -0/+0
Want to read more about building firewalls?
http://www.sourceofarticles.com , http://www.somearticles.com , http://www.koolarticles.com http://www.bizarticles.net and http://www.articlesreader.com
- kuehlschrank, on 10/12/2007, -2/+2
A real so-called desktop firewall should at least differentiate between applications. For example, I want only Firefox to access the internet, not [evil program of your choice]. Danger doesn't only come from outside.
- kuehlschrank, on 10/12/2007, -1/+1
Please define "network nazi". When education prevents the inside danger... why use a firewall at all? :)
- soundphan, on 10/12/2007, -0/+0
I'm pretty sure iptables is part of the Linux kernel (2.4 & 2.6) so if you have a tux you should have iptables ...course I guess you could compile the kernel without it... but why?!!?
- MrSelfDestruct, on 10/12/2007, -1/+1
There's no ***** way I would prefer to spend a metric ***** of hours in front of an old computer and then have it buzzing and whining all day long, failing at any minute instead of just buying a small, silent piece of equipment called a broadband router.
But then again, I wouldn't get to edit all those configuration files. After all, those are meant to be interesting and funny right? Why else would people use these operating systems?
- mihaiv, on 01/01/2009, -0/+0
Netactview ( http://netactview.sourceforge.net ) works on Linux and is similar to Tcpview.
- Heembo, on 10/12/2007, -1/+0
Gents, what happened to router modding? Buy a cheapie old Linksys router and learn how to update the crappy Linksys software with 3rd party open source software to get every router advanced feature you can think of in a somewhat simple interface? I thought everyone was doing it these days... ;-)
- tenderstorm, on 10/12/2007, -1/+0
I use the PC-BSD (FreeBSD for desktop) distribution on my computers as my primary operating system and can do anything you do in Windows or Linux. I can upgrade my OS to the latest stable release or latest testing from the command line by compiling from source code without breaking anything. If I'm lazy enough then I wait for the next PC-BSD binary patch from the autoupdate feature. I can use THREE different firewalls (PF, IPFW, IPF) if I want and they all just work. I've got IPv6 support built in and with ALTQ I've got QoS features also.
You would be surprised to hear how many BSD users are out there.
I call Linux a "cult" because most fresh Linux users use Linux only because it is C00L and l33t and they hate Windows. BSD users love their operating system and may use Linux, Windows - whatever is suitable for some task..
I used all major operating systems (Linux, OS/2, Windows, etc...) and the only OS that has not failed so far is FreeBSD/PC-BSD. Your mileage may vary....
- GMorgan, on 10/12/2007, -1/+0
A lot of Linksys routers don't do PPPoA, so if you're in the EU chances are a Linksys router won't work for you.
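The rule generator from tenderstorm's /etc/rc.d/pf_rules tutorial earlier in this thread, reworked as an added example (this is not code from the thread, from PC-BSD or from FreeBSD) so that the ruleset it produces can be generated and inspected on any host before it is ever loaded. Interface names are passed in as an argument instead of being read from ifconfig -l, the SMB/CUPS lines are left out, and the output is syntax-checked with pfctl -nf only where pfctl exists. The function names and the table name <blacklist> (taken from the posted /etc/blacklist file name) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from PC-BSD/FreeBSD: the rule
# generator from the /etc/rc.d/pf_rules post, rewritten so the ruleset can be
# produced and inspected on any host. Interface names are passed in as an
# argument instead of being read from "ifconfig -l". Function names and the
# <blacklist> table name are this example's assumptions.

# skip_iface NAME -> 0 if NAME gets no per-interface rules. Same substring
# test as the rc script's "egrep -v 'lo|plip|gif|tun'", which is why pflog0
# (it contains "lo") is skipped as well.
skip_iface() {
    case "$1" in
        *lo*|*plip*|*gif*|*tun*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_pf_rules OUTFILE "IF1 IF2 ..." -> writes a pf ruleset to OUTFILE.
gen_pf_rules() {
    out="$1"
    ifaces="$2"
    {
        echo "scrub in all"
        # default deny in both directions; everything below opens holes in it
        echo "block drop all"
        echo "pass quick on lo0 all"
        # table filled from /etc/blacklist; "persist" keeps it even when empty
        echo 'table <blacklist> persist file "/etc/blacklist"'
        echo "pass out inet proto icmp all icmp-type echoreq keep state"
        for inf in $ifaces; do
            skip_iface "$inf" && continue
            echo "pass on $inf proto icmp all"
            echo "pass out on $inf proto {tcp,udp} from ($inf) to any keep state"
            echo "pass in on $inf proto tcp from any to ($inf) port 22 keep state"
            # pf is last-match-wins without "quick": a blacklisted source hits
            # the pass rules above, but this later block rule decides
            echo "block on $inf from <blacklist> to any"
        done
    } > "$out"
}

# count_rules OUTFILE PATTERN -> number of lines matching PATTERN (0 if none)
count_rules() {
    grep -c -- "$2" "$1" || true
}

# check_rules OUTFILE -> 0 when pfctl parses the file, or when pfctl is absent
# (Linux etc.). "pfctl -nf" parses without loading but still opens /dev/pf,
# so run it as root on the BSD box.
check_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; skipping syntax check of $1" >&2
    fi
}

# Constructed interface list: em0 and wlan0 get rules, lo0/tun0/pflog0 do not.
example="${TMPDIR:-/tmp}/pf_rules.example"
gen_pf_rules "$example" "lo0 em0 tun0 pflog0 wlan0"
check_rules "$example"
cat "$example"
```

Running it prints the 13-line ruleset for em0 and wlan0; diffing that output against what the rc script writes to /etc/pf.conf on the real box is a quick way to confirm which interfaces the substring filter actually skipped.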