View Full Version : IPCop
I've just tested IPCop (http://www.ipcop.org/), and I must say it's pretty cool! :) :)
From their web site:
IPCop Linux is a complete Linux Distribution whose sole purpose is to protect the networks it is installed on. By implementing existing technology, outstanding new technology and secure programming practices IPCop is the Linux Distribution for those wanting to keep their computers/networks safe.
# Provide a stable Linux Firewall Distribution.
# Provide a secure Linux Firewall Distribution.
# Provide an opensourced Linux Firewall Distribution.
# Provide a highly configurable Linux Firewall Distribution.
# Provide an easily maintained Linux Firewall Distribution.
# Provide an easily configured Linux Firewall Distribution.
# Provide reliable Support to the IPCop Linux user base.
# Provide an enjoyable environment for the Public to discuss and request assistance.
# Provide stable, secure, and easy to implement upgrades/patches for IPCop Linux.
# Develop an appreciation for both the Linux and Opensource movements in our user base.
# Develop a long lasting relationship with our userbase.
# Strive to adapt IPCop to meet the needs of the Internet of Tomorrow.
# Further develop the Linux Knowledge base of all Project Members and Users.
Here's a partial list of features:
* IPTable network filters
* IDE, SCSI and CF (Disk on a Chip) drive support.
* Quad Network support:
  o GREEN — Internal Trusted Network
  o BLUE — Wireless Semi-Trusted Network (can be used as a second Green)
  o ORANGE — DMZ for Internet accessed servers
  o RED — The Internet connected via:
    + Dial modem
    + ISDN
    + NIC Connected:
      # DSL Modem
      # Cable Modem
    + USB Connected (w/ right driver):
      # DSL Modem
      # Cable Modem
* Multiple “Real” IP supported on RED when using a Static IP base.
* DHCP client support on RED to receive IP from ISP, also support for a dynamic DNS to be updated as this IP changes.
* DHCP server for GREEN and BLUE to simplify network setup and maintenance.
* NTP server and client for setting IPCop clock and supplying a common clock for internal GREEN and BLUE networks.
* Intrusion Detection for ALL networks (RED, ORANGE, BLUE and GREEN)
* Virtual Private Network (VPN) to allow multiple sites to act as single large network.
* Proxy Support for both Web Surfing and DNS support allow for “faster” connection response and simplified network setup.
* Administration after initial load is via a secure Web Interface including:
  o Performance Graphics for CPU, Memory and Disk as well as Network throughput
  o Log viewing with autorotation.
  o Multiple language support.
* Use of older equipment. 386 or better. Version 1.4 has been tested on 486sx25 with 12M of RAM and 273M of hard drive. This was the oldest and smallest we could find at the time of test. It was loaded via the Net Install option and supported a full Cable Modem download speed of 3Mb/s.
Administration is done over an easy-to-understand web interface. And the best is: you can use old hardware for it (e.g. Pentium I with 32MB RAM and 800MB HDD)! :)
domino
17th August 2005, 01:06
Yes, nice read. I was just reading over at the main page while looking for a DNS client for linux. It also supports dynamic IP update at ZoneEdit and others. I think, once I have The webserver box stable, this is my next project.
PS. LOL, I didn't realize this thread was old. But would like to get users input though.
RocketScientist
9th April 2006, 22:10
I downloaded the ISO for that a while ago. I'm a little chicken to install it as of yet. Do I need to turn off NAT on my stupid little ActionTec DSL router?
I'll be throwing it on a dual P133 IBM PC Server 320. I wonder if it will allow me to turn off the kids' access to the Internet at certain hours.
falko
10th April 2006, 10:48
I downloaded the ISO for that a while ago. I'm a little chicken to install it as of yet. Do I need to turn off NAT on my stupid little ActionTec DSL router?
In fact, IPCop is a replacement for your router. So it's either IPCop or your router.
I'll be throwing it on a dual P133 IBM PC Server 320. I wonder if it will allow me to turn off the kids' access to the Internet at certain hours.
Yes.
linuxuser1
11th April 2006, 13:32
Hi falko,
In fact, IPCop is a replacement for your router. So it's either IPCop or your router.
Does it mean it's not a reliable or secure firewall? Or which other free firewall would you recommend?
Thanks.
falko
11th April 2006, 15:00
It's a very reliable and very secure firewall! Why do you think it isn't?:confused:
linuxuser1
11th April 2006, 17:19
hi Falko,
I was not trying to suggest that it's not secure. I was rather asking if it's secure. I have tried to install it sometime to complement my other firewall but later abandoned the idea.
Thanks.
falko
11th April 2006, 19:29
Yes, it's secure and reliable. :)
sbovisjb1
12th April 2006, 07:30
It's a good distro for firewalling. But if you really want to stay EVEN more secure, use distros (this may get me in trouble for EVEN mentioning this ;) ) such as backtrack linux and the hackthissite gentoo live cd <-- hard to find. I know that I will get some dirty looks by saying this, but I have used the HTS live cd to search for security vulnerabilities in the past. It has about 50 programs that promote port scanning and the such, and they are all in the popular network languages. It also comes with 200+ tutorials, so that you will never be stuck. To use the programs properly, you must scan/search/look for, a certain hole or "glitch" or vulnerability. The best way to go are with scanners that pick up real time info on what data is being transferred via the servers. Me and my friends have realized that if you use this on your own system, you can fix up a lot of problems very quick. Oh and Hackthissite was hacked and all its users' passwords were stolen, so it proves that you can never be too safe ;). And the HTS live cd can be found on pirate bay.org.
donanak
28th April 2006, 10:42
Hey people, I'm very much interested in on this topic and want to contribute a little.
Talking about ipcop, I think in my opinion it's the only firewall I was able to setup and play with. My quest for knowledge on firewalls came when I decided to host my own server (web/ftp/email/hosting) at home. For some time, I couldn't find any ready made distro/firewall like ipcop so I tend to go with smoothwall express (http://www.smoothwall.org). It was brilliant but they wouldn't support my Alcatel USB modem. I tried all the patches and everything, yet the same. I got their latest version of express codenamed Grizzly, which for some reason worked after one patch but it was a beta version and they've been quite slow with update and more stable version.
Then I found IPCOP, it met all my needs and was easy to install. Falko as you can see, I dropped you an email but you asked if I could put it up here. I don't know which forum is the best to post my stuff. Can you help?
IPCOP all the way but I'll give HTS a shot, if i find a copy.
Thanks guys for your good work.
falko
28th April 2006, 14:53
Falko as you can see, I dropped you an email but you asked if I could put it up here. I don't know which forum is the best to post my stuff. Can you help?
What kind of help do you need?
donanak
28th April 2006, 15:49
I have an IPCOP box working fine. On the orange I've connected a box which will be my server. I installed Fedora Core 5 and assigned ipaddress 192.168.1.1 and on the Orange interface on the IPCOP the ip is 192.168.1.0 all with subnetmask of 255.255.255.0.
My question: when I try to connect to the internet it reports an error: page cannot be found.
I put my IPCOP ip as the gateway to see if that will solve the problem but to my dismay, it's still the same error. I do not know if I have to do something somewhere to fix this error.
If I get help with this I can go on to install my server this weekend. Can I also use your howto guide for fedora core 5 x86_64 for just a x86 install as you mentioned that you'll need a tweak.
Thanks
falko
29th April 2006, 15:21
I have an IPCOP box working fine. On the orange I've connected a box which will be my server. I installed Fedora Core 5 and assigned ipaddress 192.168.1.1 and on the Orange interface on the IPCOP the ip is 192.168.1.0 all with subnetmask of 255.255.255.0.
You cannot use 192.168.1.0 as IP address, it's reserved (network address), the same goes for 192.168.1.255 (broadcast address). Use another one.
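The check falko describes, written out as an added example that is not part of the original thread: it flags zone addresses that fall on the network or broadcast address, lie outside the zone's subnet, or are assigned twice. The "as posted" plan uses the addresses from the question; the corrected plan (192.168.1.254 for the ORANGE interface) and the host names are constructed sample values.

```perl
#!/usr/bin/perl
# Added example (not from the thread): check an IPv4 address plan for a
# firewall zone. Host names and the "corrected" plan are constructed samples.
use strict;
use warnings;

# Dotted quad -> 32-bit integer; dies unless it is four octets in 0..255.
sub ip_to_int {
    my ($ip) = @_;
    my @o = $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        or die "not a dotted-quad IPv4 address: $ip\n";
    $_ > 255 and die "octet out of range in $ip\n" for @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

sub int_to_ip {
    my ($n) = @_;
    return join '.', map { ($n >> $_) & 255 } (24, 16, 8, 0);
}

# Returns the problems found in one zone plan (empty list = plan is fine).
# $plan = { netmask => '...', hosts => { name => ip, ... } }
sub check_zone {
    my ($plan) = @_;
    my $mask = ip_to_int($plan->{netmask});
    my $inv  = ~$mask & 0xFFFFFFFF;                  # the host bits
    die "non-contiguous netmask $plan->{netmask}\n" if $inv & ($inv + 1);

    my (@problems, %seen, $zone_net);
    for my $name (sort keys %{ $plan->{hosts} }) {
        my $ip   = $plan->{hosts}{$name};
        my $addr = ip_to_int($ip);
        my $net  = $addr & $mask;                    # all host bits cleared
        my $bc   = $net | $inv;                      # all host bits set
        $zone_net = $net unless defined $zone_net;
        # /31 and /32 have no separate network or broadcast address
        if ($inv > 1) {
            push @problems, "$name: $ip is the network address of "
                . int_to_ip($net) if $addr == $net;
            push @problems, "$name: $ip is the broadcast address of "
                . int_to_ip($net) if $addr == $bc;
        }
        push @problems, "$name: $ip is outside " . int_to_ip($zone_net)
            if $net != $zone_net;
        push @problems, "$name: $ip is already used by $seen{$ip}"
            if exists $seen{$ip};
        $seen{$ip} = $name;
    }
    return @problems;
}

my %plans = (
    'ORANGE as posted' => {
        netmask => '255.255.255.0',
        hosts   => { 'ipcop-orange' => '192.168.1.0', 'server' => '192.168.1.1' },
    },
    'ORANGE corrected (sample)' => {
        netmask => '255.255.255.0',
        hosts   => { 'ipcop-orange' => '192.168.1.254', 'server' => '192.168.1.1' },
    },
);

for my $title (sort keys %plans) {
    my @problems = check_zone($plans{$title});
    print "$title: ", (@problems ? "\n  " . join("\n  ", @problems) : 'ok'), "\n";
}
```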
Leszek
7th March 2008, 02:40
I like IP-Cop too. I used it quite some time ago and it works great on a very old computer (~300MHz/~196MB RAM/~100 computers). The only thing I'd need is an interface for setting/changing Ip Tables firewall rules.
Does anyone know of an extension for IP-Cop (or some other way), which makes it possible?
Elixa
10th March 2008, 05:35
Leszek - The only thing I'd need is an interface for setting/changing Ip Tables firewall rules. Does anyone know of an extension for IP-Cop (or some other way), which makes it possible?
--------------------------------------------------
Answer ... you need these two addons … for your IPCOP
1. BlockOutTraffic-3.0.0-GUI-b2
This addon is complicated & confusing in its rule writing ... but unlike its title suggests ... it is not just for blocking Out-Bound-Traffic. This addon has no major bugs … installs perfectly on most versions of IPCOP … and is a complete bi-directional rule writer. As an extra BONUS (one of the few that can) … this addon handles every kind of IP format range. You can be very specific with your rules. Many have asked similar questions about how to block certain IP-ranges within their intranets. With this addon you can rule in or out almost anything.
Note. For those taking this addon to the extreme … IP-Tables may only handle about 2500 rules before the rules go crazy … found this out personally using “BlockOutTraffic-3.0.0-GUI-b2” and “Iptablesgui-ipcop-0.1.0”.
2. Iptablesgui-ipcop-0.1.0
With this addon you can see … in near real-time (as fast as you can click it)… exactly how your rules appear in IP-Tables. Modify the rules in BlockOutTraffic and then view this addon to see how they look. This is a very handy addon, overall … less any outside connections attempts (see below).
--------------------------------------------------
Iptablesgui --- For the more serious IPCOP users … References to an update within the cgi page … that doesn’t exist from the parent company … could be removed. Removing the update reference calls from the page increases the refresh speed of the page a little … and perhaps improves security of your IPCOP as well.
After you have successfully installed “Iptablesgui-ipcop-0.1.0” …
If you leave your iptablesgui.cgi … default, the way it is … when you refresh the Iptablesgui page …
… your IPCOP will try to make a connection to … 87.169.30.220 "p57A91EDC.dip0.t-ipconnect.de"
If you modify “iptablesgui.cgi” … IPCOP will not make any UN-necessary outside connections when refreshing the Iptablesgui page!!! Below … is a copy of “iptablesgui.cgi” with REM Statements “#” inserted before the update checks.
cd /home/httpd/cgi-bin
edit “iptablesgui.cgi”
Start modification … Replace the entire contents with …
--------------------------------------------------
#!/usr/bin/perl
#
################################################################################
#
# IPCop iptables Web-Iface
#
# Copyright (C) 2007 Olaf (weizen_42) Westrik
#
# This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
#
#
# Dieses Programm ist freie Software. Sie können es unter den Bedingungen der GNU General Public License, wie von der Free Software Foundation veröffentlicht, weitergeben und/oder modifizieren, entweder gemäß Version 2 der Lizenz oder (nach Ihrer Option) jeder späteren Version.
#
# Die Veröffentlichung dieses Programms erfolgt in der Hoffnung, daß es Ihnen von Nutzen sein wird, aber OHNE IRGENDEINE GARANTIE, sogar ohne die implizite Garantie der MARKTREIFE oder der VERWENDBARKEIT FÜR EINEN BESTIMMTEN ZWECK. Details finden Sie in der GNU General Public License.
#
# Sie sollten ein Exemplar der GNU General Public License zusammen mit diesem Programm erhalten haben. Falls nicht, schreiben Sie an die Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA.
#
################################################################################
#
# For support post / read in http://www.ipcop-forum.de
#
# $Id: iptablesgui.cgi 161 2007-05-18 14:07:45Z weizen_42 $
#
# 2007-03 created by weizen_42
#
use strict;
# enable only the following on debugging purpose
use warnings;
use CGI::Carp 'fatalsToBrowser';
use LWP::UserAgent;
require '/var/ipcop/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
my $version = 'v0.1.0';
my $debug = 0;
##########
##################################################
## checking for new version
##my $addonname = 'iptablesgui';
##my $onlineversion = '';
##my $onlinelink = '';
##my $timestamplastcheck = '/var/ipcop/iptablesgui/lastcheck';
##my $flagdonotcheck = '/var/ipcop/iptablesgui/noversioncheck';
##################################################
##########
my $option_table = '';
my %cgiparams=();
$cgiparams{'ACTION'} = ''; # refresh
$cgiparams{'TABLE'} = 'filter'; # filter / mangle / nat / raw
$cgiparams{'CHAIN'} = '';
&Header::getcgihash(\%cgiparams);
if ( $cgiparams{'ACTION'} eq $Lang::tr{'refresh'} )
{
}
$cgiparams{'CHAIN'} = '' if ( $cgiparams{'TABLE'} eq 'BOT_FAQ_#11' );
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'iptablesgui title'}, 1, '');
&Header::openbigbox('100%', 'left');
# Found this usefull piece of code in BlockOutTraffic AddOn 8-)
# fwrules.cgi
###############
# DEBUG DEBUG
if ( $debug )
{
    &Header::openbox('100%', 'left', 'DEBUG');
    my $debugCount = 0;
    foreach my $line (sort keys %cgiparams) {
        print "$line = $cgiparams{$line}<br />\n";
        $debugCount++;
    }
    print " Count: $debugCount\n";
    &Header::closebox();
}
# DEBUG DEBUG
###############
##########
##################################################
##
## Check for new version
##
##&checkfornewversion($addonname, $version);
##if ( $onlineversion ne '' )
##{
## &Header::openbox('100%', 'left', $Lang::tr{'info'});
## print <<END
##<table width="100%"><tr>
##<td>$Lang::tr{'iptablesgui newversion'} <a href="$onlinelink" target="_blank"><b>$onlineversion</b></a></td>
##</tr></table>
##END
##;
## &Header::closebox();
##}
##################################################
##########
foreach my $table ( ("filter", "mangle", "nat", "raw", "BOT_FAQ_#11") )
{
    if ( $cgiparams{'TABLE'} eq $table )
    {
        $option_table = $option_table ."<option value='$table' selected='selected'>$table</option>";
    }
    else
    {
        $option_table = $option_table ."<option value='$table'>$table</option>";
    }
}
&Header::openbox('100%', 'left', $Lang::tr{'iptablesgui title'});
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'><table width='100%'>
<tr><td width='20%' class='base'>Table:</td><td colspan='3'><select name='TABLE'>$option_table</select></td></tr>
<tr><td width='20%' class='base'>Chain: <img src='/blob.gif' alt='*' /></td><td colspan='3'><input type='text' name='CHAIN' value='$cgiparams{'CHAIN'}' size='20' /></td></tr>
</table>
<hr />
<table width='100%'>
<tr>
<td width='70%' class='base' valign='top'><img src='/blob.gif' alt='*' /> $Lang::tr{'this field may be blank'}</td>
<td width='30%'><input type='submit' name='ACTION' value='$Lang::tr{'refresh'}' /></td>
</tr>
</table>
<hr />
END
;
# Run the wrapper for the selected table (and chain, if one was entered).
# TABLE and CHAIN are the form fields read by getcgihash above.
my $output = '';
if ( ($cgiparams{'TABLE'} eq 'BOT_FAQ_#11') || ($cgiparams{'CHAIN'} eq '') )
{
    $output = `/usr/local/bin/iptableswrapper $cgiparams{'TABLE'} 2>&1`;
}
else
{
    $output = `/usr/local/bin/iptableswrapper chain $cgiparams{'TABLE'} $cgiparams{'CHAIN'} 2>&1`;
}
# HTML-escape the wrapper output, then wrap lines longer than 120 characters
$output = &Header::cleanhtml($output);
(my @lines) = split(/\n/, $output);
print "<pre>";
foreach my $line ( @lines )
{
    $line = substr($line, 0, rindex($line, ' ', 120)) . "\n" . substr($line, rindex($line, ' ', 120)) if ( length($line) > 120 );
    print $line ."\n";
}
print "</pre>";
print <<END
<hr />
<table width='100%'>
<tr>
<td> </td>
<td align='right'>
<b><small><a href="http://www.ban-solms.de/t/IPCop.html" target="_blank">iptablesgui $version</a></small></b>
</td>
</tr>
</table>
</form>
END
;
&Header::closebox();
&Header::closebigbox();
&Header::closepage();
##########
##################################################
##sub checkfornewversion
##{
## my $addon = shift;
## my $version = shift;
## $onlineversion = '';
##
## if ( -e $flagdonotcheck )
## {
## return;
## }
##
## # only check if we are online and last check was some time ago
## if ( (! -e '/var/ipcop/red/active') || (-e $timestamplastcheck) && (int(-M $timestamplastcheck) < 5) )
## {
## return;
## }
##
###workaround to suppress a warning when a variable is used only once
## my @dummy = ( $General::version );
## undef (@dummy);
##
## my $ua = LWP::UserAgent->new;
## $ua->timeout(120);
## $ua->agent("Mozilla/4.0 (compatible; IPCop $General::version; $version)");
## my $content = $ua->get("http://ipcop-addons.ath.cx/version/$addon");
##
## if ( $content->is_success )
## {
## # compare the versions, format is v1.2.3
## $content->content =~ /v(\d+).(\d+).(\d+)/;
## my $ver1 = $1;
## my $ver2 = $2;
## my $ver3 = $3;
##
## $version =~ /v(\d+).(\d+).(\d+)/;
##
## if ( ($ver1 > $1) || (($ver1 == $1) && ($ver2 > $2)) || (($ver1 == $1) && ($ver2 == $2) && ($ver3 > $3)) )
## {
## $onlineversion = "v$ver1.$ver2.$ver3";
##
## $content->content =~ /http(.*)/;
## $onlinelink = "http$1";
## }
## else
## {
## # no news, recheck in a couple of days
## system("touch $timestamplastcheck");
## }
## }
##}
##################################################
##########
--------------------------------------------------
End modification … Replace the entire contents with …
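As an added example that is not part of the original post or of iptablesgui itself: the CGI above places the TABLE and CHAIN form fields inside a backtick command line, so a shell parses them. One way to call the same wrapper with validated fields and without a shell is sketched here; the chain-name pattern, its length cap and the sample submissions are assumptions.

```perl
#!/usr/bin/perl
# Added example (not part of iptablesgui): keep form input away from the shell.
use strict;
use warnings;

my $WRAPPER  = '/usr/local/bin/iptableswrapper';     # path used by the CGI above
my %TABLE_OK = map { $_ => 1 } ('filter', 'mangle', 'nat', 'raw', 'BOT_FAQ_#11');

# Build the wrapper's argument list from the two form fields.
# Returns an array ref, or undef when a field fails validation.
sub wrapper_argv {
    my ($table, $chain) = @_;
    # TABLE must be one of the values the form's <select> offers
    return unless defined $table && $TABLE_OK{$table};
    $chain = '' unless defined $chain;
    # Same branching as the CGI: no chain argument for BOT_FAQ_#11 or empty CHAIN
    return [ $WRAPPER, $table ] if $table eq 'BOT_FAQ_#11' || $chain eq '';
    # Assumption: chain names use only letters, digits, '_' and '-'.
    # A value that passes is also safe to echo back into the form's value=''.
    return unless $chain =~ /\A[A-Za-z0-9_-]{1,28}\z/;
    return [ $WRAPPER, 'chain', $table, $chain ];
}

# Run a command without a shell and return stdout and stderr as one string,
# which is what the backticks with 2>&1 produced.
sub run_no_shell {
    my (@argv) = @_;
    my $pid = open(my $out, '-|');           # fork; child's STDOUT is piped to us
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        open(STDERR, '>&', \*STDOUT) or exit 126;
        exec { $argv[0] } @argv;             # list form: no /bin/sh involved
        exit 127;                            # only reached if exec failed
    }
    local $/;                                # slurp mode
    my $text = <$out>;
    close $out;
    return defined $text ? $text : '';
}

# Constructed form submissions: [ TABLE, CHAIN ]
my @samples = (
    [ 'filter', '' ], [ 'nat', 'PREROUTING' ], [ 'BOT_FAQ_#11', 'ignored' ],
    [ 'filter', 'two words' ], [ 'filter', 'semi;colon' ], [ 'bogus', 'INPUT' ],
);

for my $s (@samples) {
    my $argv = wrapper_argv(@$s);
    printf "%-14s %-13s => %s\n", "'$s->[0]'", "'$s->[1]'",
        $argv ? join(' ', map { "[$_]" } @$argv) : 'rejected';
    # Only run the wrapper where it actually exists (i.e. on an IPCop box)
    print run_no_shell(@$argv) if $argv && -x $WRAPPER;
}
```

In the CGI itself, the two backtick lines would become a call to `run_no_shell(@$argv)`, with an empty result shown when `wrapper_argv` rejects the input.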
Elixa
29th August 2008, 05:37
Snort Rule Sets ... 2008.09.01 ... Labeled SOSI (so they all group together alphabetically)
____________
These (downloadable attachment files) are Snort rule sets for IPCOP and / or any other LINUX system using the SNORT sensor.
The following reference websites have / had (completewhois appears to have been shutdown) interesting IP-ranges to block and / or monitor. Unfortunately the bogon lists from completewhois may be dated these days.
Be advised that the Russian and Israeli IPdeny country block sets may be far too restrictive (besides that it negates the use of the fine Russian Business Network Host List (RBN) rule set from www.emergingthreats.net) ... for many users .... ie. false positives.
The 'sid:' rule numbers used in these sets do not conflict with the default Snort rule 'sid:' ranges nor the numbers used in rule sets from www.emergingthreats.net.
I have cherry picked (what I believe to be) the worst proxy antagonists on the net referenced from http://www.ipdeny.com . Perhaps it's a little hasty blocking an entire country because of a few questionable hits ... but rather safe than sorry. As for China and its satellites ... what's the point of letting them in?
Truth be known, a vanilla IPCOP takes care of most threats through the use of IPTABLES (with an exception to privileged ports 53, 67 and 68 … which your own service provider may likely 'try to' exploit ...
The usual disclaimer ... no guarantees to accuracy ... use at your own risk. (common sense ...I suppose … but don't let that scare you ... they work great). Recommended for private use only.
Enjoy … happy and safe secure surfing … :) Elixa
Original Sources ...
____________
http://www.completewhois.com/
http://www.ipdeny.com/
2008/08/31
<<<<<<<< - ALL UPDATED
<<<<<<<< - ADDED HONG KONG
http://www.spamhaus.org/
Spamhaus DROP List 8/14/08 - (c) 2008 The Spamhaus Project
http://www.team-cymru.org/
Team Cymru Bogon List v4.2 2008-05-27
Snort Rule sets ...
____________
sosi-active_bogon.rules
sosi-cidr_bogon.rules
sosi-country-arab.rules
sosi-country-china.rules
sosi-country-hong-kong.rules
sosi-country-iran.rules
sosi-country-iraq.rules
sosi-country-israel.rules
sosi-country-korea.rules
sosi-country-pakistan.rules
sosi-country-russian.rules
sosi-country-singapore.rules
sosi-country-taiwan.rules
sosi-country-thailand.rules
sosi-country-turkey.rules
sosi-spamhaus_drop.rules
sosi-team_cymru_bogon.rules
Rule View - As seen from Guardian (guardian_ipcop_1.4.16.tgz)
Elixa
1st September 2008, 21:45
guiports-1.6.2.tar.gz
From www.h-loit.de (www 'dot' h-loit 'dot' de) *(German only)
Reposted here for those who cannot download from original source and …
Included modification info below that is necessary for installation
into IPCOP v1.4.20 ... updated to IPCOP v1.4.21
This addon is a prerequisite to samba-0.2.1.tar.gz
To use samba-0.2.1.tar.gz the default IPCOP access port must be changed from
port 445 to something else … easily accomplished by using guiports-1.6.2.tar.gz
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Copy guiports-1.6.2.tar.gz
to /tmp/bot1/ (example)
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Enter terminal command:
tar -zxvf guiports-1.6.2.tar.gz
(before next step ... see modification below)
./install -i
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
For ... IPCOP v1.4.20 ... updated to IPCOP v1.4.21
edit 'install' ... line 245
change '1.4.18' to '1.4.21'
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
To view and use the addon go to IPCop/System/Gui Settings/
Enjoy ;-)
Elixa
1st September 2008, 21:58
samba-0.2.1.tar.gz
From www.h-loit.de (www 'dot' h-loit 'dot' de) *(German only)
For those who cannot download from original source … good luck ... as 18 mb was too large to upload here.
Included modification info below that is necessary for installation into IPCOP v1.4.20 ... updated to IPCOP v1.4.21
To use samba-0.2.1.tar.gz the default IPCOP access port must be changed from port 445 to something else … easily accomplished by using guiports-1.6.2.tar.gz
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Copy samba-0.2.1.tar.gz
to /tmp/bot1/ (example)
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Enter terminal command:
tar -zxvf samba-0.2.1.tar.gz
(before next step ... see modification below)
Command had to be executed from the console. (local machine)
./install -i
during install enter ... for example * (your personal network range) ... 192.168.0.0/16
later ... in the gui (global settings, advanced view) ...
... allow ... 192.168.0.0/16 *(your personal network range ... could be different)
... deny ... 0.0.0.0/0 *(these settings keep access limited to your personal network)
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
For ... IPCOP v1.4.20 ... updated to (IPCOP v1.4.21)
edit install ... line 705
change '2.4.34' to '2.4.36'
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
To view and use the addon go to IPCop/Services/Samba Server/
Check 'enable Samba Server ?' ...
... click 'save' ... then click 'start'.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
To login into the SWAT settings use the username and password for root user of IPCOP.
If using BlockOutTraffic 3.0.0 - Build 3 ...
Port 901 had to be opened ... 'IPCop access'
Default shared folder 'files'
Default username and password for shared folder 'samba:samba'
Enjoy ;-)
ernstavbro
29th October 2008, 11:19
this may sound stupid, but I cannot seem to find the link to download the ISO for IPCop!! When I go to ipcop.org, and click the download tab, i see the tgz files... ipcop-1.4.21-update.i386.tgz.gz and ipcop-1.4.21-sources.tgz...
could somebody point me to the right direction?
my apologies...
Leszek
29th October 2008, 13:31
Here You go: http://heanet.dl.sourceforge.net/sourceforge/ipcop/ipcop-1.4.20-install-cd.i386.iso