Live-CD Firewall Solutions?

paRcat asks: "My company isn't huge, and up until now has done well enough hosting all of our websites/email/etc. We've done all of this over one T1, but recently added another circuit for that rare instance of a fibercut. So since then I have been researching different options for configuring the existing Linux firewall (debian+iptables) to allow using the second circuit for load-balancing and failover. The issues I'm running into mostly have to do with recompiling the kernel using certain patches and creating semi-elaborate routes. Faced with these options, I'm wondering if there are any open source firewall projects out there that will behave happily with the above scenario. Do any free projects actually give this level of connectivity without being overly difficult in the configuration? I've gone the compile-your-own kernel route in the past, but now I'd just like to drop in a premade solution. A configurable live-CD would be perfect."

IP Cop

[Jsutton1027w]

From what I've read, it's great for a drop-in firewall, and it's on a live cd. ;)

Re:IP Cop

[SeeTheLight]

But, does it have load-balancing and failover features in it?

Re:IP Cop

[paRcat]

as far as i can figure out... no, not without patching. i looked at ipcop before submitting the article. ;)

Re:IP Cop

[flipper65]

I have to agree, we have been using IPCop for over a year and are very happy with it.

I suggest that you implement load balancing and failover in your router.

Firewall LiveCDs

[Anonymous Coward]

Several LiveCD Firewalls [frozentech.com]. Check out m0n0wall first.

Re:Firewall LiveCDs

[Chicago Wolves]

I highly recommend m0n0wall as well. It satisfies all of my firewall needs. I'm running it on a box that I found lying near a trash bin. 400Mhz AMD K6III, 64MB of RAM, CD-ROM, 1.44MB floppy, and a 200 watt power supply. Take a look at http://www.m0n0.ch/wall/ [m0n0.ch] for more info. It also has a nice webGUI that can be accessed from a connected computer. Take a look at these installation instructions first. http://www.m0n0.ch/wall/installation_cdrom.php [m0n0.ch]

Re:Firewall LiveCDs

[Chicago Wolves]

Kill yourself...

bonding

[Keruo]

bonding is better way to go with multilink
atleast if the operator on both of the links is same
you'll end up with one ip and both links in use, or you can configure the other to be failover

see /usr/src/linux/Documentation/networking/bonding.tx t for more information

M0n0wall

[Saiyine]

What about M0n0wall [m0n0.ch]?

Re:M0n0wall - you're crazy if you DON'T try it !!

[dezb]

Ok,

I'm going to clock in here with my experience to date with m0n0wall which has been fantastic ( no I don't own shares in anything to do with m0n0wall *grin* - wish I did !! ).

I have to say that from my experience to date with it, m0n0wall is without a doubt one of, if not THE, leading firewall platforms currently available in the open source world, and it's fair to say that I've had a thing or two to do with firewalls and security in general over the past 20+ odd years.

with years and years of hands on des

Re:M0n0wall - you're crazy if you DON'T try it !!

[silicon not in the v]

Wow, this is about the most detailed and informative post I have seen on Slashdot in quite a while. That's a great description of the features and advantages of m0n0wall.

It sucks that you haven't gotten a mod point yet for this, but I hope it will come your way. Meanwhile, I'll lend this reply with my Karma Bonus to try to draw attention to it. Good luck with that business venture of the firewall servers.

Re:M0n0wall - you're crazy if you DON'T try it !!

[chronicon]

That was an excellent review of m0n0wall!! I downloaded it immediately after reading it. You should submit it to DistroWatch!

I've been using IPCop [ipcop.org] w/ Cop+ [sourceforge.net] for content filtering. I don't suppose m0n0wall would have an add-on to do the same?

Re:M0n0wall

[TheMysteriousFuture]

if you're gonna run it on a PC, check out pfSense [pfsense.com] instead... it forked from m0n0wall awhile ago and is doing some great stuff.

fiber cut

[wotevah]

If the second circuit is through the same provider, I would think it's likely going through the same physical conduits as the first one, so I am not sure you're protected from the accidental fiber cut.

OpenBSD's CARP

[nuxx]

Sounds to me like you want to use OpenBSD's carp [openbsd.org]. Nice, open-source, easy to configure firewall fail-over solution.

Re:OpenBSD's CARP

[bonezed]

exactly what I was going to suggest

also pf syntax is a lot easier to understand than iptables

Re:OpenBSD's CARP

[nuxx]

That I agree with completely... iptables seems like such a nightmare. It may be flexible, but it's horribly obtuse. pf just makes sense straight away.

Re:OpenBSD's CARP

[anticypher]

I'd recommend an OpenBSD solution, more for the elegance of pf's route-to [openbsd.org] command for load balancing incoming and outgoing connections. CARP is good for multiple machines acting as a single gateway, but not for one machine with multiple links. Route-to is what I use for simple multi-provider load balancing installations, where one provider offers a small netblock (typically a /27 or /28), and the other providers are just ADSL/Cable with a single static IP address. BSD also offers OpenOSPF, so you can quickl

Re:

[account_deleted]

Comment removed based on user account deletion

m0n0wall

[M1FCJ]

if you can live with the shame of having a BSD system, the answer is monowall. It just works. The downside is you can't run seti@home on your firewall.

Re:shame?

[Slashcrap]

yes, I can live with the shame of having a rock-solid, Unix-based operating system such as FreeBSD (m0n0wall is FreeBSD-based). Grow up, boy!

I think he was probably referring to the shame caused by the inevitable accusations of necrophilia that afflict anyone who dabbles in "BSD".

Or maybe the total loss of a sense of humour.

Summary of distros

[bohlke]

DistroWatch has everything what you need (not only for firewalls):

http://www.distrowatch.com/ [distrowatch.com]

Devil Linux

[Anubis350]

I use Devil Linux [devil-linux.org], Works quite nicely. I hand edit the rules, but it comes with shorewall and is compatible with firewall builder. Comes with a nice config utility too.

Quagga/Zebra?

[Sedorox]

Don't you actually want something like quagga or zebra which can do fallover like you want? My guess would be to just look into this, then see what you can work out of it. Granted.. it isn't a "LiveCD" but then again... why do you want a firewall on a livecd?

Re:Quagga/Zebra?

[pyrrhonist]

why do you want a firewall on a livecd?

Because even 1337 h4><0r5 with m4d 5|<1llz can't write to it.

Astaro

[Glamdrlng]

Check out Astaro at http://www.astaro.com/ [astaro.com]. Full featured firewall, competitive with Checkpoint, but not 100% free as in beer. Price is certainly reasonable though, plus it's incredibly easy to install and manage.

Netboz, Smoothwall, and IPCOP

[Zakir]

Well....

Netboz is a solution... it runs off a CD and has many of the popular options.

instead of running it off of the CD, I suggest that you use one of the pre-configured firewall options that installs off of your hard drive. These are just as easy to configure, but host a lot more options and mods.

Smoothwall Express - http://www.smoothwall.org/ [smoothwall.org]

or even better yet, IPCOP at http://www.ipcop.org/ [ipcop.org]

Wolverine

[tverbeek]

You might be interested in Wolverine [coyotelinux.com], the more feature-rich, commercial cousin of Coyote Linux (which I have used contentedly for several years).

is FreeBSD an option?

[josepha48]

FreeBSD includes a utiltiy called cdboot, which makes makeing boot cd's really easy. Then in the ports their is freesbie also which makes a cdrom of a freebsd system.

I started there with FreeBSD and have trimmed my cdrom to about 64Meg cdrom, with dhcp, dns, httpd ( to monitor the firewall ) and ssh to make changes when needed ) and it works out well. I can make changes to the system as needed then the next cdupdate I include those changes in the cdrom. Its worked for about 2 years now.

PFSense

[I'mJVC]

Check out PfSense, originally based off M0n0wall, I've found it to have the best balance between features, stability and ease of use.

Right now it offers both Live CD or HD install option, and it's nearing a stable (1.0) release, try it...

http://www.pfsense.com/ [pfsense.com]

Ipcop..

[btk667]

You could use www.ipcop.org
work great with all nice plugins..

m0n0wall has to be seen to be beleived !!

[dezb]

Ok,

I'm going to clock in here with my experience to date with m0n0wall which has been fantastic ( no I don't own shares in anything to do with m0n0wall *grin* - wish I did !! ).

I have to say that from my experience to date with it, m0n0wall is without a doubt one of, if not THE, leading firewall platforms currently available in the open source world, and it's fair to say that I've had a thing or two to do with firewalls and security in general over the past 20+ odd years.

with years and years of hands on des

Re:m0n0wall has to be seen to be beleived !!

[baadger]

Dupe comment [slashdot.org]?

Re:m0n0wall has to be seen to be beleived !!

[dezb]

Yea, sorry - didn't think my first reply worked and tried to put it in the main area, need more practice!

Dez

Simple Man's Solution

[stan_freedom]

I have a similar scenario. We have a T1 for our primary Internet access and I purchased business-class cable as backup. Both routes come into NICs on the same linux iptables firewall server. I have a VERY simple script that I use to manually switch the gateway when problems happen. It's not automated, and it doesn't address load balancing, but it's quick and it works.

Obviously I have my DNS records set up to use the secondary route if the primary is unavailable. It wouldn't be too hard to add a watchdo

BGP

[snizfast]

Firewalls and redundancy have traditionally been two different things. My suggestion is to get a real router and to get a BGP feed from both your providers. This can also be done by software on a linux box but it won't be as stable or easy to support. A Cisco 2600 might be good enough for you. If your providers are going to be giving you're a full Internet routing table then you should have 512MB RAM. Also have both of your providers advertise your /24 subnet, anything smaller will be filtered out.

I

OT: hosting your own website?

[cerberusss]

My company isn't huge, and up until now has done well enough hosting all of our websites/email/etc

I fail to understand this. Why would anyone want to do hosting themselves, when there's a gigantic market with good, professional and cheap third parties?

Flexibility? How many times is the website altered? Does this weight against the uptime of a professional data center?

Re:OT: hosting your own website?

[lunitin]

Many administrators choose to host their own sites because of custom server configurations.

Often it is very hard to get a web hosting provider to compile in a custom module, or adjust a .ini setting that is necessary for your application.

Then there are situations like I am currently experiencing. My website runs perfectly on my development server that I maintain. Often times at the hosted site my pages will mysteriously load up blank. Wait a few seconds and reload and the page loads fine.

Support says there

http://www.jtan.com/jtanoss/cdboot/

[twoblink]

http://www.jtan.com/jtanoss/cdboot/ [jtan.com]

This is probably the answer you are looking for.

IPTABLES is shit, really, if you want legible firewall rules, built on a secure OS, try Ipfilter/PF on Open/Net BSD.