Live-CD Firewall Solutions?

paRcat asks: "My company isn't huge, and up until now has done well enough hosting all of our websites/email/etc. We've done all of this over one T1, but recently added another circuit for that rare instance of a fibercut. So since then I have been researching different options for configuring the existing Linux firewall (debian+iptables) to allow using the second circuit for load-balancing and failover. The issues I'm running into mostly have to do with recompiling the kernel using certain patches and creating semi-elaborate routes. Faced with these options, I'm wondering if there are any open source firewall projects out there that will behave happily with the above scenario. Do any free projects actually give this level of connectivity without being overly difficult in the configuration? I've gone the compile-your-own kernel route in the past, but now I'd just like to drop in a premade solution. A configurable live-CD would be perfect."
  • IP Cop (Score:2, Interesting)

    From what I've read, it's great for a drop-in firewall, and it's on a live cd. ;)
  • Firewall LiveCDs (Score:4, Informative)

    by Anonymous Coward on Sunday August 07, 2005 @03:39PM (#13265301)
    Several LiveCD Firewalls [frozentech.com]. Check out m0n0wall first.
  • bonding (Score:3, Informative)

    by Keruo ( 771880 ) on Sunday August 07, 2005 @03:39PM (#13265305)
    Bonding is a better way to go with multilink,
    at least if the operator on both of the links is the same.
    You'll end up with one IP and both links in use, or you can configure the other to be failover.

    See /usr/src/linux/Documentation/networking/bonding.txt for more information.
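    An added illustration, not part of the comment above: once two links to the same operator are bonded, the useful operational question is which slave is carrying traffic and whether the backup link is actually up. This script reads the bonding driver's status file (the same driver bonding.txt documents) and answers that. It runs against a constructed copy of /proc/net/bonding/bond0 so it works offline; the Debian interfaces stanza in the comment uses the ifenslave package's bond-* keys and the addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): read the Linux bonding driver's status
# file and report which slave carries traffic and which links are down.
# Uses a constructed copy of /proc/net/bonding/bond0 so it runs offline;
# point BOND_STATUS at the real file on a bonded firewall.
#
# A matching Debian /etc/network/interfaces stanza (ifenslave package) is
# assumed to look like this for an active-backup bond of eth0 and eth1
# (addresses are placeholders):
#
#   auto bond0
#   iface bond0 inet static
#       address 203.0.113.2
#       netmask 255.255.255.0
#       gateway 203.0.113.1
#       bond-slaves eth0 eth1
#       bond-mode active-backup
#       bond-miimon 100
#       bond-primary eth0

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Ethernet Channel Bonding Driver: (constructed sample)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 100 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:00:5e:00:53:01

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:00:5e:00:53:02
EOF
BOND_STATUS="${BOND_STATUS:-$SAMPLE}"

# active_slave FILE: print the interface the bond is currently sending on.
active_slave() {
  awk -F': ' '/^Currently Active Slave:/ { print $2 }' "$1"
}

# bond_mode FILE: print the configured bonding mode.
bond_mode() {
  awk -F': ' '/^Bonding Mode:/ { print $2 }' "$1"
}

# down_slaves FILE: print one line per slave whose MII link status is down.
# The bond-level "MII Status" line comes before any "Slave Interface" line,
# so it is skipped because no slave name has been seen yet.
down_slaves() {
  awk '/^Slave Interface:/ { s = $3 }
       /^MII Status:/ && s != "" && $3 == "down" { print s }' "$1"
}

# failure_counts FILE: print "iface count" for every slave; a rising count
# on one slave is the early sign of a flapping circuit.
failure_counts() {
  awk '/^Slave Interface:/ { s = $3 }
       /^Link Failure Count:/ && s != "" { print s, $4 }' "$1"
}

# bond_healthy FILE: exit 0 when every slave link is up, 1 otherwise.
bond_healthy() {
  [ -z "$(down_slaves "$1")" ]
}

# One-shot report, suitable for a cron job that mails or logs the result:
#   BOND_REPORT=1 BOND_STATUS=/proc/net/bonding/bond0 sh bond-report.sh
if [ "${BOND_REPORT:-0}" = 1 ]; then
  echo "mode:   $(bond_mode "$BOND_STATUS")"
  echo "active: $(active_slave "$BOND_STATUS")"
  if bond_healthy "$BOND_STATUS"; then
    echo "all slave links up"
  else
    echo "down:   $(down_slaves "$BOND_STATUS" | tr '\n' ' ')"
  fi
  failure_counts "$BOND_STATUS"
fi
```

    The point of the check is the one the comment glosses over: an active-backup bond keeps traffic flowing when one link drops, which also means nobody notices the drop unless something reads this file and complains. Bonding only applies when both links terminate at the same operator; two circuits from different providers need routing-based failover instead.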
  • M0n0wall (Score:4, Interesting)

    by Saiyine ( 689367 ) on Sunday August 07, 2005 @03:40PM (#13265308) Homepage
    What about M0n0wall [m0n0.ch]?
    • Ok,

      I'm going to clock in here with my experience to date with m0n0wall which has been fantastic ( no I don't own shares in anything to do with m0n0wall *grin* - wish I did !! ).

      I have to say that from my experience to date with it, m0n0wall is without a doubt one of, if not THE, leading firewall platforms currently available in the open source world, and it's fair to say that I've had a thing or two to do with firewalls and security in general over the past 20+ odd years.

      with years and years of hands on des
      • Wow, this is about the most detailed and informative post I have seen on Slashdot in quite a while. That's a great description of the features and advantages of m0n0wall.

        It sucks that you haven't gotten a mod point yet for this, but I hope it will come your way. Meanwhile, I'll lend this reply with my Karma Bonus to try to draw attention to it. Good luck with that business venture of the firewall servers.
      • That was an excellent review of m0n0wall!! I downloaded it immediately after reading it. You should submit it to DistroWatch!

        I've been using IPCop [ipcop.org] w/ Cop+ [sourceforge.net] for content filtering. I don't suppose m0n0wall would have an add-on to do the same?

    • If you're gonna run it on a PC, check out pfSense [pfsense.com] instead... it forked from m0n0wall a while ago and is doing some great stuff.
  • If the second circuit is through the same provider, I would think it's likely going through the same physical conduits as the first one, so I am not sure you're protected from the accidental fiber cut.
  • OpenBSD's CARP (Score:4, Informative)

    by nuxx ( 10153 ) on Sunday August 07, 2005 @03:58PM (#13265422) Homepage
    Sounds to me like you want to use OpenBSD's carp [openbsd.org]. Nice, open-source, easy to configure firewall fail-over solution.
    • exactly what I was going to suggest

      also pf syntax is a lot easier to understand than iptables
      • That I agree with completely... iptables seems like such a nightmare. It may be flexible, but it's horribly obtuse. pf just makes sense straight away.
    • I'd recommend an OpenBSD solution, more for the elegance of pf's route-to [openbsd.org] command for load balancing incoming and outgoing connections. CARP is good for multiple machines acting as a single gateway, but not for one machine with multiple links. Route-to is what I use for simple multi-provider load balancing installations, where one provider offers a small netblock (typically a /27 or /28), and the other providers are just ADSL/Cable with a single static IP address. BSD also offers OpenOSPF, so you can quickl
  • if you can live with the shame of having a BSD system, the answer is monowall. It just works. The downside is you can't run seti@home on your firewall.
  • DistroWatch has everything you need (not only for firewalls):

    http://www.distrowatch.com/ [distrowatch.com]
  • I use Devil Linux [devil-linux.org]; it works quite nicely. I hand edit the rules, but it comes with shorewall and is compatible with firewall builder. Comes with a nice config utility too.
  • Don't you actually want something like quagga or zebra, which can do failover like you want? My guess would be to just look into this, then see what you can work out of it. Granted, it isn't a "LiveCD", but then again... why do you want a firewall on a livecd?
  • Check out Astaro at http://www.astaro.com/ [astaro.com]. Full featured firewall, competitive with Checkpoint, but not 100% free as in beer. Price is certainly reasonable though, plus it's incredibly easy to install and manage.
  • Well....

    Netboz is a solution... it runs off a CD and has many of the popular options.

    instead of running it off of the CD, I suggest that you use one of the pre-configured firewall options that installs off of your hard drive. These are just as easy to configure, but host a lot more options and mods.

    Smoothwall Express - http://www.smoothwall.org/ [smoothwall.org]

    or even better yet, IPCOP at http://www.ipcop.org/ [ipcop.org]
  • You might be interested in Wolverine [coyotelinux.com], the more feature-rich, commercial cousin of Coyote Linux (which I have used contentedly for several years).
  • by josepha48 ( 13953 ) on Sunday August 07, 2005 @07:54PM (#13266302) Journal
    FreeBSD includes a utility called cdboot, which makes making boot CDs really easy. Then in the ports there is FreeSBIE also, which makes a CD-ROM of a FreeBSD system.

    I started there with FreeBSD and have trimmed my CD-ROM to about 64Meg, with dhcp, dns, httpd (to monitor the firewall) and ssh (to make changes when needed), and it works out well. I can make changes to the system as needed, then in the next CD update I include those changes in the CD-ROM. It's worked for about 2 years now.

  • PFSense (Score:3, Informative)

    by I'mJVC ( 459082 ) on Sunday August 07, 2005 @08:42PM (#13266425)
    Check out PfSense, originally based off M0n0wall, I've found it to have the best balance between features, stability and ease of use.

    Right now it offers both Live CD or HD install option, and it's nearing a stable (1.0) release, try it...

    http://www.pfsense.com/ [pfsense.com]
  • You could use www.ipcop.org
    It works great with all the nice plugins.
  • I have a similar scenario. We have a T1 for our primary Internet access and I purchased business-class cable as backup. Both routes come into NICs on the same linux iptables firewall server. I have a VERY simple script that I use to manually switch the gateway when problems happen. It's not automated, and it doesn't address load balancing, but it's quick and it works.

    Obviously I have my DNS records set up to use the secondary route if the primary is unavailable. It wouldn't be too hard to add a watchdo
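    An added example, not the poster's script: the manual gateway switch described above, turned into a small watchdog for a Debian/iptables box with two upstream links. It probes each circuit through a pinned host route, decides which default route should be installed, and only changes the routing table when the decision differs from what is already there, logging every switch to syslog. The gateway, interface and probe addresses are constructed placeholders from the documentation ranges, and the decision helpers are plain functions so they can be checked without network access.

```shell
#!/bin/sh
# Added example (not the poster's script): a default-gateway watchdog for a
# firewall with a primary circuit and a backup circuit. All addresses and
# interface names are constructed placeholders; set them for your own links.
# Only FAILOVER_RUN=1 touches the routing table; the decision helpers are
# pure functions so they can be tested offline.

PRIMARY_GW="${PRIMARY_GW:-192.0.2.1}"             # T1 next hop (placeholder)
PRIMARY_IF="${PRIMARY_IF:-eth1}"
PRIMARY_PROBE="${PRIMARY_PROBE:-192.0.2.254}"     # host reached only via the T1
SECONDARY_GW="${SECONDARY_GW:-198.51.100.1}"      # backup next hop (placeholder)
SECONDARY_IF="${SECONDARY_IF:-eth2}"
SECONDARY_PROBE="${SECONDARY_PROBE:-198.51.100.254}"

# Pin each probe address to its own circuit with a host route, so pinging it
# tests that circuit regardless of which default route is installed.
ensure_probe_routes() {
  ip route replace "$PRIMARY_PROBE/32" via "$PRIMARY_GW" dev "$PRIMARY_IF"
  ip route replace "$SECONDARY_PROBE/32" via "$SECONDARY_GW" dev "$SECONDARY_IF"
}

# link_state PROBE_ADDR: print "up" if at least one of two echo requests is
# answered within 2 seconds each, "down" otherwise.
link_state() {
  if ping -c 2 -W 2 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# choose_gateway PRIMARY_STATE SECONDARY_STATE: print which default route to
# use. The primary wins whenever it answers; the backup is used only while
# the primary is down; "none" leaves the table alone when both are dead.
choose_gateway() {
  case "$1:$2" in
    up:*)    echo primary ;;
    down:up) echo secondary ;;
    *)       echo none ;;
  esac
}

# route_command NAME: print the ip(8) command that installs that default
# route (printed rather than run, so it can be reviewed and tested).
route_command() {
  case "$1" in
    primary)   echo "ip route replace default via $PRIMARY_GW dev $PRIMARY_IF" ;;
    secondary) echo "ip route replace default via $SECONDARY_GW dev $SECONDARY_IF" ;;
    *)         return 1 ;;
  esac
}

# current_gateway: print the next hop of the installed IPv4 default route.
current_gateway() {
  ip -4 route show default | awk '$2 == "via" { print $3; exit }'
}

# run_once: probe both circuits, pick a gateway, and change the default route
# only when it differs from what is installed. Every switch is logged so an
# outage (or a flapping circuit) leaves an audit trail in syslog.
run_once() {
  p=$(link_state "$PRIMARY_PROBE")
  s=$(link_state "$SECONDARY_PROBE")
  want=$(choose_gateway "$p" "$s")
  case "$want" in
    primary)   want_gw=$PRIMARY_GW ;;
    secondary) want_gw=$SECONDARY_GW ;;
    *) logger -t gw-watchdog "both circuits down (primary=$p secondary=$s); leaving routes alone"
       return 1 ;;
  esac
  if [ "$(current_gateway)" != "$want_gw" ]; then
    logger -t gw-watchdog "switching default route to $want ($want_gw); primary=$p secondary=$s"
    eval "$(route_command "$want")"
  fi
}

# Run from cron every minute:  FAILOVER_RUN=1 sh gw-watchdog.sh
if [ "${FAILOVER_RUN:-0}" = 1 ]; then
  ensure_probe_routes
  run_once
fi
```

    Two caveats a practitioner would want stated. First, switching the default route only fixes outbound traffic; established NAT sessions still die, and the SNAT rules must produce the right source address for whichever interface is in use (a MASQUERADE rule per outbound interface does that; a fixed SNAT --to does not). Second, inbound connections arriving on the backup circuit's address still need their replies sent out that same circuit, which takes a policy route (ip rule plus a second routing table) independent of the default route; that is the "semi-elaborate routes" part of the original question, and it is what the ready-made distributions in this thread package up.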
  • Firewalls and redundancy have traditionally been two different things. My suggestion is to get a real router and to get a BGP feed from both your providers. This can also be done by software on a linux box but it won't be as stable or easy to support. A Cisco 2600 might be good enough for you. If your providers are going to be giving you a full Internet routing table then you should have 512MB RAM. Also have both of your providers advertise your /24 subnet; anything smaller will be filtered out.

    I
  • My company isn't huge, and up until now has done well enough hosting all of our websites/email/etc

    I fail to understand this. Why would anyone want to do hosting themselves, when there's a gigantic market with good, professional and cheap third parties?

    Flexibility? How many times is the website altered? Does this weigh against the uptime of a professional data center?

    • Many administrators choose to host their own sites because of custom server configurations.

      Often it is very hard to get a web hosting provider to compile in a custom module, or adjust a .ini setting that is necessary for your application.

      Then there are situations like I am currently experiencing. My website runs perfectly on my development server that I maintain. Often times at the hosted site my pages will mysteriously load up blank. Wait a few seconds and reload and the page loads fine.

      Support says there
  • http://www.jtan.com/jtanoss/cdboot/ [jtan.com]

    This is probably the answer you are looking for.

    IPTABLES is shit, really. If you want legible firewall rules built on a secure OS, try IPFilter/PF on OpenBSD or NetBSD.
