Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Configuring IPCop Firewalls

samzenpus posted more than 7 years ago | from the protect-ya-neck dept.

Book Reviews 114

Ravi writes "IPCop is a GPLed firewall solution targeted at Small Office/Home Office network. It is favored by many for its ease of configuration and setup and its support for a variety of features that you would expect to have in a modern firewall. IPCop is famed for letting users setup a sophisticated firewall for ones network without ever having to write an iptables rule themselves." Read the rest of Ravi's review.

Configuring IPCop Firewalls published by Packt Publishing is authored by two people Barrie Dempster and James Eaton-Lee and is divided into 11 chapters. The first chapter gives a brief introduction to firewalls and explains technical concepts such as OSI reference model, an introduction to TCP/IP and a brief outline of the parts that comprise a network. Even though I did not find anything new in this chapter, I realized that this is meant for people who are new to the world of computer networks and aims to bring them up to date with the various technologies associated with it. A network administrator intending to pick up skills in configuring and setting up IPCop, can circumvent this chapter and go to the second chapter which gives an introduction to IPCop and its different features. The authors have explained the concepts in an easily understood way with the aid of necessary screen-shots. One of the salient features of IPCop is its web based interface which allows one to configure all aspects of it from a remote location. In fact, IPCop is designed to be controlled from a remote location and serves all its configuration parameters via the Apache web server.

In the second chapter, one gets to know all the features of IPCOP including the different services it offer. One thing that struck me while going through this book was that the authors are fully immersed in explaining the configuration aspects of IPCop which is done entirely via the web interface. Other than the first, third, and 10th chapter, where the readers are made to digest some theory, the rest of the book is as a how-to. I found this to be ideally suited for people who are the least bothered about theory and just want to set up IPCop and get on with what they were doing.

In the third chapter, we are introduced to the unique feature used by IPCop to segregate the network depending upon its vulnerability. And in the succeeding chapter, the authors walk one through installing IPCop. Here each and every installation step is explained with the help of a screenshot which makes understanding the procedure much more intuitive.

The chapter titled "Basic IPCop Usage" gives a good introduction to the web interface provided by IPCop. Reading this chapter, I was able to get a good feel for the IPCop interface. More specifically, you learn how to configure IPCop to provide different services such as DHCP server, support for Dynamic DNS, editing the hosts file and so on. The IPCop interface is quite rich in functionality even providing options to reboot or shutdown the machine remotely. In this chapter, apart from the introduction to the web interface, the authors have also provided a few tips related to logging in to the remote machine running IPCop using SSH.

Put in simple terms, IPCop is a specialized Linux distribution which contain a collection of tools which revolve around providing robust firewall capabilities. The tools bundled with IPCop range from the ubiquitous iptables, services such as DNS, and DHCP, to tools which specialize in intrusion detection such as snort.

The sixth chapter titled "Intrusion Detection with IPCop" explains the concept of intrusion detection and how one can use snort IDS bundled with IPCop to effectively find out what is passing through our network and thus isolate any harmful packets.

The book moves on to explain how to use IPCop to set up a virtual private network (VPN). By way of an example, the authors explain how to setup a VPN between two remote networks with each end having a IPCop firewall in place. This chapter covers different VPN scenarios such as host to net, net to net connections as well as configuring IPCop to detect the Certifying Authority certificates.

The 8th chapter is a rather short one which explains how to effectively use proxying and caching solutions available in IPCop to manage the bandwidth.

One of the biggest advantages of IPCop is that it is possible to extend it to provide additional features by way of add-ons. Add-ons are generally developed by third parties and are usually developed with an aim to provide a feature that the developers of IPCop have missed. There are a whole lot of add-ons available for IPCop. The 9th chapter introduces the most popular add-ons available for IPCop such as SquidGuard — a content filtering add-on, LogSend — an add-on which send the IPCop logs to remote email accounts, AntiSpam, integrating ClamAV anti virus solution and more. The authors have also explained how to install and enable these add-ons using the IPCop web interface.

The tenth chapter titled "Testing, Auditing and Hardening IPCop" has more of a theoretical disposition where the authors list some of the common attributes towards security and patch management and also some of the security risks and a few common security and auditing tools and tests.

One thing I really like about this book is the practical approach taken by the authors in explaining how to accomplish a certain task. Each section is accompanied by the relevant screenshots of the web interface with a brief explanation of the options available. The book is well designed with a number of tips provided in each section highlighted in big square brackets which makes it quite eye catching. Even though I found the book a bit short on theory, it is an ideal resource which provides a hands on approach to people who are more interested in installing and setting up IPCop firewall solutions in ones network rather than pondering about the theoretical concepts of the same.

Ravi Kumar likes to share his thoughts on all things related to GNU/Linux, Open Source and Free Software through his blog on Linux.

You can purchase Configuring IPCOP Firewalls - Closing borders with Open Source from Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Sorry! There are no comments related to the filter you selected.

Stop the Ubuntuization of Linux! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17135216)

If you can't handcode an iptables rule (including new chains) you don't deserve to have a Linux firewall, goddamn it.

Re:Stop the Ubuntuization of Linux! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17135356)

Are you shill, or just some loser?

Re:Stop the Ubuntuization of Linux! (4, Interesting)

MoxFulder (159829) | more than 7 years ago | (#17135802)

Why not? Using a user-friendly GUI to configure a Linux firewall is a great way to *LEARN* to use more advanced features down the road.

I am an experienced Linux user and do pretty much everything from the command line. But I find there is a lot to like about the new GUI utilities like gnome-system-tools, especially compared to their MS Windows counterparts.

One of the great things about most Linux GUI configuration utilities is that they use the *same* configuration files that you could edit by hand, and generally try to modify them in a human-readable way. For example, under Debian or Ubuntu, you can edit your /etc/apt/sources.list file by hand, or have Synaptic do it for you. Synaptic will correctly parse any changes that you make, and if it modifies the file, it will do so in an easy-to-read way. I recently installed Ubuntu for a friend of mine and explained to him that a good way to learn to use the command line configuration files is to play around with the GUI utilities and study the changes they make to those files.

Contrast this with Windows where a lot of things can ONLY be configured with the GUI utilities, which often write their changes to impenetrable, undocumented binary registry keys... very hard to track down. If you try to configure things from the command line in Windows, you'll run into inconsistencies. For example, Windows XP actually has an /etc/hosts file like Linux somewhere under the \winnt\system32 directory... I made the mistake of editing it by hand, and then trying to undo the changes with the GUI. The changes made by the GUI were somehow silently ignored, which led to a mistifying series of DNS problems.

So I see the gnome-system-tools style of GUI configuration tools to be a Very Good Thing. These utilities make configuration easier for many people, without preventing them from accessing the underlying configuration in a comprehensive manner, and without leaving the system in an inconsistent state.

Re:Stop the Ubuntuization of Linux! (1)

Howserx (955320) | more than 7 years ago | (#17136218)

I love the way nmapfe will give you the command that it is going to run. Choose a different checkbox then the command line changes. I wish more apps did this. I prefer command line but sometimes I don't feel like reading 100 man pages so I use the GUIs. Having the GUI tell me the command it is about to run would be awesome.

I should add that I don't do any real admin anymore. Most of slashdot would have assumed that the second I mentioned using a GUI.

Re:Stop the Ubuntuization of Linux! (1)

MoxFulder (159829) | more than 7 years ago | (#17136334)

I agree completely. nmapfe is great about that. When I know the command line options I want to use, I run nmap. When I don't, I fire up nmapfe and use it to LEARN the appropriate command line options.

GUIs done right, as front-ends for command-line programs or configuration files, can be very powerful and useful tools.

Re:Stop the Ubuntuization of Linux! (0)

Anonymous Coward | more than 7 years ago | (#17136796)

Mod parent up! It can be frustrating being able to on a GUI, it works, and you don't know what you have done.

Re:Stop the Ubuntuization of Linux! (1)

flyingfsck (986395) | more than 7 years ago | (#17141268)

Note that Windows has two hosts files: hosts and lmhosts. That, I guess, was just to keep it simple... ;)

Re:Stop the Ubuntuization of Linux! (1)

b0s0z0ku (752509) | more than 7 years ago | (#17136134)

If you can't handcode an iptables rule (including new chains) you don't deserve to have a Linux firewall, goddamn it.

So you want Linux to only be used by "geeks" and have *less* market penetration?


Re:Stop the Ubuntuization of Linux! (2, Insightful)

TrappedByMyself (861094) | more than 7 years ago | (#17136200)

So you want Linux to only be used by "geeks" and have *less* market penetration?

Nah, he just doesn't want his "1337ness" to go away as people realize that these things really aren't as difficult as they seem

Re:Stop the Ubuntuization of Linux! (0)

Anonymous Coward | more than 7 years ago | (#17138870)

Forget marketing, he just wants to receive *more* penetration.

Re:Stop the Ubuntuization of Linux! (5, Insightful)

Psiren (6145) | more than 7 years ago | (#17137092)

If you can't handcode an iptables rule (including new chains) you don't deserve to have a Linux firewall, goddamn it.

Spoken like a true computer scientist. I know, I used to be one. You see, the problem is you're spending too much time getting excited about the solution and not enough time looking at the problem.

It certainly doesn't hurt to have an understanding of the underlying mechanics of Linux based firewalls, but it shouldn't have to be a prerequisite of solving your problem. I've been a Linux user for 10+ years and I use IPCop at home. I'm familiar enough with iptables to solve any problems I might encounter, but I'm not interested in any more than that. I actually want to use my computers as tools, rather than spending all my time figuring out how to do something which should be easy.

Would you recommend every motorist should be able to strip their engine down and rebuild it? It just isn't feasible, or sensible.

Well said (1)

lullabud (679893) | more than 7 years ago | (#17139822)

I feel the same way. Geek out, then move up and balance.

Return those Linksys routers! (1)

lullabud (679893) | more than 7 years ago | (#17139724)

Linksys runs Linux, do you mean to say that everybody should return them?

Re:Return those Linksys routers! (1)

radu.stanca (857153) | more than 7 years ago | (#17140518)

Linksys runs Linux, do you mean to say that everybody should return them?

Actually I think only wrt54gl uses linux, all of they routers are using vxworks lately.

Find it here (4, Informative)

SpaceLifeForm (228190) | more than 7 years ago | (#17135280)

IPCop []

Re:Find it here (1)

pretorious (905586) | more than 7 years ago | (#17135940)

site is starting to buckle under /. effect... there is a .torrent in the wild for the 1.4.11 release

A "solution"? It's a distro. (2, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#17136618)

I think it would have been helpful to note somewhere in the review what IPCop actually is. It's a Linux firewall distribution.

Reading the review, I thought that it was some new packet filtering system, like an actual replacement/alternative to iptables that I'd just never heard about.

The review's introduction called it a "solution" which is a generic term for 'anything that does anything, somehow.' Not very descriptive.

Re:Find it here (1)

WuphonsReach (684551) | more than 7 years ago | (#17142042)

I see that it's still not easy to run IPCop v1.4 (2.4 linux kernel) under Xen v3 (2.6 kernel). Any word on when they'll be starting up v1.5 (with a 2.6 kernel)?

Re:Find it here (1)

mdhoover (856288) | more than 7 years ago | (#17142318)

Base operating system used is Linux From Scratch. It shouldn't be too much of a fight to get the frontend to work on a custom LFS/Cross-LFS build... I havent looked at their stuff but am fairly intimate with the OS build... may have a crack at it this weekend for shits and giggles...

The Truth (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#17135282)

OpenBSD + PF > Linux + IPCop > Cisco PIX > Sonicwall

Re:The Truth (1)

0racle (667029) | more than 7 years ago | (#17135758)

OpenBSD + PF > Cisco PIX > Linux + IPCop > nothing > Sonicwall

Personally I would prefer a PIX over a linux firewall.

Re:The Truth (1)

Howserx (955320) | more than 7 years ago | (#17136160)

I would prefer a Subaru Outback over the ford escort that I drive. Guess which costs less.

Re:The Truth (2, Informative)

value_added (719364) | more than 7 years ago | (#17136766)

Personally I would prefer a PIX over a linux firewall.

Well, if you can afford it, and don't mind learning IOS, great. Reading the replies thus far, it seems the home-user would prefer something else, although that something else seems to include everything but the kitchen sink.

Maybe it's me, but my idea of firewall is something that I manage over a serial cable that isn't doing anything else but handling traffic, and perhaps logging to an external box. A web server, DNS, DHCP, ClamAV, SquidGuard, etc. etc. etc., might be handy, but those are standard network services and belong elsewhere.

Seems like a good enough book, though. My vote is still with pf on a *BSD system. The pf FAQ [] is as well-written as any book, and the examples provided should allow even the novice user to be up and running in minutes. Pick up a Soekris box [] and Bob's yer uncle.

Re:The Truth (0)

Anonymous Coward | more than 7 years ago | (#17138496)

I'd personally go with WRAP instead of Soekris, much cheaper; unless of course you have the money to throw away or a good reason to choose Soekris (expensive) over a WRAP?

I'm running a full install of OpenBSD 4.0-STABLE (from release(8)) on one of mine with OpenSSH for RSync and SSHd, IPSec, PF + CARP + PFSync + AltQ, trunk, ifstated(8) (for ISP failover DDR), etc. etc. All file systems are created in an MFS and 'only' /usr is via flash (mounted read-only) (/usr in flash being optional too) - system right now runs using less than 10M RAM with only a 256M Compact Flash. Simply amazing what can be done with OpenBSD...

Another one does other things, but also has X for some things I use on it, in which I connect via XDM using the X-Server from Cygwin on my WinXP Desktop...

And of course, another one that runs only in MFS without any Flash Card installed, which does some really nifty things too.

If anyone's interested in knowing how - let me know... It's really easy to do, but I'm working on releasing a script to automate these types of setups - not limited to Soekris or WRAP though, but any Flash based media (USB, CF-IDE, CF, SD, etc.).

For those with little knowledge or who don't want to learn more, or who just prefer web based front ends for whatever odd reason, there's also [] that's worth mentioning - aside from M0n0wall and others...

Re:The Truth (1)

Niten (201835) | more than 7 years ago | (#17139186)

I pretty much agree with the way you sorted your chart of firewall uberness, but not everybody has the expertise to set up and use OpenBSD with PF. And as much as I wanted to run OpenBSD on my old PowerMac G4 router, the hardware support just wasn't there.

Linux might not make the most badass packet filter in the world or have OpenBSD's extreme security features, but as an all-around solution – taking into account ease of administration, hardware support, simplicity of installation, and performance – it (I'm particularly thinking of Debian here) compares very favorably to OpenBSD. PF is great, but in the real world not many people want to manually patch and recompile their kernels whenever a security vulnerability is announced. Especially not the kind of people that IPCop is targeting.

Re:The Truth (1)

robpoe (578975) | more than 7 years ago | (#17141372)

isn't that what [] is for?

Re:The Truth (1)

Niten (201835) | more than 7 years ago | (#17142070)

PFsense is a good way to get an easy PF-based firewall, but the OS isn't based on OpenBSD and so lacks the rest of OpenBSD's famous security features and code auditing track record. Which by no means is any reason not to use PFsense; my point is only that, no, PFsense isn't "for" an easy way to use OpenBSD instead of Linux on your home or small business router.

Re:The Truth (1)

jazman_777 (44742) | more than 7 years ago | (#17135892)

And how to configure an OpenBSD firewall is here [] .

Update on the link (1, Informative)

Anonymous Coward | more than 7 years ago | (#17135316)

For some reason the review links to B & N, but it seems that Amazon has it a few bucks cheaper [] . With a book this pricey, any savings are welcome.

Re:Update on the link (0, Offtopic)

drinkypoo (153816) | more than 7 years ago | (#17135556)

/. links to B&N instead of Amazon because of the one-click patent or some shit like that. Frankly I think they should be linking to someone a little less mass-market who could use the traffic, but whatever.

Re:Update on the link (1)

AngusSF (34059) | more than 7 years ago | (#17142388)


Bookpool: Configuring IPCop Firewalls: Closing Borders with Open Source []

$39.99 Configuring IPCop Firewalls: Closing Borders with Open Source: Books: Barrie, Dempster,James, Eaton-Lee Closing-Borders/dp/1904811361 []

$41.99 - Configuring Ipcop Firewalls: Closing Borders with Open Source : Barrie Dempster : ISBN 1904811361 s-closing-borders-with-open-source/q/loc/106/20330 4392.html []

If you're in the UK you get a huge 0% discount at TheReg:

1904811361/9781904811367: Configuring IPCop Firewalls: Closing Borders with Open Source :: The Register Books - The IT and Computer Book specialists
RRP £24.99 Save 0%
Our Price £24.99 htm []

Re:Update on the link (0)

Anonymous Coward | more than 7 years ago | (#17144004)

You can get it at 10% off and free delivery worldwide at Packt's web site: []

You can get an ebook version there cheaper too... $26.99.


David Barnes
Packt Publishing

Don't buy from slashdot link (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17135348)

buy it here [] . Sure it cost one penny more than BN. But for that one cent you can have the satisfaction of screwing slashdot out of their kickback.

Re:Don't buy from slashdot link (1)

djh101010 (656795) | more than 7 years ago | (#17135792)

But for that one cent you can have the satisfaction of screwing slashdot out of their kickback.

Seems to me the value-add provided by slashdot, by giving us a review of the book, to me is worth a "kickback". But of course, in any endeavor where the costs are only paid by those willing to do so, there will always be those who not just only take from it, but who do so while pretending they're somehow superior for doing so. (shrug) Whatever.

Re:Don't buy from slashdot link (1)

CRCulver (715279) | more than 7 years ago | (#17136084)

Slashdot gets money from advertisements regardless of whether some people reach into their pockets and buy books through a B & N link.

Re:Don't buy from slashdot link (1)

ScentCone (795499) | more than 7 years ago | (#17136276)

Slashdot gets money from advertisements regardless of whether some people reach into their pockets and buy books through a B & N link.

No, slashdot gets money from advertisements only if those advertisements perform for the people running the ads. How many times have you clicked those ads and then followed up by doing some business with one of the advertisers? Affiliate links to places like B&N or other vendors are just part of the wider revenue-generating efforts, and all of the techniques have good days and bad. Unless you're really complaining about the basic pursuit of raising enough money to run the site, pay the people who make it go, and keep it alive between slow periods, what are you complaining about?

Re:Don't buy from slashdot link (0)

Anonymous Coward | more than 7 years ago | (#17137322)

So you have a problem with people paying the bills, and possibly earning a profit. nice troll.

Moo (1, Insightful)

Chacham (981) | more than 7 years ago | (#17135370)

IPCop is famed for letting users setup a sophisticated firewall for ones network

It is "one's" not "ones". And, it would have been better to say "for their network".

Is *any* editting done?

Re:Moo (0, Insightful)

Anonymous Coward | more than 7 years ago | (#17135520)

Editting?? LOL. Brilliant tact.

Re:Moo (1, Insightful)

CastrTroy (595695) | more than 7 years ago | (#17135568)

I'm not sure about that. I always thought that when using a pronoun, the apostrophe is not used for the possessive. Examples are yours, its, hers, his, and possible ones, although I'm not really sure about how this applies to "one". Their is the plural term, so it should not be used when referring to the individual. Using "one" is sometimes what happens because there is no widely used gender neutral singular pronouns in English. It's fine just to use his or her, but some people think that's sexist.

Re:Moo (1)

operagost (62405) | more than 7 years ago | (#17135658)

"Their" applies here, because "users" is plural.

Re:Moo (1)

StikyPad (445176) | more than 7 years ago | (#17138106)

"Users" is plural, so "their" would be the proper pronoun. And yes, there is an apostrophe in the possessive form of one [] .

Re:Moo (0)

Anonymous Coward | more than 7 years ago | (#17135790)

You forgot to include:

" insensitive clod!!" ;)

Re:Moo (1)

tds67 (670584) | more than 7 years ago | (#17136188)

Me thinks u right. Mightily primitive with grammer, Slashdot is. Best too hold you're knows when reading, stink it do much so.

Speak for yourself (0)

Anonymous Coward | more than 7 years ago | (#17136440)

So, nobody points out 'editting'? Since when is that spelled tt? Get off the proper English bandwagon. You're not my English teacher and you certainly need your own spelling teacher.

Re:Moo (0)

Anonymous Coward | more than 7 years ago | (#17136536)

It's "No" not "Moo", is any editing done?

If you read Slashdot... (5, Informative)

b0bby (201198) | more than 7 years ago | (#17135386) probably don't need this book. IPCop is super easy to to set up & configure if you're even the slightest bit geeky. I really like it, but then I'm the slightest bit geeky.

Re:If you read Slashdot... (0)

Anonymous Coward | more than 7 years ago | (#17135470)

I would have to agree, its about as simple as the over the counter consumer level nat routers. The one thing that made me steer away from IPCOP and do it the old fashionned-linux way was the lack of multiple "green/blue/orange" networks.. or even multiple red networks for that matter.

Re:If you read Slashdot... (1)

rHBa (976986) | more than 7 years ago | (#17138420)

About 5-6(+?) years ago when adsl had just become popular in the UK, cheap, off the shelf firewall/routers weren't available and IPCop was still on IP chains, I bought an old Compaq deskpro off eBay, plugged in an Alcatel clamshell USB modem (the standard at the time) and installed IPCop on it in half a day, working from TFM and a HowTo.

Baring in mind this was my second only Linux install, my first being RedHat on a Dell laptop, and I'm far from a computer nerd, I would agree that this book is only for the computer illiterate or those who don't have the time to RTFM.

IPCop versus SmoothWall (2, Interesting)

intnsred (199771) | more than 7 years ago | (#17135448)

Does anyone knowledgeable want to contrast IPCop [] to SmoothWall [] ?

Advantages/Disadvantages? Pros/Cons?

Re:IPCop versus SmoothWall (5, Interesting)

TellarHK (159748) | more than 7 years ago | (#17135566)

I haven't followed the projects since way back, but IPCop was originally a fork of SmoothWall meant to stay completely Free after a "dickishness inclined" project founder pissed a good number of people off with particularly ugly actions and statements. Not to mention a downright hostile stance toward helping non-paid users and threatening critics with lawsuits (myself being one of the recipients of an indirect threat levelled against me through my college where I once hosted some email correspondence with some of the SmoothWall team) in order to silence people speaking up about issues with said founder being... well, a douchebag.

Re:IPCop versus SmoothWall (2, Informative)

il_diablo (574683) | more than 7 years ago | (#17135908)

I'll second that.

I was a paying user of Smoothwall, and the founder was still a total douchebag to me. I was reselling the product to some clients, having had such a good experience with the product in house (my small company of 6 people). There was quite a bit of angst trying to get him to take care of some relatively simple things in the ordering provide an actual physical product to the client.

Yes, I know it was downloadable. Yes, I know the point of open source/pseudo open source software. But if you're selling a *product*, at least *try* to act like you're an actual fulfillment channel.

Nice product, utter a-hole of a founder.

Re:IPCop versus SmoothWall (1)

gilesjuk (604902) | more than 7 years ago | (#17136794)

Luckily that guy has left now. I think someone vandalised his car and he had a re-think about his life.

Re:IPCop versus SmoothWall (1)

TellarHK (159748) | more than 7 years ago | (#17142472)

Couldn't happen to a douchebaggier douchebag.

Fortunately, I did hear some time ago that he left the project. Don't judge today's SmoothWall on yesterday's... douchebag.

Damn, I just love the word douchebag. It needs more usage.

Re:IPCop versus SmoothWall (0)

Anonymous Coward | more than 7 years ago | (#17143994)

Richard, the founder of Smoothwall, was obviously experiencing some very real personal problems at the time - I know as I was one of the people who had a very public "discussion" with him about the matter at the time.

As others have noted he left the project quite some time ago to concentrate on other things.

He is now active in another area and I occassionally read emails from him and he does not display any of the behaviour that characterised his problems at Smoothwall.

There is nothing to be gained from continuing personal attacks against him.

The licensing errors were resolved and Smoothwall now appears to be a successful project and successful business.

For my money the IPCop team are still preferable however as they are more a Free Software project than a for profit business.

Re:IPCop versus SmoothWall (1)

DenniRuz (245661) | more than 7 years ago | (#17135766)

IPCop is spun off of Smoothwall close to 5 years ago- I don't really have any complaints about smoothwall, but IPCop has a nicer look and feel to it as well as some enhanced features.


Re:IPCop versus SmoothWall (2, Informative)

jazman_777 (44742) | more than 7 years ago | (#17135984)

The guy running SmoothWall, in my opinion, made Theo de Raadt (OpenBSD) look like someone with whom you'd like to have a spot of tea and a lovely afternoon chat.

Re:IPCop versus SmoothWall (4, Informative)

sparkyradar (908639) | more than 7 years ago | (#17136238)

I've used SmoothWall, and found it easy to setup, and extend. At the time (several years ago) IPCop was a pretty new fork from SmoothWall, so they were nearly the same. The GUI tools were different, and (particularly important for the forkers) the developer-attitude was supposed to be much-improved with IPCop.

In terms of hardware, I was using a Pentium-166, which had *tons* of horsepower for this application (either IPCop or SmoothWall). The only thing was that it was older hardware, and about once a month it would sporadically die :-( Because of this, and also the 200W power-consumption, I eventually ditched it for a consumer-grade Netgear NAT/"firewall" thingy... I've never regretted this move! Be guided...

SmoothWall was a compacted Linux distribution, which allowed for the usual Linux apps to be added. Want to your your own ntpd for your home-LAN? No problem. Perhaps some fancy dchp-configuration options - again, no problem.


Re:IPCop versus SmoothWall (0)

Anonymous Coward | more than 7 years ago | (#17136824)

The owner of Smoothwall is a nutcase... here's an email from a user titled "Straight from the mouth of Richard Morell"

I've been a user of Smoothwall for quite some time, and while I've occasionally tried to help people in the alt.os.linux.smoothwall group, I have often recommended the use of Smoothwall over in

I've also stayed out of the various rounds of flaming in alt.os.linux.smoothwall group, as I didn't believe the things that were being said about Richard and the other members of the Smoothwall development team. This has all changed, and I will no longer recommend Smoothwall to anyone. [...]

Richards replies, in order, are presented below:

Richard wrote,

Grow up fuckwit

Ummm you're the knob who can't put one foot in front of the other.

Go to Waterstones buy a good sysadmin book or get on a course

either way fuck off


Fuck off

1) you arent a customer
2) you're a muppet
3) I deserve the respect - I earnt it - you don't

umm you're not a customer - you cunt

Have fun tomorrow ....

I've already made sure you'll be busy

Re:IPCop versus SmoothWall (0)

Anonymous Coward | more than 7 years ago | (#17141338)

My experience with Smoothwall and IPCop was both very similar. Smoothwall had most of what I needed, but not quite. Extending was made more difficult by the fact that there are no official extensions. Getting help on the forums never happened. I only asked a question 2 or 3 times, and either got no response, or just nothing that helped.

I tried IPCop sometime later. First thing I noticed was a bug that prevented me from changing any settings. I read the manuals, FAQs, and found nothing. Wrote to the forums, an admin tried to help, but didn't seem to know what he was talking about. A normal user, who had the same problem, told me how he fixed it. My solution was similar, but somewhat different. 2 hours debugging the thing, and that was my first day. IPCop also has the problem of no official extensions.

Filing a bug report, as well as feature request, for IPCop was a nightmare. Actually, the bug report went fine, but the feature request was deleted without explanation. Thinking that there was a bug in the software, I refiled, only to have it deleted again. Someone yelled at me (in writing) to stop filing the same feature request that they did not want to implement.

I get along well with the Debian, Ubuntu, and Damn Small Linux communities. I think both of these firewalls were forked from the same pile of poop. I hear that Astaro is good, but I understand that it is not FOSS, but is linux-based.

Other options (2, Interesting)

Jesterboy (106813) | more than 7 years ago | (#17135560)

Personally, I've always used m0n0wall [] since it can be run from a CD/floppy/flash drive, and the only experience I've ever had with IPCop was a bad one. I was working on a small project with a tight deadline, and it just completely failed at a crucial moment and I didn't give it a second look. Admittedly, it was configured by an idiot, so I am wondering:

What does IPCop offer that other options (m0n0wall, Smoothwall) don't?

What is the most barebones setup you can manage with it? By that I mean the smallest system requirements to get decent performance?

Re:Other options (2, Informative)

racermd (314140) | more than 7 years ago | (#17136516)

I've tried both m0n0wall and Smoothwall, but neither of them seemed as easy to use. IPCop is (to me) logically laid out and incredibly easy to configure with nothing more than the descriptions on each of the config pages in the GUI.

As for hardware config, I'm running a 1GHz P3 that I swiped out of a friend's PC that he was upgrading (long ago - a socket 370). It's got 256MB of RAM, and a 4GB disk, as well. This setup is *way* more than enough to run IPCop. One of it's advantages is a small system footprint, so it can run on things like the soekris [] boards. The newest model - the 4801 - is a 266MHz AMD Geode CPU w/ 128MB of RAM. That system is also fairly peppy for IPCop.

Another friend of mine is running on a P90 and 32MB of RAM. With the proxy features turned on, he'd hit the swap space pretty hard. He has since turned the proxy features off and is running a cable-modem connection into his whole house with it (about 8-10 devices).

I'm sure Smoothwall and m0n0wall are similar in their system requirements.

For me, IPCop is just much easier to figure out and use. I was considering getting the book, but I'm not so sure now that I've read the review. I've pretty much figured everything out.

Re:Other options (2, Informative)

Zuke8675309 (470025) | more than 7 years ago | (#17136874)

I've run ipcop on an old p166 with 32mb ram and a equally tiny hard drive (don't remember how big off hand) and it worked great for a network of 50 or so computers.

Currently I run two at our private school, one is an old ibm e-series celeron 800 and the other is a p3-450. I moved up in processor speed because the current two machines fit in my rack better. :)
Both perform flawlessly and continuous uptime would be over a year if we didn't have a long power-outtage a couple months ago. I just checked the cpu graph on the celeron 800 machine and the highest it hit was 15% in the past 24 hours. So that tells me that I could have a slower cpu and be ok. Obviously, it all depends on how many computers you'd be putting behind the ipcop.

I suspect that if you had a problem before with IPcop failing then it was most likely a hardware issue. A clean install is practically foolproof for anyone with even minor geek knowledge.

IPcop also works pretty well as a vmware virtual machine. There are a couple of vm images available for it this way too.

Re:Other options (2, Informative)

Charles Dodgeson (248492) | more than 7 years ago | (#17137202)

I can't speak to the difference between IPCop and Smoothwall, but the difference between those two and monowall is enormous. Monowall is designed to run on very small systems. I recommend it on a Soekris net4801 [] where monowall can fit on an 8MB Compact Flash card. If energy consumption and space are a concern for you than something like monowall is great.

If, however, you want to do any kind of proxying (Squid for example) or run larger services off of the firewall and you have some old spare machine to use than something like IPCop maybe the right way to go.

I like keeping a powerful and flexible firewall (monowall) as a unit by itself. If later, I want to add web proxying, I can always put that on a separate box, and simply set the firewall to only allow web requests from the proxy.

But there are plenty of cases, where I've recommended something like Smoothwall/IPCop.

Re:Other options (1)

jackb_guppy (204733) | more than 7 years ago | (#17140806)

486sx25 w/ 12M Ram, 270M Disk & 2x ISA 10Base-T. Loaded via diskette/network, so no cd-rom needed. Supports 5Mb/768kb Cable Modem at full rate.

I do not just use IPCop, I also test the LOW end.

Chapter 1 (1)

tsunamiiii (975673) | more than 7 years ago | (#17135582)

How to use a GUI

Preface (1)

lullabud (679893) | more than 7 years ago | (#17139576)

How to plug in things that need electricity

Snort and Firewall on Same Box? (1)

mpapet (761907) | more than 7 years ago | (#17135640)

I thought this was a bad thing.

For example, there was this [] compromise from last year. I don't know the status, but it just seems to me this isn't such a good idea.

I can think of a few other reasons why taking the Microsoft approach to a firewall distro isn't good. Most of which boil down to Linux's current status as "more secure" is easily discredited.

An analogy would be all of the features/applications are a long rope with which the distro hangs itself.

I'm thinking the firewall needs to be very hardended with logging information to monitoring tools on another box. Am I wrong?

I've deployed IPcop extensively (3, Interesting)

t0qer (230538) | more than 7 years ago | (#17135712)

Small real estate company with several sattelite offices around the bay area. Owner was cheap. Sometimes a cheap boss can force you to be creative, which can be fun.

Most of the IPcop firewalls in the sattelite offices are running on PII or less machines, with the main office on a P4 1.4ghz. Freeswan VPN's are setup between all the office.

Not much more to say than that. Other than a few upgrades (easily done through the web interface) my ipcop boxes have had uptimes around 2 years. Very awesome, reliable firewall.

I'm a fan but ... (1)

OffTheLip (636691) | more than 7 years ago | (#17136026)

I've used IPCop a few times doing some complex tasks (VPN's, VOIP, VTC) and have been generally satisfied with how things worked but look forward to the next major rev of the product based on the 2.6 kernel. The current IPsec implementation is OpenSWAN based and I prefer the native ipsec included with the 2.6. This by no means diminishes the effort of the IPCop team, it's a good product.

IPCop vs DD-WRT (2, Interesting)

bcnstony (859124) | more than 7 years ago | (#17136158)

I've used IPCop, both a couple years ago and for a while earlier this year. I was impressed by it both times, but was unhappy about the noise/heat/electricity of a box running 24/7. Granted, it had great features, but I really didn't use them, so I just replaced it with a WRT54G running DD-WRT (I stopped using sveasoft after I felt they weren't honoring the spirit, if not the letter, of GPL).

IPCop will permenantly dominate if someone manages to port it to the WRT54G. If I could have the amazing power of IPCop in a $50 silent box, that used little electricity, then I think IPCop would be on the edge of being a killer appliance.

(If you were hoping I was going to say one was better than the other, it's like asking which is better - a sandwich or a glass of water - it depends if you're hungry or thirsty)

Re:IPCop vs DD-WRT (1, Informative)

Anonymous Coward | more than 7 years ago | (#17136312)

I use a Turion 64 and a IDE Flash card / RAM drive... low power, no noise.

IPCop vs Firestarter? (1)

fuego451 (958976) | more than 7 years ago | (#17138290)

My router handles firewalling but I read some time ago that Firestarter is also a good GUI based firewall, is easy to use but with features for advanced use. How does it campare with IPCop?


Re:IPCop vs Firestarter? (1)

doodleboy (263186) | more than 7 years ago | (#17141364)

Firestarter and ipcop are completely different animals. Firestarter is a pretty cool firewall GUI for linux. It's pretty and easy to use. You can see the hits in real time, make firewall rules on the fly, etc., all without having to go anywhere near the iptables manpage. I would not hesitate to use firestarter on a laptop if I was travelling.

But for home or business use, I would definitely use a dedicated solution like ipcop. I have two internal networks, one wireless for the laptops and another for my linux boxes. The ipcop machine (an old k6/450, total overkill) protects all the computers in the house, provides caching dns, dhcp, ntp, IDS, transparent proxy, etc, for both networks. It doesn't solve every firewall problem, but it's very powerful, secure, and easy to configure.

There are millions of spare pcs lying around out there. I think even non-linux users should be able to install ipcop on some of them.

Copfilter... (2, Informative)

b0s0z0ku (752509) | more than 7 years ago | (#17136230)

Copfilter [] is an add-on for IPCop that provides spam and virus filtering using SpamAssassin, Clam, and proxSMTP. It can also filter incoming POP3 streams and even WWW traffic (but is sloooow doing it). Not terribly configurable, but handy if you need a quick spam appliance solution that Just Works. The only thing is that is doesn't seem to play nice when IPCop is running off a flash card and RAMdisk.

I'm using IPCop and Copfilter on a LinITX PC for a client and so far he's very happy with the results. LinITX is a mini-ITX PC slightly larger than a Linksys "blue box" router with built-in video/USB/AT (so you don't have to configure it via serial console!), three Ethernet ports, a flash disk slot, room for a 2.5" HDD internally, and 2 on-board IDE controllers - you can even temporarily hook up a generic internal CD-ROM drive for install purposes.


my only knock on IPCop (1)

Darth_brooks (180756) | more than 7 years ago | (#17136254)

IPcop has been a fantastic solution for my both at home and in some business solutions. Easy to manage, stable, and strong mailing lists for support.

But the only knock I have is roadwarrior VPN's & windows. Now I'm sure that part of the problem lies with trying to integrate the two. Net-to-net VPN's are ungodly easy and rock solid. I've tried jumping through the hoops to get a roadwarrior going with no luck, and the most common piece of advice I've seen is to use a third-party add on such as zerina. Damnit there's a VPN built into the distro, why not just use that?

Besides, I'm already running third-party AV and anti-spam solutions (copfilter has been outstanding) , I'm not interested in adding another layer of possible failure onto the machine.

Re:my only knock on IPCop (1)

denis-The-menace (471988) | more than 7 years ago | (#17136324)

FYI: There is an add-on for this.

Re:my only knock on IPCop (1)

Darth_brooks (180756) | more than 7 years ago | (#17137738)

FYI: There is an add-on for this.

Yes, there sure is. I mentioned zerina in my post.

Why can't i just go ahead and use the built-in VPN component? That's a usability area IPCop needs to improve. Net-to-net VPN's are simple. Roadwarrior VPN's....not so much.

imho (2, Informative)

coaxeus (911103) | more than 7 years ago | (#17136264)

I do firewall/VPN/security work for a living; I've tried/used Ipcop and nearly all of the products mentioned below and dozens more (m0n0wall, cisco PIX, cisco ASA, checkpoint, juniper, smoothwall, proxy bases firewalls, sonicwall, guarddog, watchdog, hommade linux/freebsd/openbsd/etc etc).
I personally vastly prefer PfSense over any of them for nearly all applications. []

Re:imho (0)

Anonymous Coward | more than 7 years ago | (#17136872)

it'd be nice to read some of yho's as to why this is the case, I'll check out pfsense in the meantime

Re:imho (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17139448)

From my perspective, the original poster has studied real implementations. After spending a lot of time with various firewall solutions, have arrived at the same conclusion. Pfsense took longer for me to figure out (2 hours instead of 1 hour), but I like its implementation of NAT better. I have had situations where the NAT in IPCop gives problems but Pfsense works. Reason: IPCop doesn't give true NAT.

If the above were not an issue, I'd probably run IPcop since I found it a bit faster to set up.

As a long-time user of IPCOP (1)

smellsofbikes (890263) | more than 7 years ago | (#17136322)

I'm going to have to get this book.
I'm one of those people midway between clueless AOL users and people who actually know what they're doing: I run all linux but don't actually know how to configure ipchains or the like. So I have an old (fanless 486) headless IPCop box downstairs, acting as a firewall and NAT. I got it set up and it's been running for six years, doing what I wanted, without me having to deal with it at all. Nobody (to the best of my knowledge) has ever gotten through it, and I do check the logs it generates on a weekly basis. It's been an enormous help: I don't have to set up DHCP, NAT, or a firewall, or figure out how to get a server and a couple desktops all connected without exposing myself to risks I don't understand. I'm nothing like a computer professional, I'm a lousy programmer, I don't understand most of the IT stuff I read on slashdot. IPCop isn't pretty, but it chugs along and does what I need. And, since I don't know what I'm doing, I can't figure out how to configure it to let traffic for SecondLife through, so I can't start playing SecondLife. Win-win situation!

Re:As a long-time user of IPCOP (0)

Anonymous Coward | more than 7 years ago | (#17142474)

Yep, I'm in exactly the same boat (right down to the fanless 486). ipcop works a treat, and the gui is nice... just wish I understood the terminology enough to get certain services through it. When googling, there seems to be a rather large gap between the absolute beginner information and the nitty gritty docs, and unfortunately I seem to have fallen into it.

Anyhow, my copy has been ordered and should make for nice xmas reading.

pfSense (2, Insightful)

korozion (127804) | more than 7 years ago | (#17136364)

I've used a lot of products like this. However I find pfSense a lot better.

Re:pfSense (1, Informative)

Anonymous Coward | more than 7 years ago | (#17136936)

Agreed 75%. Better, but not a lot.

I use both and never experienced a breach on one of them so I cannot give first person experience accounts on their security level. From a sysadmin point of view pfSense looks to me more stable and less prone to update failures, while ipCop supports more devices (I had problems with some wireless NICs under pfSense) but lacks multiple DMZs and other sometimes useful features.
Form a user point of view the IpCop folks should seriously consider grabbing some ideas from the extremely well designed and documented pfSense web interface: the IpCop interface simply sucks for multiple reasons, from the horrible logo to the absolute lack of visual integration with many extensions.
Other than these aspects I find both to be good products.

Re:pfSense (0)

Anonymous Coward | more than 7 years ago | (#17138556)

pfsense does, in fact, win the internet.

Re:pfSense (1)

robpoe (578975) | more than 7 years ago | (#17141396)

my only issue with pfsense is that if you don't have 128mb of ram, it constantly complains at you ... I use smoothwall ..

uptime (2, Informative)

Danzigism (881294) | more than 7 years ago | (#17136524)

IPCop is a great linux-router distro for old crappy machines as well.. i have it running at home on a pentium 133 with 32 megs of ram.. its been up 96 days without any problems at all.. the BSD based firewalls are great as well, but there's really not that much of a performance difference in my opinion.. they all do the same exact thing in the long run.. i guess its just a matter of your personal preference.. but for those of you who have an old piece just sitting in your closet, it'd make a great IPCop box.. incredibly easy to setup as well..

Save some money by buying the book at Ama (0)

Anonymous Coward | more than 7 years ago | (#17137552)

Save yourself some money by buying the book here: Configuring IPCop Firewalls [] .

SOHO is the target audience? (1)

SpecialAgentXXX (623692) | more than 7 years ago | (#17137954)

IPCop is a GPLed firewall solution targeted at Small Office/Home Office network
Seeing that the average SOHO user is not a computer geek, why would they be the target audience? I ask this because I can go to any online store and buy a $25 hardware firewall that has DHCP, SPI, DynDNS, etc. all built in and ready to go as soon as I plug it in. For IPCop, I would need another PC besides my business PC and make sure I didn't set it up incorrectly and accidentally expose any holes. Then if something goes wrong or breaks, I need to fix a PC vs. toss out the old hardware firewall and buy a new one.

Is there an advantage for the SOHO person to use IPCop vs. a small hardware firewall for their SOHO? It seems like IPCop would be an application that you embed in a small, cheap hardware firewall to sell to SOHO people.

$0 is less than $25 (1)

lullabud (679893) | more than 7 years ago | (#17139628)

In response to your first paragraph, for the past 4 years I've been running IPCop on a $0 Pentium 1 266mhz that my friend was going to throw away and I've had zero problems.

In response to your last question, they make images for the Soekris boards which are supposed to be used on CF cards.

Re:$0 is less than $25 (0)

Anonymous Coward | more than 7 years ago | (#17143804)

In this case $0 is NOT less than $25. The $0 PC probably uses significantly more power than the hardware firewall, so over even one year it is almost certainly more expensive (unless you have a source of 'free' electricity).

Re:SOHO is the target audience? (1)

jpop32 (596022) | more than 7 years ago | (#17140104)

Seeing that the average SOHO user is not a computer geek, why would they be the target audience?

The short asnwer is, because the comparable Cisco would cost you 10x as much. And, being a SOHO you probably can't even consider buying a Cisco.

Is there an advantage for the SOHO person to use IPCop vs. a small hardware firewall for their SOHO?

$25 HW firewall will work, but if you want _any_ other feature not present when you opened the box, you're stuck. With IPCop, you install a plugin or edit a file, and you have a new feature. The level of control is miles ahead of $25 boxes.

And, for some of the things IPCop does that small boxes don't, well... Proxying/caching, spam filtering, bandwidth shaping (based on ports, and with plugins based on protocol, IP, QoS or others), NTP server, remote logging, remote monitoring, intrusion detection (updated daily if needed), e-mail reporting/alerting... And whatever else they come up in new versions or new plugins.

Sure, if your technical expertise ends with being able to tell apart UTP from power cable, it's not for you. But, if you're at least capable of following online tutorials, you'll love it. Online resources, both from the developers and from the community are excellent (websites, wikis, mailing lists...). And, if you screw up, you can easily restore a backup in minutes.

As far as breaking goes, when you have it the way you like it, it's stable as a rock. I have _never_ had mine crash or malfunction. They stay up as long as they are plugged in.

pf please (2, Informative)

pkplex (535744) | more than 7 years ago | (#17138454)

IMO the IPCOP style firewall systems are only good for quite basic setups, mostly in the 'two nics, one external one internal' realm.

But if your firewalls need to have multiple nic's and such, running carp and pfsync, doing all sorts of funky stuff on each, then the web based things suck. The best ive seen is pfsense, but it still suffers from the whole concept of internal/external nic's instead of just letting me sort that shit out.

I use FreeBSD for all my firewalls now, with the exception of one pair of firewalls which I use openbsd with, only because obsd has the 'carpdev' option and FreeBSD does not, meaning I cant carp external IP addresses properly ( FreeBSD looks for the NIC with an IP on the same subnet as the desired carp IP ).

If you are looking after a semi complex network then IMO dont use IPCOP/Pfsense style setups, as nice as they may for some things.

Been using IPCop for a while... (2, Informative)

emotal (895565) | more than 7 years ago | (#17139292)

I work for a county hospital, so we don't get much money for equipment. So, a couple of years ago, when we out-grew our old firewall, I was forced to come up with a firewall solution for little or no money. So I took a spare pc and set it up with IPCop. We still use IPCop today, except now it is on a P4 2.4GHz pc with 1GB of ram. It services 600 devices that connect to the internet. I did have to make a few customizations for it, especially with the content filtering, since we have groups of ppl that need to hit only a few sites and nothing else. It has done a great job and the load rarely gets above 35%.

tu3girl (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17139606)

As possi3le? How

OpenVPN AddOn (2, Informative)

geronimo9 (656736) | more than 7 years ago | (#17140014)

I use IPCop at quite a few locations. My favorite addon is an openvpn module called Zerina. It can be found at

socks5 proxy (1) (630682) | more than 7 years ago | (#17142562)

Can IPcop be used as a socks5 proxy or which is the best socks5 proxy available as opensource and which is easy to administer etc ?

Beginner/Intermediate Networking (0)

Anonymous Coward | more than 7 years ago | (#17142608)

Basically anyways. This book makes an attempt to fill the first few chapters with basic network theory and read more like an intro to networking course book than anything I can compare it to. The pieces on ipcop are good for getting the theory but little is described as to the technology running IPCOP, or to define it's strengths and weaknesses compared to other platforms.

The IPCOP is a good platform for many applications, and out of the box makes for a great SOHO device. Without customizing the 'cops they're not being realized to their full potential, sections of the book outline this, but I would have preferred there have been more info regarding implementation.

All in all it is what it is, a pictorial to the use of an easy to configure device.

I would like to say, a security platform who's default SSH user is root doesn't exactly exemplify secure practices.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?