Friday, August 28, 2009

IPCop Firewall 2.0 - Coming Soon to a Network Perimeter Near You!

IPCop 2.0 will be here soon - I just downloaded and installed a beta version of IPCop 2.0 - IPCop 1.9.7 on a Virtual Box on my Macbook Pro. I don't know why, but they're playing it pretty close to the vest. There is virtually no mention of 2.0 on the web site unless you click on the Road Map link - which lays out 2.0's intended features. From the looks of 1.9, it's coming along rather nicely. I'll review the highlights and show you some screenshots.

/edit 11-Apr-2011
It seems a heroic few have soldiered on and are slowly moving toward what will be IPCop Version 2.0.  Despite the fact that there hasn't been a new stable version in quite some time, the IPCop version 2.0 is still under development - a new test version 1.9.19 has been released - you can find the test versions at  Looking at their timeline it would seem that documentation is half finished, and many features are at 80% and 90%.  It seems that traffic shaping has not begun implementation, don't even think about using a dial-up modem (my Granddad still uses one - no kidding!)

If you've never heard of IPCop I'll give you a quick rundown: it's a Linux distro that you load into a crappy old PC - they've tested it on a 486 with 64MB of RAM, and it worked at a reasonable speed! You replace your network firewall with this baby and you gain all the power and flexibility of a Microsoft ISA Server (without the hassles and expense) or a Cisco PIX Firewall (again, without the hassles and expense!). Believe me, this thing is easy and fun. For install instructions and tutorial (version 1.4.x at this time, but easily applied to 1.9.x, or even 2.0 once it arrives) check out this Instructables Article.

I spent some time looking for documentation prior to installing the Beta, and found nothing but complaints about install problems or enigmatic questions wondering when 2.0 will be available. Wonder no more: the Beta is available now, and you can test it out to your heart's content. In fact, I encourage it - the more people that download the software and try it out, the more feedback will be given to the developers, and the odds are that a few people who install it will know a thing or two about development and make some serious contributions.

Why haven't I contributed? I have! I'm spreading the word! The developers get a golf-clap: by downloading the software you show interest, and no one wants to develop software that no one is interested in. I'd contribute more if I knew how to code and script - I know code and script, but I'm a total script-kiddy: I understand the fundamentals and can manipulate the system once it's made. It's like knowing how to drive, fine-tune, and even fix an automobile, but ask me to fabricate a new piece or improve on the existing engineering and I'll have to pass. I'm confined to standing on the shoulders of giants.

IPCop v2.0 is a development of v1.4, but incorporates some significant improvements.

    • Linux kernel 2.6.27
    • New hardware support, including Cobalt, sparc and PPC platforms.
    • New installer, which allows you to install to flash or hard drives, and to select interface cards and assign them to particular networks.
    • Access to all web interface pages is now password protected.
    • The port for https secure connections has been changed to 8443.
    • Redirection from ports 81 and 445 will not work.
    • A New Look User Interface, which includes:

    • A new Scheduler Page, on the System Menu, where you can program various events.
    • More pages on the Status Menu including new pages for System Info, Traffic Accounting, and IPTables, as well as an overhauled page for Connections.  The entire Firewall Menu has been overhauled, and the Pinholes and Port Forwarding are now controlled by Firewall Rules. (This feature set rocks - the port forwarding worked great in 1.4.x, but the "pinholes" made no sense to me.)
    • An updated Proxy Page, now with advanced control features. (The "Advanced Control Features" are Marco Sonderman's AdvProxy addon for IPCop 1.4.x rolled into the new distro so you no longer have to install it separately. Thanks, Marco!)
    • There's a simplified DHCP Server Page. And underneath, dnsmasq has replaced dhcpd as the DHCP server.
    • The Time Server Page has also been simplified, as IPCop now uses ntpd fully.
    • OpenVPN has been added to IPCop, as an alternative to IPsec. (Whither Zerina? I'm guessing Zerina was rolled into this distro, too. Bravo! At the time of writing the Zerina site was down, here is the Google Cached Page Link)

On the flipside, snort Intrusion Detection System has been dropped from IPCop v2.0, to become an Addon. (I didn't use this - the Sourcefire rules update was an onerous burden, there were too many false positives, and it's strictly reactive - great forensic evidence after the crime is committed but hardly a way to prevent the crime in the first place!)

All in all, I'd say that these are milestone improvements - the install time is drastically reduced by rolling two of my favorite addons into the distro, multiple interfaces with separate IPs may be set up in each zone (2 Reds, one on the Fiber Line, one on the DSL backup?) making this a much more flexible system. I'm glad I stocked up on extra Ethernet adapters!

Oh, and a word to the wise: This is a BETA, don't use it for a production system, use it for testing and development. The manual is certainly less than complete, and I'm certain that many features are half-baked, so you'll experience some headaches if you stake your business on 1.9.x.


      Anonymous said...

      Great Review. Good to see the links.

      I have contacted the Author of the Zerina Package. I helped do the documentation for the package. Use that package heavily and works bullet proof.

      Will be interesting to see the openvpn implementation and hope maybe that there is an option to import in the zerina content, good thing is that content is ipcop/openvpn directory.

      Thanks for the review.

      Mike T. said...

      Glad to hear that IPcop is moving forward! I have been a user / fan of IPcop for many years. However one thing that was a bit lacking was in the area of easy VPN setup.

      I have been able to get VPN going with zerina and XP machines on the outside, but have not been successful using Windows 7 machines.

      Hopefully this issue will be resolved with integrating Zerina into version 2.0. Hopefully they will do that.

      Anonymous said...

      Even if I love Linux I think pfsense is the way to go. IPCop may be good but pfsense is way more complete IMHO

      Anonymous said...

      IPCop is FAR better than PFSense unless you want to spend much of your life in technical hell. IPCop is such an under-rated Firewall/IDS, yet has all the facilities that blow the others away.

      Justin said...

      IPCop vs. pfSense?

      I've been using them both on similar hardware (in fact I've reloaded some IPCop boxes with pfSense) and have found that each one has advantages and disadvantages suiting each to a unique role.

      IPCop is simply the best firewall for home, small-office, and home-office use. Simple setup and configuration, usually solid network performance, and excellent site-to-site VPN capabilities. Add-ons are easy to install if you don't mind using the command line, and I love the command line! It does an excellent job as a simple firewall - I have loved it for the six years that I have been using it. My issues with it have been:

      *Poor Squid Proxy and URLFilter performance

      *Zerina plugin required for mobile vpn users (and it takes a trick to install it on newer versions of IPCop)
      *IPSec VPN clients cannot work from behind an IPCop

      *Poor support for locations with multiple subnets

      *Lack of updates or progress on the new version

      PFSense is perfect for small and medium businesses - simple to install, it gets up and running as quickly as IPCop. Initial configuration is a bit murky, but the documentation is complete in this regard. Support for multiple adapters and subnets means that it can replace routers as well as firewalls and supports WAN failover - this flexibility comes at the expense of adding some complexity to the system. Firewall is very fine-grained, again a technical hurdle for those who are inexperienced with firewalls, but appreciated by us control freaks. Add-ons are installed through the web management GUI, have had very little need to spend time in the command shell. The network usage and diagnostics reports are excellent. Excellent VPN support.

      My problems with pfSense are:

      *Poor Squid and Squidguard performance
      *Incomplete documentation
      *Complex firewall rules
      *Squid and Squidguard addons are not as easy to set up and manage as IPCop once they are installed.
      *Squid reports are virtually nonexistent (sorry, Lightsquid is too rough around the edges!)