IPCop Firewall Review Part II

I have been testing IPCop Firewall for more than a week now. I only have two minor problems with IPCop; they are:

  1. By default, IPCop allows all connections to the Internet. This may be ideal for home users, but not for corporate users.
  2. By default, IPCop does not support NAT 1:1. Although we can modify the iptables script (/etc/rc.d/rc.firewall.local), it would be nice to have a GUI for it, similar to port forwarding and external access in the Firewall menu.

Other than that, overall IPCop is a good firewall, stable and easy enough to manage.

IPCop Addons
IPCop addons are a bit tricky to install. I have installed many addons; while most of them installed flawlessly, a few of them caused a big problem.

A Tip
Before you apply a patch or add an addon, please do it on your test machine and see how it goes. I spent an entire night fixing things after I installed an addon.

I will only talk about the addons that I had a problem installing.

BlockOut Traffic (BOT).
I had no problem installing this addon; the installation was easy, and the configuration is very straightforward. BUT after I downloaded and installed a modified kernel that supports layer7 filtering from http://www.mhaddons.tk/, BOT didn't work anymore.
Before the modified kernel, BOT blocked traffic successfully.

But after the modified kernel was installed, nothing was blocked.
Reinstalling BOT didn't solve the problem.

It seems that BOT and the modified kernel can't work together.

Finally I had to remove BOT and manually modify the iptables rules to block most of the ports.

Guardian

This one caused a very big problem. I downloaded the latest Guardian (v 2.4.9.7) from http://www.mhaddons.tk/, and when installing it I received an error. I'm not sure what kind of error; it said line error or something, but the installation process continued with no further errors.
Out of curiosity, I reinstalled Guardian, and that caused a big problem.
Connections to the IPCop server were blocked.
When I listed the iptables rules with the iptables -L command, it gave me a surprising result.

Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination

When I tried to run the iptables script manually, it gave me segmentation fault errors.

Panicking, I restarted the server; it still gave me iptables segmentation fault errors.

I realized that iptables had become corrupted.

Then I found out that I was still able to change the default policy from DROP to ACCEPT, so at least I could still access the server remotely and copy files.

No connections to the net were allowed except through the proxy.
Incoming and outgoing email was pending on the mail server.

I wasn't sure how I could restore the corrupted iptables.

After some trial and error, I manually copied the files in /lib/iptables and /sbin from the original IPCop ISO and then restarted.

It solved the problem.

All the iptables rules were applied and running; what a relief.

I know that I need to install the new kernel that supports layer 7 filtering, but I think that is enough for now. I would hate another surprise.
Regarding my previous tip, I am now looking for an unused, spare PC to become my test server. I will install every new addon there first and, after it installs successfully, I will install it on the live firewall.
I hope there are no more surprises.

I now run many addons on my IPCop, and they work wonderfully, but a test server would still be great.
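
The wiped state shown in the iptables -L listing above (every built-in chain empty with policy DROP) can be tested for after each addon install, on the test machine or on the live firewall. The script below is an added example, not part of the original post or of IPCop; the function and sample names are made up for illustration, and the healthy listing is constructed.

```shell
#!/bin/sh
# Added example: detect the state from the post, where iptables -L shows
# built-in chains with policy DROP and no rules at all.
# Reads `iptables -L -n` output on stdin, prints every built-in chain with
# policy DROP and zero rules, and returns 1 if any was found.
empty_drop_chains() {
    awk '
        function report() {
            if (chain != "" && policy == "DROP" && rules == 0) { print chain; bad = 1 }
        }
        $1 == "Chain" {
            report(); chain = $2; rules = 0; policy = ""
            # Built-in chains show "(policy X)"; user chains show "(N references)".
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) }
            next
        }
        ($1 == "target" && $2 == "prot") || NF == 0 { next }  # header, blank line
        { rules++ }
        END { report(); exit bad + 0 }
    '
}

# Listing as printed in the post.
wiped_sample() { cat <<'EOF'
Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
EOF
}

# Constructed listing of a loaded ruleset, for comparison.
healthy_sample() { cat <<'EOF'
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
EOF
}
# On the firewall: iptables -L -n | empty_drop_chains || echo "ruleset missing"
for s in wiped_sample healthy_sample; do
    if bad=$($s | empty_drop_chains); then echo "$s: ok"
    else echo "$s: empty DROP chains:" $bad; fi
done
```

Running the check before and after an addon install shows immediately whether the installer left the firewall without its rules.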
