IPCop Firewall Review

Continuing from my previous post.

After discussing it thoroughly, we decided to give a software firewall a try. Better to postpone buying an expensive hardware firewall and first try the software firewalls, which are much cheaper (or free).

The Choices

There are many software firewalls, but after googling, searching, etc., the choices came down to four.

They are:

Then we chose IPCop.

Why IPCop?

First of all, I need to exclude m0n0wall and pfSense, not because they are bad software (from many reviews they are good software firewalls), just because I'm not that good with FreeBSD. :)

I know that both firewalls are already designed to be as simple as possible, but I'm afraid that sooner or later I would need to hack on them, which is what I want to avoid.

I'm much more familiar with Linux, and also with iptables, so now the choices are down to two.

I chose IPCop, maybe because of the small time frame I had; I was only able to look in a few places. In that short time I thought (maybe wrongly) that IPCop had more addons and more hacks available than Smoothwall.

But who needs addons if the firewall is already complete?

I know that IPCop alone is not enough, so besides IPCop I also downloaded many addons for it. They are:

With these, I think IPCop will easily beat most hardware firewalls.

Surprisingly, installing IPCop and those addons was simple enough. I had no problems at all.

Hack to allow NAT 1:1

The first problem I have had (so far) is that IPCop doesn't support 1:1 NAT. Some internal servers need a dedicated public IP, such as my mail server. Luckily there is a hack for it.

I copied the hack from the internet, but I forget the link.

We need to modify /etc/rc.d/rc.firewall.local:

#!/bin/sh
# Used for private firewall rules
# See how we were called.

case "$1" in
start)
    ## add your 'start' rules here
    # Added for zerina start - BEGIN
    /usr/local/bin/openvpnctrl --create-chains-and-rules
    # Added for zerina start - END
    # Added for MY_SERVERS outbound IP assignment - BEGIN
    /sbin/iptables -t nat -A CUSTOMPOSTROUTING -s 192.168.51.200 -o eth1 -j SNAT --to-source PUBLICIPADDRESS1
    /sbin/iptables -t nat -A CUSTOMPOSTROUTING -s 192.168.51.201 -o eth1 -j SNAT --to-source PUBLICIPADDRESS2
    /sbin/iptables -t nat -A CUSTOMPOSTROUTING -s 192.168.51.202 -o eth1 -j SNAT --to-source PUBLICIPADDRESS3
    # Added for MY_SERVERS outbound IP assignment - END
    ;;
stop)
    ## add your 'stop' rules here
    # Added for zerina stop - BEGIN
    /usr/local/bin/openvpnctrl --delete-chains-and-rules
    # Added for zerina stop - END
    # Added for MY_SERVERS outbound IP assignment removal - BEGIN
    /sbin/iptables -t nat -D CUSTOMPOSTROUTING -s 192.168.51.200 -o eth1 -j SNAT --to-source PUBLICIPADDRESS1
    /sbin/iptables -t nat -D CUSTOMPOSTROUTING -s 192.168.51.201 -o eth1 -j SNAT --to-source PUBLICIPADDRESS2
    /sbin/iptables -t nat -D CUSTOMPOSTROUTING -s 192.168.51.202 -o eth1 -j SNAT --to-source PUBLICIPADDRESS3
    # Added for MY_SERVERS outbound IP assignment removal - END
    ;;
reload)
    $0 stop
    $0 start
    ## add your 'reload' rules here
    ;;
*)
    echo "Usage: $0 {start|stop|reload}"
    ;;
esac

Rgds Simon.

Here 192.168.51.200 to 192.168.51.202 are your servers and eth1 is your red interface.
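As an added example, not from the post or from the hack's author, here is a table-driven version of the SNAT block above that validates each address and prints the iptables commands instead of running them, so the mapping can be checked before it goes into rc.firewall.local. It assumes the same CUSTOMPOSTROUTING chain and red interface eth1, and uses constructed addresses from the 203.0.113.0/24 documentation range in place of the PUBLICIPADDRESS placeholders.

```shell
#!/bin/sh
# Added example (not from the post): table-driven generation of the
# CUSTOMPOSTROUTING SNAT rules from the 1:1 NAT hack. Prints the
# iptables commands rather than running them.

RED_IF=eth1   # red (Internet) interface, as in the hack

# Constructed mapping "internal-server public-ip"; 203.0.113.0/24 is the
# documentation range, standing in for the PUBLICIPADDRESSn placeholders.
SNAT_MAP="
192.168.51.200 203.0.113.10
192.168.51.201 203.0.113.11
192.168.51.202 203.0.113.12
"

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# snat_rules start|stop [MAP]: print one iptables command per mapping line
# (-A on start, -D on stop). Stops with status 1 at the first invalid
# line, so check the status before piping the output into sh.
snat_rules() {
    case "$1" in
        start) op=-A ;;
        stop)  op=-D ;;
        *) echo "usage: snat_rules {start|stop} [MAP]" >&2; return 2 ;;
    esac
    echo "${2:-$SNAT_MAP}" | while read -r lan pub; do
        [ -n "$lan" ] || continue
        if ! is_ipv4 "$lan" || ! is_ipv4 "$pub"; then
            echo "snat_rules: invalid mapping '$lan $pub'" >&2
            exit 1   # ends the pipeline subshell; the function returns 1
        fi
        echo "/sbin/iptables -t nat $op CUSTOMPOSTROUTING -s $lan -o $RED_IF -j SNAT --to-source $pub"
    done
}

# In rc.firewall.local the start and stop branches would then run
#   snat_rules start | sh        and        snat_rules stop | sh
```

Note that these POSTROUTING SNAT rules only rewrite the source address of traffic leaving the servers; inbound connections to each public IP still have to be forwarded to the server with IPCop's port forwarding (DNAT).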

BlockOut Traffic

By default IPCop allows all outgoing traffic from Green (the internal LAN) to Red (the Internet). I needed to limit that so that only a few ports are allowed for users. This is solved with BOT (BlockOut Traffic).

Advanced Proxy, URL Filter, Update Accelerator and Calamaris

Advanced Proxy, URL Filter, Update Accelerator and Calamaris are a big help on the proxy server. Advanced Proxy replaces the standard web proxy in IPCop with a new and more advanced proxy. URL Filter blocks certain web sites, Update Accelerator caches updates for Windows (Windows Update and the like), and lastly Calamaris produces proxy reports.

Nice.

Cop Filter

Cop Filter is another excellent addon; it scans HTTP, FTP, SMTP and POP3 traffic for viruses. It can also detect spam. But somehow it slowed down my HTTP and POP3 connections. It took an extremely long time to download emails from an external POP3 server, so I had to disable Cop Filter until I solve the problem.

Zerina

This adds OpenVPN support to IPCop. The installation and configuration are easy enough, even for a newbie like me.

IPCop Summary

IPCop is a good firewall, and with addons you can have a complete firewall package. I have only tested it for a few days, so it is still in testing. But so far it works flawlessly.

If only I could export all the logs to CSV files, but maybe I am asking too much of free software :).

3 Comments

  1. Comment by valdrin:

    Nice by ipcop linux but I don't know how to stop clients by chosen date and control them.
    e.g.: 25/08/2008 to 25/09/2008 and ipcop stops internet access automatically on this date!
    Is there any module?
    I still work with ipcop and love it.
    Valdrin

  2. Comment by N1N1:

    When you do a review, I would expect to see the version you tested in order to see if a newer version includes the missing features you talk about.

  3. Comment by petthok:

    @valdrin: it is possible with the Conn Scheduler addon. http://www.ban-solms.de/t/IPCop-connscheduler.html
