Bootable CDROM-based Firewalls?
DNapalm asks: "I work at a small local ISP that is in desperate need of a firewall. We don't have much of a budget, so a hardware-based solution (which I'd prefer) really isn't an option. I've been searching around the web for firewall distributions, and I know what I am looking for. I'd like a boot CD (no install required, no filesystem hacking, just reboot) that stores the configuration on a floppy (that we can easily write protect). It should have a web interface and be able to log to a hard drive or some other machine. Some distributions I've found that seem close are Sentry Firewall, Devil-Linux, NetBoz, ClosedBSD, and Keeper Linux. Has anyone used these? Can you give recommendations? Any help would be appreciated."
gogole (Score:2, Insightful)
Google/Linux router floppy [google.com] gives Linux router project [linuxrouter.org]
Dead site (Score:3, Informative)
LEAF (Score:4, Informative)
I'm using a floppy-based Bering system where I work as a multi-ISP router/firewall, and it works quite well.
Duh, this here magazine sez we needs a firewall! (Score:3, Interesting)
Synergy Networking
http://www.synergycorp.com
1780 SW 43 Ave.
Fort Lauderdale, FL 33317
Phone: (954) 792-1866
Fax: (954) 791-4214
E-mail: webmaster@synergycorp.com
Sorry to post anonymously. I'm sick to death of irresponsible ISPs who have no clue how the technology they work with actually works. You're running a goddamned ISP, invest some time into understanding what that firewall is before deploying it.
I shouldn't be surprised. This ISP is proud to have a "less is more" policy for website design. Hell, right below their claim to have secure web pages, they proudly state their FrontPage support.
Re:Duh, this here magazine sez we needs a firewall (Score:2, Funny)
"Proactive? Paradigm? Aren't these just buzz words that stupid people use to sound smart?"
Re:Duh, this here magazine sez we needs a firewall (Score:1)
Re:Duh, this here magazine sez we needs a firewall (Score:2)
Does he know what synergy means?
synergy: Cooperative interaction among groups, especially among the acquired subsidiaries or merged parts of a corporation, that creates an enhanced combined effect.
I don't know about you, but I wouldn't trust a business whose very name lies about the structure of their organization.
He's a liar. admit it. (Score:2)
You: It's a consulting business that does system integration work. Does he have to have internal synergy? Does anyone hold Microsoft to the "micro" part?
Given that he also refers to himself as "we" (see the web page: "Try Synergy, and find out why we're proud to be the best at what we do. "), I'm more inclined to believe that he's a liar, and is abusing a hackneyed buzzword in an attempt to seem much larger and more established than he actually is.
And that's worse than lying to the client through your name. If he's so good at what he does, why can't he just say "I", and let his great reputation in his field do the talking? What kind of business relationship can one expect with an organization that's dishonest from square one?
Re:He's a liar. admit it. (Score:2)
Then why refer to himself as "we"? Is he British royalty?
liar part deux (Score:2)
Really? Judging by this portion of their website, I'd say it's more likely a fifteen-year-old trying to parlay his limited linux experience into a business, so he can avoid having to go to college, like regular people:
We've hosted servers for interactive games such as Starsiege Tribes for years. We've been following role-playing games with more in-depth interaction for some time, and now host Sphere servers
Re:Duh, this here magazine sez we needs a firewall (Score:1)
Well I did read the Kamasutra and I still don't know a fucking shit about Linux.
What options do you need? (Score:3, Insightful)
Do you just need a packet filter, to block incoming SYN packets?
Or are you looking at an application firewall with anti-virus e-mail scanning, web caches, VPNs, separate DMZs for your servers, authentication with OTPs and tokens, etc.?
Different needs. Different solutions.
How much staff do you have? Any *nix experts?
SuSE Firewall (Score:3, Informative)
http://www.suse.com/us/business/products/suse_business/firewall/index.html [suse.com]
Re:SuSE Firewall (Score:1)
Re:SuSE Firewall (Score:2)
Few services == lower maintenance != no maintenance.
Gibraltar (Score:4, Informative)
Re:Gibraltar (Score:1)
Deal Sites (Score:1)
Coyote Linux (Score:1)
Coyote Linux! [coyotelinux.com]
I know it's not supposed to be CDROM based, but it is smaller and easier. They've stopped development on it, so it's pretty stable. You can hack it to run off a CDROM, but it's just as good from a floppy. It's part of the Linux Router Project, and it acts as a pretty good firewall too. It uses IP chains and IP masquerade, so you can do as much or as little configuration as you want.
Re:Uh huh (Score:1)
Gotta wonder how much they pay their Web Developer who writes non-compliant HTML [w3.org] and ASP in "QEDIT and some old-fashioned typing" [Check their html source] too.
And you know hosting those 30 gaming [synergycorp.com] (oops. sorry, they're "Virtual Reality") servers has to be a big money maker, right?
Our firewall (Score:3, Interesting)
We have a 4Mbit/4Mbit HDSL line, and around 320 nodes. (I am part of a team that runs a small-time volunteer ISP: the whole street I live in joined together to get good Internet access for a reasonable price; Linux all the way, yeah!)
floppyfw is a quite nice distro; it has loads of add-on packages: VPN (PPTP, Cisco, Intel etc.), PPP, ssh etc. It is rock solid and has high performance (used it for 3-4 years without problems).
There is also a powerful GUI for configuring it: http://www.fwbuilder.org/
But it is very simple to maintain and customize without it. You just mount -o the image, edit, unmount. Rolling and using your own kernel is also quite easy (we use NAT, and some NAT helper modules are outside the kernel).
The downside:
No changing the firewall rules on the fly.
Changing rules or upgrading, means a reboot lasting a minute or so.
We have a spare box (can be used as firewall or proxy, or DHCP server if necessary), so by changing the default gateway we can avoid loss of Internet connectivity, though it means that people cannot access our web-site in the meantime, but we can live with that; others may not.
We also use the spare box, as a testing unit for new firewalls, so we can be confident that it works before it is put into production.
Re:ISP (Score:1)
Not every business can make payroll.
Oh my...now I'm starting to feel sorry for you!
You want a cheap firewall?
Get a Linux box. Buy a Dell/IBM/? P166 on eBay or from some local goon for $20. Put a spare NIC in it so you've got two in the machine, total.
Go to Amazon.com or your local bookstore and buy a book on linux firewalls. If you're lucky you'll get a book that includes a linux CD, otherwise spend $5 and order one from CheapBytes, or download an ISO.
Install Linux, configure the firewall, install on your network. If in more than an hour or two you are still stumped, pay a local Linux geek $100 to do it, or maybe let him co-lo a server at your 'ISP'
Total cost? Not much.
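For the two-NIC Linux box described above, here is an added example (not code from this thread or any of the distributions it names): a POSIX shell script that reads a few settings from a small config file, assumed to live on a write-protected floppy, and generates an iptables-restore ruleset with default-deny filtering, masquerading for the LAN, anti-spoofing drops and rate-limited logging of dropped packets. The config keys, interface names and network are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): build an iptables-restore ruleset
# for a two-NIC Linux firewall from a tiny config file, assumed to sit on a
# write-protected floppy such as /mnt/floppy/fw.conf. Hypothetical keys:
# WAN_IF, LAN_IF, LAN_NET, ALLOW_TCP (inbound TCP ports accepted from WAN).
set -e
# Emit the ruleset for the given settings. Nothing is loaded here, so the
# output can be reviewed before 'iptables-restore < rules' runs on the box.
gen_rules() {
    wan=$1 lan=$2 net=$3 allow=$4
    echo "*nat"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo "-A POSTROUTING -s $net -o $wan -j MASQUERADE"   # hide the LAN
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT DROP [0:0]"       # default deny in both directions...
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"    # ...but the firewall itself may talk out
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing: a LAN source address never legitimately arrives on WAN.
    echo "-A INPUT -i $wan -s $net -j DROP"
    echo "-A FORWARD -i $wan -s $net -j DROP"
    # The LAN may reach the firewall and, via NAT, the Internet.
    echo "-A INPUT -i $lan -s $net -j ACCEPT"
    echo "-A FORWARD -i $lan -o $wan -s $net -j ACCEPT"
    # Only the listed services accept new connections from the WAN.
    for p in $allow; do
        echo "-A INPUT -i $wan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate limited) what is about to hit the DROP policy; syslogd can
    # forward these kernel messages to another machine.
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP-IN: \""
    echo "-A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP-FWD: \""
    echo "COMMIT"
}
# Read the settings file (sourced as shell, so it must come from the
# write-protected floppy, never from a user-writable path) and emit rules.
rules_from_conf() {
    . "$1"
    gen_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$ALLOW_TCP"
}
# Constructed sample config standing in for the floppy contents.
cat > /tmp/fw.conf.sample <<'EOF'
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
ALLOW_TCP="22 80"
EOF
rules_from_conf /tmp/fw.conf.sample
```

Shipping the LOG lines to another box is a syslog.conf matter (a `kern.* @loghost` line on the firewall), not part of the ruleset itself.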
LEAF! (Score:2, Interesting)
At present, I have 6 offices hanging off this setup, with each one running the VPN daemon as well. There are plans in place (installation stage) to get 6 more internet circuits for the rest of our offices, making for a total of 12 offices running off this code. It's excellent code, with a very well integrated setup, using standard tools, and gobs of documentation.
The best thing; except for the main office (which uses a P166), everyone else will be running their firewall and VPNs on pentium 100's or 120's, with 24 or 32 megs of ram.
Securepoint. (Score:1)
No one's mentioned one of the most popular.. (Score:2)
If you don't have to have it run from CD, you should probably check out T-Rex [opensourcefirewall.com] (NOT a stateful packet filter, but the free version is lagging a bit), or, if you need a firewall combined with other functions (such as serving files, mail, web, etc.) then check out e-smith [e-smith.org] or ClarkConnect [clarkconnect.com].
Re:No one's mentioned one of the most popular.. (Score:1)
Re:No one's mentioned one of the most popular.. (Score:2)
floppyfw (Score:2)
Devil Linux (Score:2)
Gnatbox (Score:2, Informative)
Simple floppy based firewall, with GUI for those who want it. Easily configured, and rated highly by several publications. Logs via syslog to another system. Can do email and dns proxying if you need it. Doesn't do CDROM, but you can do flash memory.
Basically, a BSD derived firewall that was split from the tree a few years ago. They have an active development effort, and sell commercial products just for your situation. Commercial versions of Gnatbox are not cheap, but there is a good installed base, and a good mailing list that will help with stuff.
I must be missing something... (Score:1)
2. You can boot your linux/bsd/whatever firewall using PXE or some other environment.
3. If you are dead set on the CD solution, do you need a floppy thrown in the mix as well? A CD is dirt cheap these days; you can just burn another copy with the new settings. Or just use a rewritable CD. Or read your settings from the network. Floppy disks die nasty deaths for various reasons.
fli4l (Score:1)
fli4l [fli4l.de] plus OPT_BOOTCD [fli4l.de]. You may also want to read one of the HOWTOs fli4l auf CDR [fli4l.de] or isofli4l [foken.de].
fli4l is a German-language project, but fli4l itself also has English documentation.