Author Topic: firewalls?  (Read 4084 times)

Offline bigpook

  • Thread Starter
  • Posts: 1723
firewalls?
« on: Fri, 12 March 2010, 19:22:04 »
Thought I would share this.

I have used a fair amount of linux based firewalls. Astaro, monowall, ipcop, clearos and just recently pfsense. I like them all but Astaro is kind of heavy for what I am doing at the house, monowall is nice and lean but boring, ipcop I ran for the longest time but it is getting long in the tooth. Clearos looked good but to get the full bang you have to pay for it.

For the past 6 months or so I have been running pfsense, 1.2.3 RC2 IIRC and was really happy with it. I went ahead and installed 1.2.3 Release but had issues with the DMZ and port forwarding. I ****ed with it for a day or so but got disgusted.
At least getting out to the internet worked.
So what to do?

I found ipfire on distrowatch and have yet to hear of it. The iso comes in at under 80M so it didn't seem to be a bloated mess.
I installed it and it worked straight away. Has a nice GUI with lots of graphs and port forwarding is trivial. It supports VPN which I need to get working next and has some other nice bells and whistles. It's only been running for an hour so there is still plenty of time for it to crash and burn; but so far it is looking good.

What do you all run as firewalls? Not so much for business, mostly what you run at the house.
HHKB Pro 2 : Unicomp Spacesaver : IBM Model M : DasIII    

Offline EverythingIBM

  • Posts: 1269
firewalls?
« Reply #1 on: Fri, 12 March 2010, 22:12:23 »
I like using Tenebril's security suite. Ghost surf, spy catcher, etc.
Not really sure if it would be considered as a "firewall", but it's pretty good. Ghost surf blocks annoying ads too.
Keyboards: '86 M, M5-2, M13, SSK, F AT, F XT

Offline ch_123

  • * Exalted Elder
  • Posts: 5860
firewalls?
« Reply #2 on: Sat, 13 March 2010, 05:47:34 »
My WRT54G has a firewall built into it, I rely on that.

Offline Rajagra

  • Posts: 1930
firewalls?
« Reply #3 on: Sat, 13 March 2010, 06:13:04 »
Software firewalls running on the PC you use are a huge compromise. They aren't that secure, and they can affect performance. To be honest I just can't be bothered with them. Unless someone can recommend one that is flawless.

I wouldn't be without a NAT router though. Once you've seen logs of how often your IP address is being probed by the outside world you'll never trust a direct connection again.

Offline InSanCen

  • Posts: 565
firewalls?
« Reply #4 on: Sat, 13 March 2010, 06:16:44 »
ipcop on a mini ITX atom based system, 30GB 1.8" HD, 1GB SO-DIMM.

It's still huge overkill for what goes through it, but the parts were there, might as well give them a use. It is long in the tooth, but it just works.
Currently Using :- IBM M13 1996, Black :
Currently Own :- 1391406 1989 & 1990 : AT Model F 1985 : Boscom 122 (Black) : G80-3000 : G80-1800 (x2) : Wang 724 : G81-8000LPBGB (Card Reader, MY) : Unitek : AT102W : TVS Gold :
Projects :- 122 key 1389620 Wireless ESP32 :
'Pooter :- Xeon E5-2680v4 : Machinist MR9A : 2x16GB DDR4 : Radeon RX6600 : NVME & Spinning rust :

Offline bigpook

  • Thread Starter
  • Posts: 1723
firewalls?
« Reply #5 on: Sat, 13 March 2010, 06:25:11 »
I used IPCop for a long time and it ran with no issues. Getting the VPN working with Zerina was a breeze too. But I rebuilt my firewall using a mobo with a Via C7 cpu and IIRC IPCop had issues seeing it. They are working on a new release to bring it up to date but it doesn't seem to be quite ready yet. Once it is, I will be checking it out.

I browse distrowatch for new releases and news and it amazes me that there are so many choices for firewall software. Most are free and some have some cost associated but overall there are so many to choose from.
« Last Edit: Sat, 13 March 2010, 06:27:46 by bigpook »
HHKB Pro 2 : Unicomp Spacesaver : IBM Model M : DasIII    

Offline ricercar

  • * Elevated Elder
  • Posts: 1697
  • Location: Silicon Valley
  • mostly abides
firewalls?
« Reply #6 on: Sat, 13 March 2010, 10:41:27 »
So a router's 'NAT- network address translation' isn't a true firewall, but plays one on TV. In other words, marketing people say NAT = firewall and tech people say not really. Anyone here care to explain the difference, in simple words that even I can understand?
I trolled Geekhack and all I got was an eponymous SPOS.

Offline ricercar

  • * Elevated Elder
  • Posts: 1697
  • Location: Silicon Valley
  • mostly abides
firewalls?
« Reply #7 on: Sat, 13 March 2010, 11:17:58 »
Quote from: ripster;163707
But then, I'm about as technical as John McCain on this security stuff.  The difference is I NEVER open those greeting card attachments from Sarah Palin.


Then you'll never be republican candidate for VP.

--
Generally anything that stealths all service ports on Steve Gibson's ShieldsUP! test is good enough 'firewall' for me.

« Last Edit: Sat, 13 March 2010, 11:32:10 by ricercar »
I trolled Geekhack and all I got was an eponymous SPOS.

Offline kw71

  • Posts: 23
firewalls?
« Reply #8 on: Sat, 13 March 2010, 11:33:46 »
I use openwrt on a buffalo router I got in Japan.

The buffalo I have did not have English firmware anyway.  But it happens to have lots of RAM and a decent size flash.

Openwrt is a small linux and includes iptables.  If you don't need broadcom wireless drivers in your device, you can use the 2.6 kernel, which will let you use ip6tables with the conntrack mod.

Saves a lot of power vs. a PC running linux.  SIX WATTS.

If you don't want to hunt for a suitable home router, as it's tricky to find one, you can use the single board computer from ubnt.com.  Look at their routerstation pro.

Offline Rajagra

  • Posts: 1930
firewalls?
« Reply #9 on: Sat, 13 March 2010, 11:59:51 »
Quote from: ricercar;163698
So a router's 'NAT- network address translation' isn't a true firewall, but plays one on TV. In other words, marketing people say NAT = firewall and tech people say not really. Anyone here care to explain the difference, in simple words that even I can understand?


A NAT router can connect multiple PCs on your private network, all with different IP addresses, to the Internet. The router has its own external IP address, and that is the *only* address the outside world can see.

Incoming communications are ignored by default, unless one of your PCs started the communication. In which case the router forwards the packets to that PC - effectively 'translating' the public network address to your private address.

The key point is that random attempts to break in to your PCs will be blocked. But if you download malware that starts using the Internet, the router will allow it, because communication started on your side. So you could say a NAT router is like a firewall that only blocks unrecognised traffic from one side.
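
The behaviour described in Reply #9, as an added example (an editor's illustration, not part of any post in this thread): a toy Python model of a NAT router's translation table. The class name, addresses and ports are constructed, and it assumes the router accepts replies only from the exact remote host and port that a LAN machine contacted; real routers vary on that point.

```python
# Added illustration: toy model of a home NAT router's translation table.
# All addresses are constructed (RFC 1918 private and RFC 5737 documentation ranges).
from itertools import count


class NatRouter:  # hypothetical name, for illustration only
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = count(40000)   # next free external port
        self.out_map = {}            # (lan_ip, lan_port, rhost, rport) -> ext_port
        self.in_map = {}             # (ext_port, rhost, rport) -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, rhost, rport):
        """A LAN host starts a flow: create (or reuse) a mapping, rewrite the source."""
        key = (lan_ip, lan_port, rhost, rport)
        if key not in self.out_map:
            ext = next(self._ports)
            self.out_map[key] = ext
            self.in_map[(ext, rhost, rport)] = (lan_ip, lan_port)
        return (self.public_ip, self.out_map[key], rhost, rport)

    def inbound(self, rhost, rport, ext_port):
        """Packet arriving on the public address: forwarded only if a mapping exists."""
        return self.in_map.get((ext_port, rhost, rport))  # None means dropped


def demo():
    nat = NatRouter("203.0.113.7")
    results = {}
    # 1. Unsolicited probe from the Internet: no mapping, so it is dropped.
    results["probe"] = nat.inbound("198.51.100.9", 4444, 22)
    # 2. A PC opens a web connection; the reply is translated back to that PC.
    src = nat.outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    results["rewritten_src"] = src[:2]
    results["reply"] = nat.inbound("198.51.100.20", 443, src[1])
    # 3. A different remote host aiming at the same external port is still dropped.
    results["other_host"] = nat.inbound("198.51.100.9", 443, src[1])
    # 4. Malware on a PC dials out: the router maps it like any other flow,
    #    so traffic coming back from that remote host is let in.
    bad = nat.outbound("192.168.1.11", 52000, "198.51.100.66", 8080)
    results["malware_reply"] = nat.inbound("198.51.100.66", 8080, bad[1])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} -> {value}")
```

Case 4 is the one-sided filtering the post ends on: the router cannot tell a browser from malware, which is why outbound (egress) rules or a host firewall are a separate control.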

Offline pfink

  • Posts: 196
firewalls?
« Reply #10 on: Sat, 13 March 2010, 12:34:40 »
Quote from: Rajagra;163633
Software firewalls running on the PC you use are a huge compromise. They aren't that secure, and they can affect performance. To be honest I just can't be bothered with them. Unless someone can recommend one that is flawless.

I wouldn't be without a NAT router though. Once you've seen logs of how often your IP address is being probed by the outside world you'll never trust a direct connection again.


It's not a bad idea to run a software firewall on your computers even if you have a NATing router, especially if you've got roommates or family members with their own computers or if you let house guests connect to your internal network. You never know what might be tagging along on the kids' laptops.

I've been running the free version of COMODO on Windows XP for a while and it seems to be pretty solid. I used to use ZoneAlarm but the recent versions were getting kind of bloated. COMODO eats up less resources and is more customizable.

Offline bigpook

  • Thread Starter
  • Posts: 1723
firewalls?
« Reply #11 on: Sat, 13 March 2010, 14:14:19 »
It seems to be working pretty good. If you want you can bang on it.
Look for me here: ajm.no-ip.info



I think the Germans write good software, not that I am some expert on it or something, but they seem to be anal about security. And I mean that in a good way.

I don't know how people can write software for free though, but I am appreciative that they give it away for no cost.
HHKB Pro 2 : Unicomp Spacesaver : IBM Model M : DasIII    

Offline bigpook

  • Thread Starter
  • Posts: 1723
firewalls?
« Reply #12 on: Sat, 13 March 2010, 14:23:29 »
I was thinking it would be the other way around....
HHKB Pro 2 : Unicomp Spacesaver : IBM Model M : DasIII