IPCop | IP Cop Linux based Firewall
For my home network these days I’m using dd-wrt for my main internet gateway, however at one point in time I had used Mandrake’s Single Network Firewall, followed by their Multi Network Firewall products. I was overall pleased with these, but the licensing of MNF required you to remove any and all branding before installing for someone else (pain in the neck). I had at least one client on the old SNF product until just recently.
I had hoped to upgrade their firewall for a year or so actually. Mandrake’s SNF only supported an internal LAN and a WAN, which we were starting to push beyond (I wanted wireless on a separate subnet). At the time though the disruption of migrating firewalls seemed too great. Well, recently they had some peculiar outages and it turned out that I caught a network card malfunctioning. So, I rerouted their network setup for a few days to bypass the firewall box and prepared the repair and replacement.
IPCop has become my firewall distribution of choice. It really performs well: you get DNS handling for the machines that get DHCP addresses (and you can add static leases, etc.), all things that I never was able to do with SNF or MNF (I had to manually maintain the hosts file – yuck). Of course, port forwarding is a given, but there is also a wide range of supported plugins that give you everything from hard drive monitoring (another item I wished for from SNF) to content filtering (which we had made use of on the SNF install). All in all, it helps that IPCop is newer, but it also has a richer and more polished feature set than the several-year-old install it replaced.
One annoyance we had for several years with the old setup was udp traffic not passing through the firewall consistently (even with port forwards.) So, we had workarounds with openvpn using a tcp port (which is less than ideal.) NTP didn’t work with the old firewall for some unexplained reason. Several times I investigated and tried to solve it, but to no avail (so I wound up running an NTP synchronization over an openvpn connection to the outside world.) The new IPCop install exhibited none of those problems.
Now, IPCop takes some getting used to, if for no other reason than the default ports for administration. It reserves port 222 for its own ssh access (if enabled). Port 81 is the http configuration interface port and https lives on port 445. So, all of my notes on administration have to be updated. This new install though has been humming away for several weeks now without incident. Time has been synchronizing better, DNS works, which makes locating internal machines easier, and the content filter still works as it did (and we have a few new options such as whitelisting specific machines, or times of day).
All in all, this move has been well worth it and I expect will continue to be as we may be moving the wireless to route through this device (currently it’s upstream between the firewall and dsl modem.) I should have possibilities for some custom firewall rules if we do that to discourage abuse of the wireless. Also, this may become the host of our openvpn install in the future, taking some of the load away from the current server.