Topic: "Software router i suppose" Revisited

ShadesOfGrey (Topic starter)
"Software router i suppose" Revisited
« on: August 20, 2004, 11:48:55 PM »
Ok, I've got pretty much the same question as JJ did...  Except I'm actually looking for anything BUT a Windows based solution.  In-my-not-so-humble-opinion, Windows personal firewalls are all crap...  Mostly because Windows is crap.

Anyway, I'm looking for an opensource or freeware firewall that is:

1.) Easy to use!  And I mean really easy to use!!!  My folks have a hard enough time turning their computer on and getting on the web!  I need something even a great grandparent could use!

2.) Can be run on a PC with as little as a Pentium 120MHz w/16MB RAM.

3.) Has a host of remote management options (i.e. https, VNC, SSH, and/or X-server.)

4.) Can 'instantly' notify a user of 'un-authorized' net access in much the same way Windows based personal firewalls do.

The first three are essential.  The fourth I'm not sure is possible, given that you probably need to hook into the client OS...  But who knows, I've only recently started this odyssey.  Any guidance would be welcome.

BTW, I should probably mention that I already have a 'hardware' firewall in the guise of a Linksys WRT54G router.  Unfortunately the "ease of use" requirement disqualifies it.  While I'm computer literate enough to use it, I know my folks are not.  The last thing I want to do right now is be solely responsible for maintaining it or any other router, gateway, bridge, or firewall.
Unless otherwise explicitly stated, this message is not meant to affirm nor deny, defend nor offend any faction within the 'Amiga' Community.
 

rayt
Re: "Software router i suppose" Revisited
« Reply #1 on: August 20, 2004, 11:59:49 PM »
You should go for linux/iptables.. I have run a linux (first 2.4, now 2.6 kernel) gateway at home for a few years and never had any problems.. I first had a 486/120MHz with 2 ISA NICs and it also worked, although I did upgrade it a bit from time to time.. Of course you can also operate your linux box via ssh at any time..
I don't really understand why it must be easy to operate for people with little computer knowledge. The firewall should be set up by the admin (you) and not be changed by simple users like grandparents etc.. Maybe some distros offer a GUI for iptables configuration but normally you configure it via command line (script)..
 

ShadesOfGrey (Topic starter)
Re: "Software router i suppose" Revisited
« Reply #2 on: August 21, 2004, 01:21:53 AM »
Quote

rayt wrote:
I don't really understand why it must be easy to operate for people with little computer knowledge. The firewall should be set up by the admin (you) and not be changed by simple users like grandparents etc.. Maybe some distros offer a GUI for iptables configuration but normally you configure it via command line (script)..


My brother and I are renting the third floor at our parents' house at the moment.  But if/when I pack up and leave, I want them to be able to maintain the firewall themselves with as little assistance as possible.

Don't get me wrong, I don't mind being the live-in PC tech or tutor.  But I shudder to think what will happen if/when I'm not around.  I spent close to 60% of my summer vacation fixing a relative's horribly mangled Windows PC.  Trojans, Ad-ware, Spy-ware, search bars, pop-ups galore...

What's worse is that Mal-ware will only get worse.  So I'd like to find some means of protecting my parents (and brother) that they themselves can use and understand.

That said, I have started to look at firewall Linux distros.  Hopefully I'll find time next week to play around with one or two...
 

billchase
Re: "Software router i suppose" Revisited
« Reply #3 on: August 21, 2004, 01:25:14 AM »
Have you checked out Coyote Linux?

Coyote Linux

It fits on one floppy disk and will run on a 486DX.
It has a built-in firewall and supports DHCP.  You can
download a Windows-based creation wizard that will generate
the Coyote boot disk.  As soon as the boot disk is generated,
just boot and you will be up and running.  That's it.

C Snyder
 

aardvark
Re: "Software router i suppose" Revisited
« Reply #4 on: August 21, 2004, 03:06:44 AM »
Nothing wrong with a hardware router, they're cheap as dirt now; especially as many people want a Wi-Fi version these days. They're pretty plug and play for _any_ OS.  Usually they are configured by accessing a web page hardwired into their ROMs. Heck, my 14 year old installed one on our home computer because he wanted to plug in a PlayStation.  I bought one at Wal-mart for $50 Canadian.  Cheaper than most firewall software and was the only thing that helped me get rid of my Sasser worm after about six weeks of re-installs. :pissed:
 

adz
Re: "Software router i suppose" Revisited
« Reply #5 on: August 23, 2004, 02:11:41 AM »
IMHO IPCop would be the ideal option, all you need to do is download it, install it, configure it and then leave it. It can be configured via a web browser and it supports iptables.

IPCop.org
 

ShadesOfGrey (Topic starter)
Re: "Software router i suppose" Revisited
« Reply #6 on: August 23, 2004, 08:41:02 PM »
@billchase

No I haven't, but I'll at least try it out now.

The biggest problem I've had so far is finding out what options are available...  I mean Linux based solutions alone (full and embedded/firewall distros alike) are so numerous as to be overwhelming.
 

ShadesOfGrey (Topic starter)
Re: "Software router i suppose" Revisited
« Reply #7 on: August 23, 2004, 08:57:39 PM »
@aardvark

I agree, as a first line of defense I wouldn't buy a router without some form of firewall protection.  But I also need something that I'm pretty confident my folks can deal with.
 

ShadesOfGrey (Topic starter)
Re: "Software router i suppose" Revisited
« Reply #8 on: August 23, 2004, 09:04:59 PM »
@adz

IPCop was one of the first Linux firewall distros I d/l'd...  I'm just waiting for the second NIC to arrive (I only had one when I thought I had two) to try it out.  I'm a bit concerned though that the box I plan to use may not meet the install requirements.  IIRC, IPCop may require more RAM to successfully install depending on the size of the partition used...  Right now, my little P120 box only has 16MB and I haven't been able to find that stash of 72-pin SIMMs I had.

If all else fails, I suppose I could use my old PII-400, even though I did have other plans for it.
 

billchase
Re: "Software router i suppose" Revisited
« Reply #9 on: August 23, 2004, 10:08:16 PM »
That is why I am such a fan of Coyote Linux, very lean
system requirements.  I have used Coyote with a Micron
486 that used two ISA 10baseT cards and was upgraded
with a P83 overdrive.  I was very pleased with the
performance.

C Snyder
 

ShadesOfGrey (Topic starter)
Re: "Software router i suppose" Revisited
« Reply #10 on: August 24, 2004, 05:11:15 PM »
@Thread

While reading Tom's Hardware last night, I came across something that might be of interest to other participants of this thread..  A BSD based firewall distro by the name of m0n0wall.  Given the number of opensource firewalls out there based on Linux, having one based on BSD is in some way...  Refreshing?

It certainly should be for those who, for one reason or another, prefer BSD over Linux.  Personally I don't care as long as it works.  So it, along with the other solutions suggested in the thread will be part of my evaluation roster.
 

Floid
Re: "Software router i suppose" Revisited
« Reply #11 on: August 29, 2004, 08:31:51 AM »
Quote

ShadesOfGrey wrote:
Ok, I've got pretty much the same question as JJ did...  Except I'm actually looking for anything BUT a Windows based solution.  In-my-not-so-humble-opinion, Windows personal firewalls are all crap...  Mostly because Windows is crap.

Anyway, I'm looking for an opensource or freeware firewall that is:

1.) Easy to use!  And I mean really easy to use!!!  My folks have a hard enough time turning their computer on and getting on the web!  I need something even a great grandparent could use!

I've said it a bunch of times, but only because it's true -- I'm really impressed with 2wire's router interfaces.  However, I gather they aren't the only game in town anymore, and some of the late-model devices from more familiar brands are supposed to have equal 'Click here if you want to play Quake' features.

Quote
2.) Can be run on a PC with as little as a Pentium 120MHz w/16MB RAM.

OpenBSD can fit on a DX2-66 with 16MB, though upgrading and patching in that environment can be... less than painless.  And leaving a host 'useful' in case of compromise (gcc and other 'useful' tools present) is technically bad stewardship, so if you can find a cut-down 'appliance' distro (it's been a long time since I've looked at m0n0, and at first glance, it does seem whatever they've got going isn't half bad), feel free to use one instead.

Quote
3.) Has a host of remote management options (i.e. https, VNC, SSH, and/or X-server.)

Think about this for a second.  You really mean you want one standard remote management option that's well-secured, right?

Quote
4.) Can 'instantly' notify a user of 'un-authorized' net access in much the same way Windows based personal firewalls do.

Think about this, too.  Reporting an attack *blocked* by the firewall really isn't that interesting, unless you *are* a geek and curious about the latest worm going around.  Better to run snort or an equivalent IDS within the perimeter, so you only throw alarms on actual problems.

Quote
The first three are essential.  The fourth I'm not sure is possible, given that you probably need to hook into the client OS...  But who knows, I've only recently started this odyssey.  Any guidance would be welcome.

Well, if you have a generic *NIX box, you can run snort on any interface you like (before or after filtering), though how you distribute the notifications is a question left to the reader.  (Winpopup?)

Quote
BTW, I should probably mention that I already have a 'hardware' firewall in the guise of a Linksys WRT54G router.  Unfortunately the "ease of use" requirement disqualifies it.  While I'm computer literate enough to use it, I know my folks are not.  The last thing I want to do right now is be solely responsible for maintaining it or any other router, gateway, bridge, or firewall.

What are they running that requires changing or opening the ruleset at all?

...

To be honest, *any* decent firewall will block the majority of Stupid Windows Attacks.  As such, I wouldn't stress *too* much, as long as you can find something that lets them run anything that does need to punch holes without too much pain.  Bigger questions are whether Windows is secured from attacks a straight firewall can't block (IE exploits, Outlook exploits, even Firefox exploits) -- you can go nuts trying to configure snort + Hogwash to ensure everything stays pristine before it hits the hosts, but in the end, Norton (bleh) or the equivalent will probably keep their definitions as-or-more up to date, with less room for sysadmin error accidentally causing a DoS -- and how this wireless segment is being used, secured, and isolated from the rest of the LAN.
 

the_leander
Re: "Software router i suppose" Revisited
« Reply #12 on: August 30, 2004, 05:05:47 PM »
Pmail me your address and I'll send you two sticks of 32Mb from an old bsd box I have (The mobo fried, but the ram is fine).

Blessed Be,
Alan Fisher - the_leander
