Dedicated OS "sub-version" or complete distribution for firewall?

imported_Kiwi

I want to extend broadband Internet across my home LAN, but I have a current big surplus of older hardware already, so I thought that I would run something on the order of Smoothwall as a dedicated firewall system on a P3 I have on hand that runs very quietly (I also probably could make it up to be a K6-2 350 or 400). But there are copies of release distro DVDs on the news stands in Linux magazines all the time. Wouldn't one of those suit the purpose as well?

Those are ready to go, right from the DVDs. Smoothwall, I have to go through a number of preliminary steps with the download before it's ever ready to install anywhere...

Easier, or harder, setting up at first, which way? After that, ongoing maintenance routines are in what relationship? About the same? Simpler and faster one way or the other? I last had any *Nix exposure on a Unix workstation over 20 years ago, and I am certain I remember just about nothing useful from that experience.
 

Nothinman

A normal distro will be a bit more work to set up initially because it likely won't have the same GUI/Web tools that the specialized distros will have. Debian has a handful of firewall tools like shorewall but I've never used any of them. But I prefer a full distro because I like the flexibility of installing whatever I want, that and my firewall is an Alpha and there's not many firewall distros that support them. =)

Maintenance should be about the same, I have apticron installed on mine so it checks for updates daily and emails me when there's something new.
 

imported_Kiwi

Smoothwall has been the only dedicated firewall version I've run across so far. I was making an assumption that it wasn't the only thing of its kind out there. I haven't seen a magazine offering a free Debian distribution that I can recall.
 

drag

If you'd want to use Debian I like to use shoreline firewall (aka shorewall).

Basically what you need to do to turn a generic Linux-based OS like Debian into a firewall would be...

Take a standard PC and install multiple nic cards into it...
You'll need the keyboard and monitor available to set up the machine, but after that you don't need one.

1. do a 'standard' install.
2. update and secure the box. Use "netstat -pl --tcp --udp" to determine what services are running on the box and disable or uninstall them.
3. set up the actual firewall. There are lots you can do and you can make your own. I like to use shorewall and they have good documentation on the project's website as well as having good examples of common setups.
4. set up other services you want to have on your firewall. For example I set up an openssh server bound to my internal network interface so that I can do remote administration. I also install the dnsmasq package, which provides a simple LAN-style DNS/DHCP service. (One of the nice things is that dnsmasq will resolve names you put into your /etc/hosts file, which is great if you only want to use those names for an internal network.) You'll want to be careful and make sure that any services you set up are only running on your internal port or otherwise are inaccessible from outside your network.
5. set up port forwarding for any services on an internal server you want to be accessible from the internet.


Now of course this is for a small business/home setup with a NAT-style firewall. A Linux PC is perfectly capable of replacing any Cisco router or otherwise in a larger corporate-style network and work with open and common routing protocols like RIP, but that would take an entirely different approach.


It all depends on what you want. For me to sit down and take a Debian or CentOS box and have it equal the functionality a person will get out of a smoothwall, ipcop, or clarkconnect distribution by default would be very difficult. But I don't want all that stuff, I just want a basic, high performance firewall with only minimal functionality.
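
Added example (not part of the post above, and not code from any poster): a small shell check for steps 2 and 4, listing every listening socket that is not bound to loopback or to the internal interface. The address 192.168.1.1 and the netstat output are constructed for illustration; `-n` is added to the netstat command from the post so addresses print numerically.

```shell
#!/bin/sh
# Audit listening sockets on a NAT firewall box (added example).
INTERNAL_IP="192.168.1.1"   # assumption: address of the LAN-facing NIC

# Constructed sample of `netstat -pln --tcp --udp` output, as seen by root.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      401/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      733/exim4
tcp6       0      0 :::80                   :::*                    LISTEN      820/apache2
udp        0      0 192.168.1.1:53          0.0.0.0:*                           590/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           590/dnsmasq
EOF
}

# Print "proto local-address program" for each listener bound to a wildcard
# or any address other than loopback / the internal NIC. These answer on the
# external interface too unless the packet filter drops the traffic.
exposed_listeners() {
    internal="$1"
    awk -v ip="$internal" '
        $1 !~ /^(tcp|udp)/ { next }      # skip the two header lines
        {
            host = $4
            sub(/:[^:]*$/, "", host)      # strip the trailing :port
            if (host == ip || host == "127.0.0.1" || host == "::1") next
            print $1, $4, $NF             # last field is PID/Program name
        }'
}

# On a real box: netstat -pln --tcp --udp | exposed_listeners "$INTERNAL_IP"
sample_netstat | exposed_listeners "$INTERNAL_IP"
```

Each line it prints is a service to disable, rebind to the internal address, or cover with an explicit firewall rule on the external interface.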
 

HermDogg

Can anyone point me in the direction of a distro tailored specifically for sharing an internet connection? I'm looking for a firewall, dhcp server and bandwidth management (it's a fraternity, I need to be able to keep speeds constant across the network so people can still get hw done w/ online games and such being played)?
 

drag

There were several listed in this thread already.

Take a look at smoothwall.
http://www.smoothwall.org/about/

There are commercial and free software variants. It can do 'DNAT' (as in dynamic 'NAT' or network address translation). This is how you share a single internet address over multiple computers on a private network.
 

Brazen

Personally, I've tried SmoothWall (free version), Ipcop, and m0n0wall. I liked Ipcop a LOT better than Smoothwall. Granted, it has been probably a year and a half since I last visited Smoothwall. If you don't need a lot of "features" such as content filtering, redundant connections, or IPS, then m0n0wall is pretty much hands-down the best there is.

I've also been curiously following a new distro called pfsense which is based on m0n0wall but is working to extend the features. It has a stable release, but is still lacking some features I like in Ipcop.

At home however, I use a linksys WRT54GS flashed with dd-wrt firmware. dd-wrt is easy to use, but for various reasons I would like to one of these days reflash it with OpenWRT. I'm using the linksys mainly for the power and space savings though; otherwise I would use Ipcop.

Also, if you would decide to go with a full distro, I would strongly suggest at least installing Webmin. It has a web interface to the firewall that makes firewall administration much easier. You can even use Shorewall and use Webmin as a web interface to Shorewall. I would bet it also has an addon for dnsmasq.