lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
hpr-knowledge-base/hpr_transcripts/hpr0311.txt

335 lines
29 KiB
Plaintext
Raw Permalink Normal View History

Initial commit: HPR Knowledge Base MCP Server - MCP server with stdio transport for local use - Search episodes, transcripts, hosts, and series - 4,511 episodes with metadata and transcripts - Data loader with in-memory JSON storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00
Episode: 311
Title: HPR0311: Firewall Distros
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0311/hpr0311.mp3
Transcribed: 2025-10-07 16:02:35
---
Music
Hello everybody my name is Mark Clark and this episode of Hacker Public Radio I want
to look at Linux and BSD based firewall distributions, basically distributions that are providing
functionality that's dedicated to providing firewall functionality and the perimeter of your
network. I'm not going to be looking at running files on a sort of desktop plant which you'll
be using in a desktop computer but rather as a machine which you'll use as a router or on
your perimeter of your network which breaks out into the internet or into any other untrusted
network that you want to protect your internal network from. The distribution that we'll consider
here based on the ones that I've used in the past or ones that are researched. I haven't
easily used all of them but a lot of them we have used in production environments just
to sort of test that and you know as you go along on your farm functional new distributions
that have got better functionality we use those as well. Most of them are Linux based distributions
but they're all two BSD based distributions and I'll go through the list of the distributions
you're going to look at later. First I want to consider some questions that typically get
asked when considering a firewall. So if people ask you know why would you want your own
dedicated firewall? Okay if you're a home user and you've got your ADSR router doing your
firewalling for you that's normally okay but there's firewalls that come on those those
routers typically aren't very strong after a couple of years the manufacturer stops releasing
updates to them and if you want to add functionality to those routers like let's say you want
to provide VPN access or you want to start using our proxy you can't do that you can't
really extend them. If you're SME well you want to use consider one of these because
a lot cheaper than buying some of them commercially supported or dedicated to the plants type of
firewalls that are out there and of course it provides a heck of a lot of functionality
that a lot of businesses use especially things like remote access to your office or secure
remote access to your office and also can say bandwidth of a lot of the proxy functionality
that are built into these firewalls. So those are good reasons to consider running your own
firewall. The next question I'd like to consider is what do you get generally with these firewall
distributions because they're not just firewalls in the sense that they're preventing traffic
and you want to traffic on the outside coming in and outside traffic getting out they also
have a lot of other functionality typically they have proxy service built in there's a web
proxy service which is great for saving costs on bandwidth. They also have things like
SMTP and proxies which can intercept all SMTP traffic scanner for viruses and spam all
those good things and also other functionality such as content filtering. Content filtering
is great at home or in the business at home if you've got kids and you want to control
where they're going what time they can actually the internet connection is up and available
you can take you there through these firewalls and obviously you can control stuff access
to the internet. I know a lot of businesses are closing Facebook and other popular websites
and I know it's another favorite with a lot of stuff but unfortunately businesses are
looking at trying to cut costs these days that often is what happens.
The next question then would be why don't you just take your favorite Linux distributions
such as Linux or Ubuntu or your favorite BSD distribution and then configure it yourself
because these firewalls distribution normally just aggregate a whole bunch of available
open source projects that already exist at such a squid for the proxying, dance guardian
for content filtering, you know HVP for the web filtering of URLs in case there's fishing
attacks or some kind of poison website that your store are going to those kind of things.
And the answer is because these things are not trivial to configure quickly so unless
you're a security expert and you sit at your time playing around with RP tables and
that kind of stuff it's better to have somebody else who already looked at it, put it all
together and packaged it so that it works because the risk of getting it wrong when you
configuring your firewall which is basically protecting your whole internal network is you
know the cost of it's wrong is quite hard because people can get it and then basically
disrupt your whole internal network. So I would suggest if you're not familiar with not a security
expert then try and use one of these Linux based or PSD by sorry distributions. Lastly
I want to look at the criteria used for selecting the ones that are prefer out of all of
the list of available distributions that are art tape. Okay so it often depends on where
the distribution is going to be used as well so it's not just there's a clear winner.
So in some cases you want a distribution as easy to use and manage and interface basically
appoints and click interface and then your distributions come with a web based gree that
enables non-technical people to maintain the firewall. You also want a distribution that's
easy to update. You don't only have to reinstall your entire system every time a new distribution
comes out and rebuild all of your rules from scratch because that can be quite time consuming
and also error print. And also you want a distribution that is easy to extend because some
of these distributions will not allow you the way they bolt up is not easy to extend
them in the functionality which maybe they don't provide out of the box. Okay then let's
just go into the distributions that I will be looking at here. This isn't necessarily
a comprehensive list of everything that's available out there which is ones that are
no problem if tried. So firstly and it's also sort of done in order which I cannot
cross these things. The first one is RPCOP which can be found at RPCOP.org. RPCOP is an open
source, completely open source based package and community supported firewall distribution.
Then I look at Indian firewall. This is Indian with an E, E-N-D-I-N. That can be found
at indian.com which is based on RPCOP. I also then look at VRTA which is a new sort
of more router firewall kind of distribution out there that's designed to compete with
Cisco and Juniper routers and that's what we are a TTA VRTA.org. Then there are two BSD
based distributions. I haven't actually used them myself as we had about them. There's
Mona war at Mona M-O-N-O-W-A-L-L Hall.org. There's O's or zero's in the logo so I'm not
sure how you pronounce it. And then there's P of synths. P for Peter and F for 30 synths
as E-N-S-E.org and that's based on Mona. I also have a look at quickly open W-R-T which
is basically a firewall for embedded devices such as your ADSL router.
Largely these distributions are two categories. One is you can take a generic computer and
install them on there just like it's any Linux distribution on your PC. Typically you
can you know depending on the size or you can get both all the desktop PC. It only
to be two powerful these machines because basically what they're just doing is scanning
all the check that it goes over the network. We have the comments you get all the ones
which are open W-R-T which is used in embedded routers. So that's basically if you've got
your ADSL router and it's compatible you can flash the firmware on there and you can put
your own firmware on there. It's much more fun to do that but also a lot more work. But
you can get quite a lot of functionality and typically you use ADSL-flash router in
situations where you don't want to put a whole PC down. So let's say you own a coffee shop
or you own a little restaurant or some can and you want to have a few internet access,
few alpha access to your patrons. In typically you'll use one of those because you know
it's stuck up on the shelf there just above the ball or in the kitchen where you know
it's not a deal environment for your computer and you want to know when people just to
run up there and steal it which is often an issue. So you know you can use a W-R-T
or even at home where it's quite a lot of fun. So the question will be if you're going
to use one of these Linux or BSD based distributions what kind of hardware do you need?
Typically you don't need very powerful hardware I mean you think of the kind of specifications
of your ADSL router they're not that great. So you can get bar with a machine that has
256 megs of memory. Hard to say to be that large it can be quite small. The hardest
hard normally depends on how big your web cache box is going to be and also how much
logging you're going to be wanting to do. But even then a 60 gig hard drive or even 30
gig is more than enough. Typically you want to make sure that there's a space to take
at least two network cards because what happens is the one network card will get connected
to the to the hostile environment which is typically the internet and I don't get connected
to your internal network. One of the terminologies that I picked up which makes it quite easy
to discuss the architectural design of your network of people I got from AmpliCop and
they sort of popularized it as far as I'm away. It's the green network which is basically
your internal network and green for good or guy everything is fine there. That's the network
you keep protecting. Then you have the red network which is obviously the hostile network
which is the internet. All your texts are going to be coming from although 80% of the
cases most of the texts are internal. But then you have your third network which is called
the orange network and this is basically your demilitarized zone or DMZ zone. So what
is a DMZ zone? Essentially that's where you're going to put your machines that you're
going to want people to have external access to your controlled external access to via the
file. So you might want to literally let's say the web traffic to which you're letting
your customers access or you might be a file server that you're letting your sales equal
to remote branches access. It's called the orange zone because it's sort of it's with
controls. It's less danger there but it's still dangerous because somebody could hack
into those machines. And the whole idea is that you then those people have hacked into
those. They're then prevented from getting onto the green network. Anything I can really
hear you have it with other machines on the orange network. So yeah, so the orange network
group is then say you wouldn't want to put your sort of file servers there that's got
internal stuff on there and all that stuff. You put that on your green network. So
when you start that external, people need to be accessing. Okay, so let's get on to
actually looking at these distributions. The first one that I came across a couple of
years ago, a three or four years ago was RPCOP. Now RPCOP is a community fully community supported
Linux file distribution. And many people use it and find it adequate. A lot RPCOP initially
but after a while you begin to notice a few in mapping and weaknesses with the system.
One is that they don't have regular updates coming out that often. The second is that
they have a lot of plugins, which is normally great. The plugin actually is great but it's
also bad if the plugins continue to break your machine. You're not sure when you install
them if it's going to work or not. Install it and next when you have a whole mess, your
machine starts working. And it's not found with RPCOP. It just wasn't that easy to use
when you started adding in the plugins. And also the issue that I found with it was that
it didn't really have, it didn't come standard with the art going file. So it was incoming.
And typically, you know, nothing art going file goes as fine if you've got a home machine.
But if you've got a business or you want to, you know, to provide some kind of control
of internet access via your kids at home, you need an art going file to sort of rockboards
and also to be able to control websites that you've been visiting, a contentful to kind
of mechanism. So I find RPCOP great but not that, not not long when it didn't have the
features that the other later file was started coming out with.
Okay, there's a spin-off from RPCOP. This is probably a problem. A commercial company
started using RPCOP as a base of its file distribution. I think a lot of the developers
of RPCOP, you know, were in that company, a company called Indian. That's Indian within
E. And they basically took over, took the basic RPCOP destroyer and then they made it
a bit better. So they added an art going file or they improved the user interface. They
added some things by default, such as content filtering. And for a while, we used Indian
a lot. Indian is really, really great if you basically not their technical. It's got
an easy use web interface to configure everything. And yeah, it's great for small companies
as well with their own big art department and there's some sort of super user that's
the company arti-guar as well. So if you go and put that in there, you don't have too
many support calls having to guard them and sort things out. So Indian file, I would highly
recommend for people, for home users and for small businesses. The only issue I do have
with Indian is because it's one of those open source slash commercial destroyers. You
find that some functionality is only available in commercial. Also, you get the feeling
that they use the community for a lot of their beta testing and they've been on release
candidate three, for example, for their 2.2 release or some kind of release candidate
for a very long time before they put out a stable release. But having said that, it's
still quite a, quite a good file. One of the things that also that I don't really
like about Indian and as well as Army Cop that I find it difficult to extend. When I
mean difficult to extend, you know, let's say, you know, really hard to use appy tables
or you know, they configure a script or dance guardian. You know, you have to go into these
machines and then they have a whole different infrastructure way of configuring and controlling
those configurations. And so you have to learn how that works. And typically they can be
quite frustrating when you want to do something a bit more complicated. So, especially if
you have to go and change their config files and understand how they get read and you
know, at runtime or when they boot up, how they get used to configure the actual machine.
And then this is a limitation which I found with both Indian and Army Cop was that if
you wanted anything fancy on the read interface, for example, you want to do bonding. So
you've got two ADSL lines when you bond them together or you want to do load balance,
you know, cross them typically, like, yeah, on certificate, you want a local ADSL line
which is a lot cheaper. So that's only traffic that means we're locally in the certificate
in your thin certificate. And then you have one which does your international bandwidth
which is a lot more expensive. So you can use a local one for all of your SMTP traffic,
for things like connecting to remote branches, if you've got a VPN over them, all of those
things. And that you can't really do that easily in Indian file or in an Army Cop for
that matter. Okay, before I'm considering VRT, which means, which was next on the kind
of list, I just want to quickly touch on Mono and Mono rule and PFCNs. Now these are
BSD based just shows I haven't used them myself. The Mono rule from its website says that
it loads everything into RAM. And this is one of its limitations apparently because
obviously everything is a RAM, you know, you need a lot of RAM, you can't store everything
on disk, which makes it unusable for smaller embedded devices. Whereas PFCNs, which is based
on Mono rule, I'm actually designed to use disks and all of those good things. So it
provides a lot of the functionality. From the screenshots and the documentation of this
art, I think this looks like a great potential replacement for PFCN, for APCOP or Indian file
and it also allows for more complicated setup on the red interface in terms of having multiple
connections to the internet there and bonding them and being able to configure those in a
deal way to take advantage of the different, you know, basically least cross-reaching as it
were for your local internet connectivity. But actually instead of having actually used
them myself, so if you guys want to go there, check it out and have a look at the PFCNs website.
Okay, so I'd like to look at VRT and I've got a camera across recently and VRT is an industrial
strength replacement for Cisco and Juniper readers. So it's much more hardcore if you like, it's,
you know, designed for those, like for ISPs, they have a lot of interconnects, you know, you connect
the major networks together, so not necessarily just home users or your business you're connecting
to your ISPs network and all of that. It's really is quite a, quite a powerful firewall and
router. What I like about it is that it's got a, it's easy to extend because basically it's
used as a core, core functionality, the cut of Linux and those various open source applications
and I was just a thin layer on top to configure it. VRT might be considered not that user-friendly to
people who prefer to use a GUI, so I recommend that people who don't, you know, that much about
networking, how to configure Linux stick with either Indian or PSCNs to configure. The reason I
do like VRT is you put into those situations where you have, you know, you might have a clan
to fences themselves to be a computer user and ask them to go into the firewall rules all the time
and then they break it and then they call you in. So if you don't want them to do that,
curiosity kills the cat kind of thing, power them through VRT and then they look at it, they
don't have any idea how to configure it or how to touch it. So you know, I might be considered
a negative, as well as a positive, but you know, that can help in some situations. So VRT is
basically the firewall that we use now in most situations for the services that we provide when we
install firewalls. Okay, so then lastly I like to look at the group, like OpenWRT which embedded
the vases. Now these can be a lot of fun and you can learn a lot from them. They're coming
out more and more with GUI interfaces to configure as well. Normally the hardest part is to make sure
that your hardware router, the ADSR router that you've got to a wireless router is compatible and
if you go to OpenWRT.org website, they have a long list of devices that are compatible,
something when you're partially compatible, all that things. But once you get it, the main thing
is actually to now flash it with your new firmware. Once you've done that then a lot of the
functionalities available you can download as packages. Typically because these devices have
limited memory and flash the storage, you know, you can install certain packages on them but you
have to pick and choose what you want to install. But they're quite nice. You can put things
there like Astrics, web servers on them. And so you can actually design some very interesting
and, you know, applications on top of them, especially for things like restaurants,
entertainment areas and those kind of things. And a lot of, as I said, coffee shops and restaurants
tend to use them to provide this kind of functionality. For example, you can install application
actually spot on top of it, which will allow you to, you know, either you have paid for all three
controlled access to your local internet connection area that you're providing to your patrons,
or to your neighbors if you're happy enough to provide them with access to the bandwidth.
There's another couple other distributions of spinners, or then one other thing called
tomato as well, or tomato. So if you want to have a look at that, have a look at the tomato
distribution. Okay, so that was quite a quick run through your suppose of the other various
distributions that are out there. If there are any others and people who feel free to let me know.
And then say what comes down to my recommendation is to probably look, I'll say use
a few cents, but I haven't actually tried it myself. But from what research I've done, it looks
like it's the best easy to configure firewalls at ART for home users and for small businesses.
If that's a bit, a bit much, you can look at Indian firewall. As I said, peer sense is also
nice because it's fully community supported, so there's no, you know, divide between a commercial
and an open source version of the application. And if you're going to be looking at more hardcore
stuff or look at VRT, it's very extensible. You can leverage your existing knowledge into the
various applications that you use such as appy tables and squid. And then on your embedded
devices, I would use OpenWRT. There's also a DDWRT, but I've never used that. OpenWRT seems more
architecture and the source code is fully available and it's easy to use. With DDWRT also seems
like it's got this commercial stroke open source divide and it's always from what I could
gather from the forums. Admittedly, it's a cursory kind of investigation,
because it's always restricted. They're going to close everything up in the next release,
so it's a basic with OpenWRT. Okay, one thing which I think I should probably edit the
India, maybe some, for those people that need, you know, to understand some of the firewall
terminology that's art, they typically when you look at these, these rooters. Okay, and, you know,
one other concept with the firewall is that all of your external traffic uses netting essentially,
so all of your external traffic arounds at the firewall and that scene is the source of
or destination for a lot of your packets. Even if it's not seen as a destination in a sense that
the firewall can have multiple appy addresses on it, it will handle an old traffic that touches
any of your machines on the other side of the red interface. So whether they're in the orange zone,
the demilitarized zone or in the green zone. Until you get what happens is you use a concept
code port forwarding for art cunning machines initiating connections in. So what you'll do is the
machine will connect your firewall and you'll tell your firewall, look if it's coming in a port
whatever, like let's say 80th of the web port forwarded to your web server in the demilitarized zone
with the orange zone. Okay, so why do you do this? Because essentially the firewall, you know,
you don't have to go and configure each individual machine within those zones to sort of help
protection, although obviously that's a good idea to do as well, but you know, it's like some,
if you're relying on some other people to configure those machines and you're in charge of the firewall,
it's best to make sure that there's another layer of protection in case those guys don't do their job
properly. So if you look at external access into your into your network, then you will use the
concept port forwarding again. So if you're going out here, the art going firewall, art going
firewall, why would you want that? Well, you don't want guards on your internal network, it's
just seriously using bit torrent if you're a business because it will jam up your network and you
won't be able to, you know, actually do your work. And also there's all of the legal implications
around that you don't want people coming on your door and blaming you for stuff that your stuff
have been up to. So you might want to block art going, art going stuff, art going ports. To make it
the only art going ports that you really need to leave open on port 80 port for us for HTTP,
for for three, for HTTPS, again, if you're going to do doing administration tough stuff, you can
selectively allow port 22 for those times they need to get out into external devices on the internet
that they're hoping to maintain. Another issue that people normally like to look at for firewalls
is to provide VPN access. Now VPN access is basically secure, tunneling over the internet for
connections into your office. So you can you can treat remote users as if they're local or see the
network is local. So they'll get an armpit address from a local network on a green network and
they can access all the all the resources of the green network. Okay now when I say it's it's
like being on the network, obviously this is going to be dependent on your on your internet links.
It could be quite slow and on the number of people coming over. But this is really a great tool
for companies that are using it to link various branches. So you've got a head office, you've got
a couple of branches out there and you don't want to pay for dedicated digginit lines and those kind
of things. Then using VPN over the over the ADSL line is a great way to do that. It can also be used
to provide access to to your world writers like a sales staff. You can configure their laptops,
you can connect via VPN so they need to pull down the latest process or other company information
or access the email remotely then they can do that over VPN. Okay another kind of standard
functionality that these firewalls do provide and I have mentioned it previously is this Foxing.
And the Foxing is great for things like saving bandwidth, especially if you're using something like
a web proxy. So essentially it catches all the pages you will go and see. So if it's a regular
favorite page that a lot of people go to like some news start or the banking science net,
all the images and things will be cached locally which can save you quite a bit of bandwidth.
So there's also instant money saving that they can be made by using these firewalls.
And to be on top of the cash you will have a content filter. Content filters are almost essential
these days. As I've said in few years, if you've got a family and you want to control where your
kids are going, you can enable like you know, you can disable adult sites, you can disable auction
sites, ROC, all that kind of stuff. Well actually normally you get disabled via the outgoing
port. You can just block those ports so kids can't use it and like the Skype ports and that kind of
stuff. But yeah, you can use this and it's quite good as well. A lot of these content filters
provide things such as scanning or the URLs. So they'll prevent users from going through
these sites which are which have been hacked basically. They've got exploits on them.
You know, so if this says somebody goes to start with, there's a video and a video basically
done as a virus. They're able to do some, at least some level of protection for that as well.
And you can also know me to be able to have a blacklist if you want to add any sites which
the content filter, the items don't pick up automatically. You can block those sites. So there's
a money saving thing there and there's also a security thing. So they can, they can save you money
once you're infected and you have to clean your machines. That can be quite a costly exercise
disruptive to your business. So you know, these firewalls all have a large amount of benefits that
you can actually take advantage of. So I think that's really all I have to say. I mean there's a
whole lot of issues around that we can we can talk for a while longer and a lot of these things
but I just don't want to to ramble too much in, you know, people might have got what they need
out of the podcast already. One of the things which I've got here is I forgot to assess all the
different distributions against when I was going through them was the ease of update. And this
is quite a problem for some of the the firewalls that are there. I found that for Indian firewall,
for example, there is no officially supported upgrade port. Although given their upgrades from
the 2.1 relative to 2.2 scene quite easy, just took a backup of the config files and you reload
it as backups. From the documentation of the files, if the configs change, you know, the config
file form has changed, they're not the only provider upgrade port for the for the commercial users.
At least that's my my understanding as it stands currently. We also provide a full upgrade port.
Basically you'll just use a I think the base though they'll use most of the based on Debian or
with a based on CentOS. Okay, I just had a quick look there and I see it's based on sorry Debian.
You know, it's basically this built on top of the app gate. And I have quite just run a few
commands in an update system to the latest version. So I just learned some using recently so I
had to do a district upgrade at the moment, but it seems a lot easier than the other distributions
out there. Pay a sense of unaware of the upgrade policy, but I'm sure the information will be
available on their website. As long as you can get the, you know, it depends also on how much
complicated your rules are. I think it's very complicated and you definitely want to wait
to be able to back them up and use them when you upgrade. You don't want to have to go and
recapture all of those port forwards and IP aliases that you're using and all of that stuff because
that can be, you know, it can be quite frustrating. Suddenly your VPN users don't know access,
then the boss calls you once in a while. They can't access the webmail when they're sitting at
their resort or something like that. So they'll best have an upgrade port that is easy to use and
available. Okay, I think that's it for me. Yeah, and hopefully I'll be able to use some more
releases for you guys and speak to you next time. Bye.
Reference in New Issue Copy Permalink