IPCop for Small-Business Network: Web Proxy Usage

Hi All!

Our small-business (5 PCs) has its LAN connected to the internet through ADSL (1 Mbit downstream, 128 KBit upstream). Now I decided to use IPCop. First I wanted to use an old Pentium 166 for IPCop, but the system should operate 24/7 so I ordered the following hardware:

- VIA EPIA PD-6000 fanless board (with VIA Eden ESP 600MHz Processor)

- Morex Cubid 2699 case with external fanless power-supply

With the fanless VIA board and the fanless power-supply of the Morex, even if the small case-fans should stop working there should be no problem I think. Actually I want to try to use the systems without any fans running...

Unfortunately I have not found much info on the web proxy feature of IPCop. I hope the CPU will be fast enough for our small-business firewall/router with one VPN tunnel and the proxy turned on. I also have to decide how big my HDD should be. Any ideas what would be a good proxy cache size for my setup? Any other comments on my setup are welcome!

Thanks a lot and best regards! Anguel

Reply to
astanko

Personally, the old P166 PC would have been more than sufficient for 5 PCs. You could have found a way to have separate fans just in case the CPU fan stops. I've seen IPCOP running on an old P400 Toshiba laptop using two PCMCIA cards for the Red & Green networks (the fan is very quiet and the battery will keep the unit running for 2-3 hours after a power outage).

Reply to
ABC

Fine - assuming adequate RAM that should be overkill

No idea why

Why? You are posting from a DT address, and it shouldn't get that hot, but why the desire to not have fans? Keeping the computers at a lower temperature (CPUs and hard drives produce significant heat) is going to make a more reliable system. Still, a friend of mine runs his firewall on an old 486 laptop underclocked to 16 MHz, located behind the books in a small bookcase in his home office. This is in Arizona, where the room temperature is held *down* to +27C in summer (it's +38C outside now).

Being old fashioned, I prefer to have nothing but firewall running on the firewall, as that significantly reduces the risks. As far as CPU speed, the limiting factor is your ADSL connection. A 386SX-16 is more than fast enough for that.

The proxy cache obviously depends on what your users are doing and few of us can guess that. For a minimalist firewall, the disk requirements are extremely modest - there are several firewalls that will run off a floppy. Logging may set a requirement for you - we log direct to a line printer, and send some log data over the wire to the log server, so for us there is no real need of a disk on the firewall (our firewalls boot from a CD).

Old guy

Reply to
Moe Trin

The trouble is that something without a lot of power or memory has to be rebooted constantly, or it crashes. I used to use a 128MB Celeron 667 as the gateway machine on my network of 3 PCs, and I was forever having to re-boot, but I do not have the problem since I replaced it with an Athlon64 machine with 512 MB of RAM. If you are going to use a gateway machine, I would recommend no less than 512MB of RAM.

Reply to
Charles Newman

If he wants something that won't make a lot of fan noise, an Emachines T6212 PC will do. The CPU fan (where most of the noise comes from on PCs) makes a lot less noise than most CPU fans. I can hardly hear the fans on the T6212. If you want machines with virtually no fan noise, get an Emachines T6212, with an Athlon64 processor. Then your machines will be ready for the 64-bit Windows operating systems of the future. Longhorn will require a 64-bit processor.

Reply to
Charles Newman


In news: snipped-for-privacy@z14g2000cwz.googlegroups.com, snipped-for-privacy@gwdg.de typed
|| Hi All!
||
|| Our small-business (5 PCs) has its LAN connected to the internet
|| through ADSL (1 Mbit downstream, 128 KBit upstream). Now I decided to
|| use IPCop. First I wanted to use an old Pentium 166 for IPCop, but
|| the system should operate 24/7 so I ordered the following hardware:
|| - VIA EPIA PD-6000 fanless board (with VIA Eden ESP 600MHz Processor)
|| - Morex Cubid 2699 case with external fanless power-supply
||
|| With the fanless VIA board and the fanless power-supply of the Morex,
|| even if the small case-fans should stop working there should be no
|| problem I think. Actually I want to try to use the systems without
|| any fans running...
||
|| Unfortunately I have not found many info on the web proxy feature of
|| IPCop. I hope the CPU will be fast enough for our small-business
|| firewall/router with one VPN tunnel and the proxy turned on.
|| I also have to decide how big my HDD should be. Any ideas what would
|| be a good proxy cache size for my setup?
|| Any other comments on my setup are welcome!
||
|| Thanks a lot and best regards!
|| Anguel

For a LAN as small as yours your IPCop box could even be considered overkill.

600MHz is more than enough.

But don't take my word for it, check out the forum and ask your questions there.

Reply to
Robert de Brus

I have my IpCop running on a Compaq 2000 with 32MB ram and a 3Gbit HD and there is no fan, the only sound is from the HD. It has been running 24/7 for almost 6 months now. No problems.

Reply to
Anders

Running poorly written code does that. Why do you feel it is normal for a system to need constant rebooting? Why do you feel it's normal to have the crap crashing all the time? Or do you look at the BSOD as meaning that the system is in 'Enhanced Security Mode'?

You seem to not understand that IPCop is not a windoze application, so it's not crashing each time a gnat farts within a thousand meters of your computer. We also don't have to reboot because the O/S detected that the mouse has been moved. My firewall isn't on a UPS (if power goes down, the cable is down, so who cares), so it got rebooted during a momentary power outage in February. The rest of the systems are on UPS, and haven't needed a reboot since a major update (new kernel) the weekend before Christmas 178 days ago.

That 486 lapdog I referred to up thread has 12 Megs of RAM. My 386SX only has 8. Maybe if you didn't need to run all the anti-virus, anti-trojan, anti-spyware, anti-popups, etc. on top of your desktop on this "firewall" you wouldn't have this crashing/rebooting problem. Maybe it would help if the code were professional quality, instead of "whatever the sheep will buy".

Still waiting to hear what college you attended that networking class at.

Old guy

Reply to
Moe Trin

I know the lapdog has a fan, but I can never hear it. My own firewall is running on a 386SX with an old PC Cooling Systems power supply and an old 213 Meg disk. The disk makes more noise when in use than the cooling fan, and that's nearly inaudible.

First Charles, a 64 bit CPU is GROSSLY OVERKILL for a firewall. You might need it because you are running a full desktop of windoze in which the toy firewall is a mere application, but that is representative of why you don't understand the base concepts of security. The only thing you seem to know is marketing hype.

As for "the 64-bit Windows operating systems of the future", Linux and BSD have run on 64 bit hardware (Alpha, Sparc, and Ultra Sparc) for 12 years - something not possible with your toy O/S. As for the AMD and Intel 64 bit processors, ia64 was a supported processor in 2001, with (at least) Debian, Mandrake, Red Hat and SuSE supplying releases. While I don't follow the x86-64, I know that several Linux distributions have had x86-64 versions on store shelves since last year. Oh, and you seem to have forgotten the PowerPC64 (of course we know windoze won't run on that - but Linux does).

It's that bloated, eh? *BSD and Linux requires a 386 minimum.

Still waiting to hear what college you attended that networking class at.

Old guy

Reply to
Moe Trin


I have IPCop machines in various places looking after networks varying in size from 6 to about 30 and they stay up 24/7 for weeks and months without crashing or the need to reboot, unless I upgrade, etc.

Maybe your Celeron with 128MB had a hardware problem, the RAM for example.

Reply to
Robert de Brus


Well, I recommend the T6212 because of the extremely low noise. I use that as the gateway, and when it is the only machine on, you can hardly hear it. I have two different programs running HTTP and Socks Servers. I have AllegroSurf to handle routing, I have Tiny Personal Firewall to put the machines behind a firewall, and because I have had problems in the past with housekeepers who bring their children in, filtering, which is done by the old freeware version of WebWasher, which also does HTTP filtering. As far as controlling where users can go, I am just as secure as any corporate filtering network. You can call my setup a toy firewall, if you like, but it can stop a lot of things the hardware firewalls cannot. I can stop Kazaa, Grokster, and IM services, which the hardware appliances cannot do 100 percent.

Reply to
Charles Newman

... there are several firewalls that will run off a

I'm a huge fan of Smoothwall and IPCop. I'm running IpCop at home! But I know progs such as FreeSco used to run off a floppy. This has the added advantages of requiring less hardware (ie no HDD), but also, if compromised you can just reboot and there are no 'evil' files left around, because they can't write to the CD!

What I'm asking is for direction to sites / setup guides to do this for myself. Thanks!

Joseph

Reply to
Joseph


Well, that's true. On the other hand I think the mechanical moving parts, this means the fans, are the no. 1 reason to cause system failure. So I prefer not to depend on any fans.

In a professional pc-magazine I read that notebooks with their small fans are not made for 24/7 operation.

Best regards, Anguel

Reply to
astanko

I don't think the EPIA 600 MHz is comparable to an Athlon 600 MHz, and I think if it has to handle routing, firewall and web caching all the time, and from time to time VPN, it will have something to do. I think this is especially true if I set the web cache a little bigger. I am not sure if I should take a 1 Gig or an 8 Gig HDD for the cache of the proxy. I think I will go with the bigger disk. Such caching is especially useful if I have to install the same software / updates on all 5 PCs ;-)

Best regards, Anguel

Reply to
astanko

Like most experienced admins, I _DON'T_ recommend such a system, as it's a waste of a useful system. Your home firewall only needs a clapped out piece of trash that has been thrown away by others because you don't run ANY applications on a firewall other than the firewall.

Does Comcast permit that on a residential service?

Get a real operating system - both of those are built in to any *nix

Sounds like you have substantial security problems you haven't addressed.

No, but that's because you don't understand how people configure firewalls.

But you've already shown you don't understand even the fundamental concepts of firewalls. How would you know what can or can not be done? You have zero experience with one, and don't even understand basic IP networking. Should you allow any packets of protocol 17 through your firewall? Do you even know where to look up the protocol number, much less know what it is, and where the protocol number is located in the packet header with respect to the destination IP address? What about protocol 6? Is it a good idea to block packets with the DF or ECN bits set? Why?

Please stop making such false statements - my skill levels (or those of anyone in the business) are not as lacking as yours. Just because you don't want to believe something can be done doesn't make it so, except in your own mind.

By the way, I'm going to keep asking what the name of that college was where you "learned" networking. Are you ashamed of it?

Old guy

Reply to
Moe Trin

FreeSCO's domain registration (freesco.org DO NOT TRY) was hijacked by a spammer. The replacement site 404s for me now.

Well, the preference is to not get compromised in the first place, but the concept remains the same. Ideally, the system should boot from read-only media, (write protected floppies mounted RO are OK, and some hard disk drives have a jumper to make them 'read-only'), have a monolithic kernel (meaning no modules used - also meaning you have to compile from source to get your specific NIC driver, and any other "unique" things you want), and the system runs no over-network daemons. You admin the box via a serial link that provides a remote console (which is the ONLY place /etc/securetty allows a root login), but otherwise the system accepts no connections to itself. You can modify this rule slightly, so that the system also accepts SSH connections from specific network hosts (preferably from inside only). The base concept is that if the box is doing NAT or port forwarding, any connection to a forwarded port (perhaps web server, or DNS) gets sent to the appropriate server. ALL OTHER connection attempts are either rejected (preferred) or dropped ("stealth" is marketing bullshit terminology.)

Logging should be set to an old fashioned line printer using continuous feed paper, AND to an internal logging server. You should only log the important stuff, and ignore the 100,000 connection attempts per hour from the thousands of windoze zombies out there. If using a logging server, that box should also be HIGHLY restricted - accepting connections only from known local hosts, and root logins restricted to the console ONLY. And yes, I realize a line printer is going to be rather noisy for a home user - but I'm coming from the security angle, not the convenience.

What I'd recommend is a bit of reading first. Two O'Reilly books are

Building Internet Firewalls, 2nd Edition 1-56592-871-7 $49.95
Practical UNIX & Internet Security, 2nd Edition 1-56592-148-8 $44.95

Those are (unfortunately) US dollars. Please check your university library, as they are likely to have those books on hand. If you are not familiar with TCP/IP (a very complex subject), the classic book is from Addison Wesley

TCP/IP Illustrated, Volume 1 The Protocols 0-201-63346-9 $LOTS

which is often used as a college textbook for networking classes. I haven't priced it lately - my copy was US$59.00 at the Stanford University bookstore (and US$65 at two other nearby university bookstores, as well as several regular book store chains). I understand it's much more pricey now.

A lot of this material is also discussed in the various HOWTOs available from the Linux Documentation Project which, if you have Linux installed, you should find in /usr/share/HOWTO/ or similar. If not, go to one of the Linux Documentation Project mirrors, or ftp://mirror.aarnet.edu.au/pub/ibiblio/pub/linux/docs/HOWTO/ (note: this last link is only available from within Oz). HOWTOs to look at are:

85507 Aug 20 2001 Firewall-HOWTO
281095 Jun 17 13:55 HOWTO-INDEX
703560 May 23 08:22 IP-Masquerade-HOWTO
22582 Feb 6 2004 Reading-List-HOWTO
287028 Mar 31 2003 Remote-Serial-Console-HOWTO
155096 Jan 23 2004 Security-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO

Those are all 'current' (as of Friday Jun 17 at 1650 UTC) file dates.

For the operating system / firewall of your choice, here's three starting points. (The quotes are from posters to Usenet, not me, as I'm stuck with a NDA not to discuss specifics from work.)

"Use Linux as router, that runs from one 1.44 floppy and loads the system into RAM."

CD (programs) and Floppy (configuration): "I use floppyfirewall on a 25mhz 386 with 16mb connected to a cable modem."

"Take a look at One-Diskette-Router and firewall. The doku and the webpages are available in english too."

Old guy

Reply to
Moe Trin
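The design Moe Trin sketches (forwarded ports handed to internal servers, SSH to the box only from a named inside host, every other connection attempt rejected) and the header fields he asks about (protocol number, destination address, DF and ECN bits), as an added Python example that is not from the thread or from IPCop. The addresses, ports and forwarding table are constructed sample values; the header offsets follow RFC 791 and RFC 3168.

```python
"""Toy policy evaluator for the minimalist NAT/forwarding firewall above.
Added example, not IPCop's or any poster's code.  Protocol at byte 9,
destination address at bytes 16-19, DF in the flags field, ECN in the
low two TOS bits (RFC 791 / RFC 3168).  All addresses are constructed."""
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17  # IANA protocol numbers asked about above

RED_ADDR = "203.0.113.5"          # constructed: outside address of the firewall
GREEN_ADDR = "192.168.1.1"        # constructed: inside address of the firewall
GREEN_NET = ipaddress.ip_network("192.168.1.0/24")
ADMIN_HOSTS = {"192.168.1.50"}    # only inside host allowed to SSH to the box
FORWARDS = {                      # (protocol, port) -> internal server
    (IPPROTO_TCP, 80): "192.168.1.10",
    (IPPROTO_UDP, 53): "192.168.1.11",
}

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields a filter needs from a raw IPv4 header plus L4 ports."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("not a complete IPv4 packet")
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    sport, dport = struct.unpack_from("!HH", pkt, ihl)  # TCP and UDP both start with ports
    return {
        "proto": pkt[9],
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "dport": dport,
        "df": bool(flags_frag & 0x4000),   # Don't Fragment bit
        "ecn": pkt[1] & 0x03,              # ECN codepoint in the TOS byte
    }

def decide(pkt: bytes) -> tuple:
    """Verdict for a connection attempt: FORWARD, ACCEPT, MASQUERADE or REJECT."""
    h = parse_ipv4(pkt)
    src_inside = ipaddress.ip_address(h["src"]) in GREEN_NET
    if h["dst"] == GREEN_ADDR:
        # The box accepts nothing for itself except SSH from the admin host inside.
        if src_inside and h["proto"] == IPPROTO_TCP and h["dport"] == 22 \
                and h["src"] in ADMIN_HOSTS:
            return ("ACCEPT", "ssh from admin host")
        return ("REJECT", "firewall accepts no other connections to itself")
    if h["dst"] == RED_ADDR:
        target = FORWARDS.get((h["proto"], h["dport"]))
        if target:
            return ("FORWARD", target)
        return ("REJECT", f"no forward for proto {h['proto']} port {h['dport']}")
    if src_inside:
        return ("MASQUERADE", "outbound from green, source NATed")
    return ("REJECT", "not addressed to the firewall")

def build(proto, src, dst, sport, dport, df=True, ecn=0) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header plus the two L4 ports."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, ecn & 0x03, 24, 0,
                      0x4000 if df else 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)
```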

As mentioned in my reply, I don't like putting anything on the firewall except the firewall, but with five PCs, there should not be a problem unless those five users are hitting a lot of graphic intensive web sites. Assuming your local LAN is 100BaseT, the LAN would be saturated at 12.5 Megabytes/second, and an 80386SX running a network card on an ISA bus can be close to that - never mind a Pentium with PCI bus that can do ten times that rate. Thus, even if you went to a Gigabit NIC in the server, you are network bandwidth limited.

IPCop is a partially stripped Linux distribution. Assuming you are extremely lazy and only do software updates every six months, you are not likely to need much disk. For example, Fedora Core 3 was released Nov 08 2004 - or just over seven months ago. On Wednesday Jun 15 2005, I looked at the errata site, and found

[compton ~]$ awk '{total += $5 }; END {print total }' < fc3.updates.6.15.05
1499731090
[compton ~]$

or 1.5 Gigs of stuff. A large portion of that was a major update of KDE, but there is some "duplication" you wouldn't need.

[compton ~]$ grep kernel fc3.updates.6.15.05 | sed 's/.*mirror//'
18442991 Apr 11 20:18 kernel-2.6.11-1.14_FC3.i586.rpm
18348153 Apr 11 20:19 kernel-2.6.11-1.14_FC3.i686.rpm
18437069 May 23 16:35 kernel-2.6.11-1.27_FC3.i586.rpm
18340991 May 23 16:35 kernel-2.6.11-1.27_FC3.i686.rpm
2203548 Apr 11 20:19 kernel-doc-2.6.11-1.14_FC3.noarch.rpm
2205594 May 23 16:36 kernel-doc-2.6.11-1.27_FC3.noarch.rpm
17722035 Apr 11 20:19 kernel-smp-2.6.11-1.14_FC3.i586.rpm
17721244 Apr 11 20:19 kernel-smp-2.6.11-1.14_FC3.i686.rpm
17714175 May 23 16:35 kernel-smp-2.6.11-1.27_FC3.i586.rpm
17712566 May 23 16:36 kernel-smp-2.6.11-1.27_FC3.i686.rpm
553972 Jan 20 16:29 kernel-utils-2.4-13.1.49_FC3.i386.rpm
[compton ~]$

You'd need one kernel, one kernel-doc, and the kernel-utils - 20.5 Megs compared to 149 Megs. Our update procedure has a nightly cron job that hits the errata server at the distribution, and checks the contents looking for new stuff. If anything is found, it's downloaded to a local quarantine server where (after auditing the changes) we can source the updates on our LAN for another cron job run on the servers and workstations to automagically update. Pretty painless.

Old guy

Reply to
Moe Trin

That being the situation, you also don't want large hard drive that will produce a lot of heat, or a fast CPU that runs so hot that a fan failure will make the CPU glow in the dark... for a short time. You also don't want a lot of RAM... do you see where this is leading?

That depends on the manufacturer's choice of fans. A fan with cheap sleeve bearings certainly won't last as long as a ball bearing fan, but my 386 laptop that I'm using as a firewall has been running continuously (except for power outages and annual cleaning) for four or five years.

Old guy

Reply to
Moe Trin


For personal use, yes. I have to make sure that my proxy cannot be accessed from the outside, and my firewall is configured to make sure that does not happen. As long as my servers are not accessible to anyone from the outside, it is OK. You are allowed to run a home network, and have proxies to handle the network, as long as you only allow the machines on your network to be able to access them. I am surprised I did not hear from Comcast, however, when I tried CyBlock. It opened a security hole I did not know was there, until I looked at the logs. If you use the CyBlock web filtering program, be sure that only the machines on your network can access it, and also only allow CyBlock to go out to ports 80 and 443. Wavecrest needs to fix some serious security problems with CyBlock. If you use CyBlock as your filtering program, better have Tiny Personal Firewall on the same machine as well, to restrict both incoming and outgoing access.

My computer setup is quite secure. Since I replaced ICS with AllegroSurf, my system is a LOT more secure.

Tiny Personal Firewall only controls by IP, port number, and/or program running on the machine.

Reply to
Charles Newman
