IPCop firewall on ALIX

January 14th, 2009 | Categories: Hardware, Linux, Security

When the ALIX.2D3 I'd ordered arrived, I set about installing IPCop, a secure Linux distribution managed through a web interface. IPCop has a huge number of features, and provides good documentation in the form of an installation manual and a separate administration manual.

I wanted IPCop to run off a Compact Flash (CF) card (1GB), so I proceeded as per instructions, creating the CF image from a staging IPCop installed in a VirtualBox machine. (If you prefer a ready-made image, look at EMBCop or read on.) After copying IPCop's image onto a CF card, I inserted it into the ALIX and booted.

The hard part (after I'd found a NULL-modem cable in the pile of mess I call a cellar :-( ) is finding out which of the NIC connectors on the ALIX is which. What I did was to plug an Ethernet cable into each connector, one after the other, and wait until the link status goes up (I can identify that with ethtool). I then know which interface it is (eth0 … eth2) and can label the connectors accordingly.
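The same plug-and-watch procedure can be scripted. This is an added example, not part of the original post; the function names, the script name and the `ETHTOOL` override variable are assumptions of the example, and it relies only on the `Link detected:` line that `ethtool` prints.

```shell
#!/bin/sh
# Added example: find which interface gains a link when a cable is plugged in.
# ETHTOOL is an override hook assumed by this example (defaults to ethtool).

# Read `ethtool <iface>` output on stdin; print "yes" or "no".
link_detected() {
    awk -F': *' '
        /Link detected/ { s = $2; sub(/[ \t\r]+$/, "", s) }
        END { print (s == "yes" ? "yes" : "no") }'
}

# Print one "iface state" line for every interface named in "$@".
snapshot() {
    for i in "$@"; do
        printf '%s %s\n' "$i" "$(${ETHTOOL:-ethtool} "$i" 2>/dev/null | link_detected)"
    done
}

# Given two snapshots, print the interfaces whose link went from down to up.
newly_up() {
    printf '%s\n--\n%s\n' "$1" "$2" | awk '
        $0 == "--" { after = 1; next }
        !after     { before[$1] = $2; next }
        $2 == "yes" && before[$1] != "yes" { print $1 }'
}

# Take a baseline, then poll once a second until some link comes up.
wait_for_link() {
    base=$(snapshot "$@")
    while :; do
        sleep 1
        up=$(newly_up "$base" "$(snapshot "$@")")
        if [ -n "$up" ]; then
            echo "$up"
            return 0
        fi
    done
}

# Usage (whichnic.sh is a hypothetical script name):
#   ./whichnic.sh --watch eth0 eth1 eth2
# Start with all cables unplugged, plug one in, label that socket, repeat.
if [ "${1:-}" = "--watch" ]; then
    shift
    wait_for_link "$@"
fi
```

Labelling the sockets this way before assigning RED, GREEN and ORANGE avoids cabling the Internet uplink to an interface that IPCop treats as trusted.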

The interfaces are labelled as per the terminology that IPCop uses:

  • RED is the bad Internet. (And it is bad, believe me. As soon as you have IPCop running, glance at the firewall logs. You might be surprised at the rubbish coming towards you.)
  • ORANGE is the DMZ if you need one.
  • GREEN is the good network, i.e. your home or SOHO network to which you connect your PCs, Macs and printers.

IPCop supports a number of different network combinations, depending on your requirements. You can set it up with just a RED and GREEN network (the simplest combination), or you can expand it to include a BLUE network for wireless LAN (WLAN or WiFi). IPCop automatically allows or forbids traffic between these interfaces, but you can override specific ports with port forwarding or so-called DMZ pinholes.

Instead of messing about with IPsec VPNs, I decided to install OpenVPN on IPCop. There are a large number of addons for IPCop, and OpenVPN is provided as Zerina. After copying the tar file to the IPCop, I had to change the version check line in the install file, replacing 1.4.18 with 1.4.21 before launching ./install. The addon integrates nicely with IPCop's Web interface, and allows me to create an SSL root Certification Authority and then add certificates and keys for road warriors. If you don't have experience with OpenVPN, there are a couple of good introductions to IPCop and OpenVPN here and here.

What I particularly like about this setup is:

  • Totally silent because it has no fan.
  • Great functionality including OpenVPN and Snort Intrusion Detection System.
  • Easy to perform a full backup of the CF card without removing it:
    ssh -p 222 root@ipcop "dd if=/dev/harddisk" > backup.img
  • Simple but powerful Web interface. (Better than most low-cost routers I've seen.)
  • There are a large number of useful (and not so useful) add-ons for IPCop. A nice repository is at IPCop addon binaries. Installation is usually just a matter of getting a tar file onto your IPCop with scp, logging in to it with ssh, extracting the files (tar) and running an ./install in the package's directory.
  • IPCop updates are supplied as encrypted GPG files. I simply upload them in the browser and IPCop does the rest.

Check out the IPCop support page with links to mailing lists and support forums. If you read German, I can warmly recommend ipcop-forum.de which offers downloads (for registered members) with ready-made CF images, ready to run on ALIX boards.


  1. January 13th, 2009 at 22:59

    If you own an ALIX board you might also want to look into using m0n0wall (http://m0n0.ch). Maybe you like it.

  2. January 14th, 2009 at 10:22

    Thanks Bernhard: I know about m0n0wall, but I think it isn't user-friendly enough for the target person. :-) However I do plan to look into it more carefully for myself.

  3. January 14th, 2009 at 17:17

    Redwall is also another nice alternative. I have a firewall that boots off a CD (could just as easily be a CF card) and pulls its config from a write-protected floppy disk. I can then manage the rules in a GUI by using Firewall Builder which is nice for me because it looks/acts much like Firewall-1 to which I am accustomed. And since it's a CD-boot and write-protected floppy for the config there is no fear of it being hacked and having a root-kit installed.

    Perhaps something similar could be done with the ALIX board.

    Dan

  4. SorinC
    February 4th, 2009 at 06:11

    Hi Jan-Piet,
    I was wondering if you could give me a little bit of help to get my eBox 3852 (TK-63T) up and running. I created the image as per the instructions on the ipcop site, but now I'm stuck. Being a Windows guy means I only have rudimentary knowledge of *nix. So, a lot of questions arise:
    Can I write it to the flash card from ipcop using dd? The CF card was previously used in Windows and has FAT f/s on it. How do I format it for Linux? What device should I use in the command line to mount it?
    Please reply to the e-mail address.
    Thank you.

  5. Drewmeister
    April 1st, 2010 at 06:07

    I don't see too many recent postings about your project here. Is this still functioning well one year later?

  6. April 1st, 2010 at 14:19

    I actually didn't put this into production myself, but I know it is working well.
