I've run IPCop on several home networks and been pleased with the results. Lately I've been thinking about giving pfSense a try as well. Mainly, it looks like the web GUI in pfSense is a bit nicer to use, but learning a bit more BSD would be a plus. I was thinking of installing that on a little Soekris box to get rid of the noise of an old workstation running the firewall.

http://ipcop.org/
http://www.pfsense.com/
http://www.soekris.com/net4501.htm

Anyone who's used both IPCop and pfSense care to offer a comparison? Anyone run it on a small embedded device like the Soekris I linked to?

Regarding Snort: I ran that on an IPCop instance for a while, but ended up shutting it down because of a lack of analysis tools. It generated this massive log file, and IPCop provided no way to look at it except by manually trolling through the log. I looked into adding MySQL to IPCop (since Snort can also log to a database), and then you can use BASE to examine the logs. Adding MySQL, recompiling Snort, etc., etc., inside the IPCop distro proved to be a bit more than I was willing to invest the time in.

http://base.secureideas.net/about.php

Lisa, I'd be interested to know how you use Snort in these conditions?

alex

On Mar 28, 2009, at 10:05 PM, Lisa Kachold wrote:

> Join us at UAT.edu as we build and play with firewall ISOs in old boxen with network cards.
>
> Just imagine the script kiddies' surprise when your new firewall retaliates with a storm of SYN packets automagically rather than roll over like your Linksys or Netgear did?
>
> Imagine being able to check Snort logs and dump a big list of IPs directly to a deny file without having to type them all into teensy little forms like on the http://192.168.1.1/filters.htm screen!
>
> Addicted to the Linksys/Netgear wireless, or like the fast ethernet ports and pretty blue and white Linksys interface for setting up VPNs?
>
> You can set that device in place on the INSIDE of your Firewall of China!
>
> See you there!
>
> Obnosis | (503)754-4452
> PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
>
> From: lisakachold@obnosis.com
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: RE: OT? Linux-based trojans now targeting WRT and other linux-based routers
> Date: Sun, 29 Mar 2009 04:09:13 +0000
>
> Yes, I was thinking about getting an ASA, but I like my gigabit 1000BaseT connections, L2 VLANs, VPNs, and I think you are correct that optimally, a fast machine with 4 ethernet cards is going to be the direct solution in line before that silly "Linksys" ARM processor IPS.
>
> I used to build custom Linux firewalls in 1995 and drop them in for businesses with a 2400 Cisco, and I have built a few since (azwsx.com), so I think I will take your advice - I have a fresh install FreeBSD box right here, and a couple of extra cards.
>
> Thanks for the great suggestion!
>
> Obnosis | (503)754-4452
> PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
>
> > Date: Sat, 28 Mar 2009 03:13:32 -0700
> > From: technomage.hawke@gmail.com
> > To: plug-discuss@lists.plug.phoenix.az.us
> > Subject: Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
> >
> > Lisa Kachold wrote:
> > > Well, the sad fact is that _any_ machine will kick over and barf its guts under distributed attacks; it just depends on what it does after the green slime clears.
> > >
> > > Also, it really helps if you run one that won't take WRT, or only runs on an ARM, with small memory, therefore they aren't too hot to pwn you. Linksys put out the source, whereupon I built my own, and played with the features; you know kiddies are doing this also.
> > >
> > > Course, if you have a WRT-able router, it's a good idea to set it up as a small Linux system, but you have to know how to work it; starting by iptables deny all of China is a good start.
> > >
> > > I have had mine owned regularly; I just flash it again. Mine is easy to determine, since it suddenly starts showing AIM ports open. Once they target you successfully, they will insidiously continue to keep track of you; rather like trophy hunting.
> > >
> > > I could have done a complete DEF CON presentation on various routers by this time.
> > >
> > > That's why I always suggest to everyone, if you see something strange, you see something strange, report it, complain, study it, rather than continuing to agree with everyone in denial about the sad state of security.
> > >
> > > Obnosis | (503)754-4452
> > > PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
> >
> > Lisa (and others),
> >
> > I don't tend to generally trust the "commercial grade" devices available. They can't handle what I do with my home connection on a daily basis (and the last thing I want is some script kiddie pwning my router). I use OpenBSD here as my firewall machine (I have both a hardware version and VMware). I tend to keep close track on these and so far, neither has been "pwned" after nearly 5 years of continuous use. I used to use a Linux firewall before that, but had problems with rootkits.
> >
> > Even with this, it still doesn't hurt to have a whole bevy of security tools at hand for "just in case" (like Windows, Linux, OS X, etc.).
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
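Lisa's wish to "check snort logs and dump a big list of IPs directly to a deny file" and Alex's complaint that IPCop left him nothing but a raw Snort log to troll through come down to the same small tool. What follows is an added example for this thread, not code from the thread, IPCop, pfSense or Snort: it reads Snort's "fast" alert format, counts alerts per source address, skips anything from networks you must never block (your own LAN and the firewall's own addresses, since blindly denying a spoofed or internal source locks you out), and renders either a pf table file, which is what pfSense's pf uses, or iptables commands for a Linux box. The alert lines in SAMPLE_ALERTS, the rule SIDs in them and the PROTECTED_NETS ranges are constructed for the example; the threshold and priority cut-off are assumptions to tune for your own log.

```python
"""Reduce a Snort 'fast' alert log to a deny list for pf or iptables.

Added example for this thread; not IPCop's, pfSense's or Snort's own code.
The alert lines, SIDs and protected ranges below are constructed samples.
"""
import ipaddress
import re
from collections import Counter

# One line of Snort's alert_fast output. ICMP alerts carry no ports, so the
# port groups are optional. IPv4 only, which is what a home firewall saw then.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Networks that must never land in the deny file: the inside LAN and the
# firewall's own outside addresses. Constructed for the example.
PROTECTED_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),  # inside LAN
    ipaddress.ip_network("192.0.2.0/24"),    # the example's outside address
]

# Constructed sample of Snort fast-format alerts (plus one junk line).
SAMPLE_ALERTS = """\
03/28-22:05:13.104221  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.45:1434 -> 192.0.2.10:1434
03/28-22:05:14.201100  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.45:1434 -> 192.0.2.11:1434
03/28-22:06:01.000501  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10
03/28-22:06:40.770003  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51234 -> 192.0.2.10:22
03/28-22:07:05.123456  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.25:40001 -> 192.0.2.10:22
03/28-22:07:09.000000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.25:40002 -> 192.0.2.10:22
03/28-22:08:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.99 -> 192.0.2.10
this line is not a snort alert and must be skipped
"""


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None for a non-alert line."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def is_protected(ip, nets):
    """True if ip falls inside any network we refuse to block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def collect_offenders(lines, protected_nets, max_priority=2, min_alerts=2):
    """Count qualifying alerts per source IP; keep sources worth denying.

    Snort priority 1 is the most severe; 3 ("Misc activity") is mostly
    noise and is ignored by default. A single hit is too thin a basis to
    block on, hence min_alerts. Both thresholds are assumptions to tune.
    """
    hits = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        if is_protected(alert["src"], protected_nets):
            continue
        hits[alert["src"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_alerts}


def render_deny_list(offenders, fmt="pf"):
    """Render offenders as a pf table file ('pf') or iptables commands."""
    ordered = sorted(offenders.items(),
                     key=lambda kv: (-kv[1], ipaddress.ip_address(kv[0])))
    if fmt == "pf":
        # One address per line, suitable for a pf.conf table such as
        #   table <badguys> persist file "/etc/pf.badguys"
        #   block in quick from <badguys>
        # and reloaded with: pfctl -t badguys -T replace -f /etc/pf.badguys
        return "\n".join(ip for ip, _ in ordered) + "\n"
    if fmt == "iptables":
        return "\n".join(f"iptables -I INPUT -s {ip} -j DROP"
                         for ip, _ in ordered) + "\n"
    raise ValueError(f"unknown format {fmt!r}")


if __name__ == "__main__":
    found = collect_offenders(SAMPLE_ALERTS.splitlines(), PROTECTED_NETS)
    for ip, n in found.items():
        print(f"{ip}\t{n} alerts")
    print(render_deny_list(found, "pf"), end="")
```

On the sample log this keeps 203.0.113.45 and 198.51.100.7, drops 192.168.1.25 because it is inside the protected LAN even though its alerts are priority 1, and drops 203.0.113.99 because a lone priority-3 ping is noise. Two cautions before wiring this into cron: UDP and ICMP source addresses are trivially spoofed, so an attacker can feed you alerts that block addresses you want to reach, which is why the protected list and the alert threshold exist; and a pf table loaded with `-T replace` is the safer shape than appending iptables rules, because each run replaces the whole set instead of growing a rule chain forever.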