[H-GEN] What's a good firewall for Windows user?

Stuart Longland stuartl at longlandclan.hopto.org
Sat Sep 25 07:05:22 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Seikel wrote:

> My brother has recently got himself a broadband connection, and he
> asked me for advice on firewall software.  Last time I checked he had
> two Windows boxes in his house.  He is a photo copier / fax / printer
> technician for Xerox, and he has some basic Unix training to help him
> with his work.

Depending on what he wishes to achieve, there's a couple of options.

1.  Set up his internet connection on one of the boxes (running Windows
2000 or XP) and use the Internet Connection Sharing in conjunction with
some firewall package (e.g. ZoneAlarm).
2.  Use a hardware broadband router to share the internet service.
3.  Use a dedicated Linux/Unix box to share the internet service.

Option 3 probably gives the most possibility of expansion and
configurability.  The disadvantage here is that not all ISPs are
Unix/Linux friendly.

Option 2 is more likely to be supported by the ISP's helpdesk.  A small
hardware router will also be somewhat cheaper to run, as most draw less
than 50 watts of power.  Compare this with a typical desktop computer,
whose hard drive, CPU, RAM and other misc peripherals (as well as the
various power losses involved) would easily exceed 150 W.  The
disadvantage though is that a lot are nowhere near as flexible as your
average Linux box.  You also don't have to worry so much about being
open to attack, being an embedded RISC system, these boxes are much
harder to exploit.

Option 1 is probably the least favourable IMHO, but will almost
certainly be supported by the helpdesk of the ISP.  The big issue I have
here is the fact that Windows was not designed with security in mind,
and as such, is more vulnerable to attack.  One must keep a very sharp
eye on Windows Update if they want their network to remain safe.

> Naturally I suggested he get himself a cheap P100 and run Linux on it
> as the firewall.  I have no experience with the firewall distros
> though, so I thought I would ask for opinions here.  I will forward
> those opinions to him.  This email has also been BCC'd to him.

Okay, this is along the lines of Option 3.  Most firewall distros should
give him what he wants, the difference is in the ability to expand and
add bits & pieces when necessary, as well as upgradeability.

Smoothwall and IPCop are generally good choices, both offering similar
features, the former being commercially backed.  Both of these take up
only a small amount of disk space and work pretty much out of the box
with only a little bit of configuration.

I've had little experience with firewall distros, my main experience was
assisting in troubleshooting Smoothwall being used on a Bigpond cable
connection.  The issue here was that firstly, Smoothwall didn't come
with bpalogin, and hence one needed to download a package to install.
Once this was done, it was possible to get the internet connection
going, but the configuration was fragile, and my mate had all sorts of
hassles if the box ever needed to be rebooted -- requiring him to bring
down the external interface before bringing it back up again.  Only then
would bpalogin kick in properly.

Some firewall distros:
- SmoothWall (Doesn't natively support Bigpond Cable AFAIK, but can be
  made to do so)
- IPCop (originally forked from SmoothWall)
- MonoWall (based on FreeBSD rather than Linux)
- ClarkConnect (Red Hat-based firewall distro)
- FreeSCO (Runs from single floppy apparently -- NOT to be confused with
  the Santa Cruz Operation)

I think the best bet is to have a look on the web to see which one has
the needed features, it is after all, a horses for courses market out
there. ;-)
--
+-------------------------------------------------------------+
| Stuart Longland -oOo- http://stuartl.longlandclan.hopto.org |
| Atomic Linux Project     -oOo-    http://atomicl.berlios.de |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| I haven't lost my mind - it's backed up on a tape somewhere |
+-------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBVVDyuarJ1mMmSrkRAgGbAJ9yArWD7sbcqmYvkT6Bcfl5gNaCWQCbBsFv
6bYlyPz76gQafpIGLMNMJjA=
=tygo
-----END PGP SIGNATURE-----



