<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>fsckin w/ linux &#187; Firewall</title>
	<atom:link href="http://www.fsckin.com/category/firewall/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.fsckin.com</link>
	<description>a swift kick in the *nix</description>
	<lastBuildDate>Mon, 16 May 2011 05:45:52 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Seven Different Linux/BSD Firewalls Reviewed</title>
		<link>http://www.fsckin.com/2007/11/14/7-different-linuxbsd-firewalls-reviewed/</link>
		<comments>http://www.fsckin.com/2007/11/14/7-different-linuxbsd-firewalls-reviewed/#comments</comments>
		<pubDate>Thu, 15 Nov 2007 03:03:32 +0000</pubDate>
		<dc:creator>Wayne</dc:creator>
				<category><![CDATA[Firewall]]></category>
		<category><![CDATA[ClarkConnect]]></category>
		<category><![CDATA[Endian]]></category>
		<category><![CDATA[Gibraltar]]></category>
		<category><![CDATA[IPCop]]></category>
		<category><![CDATA[m0n0wall]]></category>
		<category><![CDATA[pfSense]]></category>
		<category><![CDATA[Review]]></category>
		<category><![CDATA[SmoothWall]]></category>

		<guid isPermaLink="false">http://www.fsckin.com/2007/11/14/seven-different-linuxbsd-firewalls-reviewed/</guid>
		<description><![CDATA[Did you know more than 500 million computers in the United States have been disposed of in the last 10 years? That&#8217;s approximately 2 computers per person! One of the best ways to re-purpose an old computer is to install a Linux or FreeBSD firewall distribution, and use it to run your personal, home office, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Did you know</strong> more than 500 million computers in the United States have been disposed of in the last 10 years?</p>
<p>That&#8217;s approximately 2 computers <em>per person</em>! One of the best ways to re-purpose an old computer is to install a Linux or FreeBSD firewall distribution and use it to run your personal, home office, or small office network. It is one way to keep &#8220;obsolete&#8221; technology from ever reaching a landfill.</p>
<p><strong>Help the environment</strong> by reusing an old computer as a firewall. It will protect your computer from internet worms, save you time, money and most importantly &#8211; improve your internet experience as a whole.</p>
<p><strong>Fact</strong>: A wireless router at an electronics store that can cost in excess of $100 is actually <em>slower</em> than any computer made in the last decade. Really! Most routers off the shelf at a store only have a 200MHz processor and 16MB of RAM.</p>
<p><strong>By today&#8217;s standards</strong>, the 500MHz computer that&#8217;s been running quietly in my closet for the past 3 years is beyond obsolete. More than ten generations of processors have come and gone since this computer rolled off the assembly line.</p>
<p><strong>Keep that wallet in your pocket</strong>, don&#8217;t be a sucker and spend lots of money on a slow, horrifically overpriced home networking product. There&#8217;s a good reason why companies like Linksys (a division of Cisco), Netgear and D-Link are worth multi-billions of dollars and continue to climb. Consumer spending on products with home network connections will reach over 17 billion dollars this year.</p>
<p>Here are the criteria each platform is graded on:</p>
<ul>
<li>Installation &amp; Configuration</li>
<li>SSH</li>
<li>VPN</li>
<li>Graphical Interface
<ul>
<li>Ease of Use</li>
<li>Functionality</li>
<li>Style</li>
</ul>
</li>
<li>Extensibility (Add-ons, Plugins, etc)</li>
<li>Speed Testing</li>
</ul>
<p>Each item in the list is given a value of 1 to 10 (10 being the highest), then averaged to obtain the final score.</p>
<p><img src="http://www.fsckin.com/wp-content/uploads/2007/12/hp_vectra2.png" alt="hp_vectra2.png" align="right" />The testing platform we are using today is an HP Vectra slimline PC. Considering the computer was FREE (as in beer) after a company upgraded their workstations, the specifications are nothing to scoff at.</p>
<ul>
<li>Pentium III 500 MHz</li>
<li>192MB of RAM</li>
<li>1GB Transcend disk-on-chip IDE module</li>
<li>Dual 100Mbps NICs</li>
</ul>
<p>We&#8217;re taking a look at no less than seven different firewall products today:</p>
<p><img src="http://www.fsckin.com/wp-content/uploads/2007/11/firewall-graph2.png" alt="Firewall Graph" /></p>
<p>I&#8217;d like to draw your attention to the size column. Size is NOT everything (that&#8217;s what she said) when it comes to firewall distributions. Wireless routers that may run your home or office network right now pack a ton of functionality into a package as small as 2 megabytes. FreeBSD, Red Hat, and Debian are the building blocks for these home networking appliance distributions.</p>
<p>Let&#8217;s take a look at each one in more detail.</p>
<p><strong>ClarkConnect <img src="http://www.fsckin.com/wp-content/uploads/2007/11/clarkconnect.png" alt="Clark Connect Logo" title="Clark Connect Logo" align="left" />is a BEAST &#8211; in a good way.</strong> It&#8217;s really hungry for a faster processor than I can throw at it. The list of features really blows everything out of the water. It&#8217;s not just a router or firewall platform, it&#8217;s like someone asked themselves a question: &#8220;What is EVERYTHING a small office could EVER need in a networking server?&#8221; ClarkConnect provides three different robust VPN connectivity solutions using IPSec, PPTP, and OpenVPN, along with web proxy and web filtering. Additionally, it provides an SSH server, Quality of Service (QoS) filtering for common P2P applications, Intrusion Detection, and much, much more, including email, file, print, database and web serving. Not to mention a fairly comprehensive groupware suite, which has calendar, contact, and task lists, and provides a paid option for using Microsoft Outlook Connector to allow everything to go right into Microsoft Office Outlook.</p>
<p>ClarkConnect is certainly a jack of all trades. Doing everything is great, but how well does ClarkConnect do it? On the testbed, installation was easy, and had an informative installation progress screen. The first time running through the installer, there was a problem with not having enough disk space. After rebooting and trying again, I chose to use Disk Druid, a partitioning program, instead of the auto-partition mode. Everything worked just fine after that. I believe the problem lies with the testbed &#8211; 1GB of space is not a lot to work with, but fortunately they provide a manual partitioning method. It also prompts to create a GRUB (bootup) password, so that if the device is physically compromised, it would be more difficult for someone to maliciously (or accidentally) make changes to the system.</p>
<p>Configuration was an overall negative experience. It got confusing, not to mention frustrating. A small business owner who doesn&#8217;t know much about networking or computers would do best to consider hiring a professional to do the initial installation, or paying the vendor for a yearly support contract or for a single incident. An interesting feature ClarkConnect leverages very well during configuration stages is a graphical interface to the system. Every other firewall reviewed here has either a very sparse text-mode or console configuration. ClarkConnect wants to make it easier. Just point and click to configure the system, which is nice &#8211; but it does not contain all of the features of the text-mode configuration tool, which is also provided.</p>
<p>The Web Graphical Interface is easy to use. Items are categorized in a logical fashion and it doesn&#8217;t take much hunting to find something you want, even if you don&#8217;t know exactly where it is in the menu. Style-wise, ClarkConnect is the only option in this roundup that provides a theme switcher &#8211; it is possible to use a very slick, visually appealing interface, or with a few clicks, just change to another theme which is less eye-candy, but probably more familiar to most people who have configured a wireless router in the past.</p>
<p>Many companies, like ClarkConnect, release a &#8220;community&#8221; version as well as a paid version which includes more features and support options. Add-ons such as email and virus scanning are available on a subscription basis, and with so many features to start out with you might not need anything else to help run a small business.</p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-dashboard.png" rel="lightboxClark" title="gatewayclarkconnectlan-dashboard.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-dashboard.thumbnail.png" alt="gatewayclarkconnectlan-dashboard.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-current-status.png" rel="lightboxClark" title="gatewayclarkconnectlan-current-status.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-current-status.thumbnail.png" alt="gatewayclarkconnectlan-current-status.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-system-statistics.png" rel="lightboxClark" title="gatewayclarkconnectlan-system-statistics.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-system-statistics.thumbnail.png" alt="gatewayclarkconnectlan-system-statistics.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-dhcp-server.png" rel="lightboxClark" title="gatewayclarkconnectlan-dhcp-server.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-dhcp-server.thumbnail.png" alt="gatewayclarkconnectlan-dhcp-server.png" height="85" width="100" /></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-software-registration.png" rel="lightboxClark" title="gatewayclarkconnectlan-software-registration.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-software-registration.thumbnail.png" alt="gatewayclarkconnectlan-software-registration.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-critical-updates.png" rel="lightboxClark" title="gatewayclarkconnectlan-critical-updates.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-critical-updates.thumbnail.png" alt="gatewayclarkconnectlan-critical-updates.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-running-services.png" rel="lightboxClark" title="gatewayclarkconnectlan-running-services.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-running-services.thumbnail.png" alt="gatewayclarkconnectlan-running-services.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-webconfig-settings_3x.png" rel="lightboxClark" title="gatewayclarkconnectlan-webconfig-settings_3x.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-webconfig-settings_3x.thumbnail.png" alt="gatewayclarkconnectlan-webconfig-settings_3x.png" height="85" width="100" /></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-webconfig-settings_4x.png" rel="lightboxClark" title="gatewayclarkconnectlan-webconfig-settings_4x.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-webconfig-settings_4x.thumbnail.png" alt="gatewayclarkconnectlan-webconfig-settings_4x.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-webconfig-settings_huron.png" rel="lightboxClark" title="gatewayclarkconnectlan-webconfig-settings_huron.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-webconfig-settings_huron.thumbnail.png" alt="gatewayclarkconnectlan-webconfig-settings_huron.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-encrypted-file-system-manager.png" rel="lightboxClark" title="gatewayclarkconnectlan-encrypted-file-system-manager.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-encrypted-file-system-manager.thumbnail.png" alt="gatewayclarkconnectlan-encrypted-file-system-manager.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-official-modules.png" rel="lightboxClark" title="gatewayclarkconnectlan-official-modules.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/gatewayclarkconnectlan-official-modules.thumbnail.png" alt="gatewayclarkconnectlan-official-modules.png" height="85" width="100" /></a></p>
<p><strong>Consider IPCop<img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop.png" alt="IPCop Logo" title="IPCop Logo" align="left" /> to be the baseline for features, usability and extensibility</strong>. The installation CD is simple, but employs a non-linear configuration that some may have difficulty using the first time around. A nice touch is including MemTest86 on the CD as an option on the initial bootup. The program will systematically test your RAM and determine if there is a fault; as a computer gets older, the likelihood of that happening becomes more of a reality.</p>
<p>The auto-partitioner worked great. Unfortunately, the installation procedure does have one glaringly obvious flaw. When the setup routine attempts to detect network cards, it cycles through every single network card that is supported. After the first card is detected, it prompts you to set that as the &#8220;GREEN&#8221; interface, also known as the LAN. Once it&#8217;s found the first NIC and assigned it to LAN, you can&#8217;t change it to &#8220;RED&#8221;, the WAN interface. Mildly annoying, but thankfully the workaround is pretty simple: just reboot and start it again.</p>
<p>The web-based configuration tool is absolutely simple. Setting up SSH is just a checkbox away. VPN support is focused on a solution to provide IPCop-to-IPCop connectivity, but an OpenVPN add-on exists. Speaking of add-ons, there is a HUGE modding community devoted to adding features into IPCop. The webGUI style is, in a word, tacky. It&#8217;s a good thing that it can be easily modified. A few changes to colors and background images later, it looks much, much better. Functionality-wise, IPCop makes it easy to forward ports, but does keep a few ports to itself that you cannot utilize, such as port 222 for SSH. Printing is not an option. I haven&#8217;t been able to find any 3rd party modification that allows print serving. The graphs are simplistic, yet very informative.<br />
<a href="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-main-page.png" rel="lightboxIpcop" title="ipcop-main-page.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-main-page.thumbnail.png" alt="ipcop-main-page.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-updates.png" rel="lightboxIpcop" title="ipcop-updates.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-updates.thumbnail.png" alt="ipcop-updates.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-remote-access.png" rel="lightboxIpcop" title="ipcop-remote-access.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-remote-access.thumbnail.png" alt="ipcop-remote-access.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-status-information.png" rel="lightboxIpcop" title="ipcop-status-information.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-status-information.thumbnail.png" alt="ipcop-status-information.png" height="85" width="100" /></a><br />
<a href="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-system-graphs.png" rel="lightboxIpcop" title="ipcop-system-graphs.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-system-graphs.thumbnail.png" alt="ipcop-system-graphs.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-network-traffic-graphs.png" rel="lightboxIpcop" title="ipcop-network-traffic-graphs.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-network-traffic-graphs.thumbnail.png" alt="ipcop-network-traffic-graphs.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-dhcp-configuration.png" rel="lightboxIpcop" title="ipcop-dhcp-configuration.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-dhcp-configuration.thumbnail.png" alt="ipcop-dhcp-configuration.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-traffic-shaping-settings.png" rel="lightboxIpcop" title="ipcop-traffic-shaping-settings.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-traffic-shaping-settings.thumbnail.png" alt="ipcop-traffic-shaping-settings.png" height="85" width="100" /></a><br />
<a href="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-port-forwarding-configuration.png" rel="lightboxIpcop" title="ipcop-port-forwarding-configuration.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/ipcop-port-forwarding-configuration.thumbnail.png" alt="ipcop-port-forwarding-configuration.png" height="85" width="100" /></a></p>
<p><strong>m0n0wall<img src="http://www.fsckin.com/wp-content/uploads/2007/11/monowall.png" alt="monowall.png" title="monowall.png" align="left" /> is, by far, the smallest of the bunch</strong>. The entire thing is contained in a measly 8 MB CD image! m0n0wall is first and foremost a routing platform. Nothing more, nothing less. The distribution comes in two flavors, either for embedded systems or for regular PCs. Installation the first time around may be difficult for a beginner, since it refers to network cards by their FreeBSD driver name, instead of something a human can easily interpret. Which is easier to understand: &#8220;fxp0&#8221; or &#8220;Intel Pro 10/100+&#8221;? Why not provide both pieces of information to the user?</p>
<p>VPN is well supported with both IPSec and PPTP options. SSH access can be enabled by a 3rd party add-on. Print serving is unsupported. The configuration page for m0n0wall uses K.I.S.S. (Keep It Simple Stupid) to great effect. It&#8217;s brain-dead simple to set things up. However, two things stand out as being somewhat awkward, those being static DHCP and advanced settings. Otherwise, it&#8217;s fantastic. Ever had P2P traffic slow down your internet surfing? Check one single box in the GUI, and instantly you have over 20 different protocols filtered using QoS to make your internet surfing experience as pleasant as possible.</p>
<p>Add-ons are not easy to incorporate, and require modification of the ISO image, but m0n0wall is not designed to be anything more than a router and firewall. Extra features include a wireless AP feature that can be used with the captive portal function, a Wake on LAN interface, and, probably the smallest feature I could point out, the uptime printed on the console when rebooting. Small things like that show an extremely polished software platform that delivers.</p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-system-general-setup.png" title="m0n0walllocal-system-general-setup.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-system-general-setup.thumbnail.png" alt="m0n0walllocal-system-general-setup.png" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-status-cpu-load.png" title="m0n0walllocal-status-cpu-load.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-status-cpu-load.thumbnail.png" alt="m0n0walllocal-status-cpu-load.png" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-status-traffic-graph.png" title="m0n0walllocal-status-traffic-graph.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-status-traffic-graph.thumbnail.png" alt="m0n0walllocal-status-traffic-graph.png" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-firewall-traffic-shaper-magic-shaper-wizard.png" title="m0n0walllocal-firewall-traffic-shaper-magic-shaper-wizard.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-firewall-traffic-shaper-magic-shaper-wizard.thumbnail.png" alt="m0n0walllocal-firewall-traffic-shaper-magic-shaper-wizard.png" /></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-firewall-rules-edit.png" title="m0n0walllocal-firewall-rules-edit.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-firewall-rules-edit.thumbnail.png" alt="m0n0walllocal-firewall-rules-edit.png" height="118" width="86" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-status-interfaces.png" title="m0n0walllocal-status-interfaces.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/m0n0walllocal-status-interfaces.thumbnail.png" alt="m0n0walllocal-status-interfaces.png" /></a></p>
<p><strong>pfSense<img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsense1.png" alt="pfSense Logo" title="pfSense Logo" align="left" /> is a hybrid of sorts</strong> that has multiple sources for its major components. It was originally derived from m0n0wall, but uses OpenBSD&#8217;s ported Packet Filter, a package management system that provides integrated extensibility for the platform, and Alternate Queuing (ALTQ) from FreeBSD. This Frankenstein is no slouch when it comes to performance, features and usability.</p>
<p>Installation uses the same m0n0wall device naming system, which is clunky, and also does not provide the entire name of the device. Once installed, the console has several options, one of which is a program called &#8220;pfTop&#8221;. If you&#8217;ve ever needed to be able to view where most of your network bandwidth is being used from a console, now you can, very easily.</p>
<p>The web GUI is absolutely fantastic. It&#8217;s got initial setup &amp; traffic shaping wizards, a captive portal, a load balancer (nice!), OLSR (ad-hoc wireless AP mode), a Wake on LAN wizard, different selectable themes for the GUI, OpenVPN, IPSec, and PPTP VPN all included by default, failover, and packet capturing!</p>
<p>Wizards for traffic shaping and initial setup are not anything new; almost any router you can buy today has them. But when you see them for the first time included in a firewall distribution, it&#8217;s great to see changes that make a product easier to use. No other firewall we&#8217;ve looked at has three different VPN options.</p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-webgui.png" rel="lightboxPfsense" title="pfsenselocal-pfsense-webgui.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-webgui.thumbnail.png" alt="pfsenselocal-pfsense-webgui.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-system-advanced-functions.png" rel="lightboxPfsense" title="pfsenselocal-system-advanced-functions.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-system-advanced-functions.thumbnail.png" alt="pfsenselocal-system-advanced-functions.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-system-general-setup.png" rel="lightboxPfsense" title="pfsenselocal-system-general-setup.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-system-general-setup.thumbnail.png" alt="pfsenselocal-system-general-setup.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-setup-wizard.png" rel="lightboxPfsense" title="pfsenselocal-pfsense-setup-wizard.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-setup-wizard.thumbnail.png" alt="pfsenselocal-pfsense-setup-wizard.png" height="85" width="100" /></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-general-information.png" rel="lightboxPfsense" title="pfsenselocal-general-information.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-general-information.thumbnail.png" alt="pfsenselocal-general-information.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-configure-wan-interface.png" rel="lightboxPfsense" title="pfsenselocal-configure-wan-interface.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-configure-wan-interface.thumbnail.png" alt="pfsenselocal-configure-wan-interface.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-configure-lan-interface.png" rel="lightboxPfsense" title="pfsenselocal-configure-lan-interface.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-configure-lan-interface.thumbnail.png" alt="pfsenselocal-configure-lan-interface.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard.png" rel="lightboxPfsense" title="pfsenselocal-pfsense-traffic-shaper-wizard.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard.thumbnail.png" alt="pfsenselocal-pfsense-traffic-shaper-wizard.png" height="85" width="100" /></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard2.png" rel="lightboxPfsense" title="pfsenselocal-pfsense-traffic-shaper-wizard2.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard2.thumbnail.png" alt="pfsenselocal-pfsense-traffic-shaper-wizard2.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard3.png" rel="lightboxPfsense" title="pfsenselocal-pfsense-traffic-shaper-wizard3.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard3.thumbnail.png" alt="pfsenselocal-pfsense-traffic-shaper-wizard3.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard4.png" rel="lightboxPfsense" title="pfsenselocal-pfsense-traffic-shaper-wizard4.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard4.thumbnail.png" alt="pfsenselocal-pfsense-traffic-shaper-wizard4.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard5.png" rel="lightboxPfsense" title="pfsenselocal-pfsense-traffic-shaper-wizard5.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard5.thumbnail.png" alt="pfsenselocal-pfsense-traffic-shaper-wizard5.png" height="85" width="100" /></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard6.png" rel="lightboxPfsense" title="pfsenselocal-pfsense-traffic-shaper-wizard6.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard6.thumbnail.png" alt="pfsenselocal-pfsense-traffic-shaper-wizard6.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard7.png" rel="lightboxPfsense" title="pfsenselocal-pfsense-traffic-shaper-wizard7.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-pfsense-traffic-shaper-wizard7.thumbnail.png" alt="pfsenselocal-pfsense-traffic-shaper-wizard7.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-status-interfaces.png" rel="lightboxPfsense" title="pfsenselocal-status-interfaces.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-status-interfaces.thumbnail.png" alt="pfsenselocal-status-interfaces.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-status-traffic-graph.png" rel="lightboxPfsense" title="pfsenselocal-status-traffic-graph.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-status-traffic-graph.thumbnail.png" alt="pfsenselocal-status-traffic-graph.png" height="85" width="100" /></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-diagnostics-packet-capture.png" rel="lightboxPfsense" title="pfsenselocal-diagnostics-packet-capture.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/pfsenselocal-diagnostics-packet-capture.thumbnail.png" alt="pfsenselocal-diagnostics-packet-capture.png" height="85" width="100" /></a></p>
<p><strong>SmoothWall&#8217;s<img src="http://www.fsckin.com/wp-content/uploads/2007/11/smoothwall.png" alt="Smoothwall Logo" title="Smoothwall Logo" align="left" /> installation is simplistic</strong>, and the GREEN/RED interface descriptions are an easy idea to grasp. One of the best features is a Java SSH client that runs right in the web interface &#8211; slick. Smoothwall&#8217;s VPN is designed to connect multiple Smoothwalls to each other, but IPSec is supported fully, and addons can be found for other VPN implementations.</p>
<p>The web interface is easy to navigate.  This is the only product to provide a Java SSH client that runs right in the WebGUI &#8211; very nice.  The real-time traffic graphs are a great addition.  Add-ons for Smoothwall 3.0 are plentiful and usually easy to install; if you can think of it, it probably exists.  my.smoothwall is integrated into the web configuration tool, and provides some basic integration into the smoothwall website.  Free services like dynamic DNS are available, along with paid features as well.</p>
<p>The IM proxy is the best I&#8217;ve seen.  Once it&#8217;s enabled, every incoming and outgoing IM conversation is logged.  After opening up a few channels in IRC &#8211; in real-time &#8211; it&#8217;s possible to view any conversation going through the firewall.  MSN, AIM, and other protocols are supported as well.  It&#8217;s a big-brother feature, but if you want to monitor who your children are talking to, or for whatever reason, I can see it being an invaluable resource to monitor what is going on in a network you control.  It would almost be easier to keep track of conversations using the logging tool in Smoothwall instead of multiple instant messenger clients.</p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/main-page-smoothwall-express.png" rel="lightboxSmoothie" title="main-page-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/main-page-smoothwall-express.thumbnail.png" alt="main-page-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/register-and-credits-smoothwall-express.png" rel="lightboxSmoothie" title="register-and-credits-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/register-and-credits-smoothwall-express.thumbnail.png" alt="register-and-credits-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/mysmoothwall-profilesmoothwall-profile.png" rel="lightboxSmoothie" title="mysmoothwall-profilesmoothwall-profile.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/mysmoothwall-profilesmoothwall-profile.thumbnail.png" alt="mysmoothwall-profilesmoothwall-profile.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/mysmoothwall-profilesmoothwall-profile2.png" rel="lightboxSmoothie" title="mysmoothwall-profilesmoothwall-profile2.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/mysmoothwall-profilesmoothwall-profile2.thumbnail.png" alt="mysmoothwall-profilesmoothwall-profile2.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/status-information-smoothwall-express.png" rel="lightboxSmoothie" title="status-information-smoothwall-express.png"></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/status-information-smoothwall-express.png" rel="lightboxSmoothie" title="status-information-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/status-information-smoothwall-express.thumbnail.png" alt="status-information-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/advanced-status-information-smoothwall-express.png" rel="lightboxSmoothie" title="advanced-status-information-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/advanced-status-information-smoothwall-express.thumbnail.png" alt="advanced-status-information-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/realtime-bandwidth-bars-smoothwall-express.png" rel="lightboxSmoothie" title="realtime-bandwidth-bars-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/realtime-bandwidth-bars-smoothwall-express.thumbnail.png" alt="realtime-bandwidth-bars-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/network-traffic-graphs-smoothwall-express.png" rel="lightboxSmoothie" title="network-traffic-graphs-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/network-traffic-graphs-smoothwall-express.thumbnail.png" alt="network-traffic-graphs-smoothwall-express.png" height="85" width="100" /></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/im-proxy-configuration-smoothwall-express.png" rel="lightboxSmoothie" title="im-proxy-configuration-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/im-proxy-configuration-smoothwall-express.thumbnail.png" alt="im-proxy-configuration-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/instant-messenger-proxy-logs-smoothwall-express.png" rel="lightboxSmoothie" title="instant-messenger-proxy-logs-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/instant-messenger-proxy-logs-smoothwall-express.thumbnail.png" alt="instant-messenger-proxy-logs-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/dhcp-configuration-smoothwall-express.png" rel="lightboxSmoothie" title="dhcp-configuration-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/dhcp-configuration-smoothwall-express.thumbnail.png" alt="dhcp-configuration-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/dynamic-dns-smoothwall-express.png" rel="lightboxSmoothie" title="dynamic-dns-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/dynamic-dns-smoothwall-express.thumbnail.png" alt="dynamic-dns-smoothwall-express.png" height="85" width="100" /></a></p>
<p><a href="http://www.fsckin.com/wp-content/uploads/2007/11/traffic-configuration-smoothwall-express.png" rel="lightboxSmoothie" title="traffic-configuration-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/traffic-configuration-smoothwall-express.thumbnail.png" alt="traffic-configuration-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/interfaces-configuration-smoothwall-express.png" rel="lightboxSmoothie" title="interfaces-configuration-smoothwall-express.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/interfaces-configuration-smoothwall-express.thumbnail.png" alt="interfaces-configuration-smoothwall-express.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/updates-smoothwall-express2.png" rel="lightboxSmoothie" title="updates-smoothwall-express2.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/updates-smoothwall-express2.thumbnail.png" alt="updates-smoothwall-express2.png" height="85" width="100" /></a><a href="http://www.fsckin.com/wp-content/uploads/2007/11/smoothwall-ssh-java.png" rel="lightboxSmoothie" title="smoothwall-ssh-java.png"><img src="http://www.fsckin.com/wp-content/uploads/2007/11/smoothwall-ssh-java.thumbnail.png" alt="smoothwall-ssh-java.png" height="85" width="100" /></a></p>
<p><strong>Endian and Gibraltar are not included in the final results due to not finishing testing.</strong></p>
<p>Endian<img src="http://www.fsckin.com/wp-content/uploads/2007/11/endian.png" alt="Endian Logo" title="Endian Logo" align="left" /> &#8220;is very easy to install, use and manage, without losing its flexibility.&#8221;  I had a completely different experience.  Although Endian is only 106 MB and would easily fit within the 1GB limitation of our testbed, installation failed at 96% &#8211; reporting that there was not enough space on the drive.</p>
<p>The installer for Endian has hard-coded values for the supplementary filesystems /var and swap.  There are no minimum system requirements listed on their website that I can find, and I checked online for solutions to this problem.  The best solution provided was to install Endian to another hard drive, resize the partitions to fit on the smaller disk, then copy it back using disk imaging software.  That workaround does not constitute &#8220;easy to install&#8221; by any stretch of the imagination.</p>
<p>Gibraltar<img src="http://www.fsckin.com/wp-content/uploads/2007/11/gibraltar.png" alt="Gibraltar Logo" title="Gibraltar Logo" align="left" /> is a close match to every other distribution we&#8217;ve looked at so far, with a few nice touches.  Their website says that they have the following feature, which at first look seems pretty kickass:  &#8220;Anonymisation Gateway: The Gibraltar Anonymisation Gateway makes your overall network traffic anonymous and it makes sure you can surf in the internet anonymously.&#8221;</p>
<p>To activate the firewall you must obtain a license key (for free) from their website.  Unfortunately, that feature on Gibraltar&#8217;s site does not appear to be working properly.  I&#8217;ve tried multiple times to request a key, and it said one was on its way &#8211; but never arrived.  About a day later I requested a key once again, and was informed that a key already exists for my email address.  Not good.  Right before publishing this article I finally received a key via email, and it appears that the license key process is not automated, unfortunately.  We&#8217;ll take a look at it next time around.</p>
<p><strong>Conclusion:</strong></p>
<p>The scoring system gives equal favor to the following categories:  Setup, WebGui, Extensibility, and Speed Testing.  Each of the distributions passed the speed test with flying colors, with less than 5% margin between highest and lowest scores.   It&#8217;s difficult to assign arbitrary numbers to reach a score, and I&#8217;ve attempted to provide a good metric that someone can go by to determine which is best for them.</p>
<p><img src="http://www.fsckin.com/wp-content/uploads/2007/11/overall-score.PNG" alt="Overall Score" /></p>
<p>In the end, pfSense is ultimately the best choice overall and provides the best value of all we have looked at today.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fsckin.com/2007/11/14/7-different-linuxbsd-firewalls-reviewed/feed/</wfw:commentRss>
		<slash:comments>79</slash:comments>
		</item>
		<item>
		<title>Do You Use Linux?  The RIAA and MPAA Don&#8217;t Want You To Use This Program</title>
		<link>http://www.fsckin.com/2007/09/27/do-you-use-linux-the-riaa-and-mpaa-dont-want-you-to-use-this-program/</link>
		<comments>http://www.fsckin.com/2007/09/27/do-you-use-linux-the-riaa-and-mpaa-dont-want-you-to-use-this-program/#comments</comments>
		<pubDate>Thu, 27 Sep 2007 10:32:19 +0000</pubDate>
		<dc:creator>Wayne</dc:creator>
				<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[BitTorrent]]></category>
		<category><![CDATA[MoBlock]]></category>

		<guid isPermaLink="false">http://www.fsckin.com/2007/09/27/do-you-use-linux-the-riaa-and-mpaa-dont-want-you-to-use-this-program/</guid>
		<description><![CDATA[Have you ever used PeerGuardian for Windows? Well good news my friend, there&#8217;s a Linux alternative available. PeerGuardian is a program that blocks companies such as the RIAA and their affiliates (such as Media Defender) from connecting to your computer when you are running P2P software.  This is not foolproof by any means, but certainly [...]]]></description>
			<content:encoded><![CDATA[<p>Have you ever used PeerGuardian for Windows? Well good news my friend, there&#8217;s a Linux alternative available.</p>
<p>PeerGuardian is a program that blocks companies such as the RIAA and their affiliates (such as Media Defender) from connecting to your computer when you are running P2P software.  This is not foolproof by any means, but certainly a step in the right direction.</p>
<p>When I used Windows, one of the programs I used to protect my online privacy was PeerGuardian. Now that I&#8217;m using Ubuntu full-time, I&#8217;d like to find an alternative.</p>
<p>A quick Google search found that PeerGuardian actually has a Linux client, but the installation is far more difficult than another program I found called MoBlock. Not only does it come pre-setup with most of the Bluetack blocking lists, the same ones that PeerGuardian uses, but it will also utilize the eMule ipfilter.dat file format, if you&#8217;re looking for that.</p>
<p>Ok, now I know we&#8217;re looking at the rest of this document and saying,</p>
<p>&#8220;<em>Sh!t Wayne, this looks complicated.</em>&#8221;</p>
<p>It&#8217;s actually really easy if you follow it step by step, and if you have any questions, feel free to comment and I&#8217;ll do my best to help you out.</p>
<p>Deep breath, here we go.</p>
<p>First, we edit sources.list to add a repository:</p>
<p><code>gksu gedit /etc/apt/sources.list</code></p>
<p>Paste these two lines at the end:</p>
<p><code>deb http://moblock-deb.sourceforge.net/debian feisty main<br />
deb-src http://moblock-deb.sourceforge.net/debian feisty main</code></p>
<p>Save and Close the gedit program, just a few more commands:</p>
<p><code>gpg --keyserver wwwkeys.eu.pgp.net --recv 9072870B<br />
gpg --export --armor 9072870B | sudo apt-key add -<br />
sudo apt-get update<br />
sudo apt-get install moblock-nfq</code></p>
<p>Now it&#8217;s installed! Congratulations. Now we need to configure the program so that HTTP (website) traffic is unfiltered. This program likes to be as paranoid as possible to start out with, which can be a good thing for some people.</p>
<p><code>gksu gedit /etc/moblock/moblock.conf</code></p>
<p>Look for the following section about half-way down:</p>
<p><code>WHITE_TCP_IN=""<br />
WHITE_UDP_IN=""<br />
WHITE_TCP_OUT=""<strong><br />
#WHITE_TCP_OUT="http https"</strong><br />
WHITE_UDP_OUT=""<br />
WHITE_TCP_FORWARD=""<br />
WHITE_UDP_FORWARD=""</code></p>
<p>Remove the hash (#), save and you&#8217;re done.</p>
<p>Run this command to test and make sure it&#8217;s working properly:</p>
<p><u><strong>EDIT</strong></u></p>
<p>Thanks to <strong><a href="http://digg.com/users/mbsjoblom">mbsjoblom</a></strong> on Digg, I missed a step.</p>
<p><code>sudo moblock-control reload<br />
sudo moblock-control test</code></p>
<p>You should get a message something like this:</p>
<p><code>* MoBlock blocked the IP. Test succeded.</code></p>
<p><u><strong>EDIT 2</strong></u></p>
<p>Thanks to &#8220;Moblockin&#8221; there is a <a target="_blank" href="http://www.gnomefiles.org/app.php/MoBlockGUI">GUI available</a>, which I haven&#8217;t tried out, but it seems more user-friendly than the command line.</p>
<p>Now, you have no more big brother looking after you. MoBlock will automatically do its magic behind the scenes with no interaction from you &#8211; ever!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fsckin.com/2007/09/27/do-you-use-linux-the-riaa-and-mpaa-dont-want-you-to-use-this-program/feed/</wfw:commentRss>
		<slash:comments>86</slash:comments>
		</item>
		<item>
		<title>This is the Fastest review EVER of 5 Linux firewall distributions.*</title>
		<link>http://www.fsckin.com/2007/09/04/this-is-the-fastest-review-ever-of-5-linux-firewall-distributions/</link>
		<comments>http://www.fsckin.com/2007/09/04/this-is-the-fastest-review-ever-of-5-linux-firewall-distributions/#comments</comments>
		<pubDate>Tue, 04 Sep 2007 22:13:19 +0000</pubDate>
		<dc:creator>Wayne</dc:creator>
				<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[ClarkConnect]]></category>
		<category><![CDATA[IPCop]]></category>
		<category><![CDATA[m0n0wall]]></category>
		<category><![CDATA[pfSense]]></category>
		<category><![CDATA[SmoothWall]]></category>

		<guid isPermaLink="false">http://www.fsckin.com/2007/09/04/this-is-the-fastest-review-ever-of-5-linux-firewall-distributions/</guid>
		<description><![CDATA[*fastest review by this author. I&#8217;ve got a P3 500MHz PC w/ 192MB of RAM and a 1GB Transcend Flash IDE module that I&#8217;ve been running as a Linux-based IPCop firewall platform for around the last two years.  It&#8217;s been running IPCop after testing out m0n0wall, SmoothWall, pfSense and IPCop.  pfSense impressed me, but wasn&#8217;t [...]]]></description>
			<content:encoded><![CDATA[<p>*fastest review by this author.</p>
<p>I&#8217;ve got a P3 500MHz PC w/ 192MB of RAM and a 1GB Transcend Flash IDE module that I&#8217;ve been running as a Linux-based IPCop firewall platform for around the last two years.  It&#8217;s been running IPCop after testing out m0n0wall, SmoothWall, pfSense and IPCop.  pfSense impressed me, but wasn&#8217;t quite polished enough for me.  m0n0wall and SmoothWall had their various problems with the current releases back then, and IPCop won my vote by default.</p>
<p>Two years have passed since then, let&#8217;s see if there&#8217;s anything different this time around.<br />
<span id="more-38"></span><br />
Here are my personal criteria for gauging the usefulness of a Linux firewall:</p>
<p>1.  Ease of installation without reading the instructions.<br />
2.  How &#8220;friendly&#8221; and &#8220;snazzy&#8221; the WebGUI interface is.<br />
3.  Has an easy to use or install OpenVPN server.<br />
4.  Print server integration difficulty. </p>
<p><img align="right" src="http://www.fsckin.com/wp-content/uploads/2007/09/cc.jpg" alt="ClarkConnect logo" /><strong><u>ClarkConnect</u> &#8211; </strong><a href="http://www.clarkconnect.com/"><strong>http://www.clarkconnect.com/</strong></a><br />
I tried Community Edition 4.1 released on 04/18/2007.  ClarkConnect (hereby known as CC) appears to be a trimmed down Red Hat distribution with a firewall GUI tacked on.  Installation took about 1.5 hours reading ZERO documentation.  Installation would have gone considerably faster if I had read instructions.  I&#8217;m doing this for fun.  CC can actually use better hardware than the rest comparatively, for sure.  WebGUI looked great, but was very slow, updating was extremely slow.  Strangely, it was using apt-get (according to top while connected via SSH into the machine) to update the system – what is wrong with YUM? ClarkConnect appears to be the most full-featured firewall-oriented distribution.  This has VERY slick integration with the CC website.  DynDNS service, updating monitoring, security audits, etc &#8211; but for a price.  OpenVPN installation was as easy as 5 clicks in the WebGUI.  Print Server was just as easy to install.  Color me impressed.</p>
<p>Pros- Slick website, full-featured, enterprise capable.  Print server built in!<br />
Cons- Requires a fast PC, installation was moderately hard.</p>
<p><strong><u><img align="right" src="http://www.fsckin.com/wp-content/uploads/2007/09/ipcop.jpg" alt="IPCop logo" />IPCop</u> &#8211; </strong><a href="http://www.ipcop.org/"><strong>http://www.ipcop.org/</strong></a><br />
I like IPCop but it&#8217;s not quite exactly what I&#8217;m looking for.  It&#8217;s a firewall first, and doesn&#8217;t really do anything else other than slap a usable WebGUI on top of iptables.  It&#8217;s very stable, and the graphs are terrific and informative.  Lots of people use IPCop.  It&#8217;s got the Ubuntu-effect going on in their forums &#8211; lots of people use it, lots of people HELP you for FREE on their forums.  To get a print server running requires some serious hacking as far as I can tell.  OpenVPN is not as bad, there is a plugin, which will actually integrate into the WebGUI.</p>
<p>Pros:  Good support is available because so many people use it.<br />
Cons:  Lack of printing ability.  OpenVPN install requires some hacking. </p>
<p><u><img align="right" src="http://www.fsckin.com/wp-content/uploads/2007/09/mono.jpg" alt="m0n0wall logo" /></u><strong><u>m0n0wall</u> &#8211; </strong><a href="http://m0n0.ch/wall/"><strong>http://m0n0.ch/wall/</strong></a><br />
The 1.231 version image failed to boot properly on my testbed.  It came up and the normal boot-up kernel text flew across the screen but then a message popped up saying it was going to reboot in 15 seconds.  Perhaps it is because I had some hardware that was unsupported, but I have used it in the past on the same hardware.  I will endorse the usage of m0n0wall if you ever think of buying a Soekris, PC Engines WRAP or perhaps even a RouterBoard, this is the distribution tailored specifically for these platforms.</p>
<p>m0n0wall did not finish testing, and unfortunately I did not have time to attempt resolving this issue. </p>
<p><img align="right" src="http://www.fsckin.com/wp-content/uploads/2007/09/sw.jpg" alt="SmoothWall logo" /><strong><u>SmoothWall</u> &#8211; </strong><a href="http://www.smoothwall.org/"><strong>http://www.smoothwall.org/</strong></a><br />
I am SO impressed by SmoothWall 3.0 Express.  It oozes with &#8220;gee, that&#8217;s smart&#8221; or &#8220;wow!&#8221; when I moved from one portion of the WebGUI to another.  Such as real-time monitoring of IM conversations if the IM Proxy service (totally transparent to the user) is enabled (VERY big brother-ish ala dsniff), a Java SSH client, my.SmoothWall website integration which is similar to ClarkConnect’s website integration, real-time graphing of network traffic, and the list goes on and on.  The installation was very easy, and installation of a print server using Samba is possible.  SSH access is easy, just one checkmark.  A Java-based SSH client is available right inside the WebGUI – very nice addition!  Found a terrific mod that goes and checks the signal strength of my Motorola cable modem (many others are supported) and creates a graph of it.  Terrific!  Now I can nail my ISP when signal strength dies!  This is FAR better than when I tried the original release of 3.0 (or was it an RC?) and it had a terrible &#8220;DHCP on RED&#8221; bug that made it impossible for me to use &#8220;out of the box.&#8221;</p>
<p>Pros:  Great Modding Community, adding new features easily along with a forum that has walkthroughs for installing Samba.  The GUI is very robust.<br />
Cons:  Printing and OpenVPN not installed out of the box, but these are easily fixed. </p>
<p><img align="right" src="http://www.fsckin.com/wp-content/uploads/2007/09/pf.jpg" alt="pfSense logo" /><strong><u>pfSense </u>- </strong><a href="http://www.pfsense.com/"><strong>http://www.pfsense.com/</strong></a> <br />
I tested the 1.2 RC2 version of pfSense.  I am rather interested in seeing what has changed since the 0.9 releases.  Oh… it’s nice.  DMZ works now, which previously did not work properly for me.  Still a little “techie” required to figure out how to get it online.  Ethernet interfaces are presented in a list (i.e. fxp0, rl0) which unless you know what vendor equates to which interface name, you need to guess which is which.  This is in stark contrast to other firewall distributions (SmoothWall/IPCop) which show the full name of the adapter instead of a driver name.  This is not the friendliest way of doing things.  A pseudo SSH tool is available in the GUI – just type your command into a text box, and the output is shown on the WebGUI.  VPN was the easiest to get working in this distribution.  This distribution does not use the common color-oriented user friendly way of configuring the network segments, (i.e. GREEN/RED) instead it uses the better known LAN/WAN combination and allows you to rename the interfaces to whatever you would like to use.  pfSense has come a long way in a short period of time.</p>
<p>Pros:  Nice WebGUI, graphs look better than most, full-featured and doesn&#8217;t require top-end software.<br />
Cons:  Does not have any mods that I am aware of or can find.</p>
<p><u><strong>Summary:<br />
</strong>ClarkConnect</u>:  Two thumbs up for people with newer hardware.  Instructions are recommended.  Print server installed by default!<br />
<u>IPCop</u>:  Terrific as a firewall, has limited plugin availability.  IPCop is easy as pie to install.  No instructions needed. <br />
<u>m0n0wall</u>:  Did not finish testing. <br />
<u>SmoothWall</u>:  Terrific WebGUI and mySmoothWall integration is bar none the killer app for a firewall appliance.  Many modifications are available.  No instructions needed.<br />
<u>pfSense</u>:  Has nearly as many features as ClarkConnect, without the problem of WebGUI latency.  Instructions probably needed the first time around.</p>
<p><strong><u>Conclusion:<br />
</u></strong>SmoothWall Express 3.0 is the winner of this round up.  I&#8217;ve already switched to SmoothWall myself.  If you are running IPCop or m0n0wall, this is a good performer on low-end hardware.  ClarkConnect wins an honorable mention, and I recommend this distribution if you have newer hardware.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fsckin.com/2007/09/04/this-is-the-fastest-review-ever-of-5-linux-firewall-distributions/feed/</wfw:commentRss>
		<slash:comments>34</slash:comments>
		</item>
	</channel>
</rss>

