Using Ubuntu to filter my internet

what you want is a Dual Homed Host. i haven't done this in linux, but I have done it with freebsd. you basically turn your computer into a NAT filter, and you can install a very powerful firewall (ipfw).

http://www.google.com/search?q=free...s=org.mozilla:en-US:official&client=firefox-a and http://www.defcon1.org/natd.html

or use m0n0wall http://m0n0.ch/wall/ basically the same idea as smoothwall/ipcop but based on freebsd.

edit: i wanted to point out - http://m0n0.ch/wall/facts.php

* The m0n0wall system currently takes up less than 6 MB on the Compact Flash card (or CD-ROM), and contains
    o all the required FreeBSD components (kernel, user programs)
    o ipfilter
    o PHP (CGI version)
    o mini_httpd
    o MPD
    o ISC DHCP server
    o ez-ipupdate (for DynDNS updates)
    o Dnsmasq (for the caching DNS forwarder)
    o racoon (for IPsec IKE)
    o UCD-SNMP
    o choparp
    o BPALogin
* On a net4501, m0n0wall provides a WAN <-> LAN TCP throughput of about 17 Mbps, including NAT, when run with the default configuration. On faster platforms (like net4801 or WRAP), throughput in excess of 50 Mbps is possible (and > 100 Mbps with newer standard PCs).
* On a net4501, m0n0wall boots to a fully working state in less than 40 seconds after power-up, including POST (with a properly configured BIOS)
 
I would go with ipcop. Smoothwall is risky. They have a proprietary version and a GPL'd version. They tend to focus much more on the proprietary version at the expense of the GPL'd version. IPCOP is totally GPL'd and so the focus is on that product. I don't think any of the other products are decent competitors.

As far as speed, you need a switch for one thing. Most things that today say they are hubs are in fact switches. About the only use for a hub is if you are running a packet sniffer of some sort (something where computers read the packets sent to other computers on the net). A hub works by getting a packet from one computer, and echoing it to every other computer on the hub, so every computer receives every packet, and it is left to the NICs to filter out the traffic. A switch routes the packet only to the target computer, cutting down on excess traffic and increasing speed. Much superior for most users.

If you go with smoothwall, ipcop, or something similar, you will need to attach a switch or a hub to one of the NICs (the blue NIC) to connect all your PCs to it, so it doesn't really save you much money. Another thing to consider is that ipcop or smoothwall cost more to run in a year than the cost of a cheap router (computers require a lot more power than dedicated router units), so I wouldn't use ipcop to save money.

Finally, for security purposes, you need to have a router of some sort. IPCOP is a router (as is smoothwall), but you can also use a dedicated router like a linksys/netgear/dlink/etc. This creates a hardware firewall between you and the outside world. DO NOT run anything else on the ipcop box. It's just ipcop, it just runs as a firewall/router. If you try to run other things on that box, you now have a very insecure network setup. For reasons of security, it is critical to have some kind of HARDWARE firewall between your PCs and the outside world... something that does NAT and blocks all the ports etc.

So if you need the old junker to do something else, like word processing, web surfing, etc... i.e. function as a general computer, you cannot use it to run ipcop or smoothwall or any similar program. It is highly insecure and asking to get malware or hacked.

People use ipcop over a regular router because it offers a lot of features the router does not. It allows for traffic shaping, the use of a caching proxy, network analytics, a more secure system especially if you have green/blue/orange/red zones, http filtering for viruses and/or ads, removal of ads automatically from all websites, etc. There are nice features associated with ipcop, but a regular router is ok for security too. Some kind of router is absolutely necessary though.
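
The hub-versus-switch behaviour described in the post above, as an added example that is not part of the original thread: a small simulation counting how many frames each attached machine's NIC receives on a hub and on a learning switch. The host names, port numbers and traffic are constructed for the illustration.

```python
# Added illustration: frame delivery on a hub versus a learning switch.
# Host names, port numbers and the traffic below are constructed for this example.

class Hub:
    """Repeats every frame out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        return self.ports - {in_port}


class Switch:
    """Learns which port each source address is on, then forwards by destination."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}                        # address -> port

    def forward(self, in_port, src, dst):
        self.table[src] = in_port              # learn the sender's port
        if dst in self.table:
            out = self.table[dst]
            return set() if out == in_port else {out}
        return self.ports - {in_port}          # unknown destination: flood


def frames_seen(device, attached, traffic):
    """Count the frames each host's NIC receives, addressed to it or not."""
    port_of = {host: port for port, host in attached.items()}
    seen = {host: 0 for host in attached.values()}
    for src, dst in traffic:
        for port in device.forward(port_of[src], src, dst):
            seen[attached[port]] += 1
    return seen


ATTACHED = {1: "pc-a", 2: "pc-b", 3: "sniffer"}      # port -> host (constructed)
TRAFFIC = [("pc-a", "pc-b"), ("pc-b", "pc-a")] * 3   # six frames between pc-a and pc-b

if __name__ == "__main__":
    print("hub:   ", frames_seen(Hub(ATTACHED), ATTACHED, TRAFFIC))
    print("switch:", frames_seen(Switch(ATTACHED), ATTACHED, TRAFFIC))
```

On the hub the third machine receives all six frames; on the switch it receives only the first one, which is flooded because the destination's port has not been learned yet.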
 
splat,
is there a way to also set up an ftp server on that?

m0n0wall doesn't appear to come with it by default, but i'd bet money you could easily add the freebsd ports collection to it and then add any app you wanted from there...ssh, ftp, sendmail, postfix....

but at that point, you might as well just start with regular freebsd, do a minimal install, and enable ipfw, bind, natd, dhcpd, and whatever else you want.
 
It's generally a very bad idea to use a regular distro as a firewall. Firewall distros are stripped down to the bare minimum and ultra-hardened and tested for security, probably a lot better than any of us can do.

There's a reason the distros are so minimal. Less code = less code to audit/test = less likelihood of security vulnerabilities. Every bit of code running is a potential security hole. That's all well and good on a regular PC, because functionality is important too, but your firewall should be simple.
 
in the ideal case, you would have a different machine dedicated to each different task, but that is not always reasonable for home use. So if it is possible, follow MRD's advice and dedicate one machine to router/firewall status, then another to fileserver/ftp server status. I'd say the biggest reason to have a separate router/firewall box in home use is so that you don't take down your entire net if you have to reboot your fileserver/ftp server for whatever reason.
 
If you can't afford a dedicated machine, get a dedicated hardware router like a linksys. Anyone can afford this. They are available on ebay for $5 if you can't afford a new one. This option is superior to compromising the security of your ipcop box. Either run ipcop (or whatever firewall/router distro you choose) alone, or don't run it at all.
 
OK,
The amount of blue in this thread is overwhelming me.

Suggested Final setup
(i'm upping my 750 to 1Ghz on the fileserver)

router.jpg
 
if it was me, i'd change out that router with a switch. ipcop has all the functionality of a router in it already.
 
Ok, something like THIS? linksys switch 200mbps

If i do decide to add wireless - for a laptop - could I just plug in a wireless card on one of the computers, or do i need a wireless router?
 
multiport 10/100 switch (i have a netgear 8port, just fyi) is all you really need, something like http://www.newegg.com/Product/Product.aspx?Item=N82E16833127085 or gigabit would be nice but i'd assume its out of your price range. If you think you might get wireless in the future, you might as well just get a wireless router/access point/switch now http://www.newegg.com/Product/Produ...0010244&name=1+x+10/100M+WAN;+4+x+10/100M+LAN you can turn off the router function and just use it as an AP/switch if you still want to use the ipcop box.
 
Agreed with the poster who said dump the router. You need a router or a dedicated ipcop box. The ipcop box IS a router.
 
The less you know, the simpler it should be. Otherwise, you might open a very large hole in the network.

Once you're up to speed on what you need and have the knowledge, you can then start to form a complex network.

A machine handling the firewall and routing is a good start. If you have never set one up, you're going to have a handful getting it just right and smooth. After that is going really nice and swell, look for something to handle files and stuff like that. Otherwise you're going to get a headache trying to grasp several subjects at once. Since the firewall/router is the base of the network, right after that, it will be much easier getting the file server going, since you will have a grasp of the routing and protecting everything behind it, plus an understanding of what is going on, like ports to open or close and which ones need to be held tightly inside the network.

At the very least, try and get a firewall/router up first and make it work for your needs. Then you can test it as a different setup if you like at a later time. It is not hard to reconfigure a computer (read: reformat) to something else. Running old hardware is a great way to test the waters and have some fun.
 