IPCop

IPCop is a free Linux distribution that acts primarily as a router and firewall. In addition, the distribution offers selected server services and can be extended with additional features. Up to version 1.3.0, IPCop was based on the free GPL version of SmoothWall; since version 1.4.0, it has been based on Linux From Scratch (LFS).

Server services

Immediately after installation, IPCop provides a router, a working firewall, a proxy server (Squid), a DHCP server, a caching name server (dnsmasq) and an intrusion detection system (Snort). Other functions such as traffic shaping, VPN and dynamic DNS are also available.

System

The computing power required of the PC depends on the application. IPCop requires 133 MHz with 32 MB RAM (better 64 MB). At least two network cards are required (PCI, PCMCIA, USB, ISA or VL-Bus): one for the connection to the Internet (via DSL or another router) and one for connecting to the LAN.

For private use, a 486 can already provide enough computing power if Squid and the intrusion detection system (IDS) are turned off.

Interfaces

IPCop distinguishes between different networks, which are represented by different colors. The green network represents the local LAN, and the red network symbolizes the "unprotected" Internet. A WLAN, if present, is symbolized by the color blue, while orange represents the DMZ (demilitarized zone). The DMZ is used for servers that should be accessible from the Internet (web server, FTP server, etc.). If this network is successfully attacked (compromised), the other networks remain protected independently of it.

Each network that is used requires a separate network card with its own IP address. It is not necessary to use every network. If there is no WLAN, there is simply no blue network. If there is no web server (or similar), there is no DMZ and therefore no need for an orange network. Systems equipped with a red and a green network can be expanded via add-ons by up to four additional network cards, and thus networks, regardless of blue and orange. Each of these networks is separate and protected by the firewall.

Web interface

IPCop is configured via a web interface, which (before version 2.0.0) is reached at http://SERVERNAME:81/ or over SSL at https://SERVERNAME:445/ (default ports; these can or should be changed for security reasons, because 445 is now blocked by many providers). The IP address can be used in place of the server name. Since version 2.0.0, secure access is no longer on port 445 and is (by default) possible only via port 8443.

In this web interface, settings such as port forwarding, opening ports (external access), the proxy and DHCP servers, as well as dynamic DNS, traffic shaping, IDS and the time server (NTP) can be configured. The web interface also gives access to the various log files and their evaluations, some of which are also provided as graphics.

The user can also access the Unix shell to create or change more detailed configurations. Access is via SSH on port 8022. WinSCP and PuTTY are very common tools for this and are easy to use without knowledge of Linux.

The capabilities of IPCop can be expanded via add-ons, such as a URL filter, the OpenVPN add-on ZERINA or a Layer 7 filter. The extensions are published on the official IPCop website.

Security aspects

IPCop provides many services in the base installation and is also customizable with add-ons. This, however, is a compromise between performance and functionality on the one hand and security on the other, because security can suffer as complexity increases. Even the basic installation includes a web server and an NTP server, features that are unnecessary for the firewall itself and that can be used for attacks. Various add-ons such as Samba can also create additional attack surface.
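
The attack-surface point above can be checked against the colored zones from the Interfaces section. The following is an added example, not IPCop code: it maps each listening socket to the zones it is bound on and reports anything bound outside green. The zone subnets, the sample listing (in `ss -ltun` column layout) and the green-only expectation are assumptions made for illustration; ports 81, 445, 8443 and 8022 are the ones named on this page, and 123 is the standard NTP port.

```python
import ipaddress

# Assumed zone subnets for illustration; these are not IPCop defaults.
ZONES = {
    "green": ipaddress.ip_network("192.168.1.0/24"),
    "orange": ipaddress.ip_network("192.168.2.0/24"),
    "blue": ipaddress.ip_network("192.168.3.0/24"),
    "red": ipaddress.ip_network("203.0.113.0/24"),
}
# Ports named on this page, plus the standard NTP port.
SERVICES = {81: "web interface (HTTP, before 2.0.0)", 8022: "SSH", 123: "NTP",
            445: "web interface (HTTPS, before 2.0.0)",
            8443: "web interface (HTTPS, since 2.0.0)"}
# Constructed sample in `ss -ltun` column layout, not captured from a real system.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    192.168.1.1:8443   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8022       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.10:81    0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.1:53     0.0.0.0:*
"""

def zones_for(addr):
    """Return the zones on which a socket bound to addr accepts traffic."""
    addr = addr.strip("[]")
    if addr in ("0.0.0.0", "*", "::"):
        return sorted(ZONES)  # wildcard bind listens on every interface, red included
    ip = ipaddress.ip_address(addr)
    return [zone for zone, net in ZONES.items() if ip in net]

def audit(listing):
    """Return (port, service, zones) for every listener bound outside green."""
    findings = []
    for line in listing.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        exposed = [z for z in zones_for(addr) if z != "green"]
        if exposed:
            findings.append((int(port), SERVICES.get(int(port), "other"), exposed))
    return findings

if __name__ == "__main__":
    for port, service, zones in audit(SAMPLE):
        print(f"port {port} ({service}) is bound on: {', '.join(zones)}")
```

A listener bound on a zone is not necessarily reachable from it, since the firewall rules still apply; each finding is an item to verify against the rule set.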

In 2005, the magazine c't presented a server project, the c't-Debian-Server, in which IPCop runs in User Mode Linux (UML), a virtual machine, on a well-equipped Linux home server system with various network services. Many experts consider this usage insecure because an attacker could take control of the virtual host. In the current version of the sample server, these risks have been reduced through the use of Xen and two virtual servers based on it.

IPv6 support is missing in the latest version.

LCD4Linux

LCD4Linux is an extension that makes it possible to show information on an LCD display connected via the serial interface.

See also

  • Endian Firewall, a fork of IPCop
  • IPFire, a fork / development of IPCop
  • Zentyal, a free Small Business Server Linux distribution with firewall
  • SME Server, a free Small Business Server Linux distribution