Firewall


19 posts
by Jawloms » Fri Feb 10, 2012 9:46 pm
I have tried searching for this and haven't found anything, but apologies if I've just missed it.  I know that Smoothwall won't go on the pi (unless someone ports it), but is there an alternative?

Thank you

Stuart
Posts: 14
Joined: Wed Dec 28, 2011 2:11 pm
by bredman » Fri Feb 10, 2012 9:55 pm
Your problem may be that there are too many alternatives.

Almost every Linux firewall GUI is just a front-end for iptables.

See here for more info on Debian, but the situation is very similar for all distributions.

http://wiki.debian.org/Firewalls
Posts: 1413
Joined: Tue Jan 17, 2012 2:38 pm
by error404 » Sat Feb 11, 2012 12:04 am
First of all, if you're after an actual dedicated firewall, the Raspberry Pi hardware is not very suitable.

Not many dedicated firewall distributions are likely to build for ARM. Most of them are designed around relatively 'large' systems. OpenWRT is fairly likely to get a port IMO, as it's pretty suitable for other embedded tasks that Pi will be good at and already runs on some other ARM-based devices, so you could use that. Or you could just roll something yourself. I happen to like the Shorewall set of iptables scripts.
Posts: 351
Joined: Wed Dec 21, 2011 11:49 pm
by cnxsoft » Sat Feb 11, 2012 4:22 am
You could set up the R-Pi to be a headless Linux firewall using iptables. http://www.linuxhomenetworking.....g_iptables

I'm not so sure about the performance though.
Posts: 190
Joined: Sat Oct 15, 2011 2:33 pm
Location: Chiang Mai, Thailand
by bredman » Sat Feb 11, 2012 8:54 am
When building a firewall, remember that the RPi has only one ethernet port. This means that the RPi must be configured as a router, not a switch.

What does this mean to you? It means that the equipment you are trying to protect (for example your PC) is still physically wired to the internet. The only reason it would pass its traffic through the RPi firewall is because it is told to.

In this scenario, it is very easy for a user or for malicious code to bypass your firewall.

So the hard truth is, if you want to build a proper firewall, you build it on a box which has two ethernet ports. This means that traffic must pass through the firewall.

For the purists, I know that you could lock down your modem to only accept traffic to/from your firewall, but most modems do not allow this level of control. If the modem allows this level of control, the modem probably includes a fancy firewall also.
Posts: 1413
Joined: Tue Jan 17, 2012 2:38 pm
by cnxsoft » Sat Feb 11, 2012 8:57 am
Alternatively he could use a USB WiFi dongle and configure the R-Pi as a router. All clients would have to support WiFi however.
Posts: 190
Joined: Sat Oct 15, 2011 2:33 pm
Location: Chiang Mai, Thailand
by Jawloms » Sat Feb 11, 2012 10:10 am
cnxsoft said:
Alternatively he could use a USB WiFi dongle and configure the R-Pi as a router. All clients would have to support WiFi however.

That's pretty much what I was thinking. Speed won't be an issue as the bottleneck will be the Internet connection itself.

Thank you to everyone else. I have a static IP address for my broadband and what I wanted was to connect the Pi to my Internet router, then be configurable so that I can not only decide what goes out, but do some basic filtering for the kids (as I don't like Windows Family Filter) and also access my home network from the outside world, either via FTP, RDP, HTTP and anything else I can come up with. All the other devices will connect to the Pi via wireless so presumably it would need to act as an AP?
Posts: 14
Joined: Wed Dec 28, 2011 2:11 pm
by bredman » Sat Feb 11, 2012 10:41 am
Jawloms said:
All the other devices will connect to the Pi via wireless so presumably it would need to act as an AP?

It can be very difficult to find a WiFi USB device which is capable of working in AP mode.

Your RPi can act as a normal WiFi station if you have an AP already available. You would need to disconnect the ethernet port of your AP. You may also need to configure your AP, set the RPi as its gateway device.

Adding WiFi access does get around my concerns above related to having only one network interface.
Posts: 1413
Joined: Tue Jan 17, 2012 2:38 pm
by broken pipe » Sat Feb 11, 2012 11:44 am
You can nearly cover every scenario with iptables. For a WiFi access point 'hostapd' is recommendable, and you also need a WiFi device which works in monitor mode.

Off topic: go and get some cheap router which runs OpenWrt/DD-WRT, flash it, configure it and you're fine ... :P
Posts: 4
Joined: Mon Jan 16, 2012 8:15 pm
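As an added example of the iptables approach several posters recommend (this is not code from the thread or from any of the projects named in it), the script below is a deny-by-default ruleset for a Pi routing between an upstream port and a downstream port. It also covers the "basic filtering for the kids" request earlier in the thread by redirecting every DNS query from the LAN to one filtering resolver, so clients cannot simply point at a different resolver. The interface names (eth0 upstream, wlan0 or a USB Ethernet adapter downstream), the LAN subnet and the resolver address are assumptions; the `preview` mode prints the commands instead of running them, which is how to inspect the ruleset on a machine where you have no root or no iptables.

```shell
#!/bin/sh
# Added example, not from the thread: a deny-by-default iptables ruleset for a
# Pi routing between an upstream port and a downstream port. Interface names,
# the LAN subnet and the filtering resolver address are assumptions.
WAN=${WAN:-eth0}                          # assumed: plugged into the broadband router
LAN=${LAN:-wlan0}                         # assumed: hostapd AP or a USB Ethernet adapter
LAN_NET=${LAN_NET:-192.168.50.0/24}       # assumed LAN subnet
DNS_FILTER=${DNS_FILTER:-192.168.50.1}    # placeholder: filtering resolver (here, the Pi itself)
IPT=${IPT:-iptables}
MODE=${MODE:-apply}

# run: execute the command, or print it instead when MODE=preview
run() {
    if [ "$MODE" = preview ]; then
        echo "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # clean slate, deny by default on input and forwarding
    run "$IPT" -F
    run "$IPT" -t nat -F
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # loopback and replies to flows we already allowed
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # services the Pi offers to the LAN side only: SSH, DHCP, DNS
    run "$IPT" -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN" -p tcp --dport 53 -j ACCEPT

    # every DNS query from the LAN is redirected to the filtering resolver,
    # whatever resolver the client has configured
    run "$IPT" -t nat -A PREROUTING -i "$LAN" -p udp --dport 53 -j DNAT --to-destination "$DNS_FILTER"
    run "$IPT" -t nat -A PREROUTING -i "$LAN" -p tcp --dport 53 -j DNAT --to-destination "$DNS_FILTER"

    # new connections are forwarded LAN -> WAN only, masqueraded behind the Pi
    run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # rate-limited logging of what the default policy drops
    run "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
    run "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-FWD: "
}

preview_firewall() { MODE=preview; firewall_rules; }   # print rules, touch nothing
apply_firewall()   { MODE=apply;   firewall_rules; }   # needs root

case "${1:-}" in
    preview) preview_firewall ;;
    apply)   apply_firewall ;;
esac
```

Run `sh fw.sh preview` to read the rules, and `sudo sh fw.sh apply` to load them. The LOG rules sit last in each chain, so anything that reaches them is about to hit the DROP policy; watching those log lines is the cheapest way to see a client trying to go around the filtering resolver or to open an inbound connection.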
by tr1ck5t3r » Sat Feb 11, 2012 5:24 pm
Jawloms said:
I have tried searching for this and haven't found anything, but apologies if I've just missed it. I know that Smoothwall won't go on the pi (unless someone ports it), but is there an alternative?

Thank you

Stuart

This might be useful, i.e. pfSense.org, an extremely capable firewall with lots of add-ons including things like Snort.org, which is used by some Govts to protect their infrastructure.

http://www.raspberrypi.org/for.....-4/#p40413
Posts: 10
Joined: Thu Feb 09, 2012 7:56 pm
by drgeoff » Sat Feb 11, 2012 5:33 pm
cnxsoft said:
Alternatively he could use a USB WiFi dongle and configure the R-Pi as a router. All clients would have to support WiFi however.

Or a USB to ethernet adapter.
Posts: 2038
Joined: Wed Jan 25, 2012 6:39 pm
by tr1ck5t3r » Sat Feb 11, 2012 7:18 pm

http://www.raspberrypi.org/for.....-4/#p40413


This might be useful, i.e. pfSense.org, an extremely capable firewall with lots of add-ons including things like Snort.org, which is used by some Govts to protect their infrastructure.

EDIT: I should add you won't be able to run Snort on the Pi because it uses more memory than is available on the Pi, but for firewall, DHCP and other routing tasks it should be ok.
Posts: 10
Joined: Thu Feb 09, 2012 7:56 pm
by error404 » Sun Feb 12, 2012 12:21 am
pfSense is by far my favourite router for small to medium sized setups. But a port is, at best, a long way off. First a FreeBSD port, then someone over at pfSense to bother porting it to this RPi, which is not really a great router platform in the first place. Considering they haven't even ported it to some of the larger MIPS routers out there that actually have appropriate hardware, I'd say chances are pretty slim.
Posts: 351
Joined: Wed Dec 21, 2011 11:49 pm
by RaTTuS » Sun Feb 12, 2012 11:16 am
IPCop may be worth a look,

they build it from LFS, so changing to an arm build may be easy [sic]
1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX - Prosliver FTW
"That's not right, the badgers have moved the goalposts."
Posts: 4158
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK
by tr1ck5t3r » Sun Feb 12, 2012 11:27 am
error404 said:
pfSense is by far my favourite router for small to medium sized setups. But a port is, at best, a long way off. First a FreeBSD port, then someone over at pfSense to bother porting it to this RPi, which is not really a great router platform in the first place. Considering they haven't even ported it to some of the larger MIPS routers out there that actually have appropriate hardware, I'd say chances are pretty slim.

Apologies, I thought I'd seen references to Linux on their site but obviously not the case upon closer inspection.
Posts: 10
Joined: Thu Feb 09, 2012 7:56 pm
by Jawloms » Sun Feb 12, 2012 11:39 am
Thank you to all for your input.  I certainly have plenty of options to look in to now :)
Posts: 14
Joined: Wed Dec 28, 2011 2:11 pm
by fusiooon » Tue May 08, 2012 1:47 pm
I don't think you need 2 adapters, you could theoretically make the LAN port a trunk port and use tagged VLANs to separate traffic. Then the Pi could act as a router between the 2 VLANs. Obviously you will also need a switch that supports VLAN tagging. One VLAN could be connected to the Internet, the other to the local network. Hope the interface supports VLANs.

In my opinion using Snort with iptables would be ideal, not sure if the hardware is sufficient for Snort to work satisfactorily though. Will try it when it finally arrives.
Posts: 7
Joined: Tue May 08, 2012 11:23 am
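The VLAN trunk idea in the post above is a standard "router on a stick" layout, and it answers bredman's earlier objection that a single Ethernet port leaves the protected hosts physically wired to the Internet: with tagging, the only path between the two VLANs is through the Pi. The script below is an added example (not code from the thread or from any project named in it) of setting that up with 802.1Q sub-interfaces and a forwarding policy between them. The VLAN IDs, interface names, LAN address and the use of ISC dhclient on the WAN side are assumptions, and the managed switch must deliver both VLANs tagged on the port the Pi is plugged into; like the iptables example earlier, `preview` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: "router on a stick" on the Pi's single
# Ethernet port using 802.1Q VLAN tags. VLAN IDs, interface names and the LAN
# address are assumptions; the managed switch must deliver both VLANs tagged
# on the port the Pi is plugged into.
PARENT=${PARENT:-eth0}
WAN_VID=${WAN_VID:-10}                      # VLAN carrying the modem / Internet side
LAN_VID=${LAN_VID:-20}                      # VLAN carrying the hosts to protect
LAN_ADDR=${LAN_ADDR:-192.168.20.1/24}       # assumed gateway address on the LAN VLAN
IPT=${IPT:-iptables}
MODE=${MODE:-apply}

# run: execute the command, or print it instead when MODE=preview
run() {
    if [ "$MODE" = preview ]; then
        echo "$*"
    else
        "$@"
    fi
}

vlan_router() {
    wan_if="$PARENT.$WAN_VID"
    lan_if="$PARENT.$LAN_VID"

    # one tagged sub-interface per VLAN on the single physical port
    run modprobe 8021q
    run ip link add link "$PARENT" name "$wan_if" type vlan id "$WAN_VID"
    run ip link add link "$PARENT" name "$lan_if" type vlan id "$LAN_VID"
    run ip link set "$PARENT" up
    run ip link set "$wan_if" up
    run ip link set "$lan_if" up

    # WAN side gets its address from the modem; LAN side is the gateway
    run dhclient "$wan_if"                  # assumes ISC dhclient is installed
    run ip addr add "$LAN_ADDR" dev "$lan_if"
    run sysctl -w net.ipv4.ip_forward=1

    # forwarding is decided between the two *tagged* interfaces, so a host on
    # the LAN VLAN has no path to the WAN VLAN that does not cross the Pi
    run "$IPT" -P FORWARD DROP
    run "$IPT" -A FORWARD -i "$lan_if" -o "$wan_if" -j ACCEPT
    run "$IPT" -A FORWARD -i "$wan_if" -o "$lan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE
}

preview_vlan_router() { MODE=preview; vlan_router; }   # print the commands only
apply_vlan_router()   { MODE=apply;   vlan_router; }   # needs root

case "${1:-}" in
    preview) preview_vlan_router ;;
    apply)   apply_vlan_router ;;
esac
```

The caveat that matters for the bypass concern is the untagged (native) VLAN on the switch port: if the switch also places the Pi's port in an untagged VLAN shared with the modem or the clients, there is once again a path around the firewall, so the port should carry only the two tagged VLANs. Both VLANs share the Pi's single 100 Mbit USB-attached port, so every forwarded packet crosses it twice and throughput is halved accordingly.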
by Arne.F » Tue May 22, 2012 11:21 pm
Today I have released a first testing image of IPFire for Raspberry Pi.
IPFire is an IPCop fork which is also available for ARM.

http://planet.ipfire.org/post/ipfire-on ... first-test

I have tested with a second USB Ethernet dongle so far. Wireless AP with a Ralink RT73 USB dongle should also work but I have not tested this yet.

But keep in mind that only basic features work because of the low computing power of the RPi.

Arne
Posts: 3
Joined: Tue May 22, 2012 11:13 pm
by chewchew » Sun Feb 24, 2013 5:43 pm
error404 wrote: pfSense is by far my favourite router for small to medium sized setups

As a novice to DIY firewall appliances I would appreciate your thumbnail comparison of IPFire v pfSense [v IPCop (mentioned a few posts down)]. The request is RPi topical as I have some parent/child concerns about RPi as interweb device given ease of swapping out SD. One of the two or both should allow rules requiring use of a particular NS resolver but articles on the topic presuppose familiarity I lack. Searching the interweb has become irksome with high volumes of spam results and "articles" which exist to churn ads.

fusiooon wrote: make the LAN port a trunk port and use tagged VLANs to separate traffic.

I'd like to learn more about that. If you have some URLs up your bookmark sleeve that'd be great.

Arne.F wrote: IPFire is an IPCop fork which is also available for ARM.

Ohh. Nonetheless I would like to glean a bit of wisdom.


Arne.F wrote: Today I have released a first testing image of IPFire for Raspberry Pi.
IPFire is an IPCop fork which is also available for ARM.

http://planet.ipfire.org/post/ipfire-on ... first-test


That following this harsh critique is inspiring:

http://planet.ipfire.org/post/the-raspberry-pi-dilemma (April 14)

- SoC that is working on the RPi board is old. I mean really ooooold.
- not make benefit of a fast GPU
- LAN ports are connected to the USB bus which causes very poor performance.


And wow, arne.f continues chugging away at RPi IPFire:

http://planet.ipfire.org/user/arne_f

though I cannot determine if the Feb posts are 2012 or 2013 with the lack of a year in the post timestamps

I'm going to need a larger stack of SD cards! Mine is merely six tall now.


arne_f,

if your project is still active would you consider also releasing it in BerryBoot ready format. I haven't been able to BBoot convert an image yet.
Raspberry Pi AS Jabber server
Posts: 1
Joined: Sun Feb 24, 2013 10:19 am