
Re: Firewall

Posted: Fri Feb 10, 2012 9:46 pm
by Jawloms
I have tried searching for this and haven't found anything, but apologies if I've just missed it.  I know that Smoothwall won't go on the pi (unless someone ports it), but is there an alternative?

Thank you

Stuart

Re: Firewall

Posted: Fri Feb 10, 2012 9:55 pm
by bredman
Your problem may be that there are too many alternatives.

Almost every Linux firewall GUI is just a front-end for iptables.

See here for more info on Debian, but the situation is very similar for all distributions.

http://wiki.debian.org/Firewalls

Re: Firewall

Posted: Sat Feb 11, 2012 12:04 am
by error404
First of all, if you're after an actual dedicated firewall, the Raspberry Pi hardware is not very suitable.

Not many dedicated firewall distributions are likely to build for ARM. Most of them are designed around relatively 'large' systems. OpenWRT is fairly likely to get a port IMO, as it's pretty suitable for other embedded tasks that Pi will be good at and already runs on some other ARM-based devices, so you could use that. Or you could just roll something yourself. I happen to like the Shorewall set of iptables scripts.

Re: Firewall

Posted: Sat Feb 11, 2012 4:22 am
by cnxsoft
You could set up the R-Pi to be a headless Linux firewall using iptables. http://www.linuxhomenetworking.....g_iptables

I'm not so sure about the performance though.

Re: Firewall

Posted: Sat Feb 11, 2012 8:54 am
by bredman
When building a firewall, remember that the RPi has only one ethernet port. This means that the RPi must be configured as a router, not a switch.

What does this mean to you? It means that the equipment you are trying to protect (for example your PC) is still physically wired to the internet. The only reason it would pass its traffic through the RPi firewall is because it is told to.

In this scenario, it is very easy for a user or for malicious code to bypass your firewall.

So the hard truth is, if you want to build a proper firewall, you build it on a box which has two ethernet ports. This means that traffic must pass through the firewall.

For the purists, I know that you could lock down your modem to only accept traffic to/from your firewall, but most modems do not allow this level of control. If the modem allows this level of control, the modem probably includes a fancy firewall also.

Re: Firewall

Posted: Sat Feb 11, 2012 8:57 am
by cnxsoft
Alternatively he could use a USB WiFi dongle and configure the R-Pi as a router. All clients would have to support WiFi however.

Re: Firewall

Posted: Sat Feb 11, 2012 10:10 am
by Jawloms
cnxsoft said:


Alternatively he could use a USB WiFi dongle and configure the R-Pi as a router. All clients would have to support WiFi however.


That's pretty much what I was thinking. Speed won't be an issue as the bottleneck will be the Internet connection itself.

Thank you to everyone else.  I have a static IP address for my broadband and what I wanted was to connect the Pi to my Internet router, then be configurable so that I can not only decide what goes out, but do some basic filtering for the kids (as I don't like Windows Family Filter) and also access my home network from the outside world, either via ftp, RDP, HTTP and anything else I can come up with.  All the other devices will connect to the Pi via wireless so presumably it would need to act as an AP?

Re: Firewall

Posted: Sat Feb 11, 2012 10:41 am
by bredman
Jawloms said:


All the other devices will connect to the Pi via wireless so presumably it would need to act as an AP?


It can be very difficult to find a WiFi USB device which is capable of working in AP mode.

Your RPi can act as a normal WiFi station if you have an AP already available. You would need to disconnect the ethernet port of your AP. You may also need to configure your AP, set the RPi as its gateway device.

Adding a WiFi access does get around my concerns above related to having only one network interface.

Re: Firewall

Posted: Sat Feb 11, 2012 11:44 am
by broken pipe
You can nearly cover every scenario with iptables. For a WiFi access point, 'hostapd' is recommendable and you also need a WiFi device which works in monitor mode.

offtopic: go and get some cheap router which runs openwrt/ddwrt, flash it, configure it and you're fine ...

Re: Firewall

Posted: Sat Feb 11, 2012 5:24 pm
by tr1ck5t3r
Jawloms said:


I have tried searching for this and haven't found anything, but apologies if I've just missed it.  I know that Smoothwall won't go on the pi (unless someone ports it), but is there an alternative?

Thank you

Stuart


This might be useful, i.e. pfSense.org, an extremely capable firewall with lots of add-ons including things like Snort.org, which is used by some Govts to protect their infrastructure.

http://www.raspberrypi.org/for.....-4/#p40413

Re: Firewall

Posted: Sat Feb 11, 2012 5:33 pm
by drgeoff
cnxsoft said:


Alternatively he could use a USB WiFi dongle and configure the R-Pi as a router. All clients would have to support WiFi however.


Or a USB to ethernet adapter.

Re: Firewall

Posted: Sat Feb 11, 2012 7:18 pm
by tr1ck5t3r

http://www.raspberrypi.org/for.....-4/#p40413


This might be useful, i.e. pfSense.org, an extremely capable firewall with lots of add-ons including things like Snort.org, which is used by some Govts to protect their infrastructure.

EDIT: I should add you won't be able to run Snort on the Pi because it uses more memory than is available on the Pi, but for firewall, DHCP and other routing tasks it should be ok.

Re: Firewall

Posted: Sun Feb 12, 2012 12:21 am
by error404
pfSense is by far my favourite router for small to medium sized setups. But a port is, at best, a long way off. First a FreeBSD port, then someone over at pfSense to bother porting it to this RPi, which is not really a great router platform in the first place. Considering they haven't even ported it to some of the larger MIPS routers out there that actually have appropriate hardware, I'd say chances are pretty slim.

Re: Firewall

Posted: Sun Feb 12, 2012 11:16 am
by RaTTuS
IPCop may be worth a look,

they build it from LFS, so changing to an arm build may be easy [sic]

Re: Firewall

Posted: Sun Feb 12, 2012 11:27 am
by tr1ck5t3r
error404 said:


pfSense is by far my favourite router for small to medium sized setups. But a port is, at best, a long way off. First a FreeBSD port, then someone over at pfSense to bother porting it to this RPi, which is not really a great router platform in the first place. Considering they haven't even ported it to some of the larger MIPS routers out there that actually have appropriate hardware, I'd say chances are pretty slim.



Apologies, I thought I'd seen references to Linux on their site but obviously not the case upon closer inspection.

Re: Firewall

Posted: Sun Feb 12, 2012 11:39 am
by Jawloms
Thank you to all for your input.  I certainly have plenty of options to look into now.

Re: Firewall

Posted: Tue May 08, 2012 1:47 pm
by fusiooon
I don't think you need 2 adapters, you could theoretically make the LAN port a trunk port and use tagged VLANs to separate traffic. Then the Pi could act as a router between the 2 VLANs. Obviously you will also need a switch that supports VLAN tagging. One VLAN could be connected to the Internet, the other to the local network. Hope the interface supports VLANs.

In my opinion using Snort with iptables would be ideal, not sure if the hardware is sufficient for Snort to work satisfactorily though. Will try it when it finally arrives.
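The one-port, tagged-VLAN router described in the post above, as an added example that is not part of the original thread: it prints (and does not run) the iproute2 and iptables commands that put the Internet side and the local side on separate VLAN sub-interfaces, so that forwarded traffic has to cross the Pi's rules. The interface name `eth0`, VLAN IDs 10 and 20, the address `192.168.20.1/24` and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for a one-port "router on a stick".
# eth0, VLAN 10 (Internet side), VLAN 20 (local side) and 192.168.20.1/24
# are assumed sample values. WAN addressing (DHCP or static) is not shown.

valid_vid() {   # taggable 802.1Q VLAN IDs are 1..4094
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# plan_vlan_router TRUNK WAN_VID LAN_VID LAN_CIDR
# Prints the commands on stdout; returns 2 on an unusable VLAN pair.
plan_vlan_router() {
  trunk=$1; wan_vid=$2; lan_vid=$3; lan_cidr=$4
  valid_vid "$wan_vid" && valid_vid "$lan_vid" || return 2
  [ "$wan_vid" -ne "$lan_vid" ] || return 2   # same VLAN = no separation
  wan="$trunk.$wan_vid"; lan="$trunk.$lan_vid"
  cat <<EOF
# tagged sub-interfaces on the single physical port
ip link add link $trunk name $wan type vlan id $wan_vid
ip link add link $trunk name $lan type vlan id $lan_vid
ip addr add $lan_cidr dev $lan
ip link set $trunk up
ip link set $wan up
ip link set $lan up
sysctl -w net.ipv4.ip_forward=1
# the Pi itself: reachable from the local VLAN only
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
# routed traffic: local clients out, only replies back in
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
# default-deny policies last, so an existing session survives the apply
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Dry run with the constructed values; pipe to "sh -e" as root to apply.
plan_vlan_router eth0 10 20 192.168.20.1/24
```

The separation only holds if the switch puts the modem on an access port in VLAN 10 and every client on VLAN 20; a client left on the modem's VLAN still reaches the Internet without passing through the Pi.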

Re: Firewall

Posted: Tue May 22, 2012 11:21 pm
by Arne.F
Today I have released a first testing-image of IPFire for Raspberry Pi.
IPFire is an IPCop fork which is also available for ARM.

http://planet.ipfire.org/post/ipfire-on ... first-test

I have tested with a second USB Ethernet dongle yet. Wireless AP with a Ralink RT73 USB Dongle should also work but I have not tested this yet.

But keep in mind that only basic features work because of the low computing power of the RPi.

Arne

full or partial Firewall appliance on raspberry pi

Posted: Sun Feb 24, 2013 5:43 pm
by chewchew
error404 wrote:

pfSense is by far my favourite router for small to medium sized setups

As a novice to DIY firewall appliances I would appreciate your thumbnail comparison of IPfire v pfSense [v IPcop (mentioned a few posts down)]. The request is RPi topical as I have some parent/child concerns about RPi as interweb device given ease of swapping out SD. One of the two or both should allow rules requiring use of particular NS resolver but articles on the topic presuppose familiarity I lack. Searching the interweb has become irksome with high volumes of spam results and "articles" which exist to churn ads.

fusiooon wrote:

make the LAN port a trunk port and use tagged VLANs to separate traffic.

I'd like to learn more about that. If you have some URLs up your bookmark sleeve that'd be great.

Arne.F wrote:

IPFire is an IPCop fork which is also available for ARM.

Ohh. Nonetheless I would like to glean a bit of wisdom.

Arne.F wrote:

Today I have released a first testing-image of IPFire for Raspberry Pi.
IPFire is an IPCop fork which is also available for ARM.

http://planet.ipfire.org/post/ipfire-on ... first-test

That, following this harsh critique, is inspiring:

http://planet.ipfire.org/post/the-raspberry-pi-dilemma (April 14)
- SoC that is working on the RPi board is old. I mean really ooooold.
- not make benefit of a fast GPU
- LAN ports are connected to the USB bus which causes very poor performance.
And wow, arne.f continues chugging away at RPi IPfire:

http://planet.ipfire.org/user/arne_f

though I cannot determine if the Feb posts are 2012 or 2013 with lack of year in the post timestamps

I'm going to need a larger stack of SD cards! Mine is merely six tall now.


arne_f,

If your project is still active, would you consider also releasing it in BerryBoot ready format? I haven't been able to BBoot convert an image yet.

Re: Firewall

Posted: Tue Nov 28, 2017 2:23 pm
by APratham
Hi!
I believe I am actually quite a novice to Linux and coding, nevertheless I have got this project I will be finishing over the due course of time in the coming year. We want to connect the Pi to the internet and enable ssh access. I know that means we are going to compromise on a lot of security. A few of the posts here concern lots of commercial firewalls which we may not require. What we require is some amount of basic protection so that someone on the internet looking at our Pi Cluster which is running image processing must not be able to host basic attacks on the RPi. So can I have a basic firewall using iptables on the RPi?

Re: Firewall

Posted: Tue Nov 28, 2017 3:03 pm
by B.Goode
The thread you have resurrected is nearly 6 years old.

Maybe it would be better to Report your own post to a Moderator and ask for it to be raised as a new topic.

On the one hand, the basic principles of Linux and network security are still pretty much the same.

But on the other hand the recommended and supported Raspbian Operating System has been superseded twice in the intervening period, so some specific details may well be different.

There is a guide published by the Raspberry Pi Foundation that might kickstart your thinking: https://www.raspberrypi.org/documentati ... ecurity.md