Astaro Security Linux

In the last year and a half (or so), I have used five different Linux firewall distros or scripts to protect my home network from the evils of the net, and to provide NAT. If you don’t know, NAT is short for Network Address Translation. It is also referred to as Masquerading. This is the process of allowing n-number of machines on a private LAN to share a single public IP address.

NAT can be accomplished a number of different ways. The most common method in residential settings is a Cable/DSL router from vendors such as Linksys, DLink, and Netgear. These devices are often paired up with an internal WiFi access point. The benefit to the end user in using such devices is ease of setup, and low cost. Unfortunately, what you gain from that, you lose in flexibility of configurations, and a robust feature set. The only catch with using a Linux firewall is that you need a donor PC.

After using a 256/256 SDSL line for a year and a half, I switched over to a cable modem. As a result of the switchover, I lost my static IP addresses (I had 13), and therefore required NAT for my LAN machines to continue accessing the Internet. Since I had been learning/hacking away at Linux for a few months, I decided to set up a machine as a dedicated firewall. The machine I eventually used was my first Linux box (“reggie”), and I purchased a new machine (“jordyn”) to take its place.

So, like any good Linux h4x0r3, I mulled around the Netfilter/IPTables mailing list, and the #debian IRC channel. After a few quick HOWTOs, I was NAT’ing my whole LAN onto the Net. Now, if you know anything about me, I have an overwhelming need to over-engineer any solution. Like Tim “The Toolman” Taylor used to say, “I need more power! <grunt> <grunt>”. It was this desire that has resulted in my home LAN being behind so many solutions in so little time.

I figured that it would be beneficial to my fellow über-geeks to share my experiences. I will enumerate each setup and give the pros and cons that I found with each.

  • MonMotha’s (Pentium 166, 64MB, 2.6GB)
    The first attempt at a “structured” approach to a Linux firewall was MonMotha’s. This is a Bash script that you edit by hand. The settings are near the top of the file, and you edit accordingly. My only big beef is that I contributed to his script, and didn’t get a shout-out. Oh well, I don’t use it any more anyhow.

    • Pros
      • Light weight and simple to use
      • Runs on any 2.4 distro with either the netfilter/iptables modules loaded or compiled into the kernel
    • Cons
      • Light weight and therefore doesn’t have a large feature set
      • No sort of GUI for configuration.
      • No native software RAID support
      • Dynamic DNS support must be set up separately
  • BBIagent (Pentium 166, 64MB, 2.6GB)
    I found out about BBIagent from a Windows XP tweak site, ironically so. Unfortunately, I can’t remember the site, or I would post the link to the article. This full-fledged firewall distro resides on a single floppy disk. You go to their website, fill in a form about the target machine this will run on, and you then download an img that you load onto a 3.5″ 1.44MB floppy. The admin GUI is a Java applet that you download separately, and then upload to the firewall once it’s up and running.

    • Pros
      • Single floppy install
      • Highly fault tolerant (don’t worry about power failures corrupting a hard drive)
    • Cons
      • No persistence of port forwarding definitions and packet filtering rules
      • Limited feature set
      • No native software RAID support
      • No update checks
      • No Dynamic DNS support
  • Smoothwall (Pentium 166, 64MB, 2.6GB)
    This is actually a commercial product based on Linux. The folks at Smoothwall Ltd. have released the commercial product in an open source community edition also. The product is actually quite nice. It comes with a decent web based GUI, and it has support for a DMZ. My main objection to Smoothwall is the fact that support is an IRC channel populated by some of the rudest basement dwellers of all time (the RTFM Mafia as I like to call them). One in particular is Hilton Travis. This guy is a grade A prick. Oh well. The mailing list is equally insulting.

    • Pros
      • Full distro
      • Web based admin
      • DMZ support
      • Dynamic DNS Support
    • Cons
      • Horrific support
      • Not quite “there”
      • No native software RAID support
      • Update check must be initiated manually
  • Clark Connect (Pentium II 233, 128MB, 2.0GB)
    This is another community edition of a commercial product. This is also the first use of “frankie”, my latest machine (in a 2U chassis nonetheless!). Turned out I couldn’t put another NIC into “reggie”, so I built a new machine from eBay parts. I named the new machine “frankie”, because Frankenstein was too much to type. CC (as the insiders call it) has a nice and friendly feel. One nice feature is its ability to “phone home”, so you can pay for Point Clark Networks’ Gateway Services. The only problem that I found was that there was no ability to define packet filtering rules without logging into the box via an SSH session and executing the iptables commands yourself. Also, to make use of my Windows 2003 server (“mattingly”) as a VPN server, I needed to add the GRE forwarding rules myself.

    • Pros
      • Full distro
      • Friendly threaded support forum
      • Easy setup
      • Dynamic DNS support via Clark Connect’s DNS
    • Cons
      • Limited DMZ Support
      • Update check must be initiated manually
      • No packet filtering rules
      • No native software RAID support
  • Astaro Security Linux (Pentium III 400, 256MB, 8.4GB)
    ASL, as it’s known, is a commercial product. The latest version, and the one I’m using, is 4.007. For home use only, you can obtain a license that allows you to use the product with a slightly reduced feature set. If you pledge to support the forums, you can get a power user license that will allow you to use the entire product. If you noticed, the hardware specs changed. ASL requires much more horsepower than the other packages. Then again, this isn’t the other packages. PPTP, extensive proxies (SMTP, HTTP, POP3), DMZ, VLAN, and threat analysis are just a sample of what it can do. According to the specs, ASL will support 20 NICs! So, next time you have 5 quad NICs handy, plop them into your ASL.

    I have been using ASL for about a week now. After a couple of trial and error attempts, I was able to set up PPTP from my XP box at work to the ASL box at home. Also, I have started to play with the built-in HTTP proxy. Unfortunately, even though I can authenticate users against my Active Directory server (!), ASL is using Squid 2.4, and for NTLM support, you need 2.5. I’m waiting. If they implement that, then I have no need to install an ISA Server at work.

    • Pros
      • Full distro
      • Very hardened security
      • Excellent web admin interface
      • Extensive NAT and packet filtering rules
      • RADIUS, NT-SAM, and LDAP (MS, Novell, OpenLDAP) user authentication
      • PPTP endpoint (only supports RADIUS and internal userlist for user auth)
    • Cons
      • Hefty minimum hardware requirements
      • No Dynamic DNS support
      • No native software RAID support
      • No NTLM authentication for HTTP Proxy

    Just as a point of note. I tried Mitel Networks’ SME Server in between Smoothwall and ClarkConnect. IIRC, there was no clear DMZ support, and therefore I moved past it. One feature of SME Server though was native software RAID support. As you can see though, I’ve had experience with enough packages in such a short time, that I can speak intelligently (I think) on the topic. If you want the “Jerry’s Last Words”, I would recommend Smoothwall if hardware is an issue, but if you can spring for a beefier platform, go ASL.
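
The NAT setup from the introduction and the GRE forwarding rules mentioned under Clark Connect, as an added example that is not from the original post or from any of the products reviewed: a shell function that prints an iptables-restore ruleset with a default-drop FORWARD policy, masquerading for the LAN, and PPTP passthrough (TCP 1723 plus GRE, IP protocol 47) to an internal VPN server. The function name, interface names, LAN subnet and server address are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for NAT plus PPTP passthrough.
# All names and addresses passed in are constructed placeholders.
pptp_nat_rules() {
    [ "$#" -eq 4 ] || { echo "usage: pptp_nat_rules WAN_IF LAN_IF LAN_NET VPN_HOST" >&2; return 1; }
    wan_if=$1; lan_if=$2; lan_net=$3; vpn_host=$4
    # The values are interpolated into a ruleset, so refuse anything (spaces,
    # newlines, shell metacharacters) that could smuggle in extra rules.
    case "$wan_if$lan_if$lan_net$vpn_host" in
        *[!A-Za-z0-9./_-]*) echo "illegal character in argument" >&2; return 1 ;;
    esac
    # The DNAT target must be a literal address: digits and dots only.
    case "$vpn_host" in
        *[!0-9.]*) echo "VPN_HOST must be an IPv4 address" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# PPTP control channel (TCP 1723) and GRE data channel (protocol 47)
-A PREROUTING -i $wan_if -p tcp --dport 1723 -j DNAT --to-destination $vpn_host:1723
-A PREROUTING -i $wan_if -p 47 -j DNAT --to-destination $vpn_host
# Every LAN host shares the single public address
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outbound traffic from the LAN
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
# Inbound: only PPTP, and only to the VPN server
-A FORWARD -i $wan_if -o $lan_if -d $vpn_host -p tcp --dport 1723 -m state --state NEW -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -d $vpn_host -p 47 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset when the script is run with four arguments, e.g.
#   sh pptp_nat.sh eth0 eth1 192.168.1.0/24 192.168.1.10 | iptables-restore --test
if [ "$#" -eq 4 ]; then pptp_nat_rules "$@"; fi
```

The INPUT chain here admits only loopback and reply traffic, so an administrative rule (for example SSH from the LAN interface) has to be added before loading it on a box managed remotely.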