Re: Higher-End Home FW Question

From: E. (loony_at_aliensmoke.org)
Date: 12/14/04 

Date: Tue, 14 Dec 2004 18:01:04 +1100

Leythos wrote:

> In article <3266v9F3gfa5iU1@individual.net>, loony@aliensmoke.org
> says...
>
>>Leythos wrote:
>>
>>
>>>In article <3253gnF3guuq0U1@individual.net>, loony@aliensmoke.org
>>>says...
>>>
>>>
>>>>I have a *major* issue with your approach. It basically stops P2P
>>>>programs from running or communicating *after* the spyware-riddled
>>>>shitware has been installed.
>>>
>>>
>>>I agree, with a properly configured firewall appliance at the border
>>>users would not be able to download installers from the web in order to
>>>install those types of applications. As a simple example, unauthorized
>>>users behind our firewalls can not download any executable file using
>>>the http interface, and don't have FTP access either. All email is
>>>scanned for attachments and any executable file is removed from the
>>>email. We don't worry about those types of things making it in. We also
>>>ban the use of portable memory in the office, except for authorized
>>>actions.
>>
>>I just built an IPcop box for a client that does exactly that. Certain
>>types of downloads are banned (exe's, installers etc) chat sites and
>>programs are blocked as well as 'bad' sites and content.
>>A bit of thought, the right product and you can eliminate problems from
>>happening.
>>Viruses are basically a non-event for my customers now - even unknown
>>ones are blocked due to content rules and attachment filters.
>>Spam filtering is still a bit hit-and-miss though.
>>E.
>
>
> I just started messing with RedHat FC3, it's a great platform, at least
> better than SUSE or Mandrake. It's the polish that does it for me - a
> GUI for every task that I might want to do.
>
> I'm going to have to look into some stand-alone linux build firewalls
> with filtering, but WatchGuard has just made my life sooo easy.
>
IPCop/Smoothwall is a good place to start. Easy to get up and going,
plenty of online material etc. Just make sure the NIC's are supported.
Unfortunately I don't get to do much with the Watchguard prods anymore
as I can do the filtering stuff with IPcop and VPN's with netgear boxes
a lot cheaper.
I advise clients that Watchguard's support is the best I've ever had,
anywhere, advise them of the features available but they generally make
decisions based mainly on initial costs. PLus the live sec sub's and
warranty renewals seem high to end users. Don't ask me why.
E.

Relevant Pages

  • Re: Local Lan DNS Problems
    ... > I've only added the two entries below to the ipcop hosts file as I ... > understand, correct me if wrong, that as theothers use DHCP then they ... Dnsmasq cannot assume that the two requests are from the ... without a client ID.) ...
    (comp.os.linux.networking)
  • Strange VPN messages - freeswan
    ... I've setup a FreeSwan vpn through IPCop using a road warrier setup. ... Only one client at the moment who seems to be connecting ok but I'm ... initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK to ... response to our first IKE message ...
    (comp.os.linux.networking)
  • Re: need help to get VPN connection
    ... > i have IPCop 1.2.0 firewall server at my office. ... Do i need to install OpenVPN ... Or IPCop 1.4.0 version would suffice. ... > access office LAN by just making a new VPN client at home. ...
    (comp.os.linux.security)
  • Re: ipcop ports
    ... the "ext service access" will only open the port for the ... IPCop itself; so it won't work and may create security issues; to do ... set the client machine behind IPCop to "static IP" so you'll be able ...
    (comp.security.firewalls)