October 18, 2004

IPCop firewall polices your neighborhood

Author: Preston St. Pierre

IPCop is a Linux-based open source firewall system that can secure anything from a single home computer to an enterprise-level network. It goes beyond the simple security guard analogy and provides services like routing, logging of entry attempts, reporting of traffic patterns, and regulation of inbound and outbound traffic.

A firewall acts like a virtual security guard for your network. Data coming in over the Internet is checked at the gate (firewall), and if it's OK, the firewall passes it through to its destination (a machine on your network). If it's something bad, it's dropped on the spot, without any information going back to the sender. Every computer attached to the Internet should go through a firewall.

I've been happy using IPCop 1.3.0 for about a year. Version 1.4.0 has lots of new features that make using a firewall even easier than before, such as:

  • iptable network filters
  • Support for four separate network cards:
         Green -- internal trusted network
         Blue -- wireless semi-trusted network (can be used as a second Green)
         Orange -- DMZ for Internet-accessed servers
         Red -- the Internet connection
  • DHCP client support on Red to receive an IP address from ISP
  • DHCP server for Green and Blue
  • NTP server and client for setting IPCop clock and supplying a common clock for internal Green and Blue networks
  • Intrusion detection for all four networks
  • Virtual private network (VPN) support
  • Proxy support for both Web surfing and Domain Name Services
  • Performance graphics for CPU, memory, and disk utilization and network throughput

The main enhancements over 1.3.0 include a new Web interface, more graphs, and support of wireless networks. Having a separate Wi-Fi leg makes sense, because while it isn't open to the Internet, a wireless network is open to anybody within range of your access point. Under 1.3.0 you'd have to wire your access point into your trusted (Green) or DMZ (Orange) network. Now you can put your access point on a separate network leg and have an easier time tracking users and activity.


To get started, download the ISO file and burn it on a CD. It won't take very long, since it's only about 40MB in size.

Grab any old desktop machine with at least five open PCI or ISA slots. I started out with a 200MHz Pentium box with 64MB of memory and a combination of 4 PCI and 3 ISA slots. I stuffed in three Intel PCI 10/100 network interface cards (NIC), a Digital/Tulip PCI 10/100 NIC, and an old 2MB ISA video card. You could use ISA-based NICs too, but you'll limit traffic on your networks to 10Mbps speeds. My box also had a CD reader and a 3GB IDE disk.

For the installation, I hooked up a keyboard, mouse, and monitor. After installation, those components are no longer needed, as you can make changes via a Web browser or SSH into the firewall over the trusted (Green) network. You could even remove the video card and CD reader when you're done.

Loading IPCop couldn't be easier, because the developers have automated just about everything. Simply pop in the CD, boot up the machine, and follow the on-screen directions. The installation will re-partition and take over the entire disk, so make sure you want to do that before you continue.

The setup program will walk you through setting up your host name, network configuration, passwords, and other settings. I set the firewall to use all four NICs and assigned IP addresses according to the following table:

Trusted Green
DMZ-Web Orange
Wireless Blue
Internet Red ISP-DHCP

If you get a static IP address from your Internet provider, use that address for your Red interface and select Static instead of DHCP. Once you've gone through all the screens, you'll be able to reboot and use any Web browser connected to the trusted (Green) network to manage the firewall.

Sorting out the networks

With four network cards, how do you tell which is which? Log in as root on the IPCop console and type ifconfig. You'll see the normal output for the loopback (lo) and the four network cards device names from eth0 through eth3. A quick and dirty way to identify the cards is to plug your active cable or DSL modem Ethernet cable into the topmost NIC and rerun the ifconfig command. Look down the ifconfig listing and see which device changes the RX packet line. Run ifconfig a couple of times, just to make sure. Mark the card using a marker on the back of the PC with its corresponding device name (eth0, eth1, etc.). Mark the rest of the NICs following the same procedure.

When you're done, unhook the modem cable right away. I logged a couple of access attempts within the first couple of minutes of firewall operation. You don't want someone hacking into your firewall box because you forgot to unhook the Internet cable from the trusted Green or Blue network leg.

Next, while still logged into the firewall console as root, perform the following:

    #> cd /usr/local/sbin
    #> ./setup

Use the Tab and arrow keys to travel down the menu to select Networking. Move down and select Drivers and Card Assignments. Look at the list and you can figure out that Green will probably correspond to eth0. In my case Blue was eth1, Orange eth2, and Red eth3. Go back up the menu structure to get back to your root prompt.

Now you can hook up your cables and rerun ifconfig to make sure the appropriate data is moving across each NIC. Power down the firewall (with shutdown -h now), remove the monitor, keyboard, and mouse, then power up the machine again. You may have to power down the cable modem to get a new IP address if you're using a dynamic IP address from your ISP.

Web-based management

After the firewall reboots, take a look at the Web-based management interface. Use a browser connected to the Green network and go to, or use the Green IP address that you assigned and add the :81/ port. You'll see a splash screen and login prompt. Enter "admin" and the admin password that you set during installation.

Now you can click through a tabbed interface to see the settings and information you need. Here's a description of some of the more useful tabs.


The Status tab lets you keep track of what's going on inside your IPCop system. Some of the more useful menu items include system and network graphs and network status. The system graphs are useful for monitoring CPU and memory usage, to make sure that your firewall can handle the data flow. If you've recruited an old 300MHz Pentium II machine for your firewall, you can check usage as you add users. Six months from now, when you've tripled your user base, the system graph can tell you if you're maxed out and need a more powerful machine.

Likewise with the traffic graph. You can watch the amount of traffic flowing over each network leg. Naturally, you'd assume that the largest amount of traffic would flow over the trusted (Green) network. A large increase on your wireless (Blue) network might mean that unauthorized users has found your access point.

Another screen you'll find useful is network status. Here you'll see network interface information (much like the output of ifconfig), Red network DHCP information, LAN-side DHCP clients, and routing table data.


You'll want to regularly look at the Firewall and IDS screens to find out who is trying to break in and what kinds of threats are coming in over the Internet. If you click on the Summary menu item you'll see a nice compilation of all the IP addresses that have tried to access your firewall's ports, what network the probes came from, and how many times it's happened in the last 24 hours (default). To track intrusion attempts on all four networks, click the enable boxes under the Services -> Intrusion Detection and click Save.

Wrapping up

I was impressed with IPCop 1.4.0. It was easy to install, easy to configure, and provides more status information than 1.3.0. The IPCop team built a new Web GUI that's intuitive and functional. It also added welcome support for the fourth (wireless) network. I like having a semi-accessible network leg with logging capabilities.

An IPCop firewall can be an important network protection device for your medium-sized business or educational organization.

Rob Reilly is a technology consultant who specializes in helping clients communicate effectively. Many of his published articles are geared to the use of Linux, portable computing, and presentation technology, especially as it relates to communication in business. Send him a note or visit his Web site at http://home.earthlink.net/~robreilly.

Click Here!