The Cache: Technology Expert's Forum
 
Author Topic: ipcop vs pfsense  (Read 52528 times)
nutballs (Administrator)
« on: April 01, 2009, 04:12:55 PM »

Anyone have any input?

The reason I ask is more a matter of long-term planning.

IPCop is Linux.
pfSense is BSD.

I am wondering because BSD is a bit more hardened in general, so I wonder if the advantage is there.

In the end they are probably both basically a wash, but I'm still curious.
I could eat a bowl of Alphabet Soup and shit a better argument than that.
perkiset (Olde World Hacker, Administrator)
« Reply #1 on: April 01, 2009, 09:37:01 PM »

Since there are no services immediately exposed on either, I think it's a wash. There's no hacking into IPCop unless you expose services that can be worked, and certainly the same can be said for pfSense (although I've never touched it). I think it's probably more about what you like about each package than hackability.
It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
vsloathe (Global Moderator)
« Reply #2 on: April 02, 2009, 06:14:58 AM »

In a former life, I was an honest-to-goodness systems administrator. I've used every conceivable combination of IPCop, pfSense, Snort IDS, WatchGuard Fireboxes (rack appliance), Debian's Watchdog firewall, etc.

They all do a good job, and any bugs or serious security holes are few and far between, in every single case.

If you're more familiar with configuring a certain type of software, use that. If you're starting from scratch and money is not an issue, I'd check out some of the turnkey solutions from WatchGuard, especially the Fireboxes. They're very easy to configure; they run a hardened Linux kernel that you can't touch (read: screw up) in any way. You just plug the box in, open a web browser, browse to its IP and configure it like you would the wireless router/gateway you probably have at home.
hai
nutballs (Administrator)
« Reply #3 on: April 02, 2009, 08:10:24 AM »

Yeah, that's about what I figured the answers would be.

It seems the only difference is features.

pfSense has load balancing built in, for example; IPCop does not.

With WatchGuard, however, you get way too buried under licensing for things like VPNs and such.

vsloathe (Global Moderator)
« Reply #4 on: April 02, 2009, 09:07:31 AM »

Indeed. I hadn't thought about the VPN angle.
nutballs (Administrator)
« Reply #5 on: April 02, 2009, 10:10:19 AM »

That was the only reason I didn't go WatchGuard. I have WatchGuard experience, and really liked it. It's just the VPN licenses, and the license for this, that and everything else. I could have gotten a Firebox used for about 200 bucks, but the licenses would have killed me.

perkiset (Olde World Hacker, Administrator)
« Reply #6 on: April 02, 2009, 10:23:38 AM »

VPNs are a huge advantage to IPCop. I don't know what pfSense looks like from that perspective, but probably similar.

As you note, IPCop does not do load balancing automatically, but there are some round-robin solutions listed at the ipcops forum. I've done a couple and they work satisfactorily, if not intelligently. None of the solutions I saw, for example, would stop routing traffic to a particular address if the box at that address stopped responding.
vsloathe (Global Moderator)
« Reply #7 on: April 02, 2009, 01:34:20 PM »

I'd use iptables for load balancing. It's hacker voodoo like mod_rewrite for Apache, but like mod_rewrite, there's just no replacement.
perkiset (Olde World Hacker, Administrator)
« Reply #8 on: April 02, 2009, 01:37:57 PM »

That's exactly how it's done on IPCop ... 33% to this address, 33% to this address and the remains to (that) address for example. If you're comfy about the machines behind the firewall then it's a DAMN fast solution.
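The iptables rotation that Replies #7 and #8 describe, written out as an added example (this is not code from the thread, nor from IPCop or pfSense), together with the piece Reply #6 says the forum round-robin recipes lacked: a check that takes a backend out of the rotation when it stops answering. The VIP 203.0.113.10, the backends 10.0.0.11 to 10.0.0.13, the chain name LB_WEB and port 80 are all hypothetical. It is POSIX sh for a Linux firewall whose iptables has the statistic match:

```shell
#!/bin/sh
# Added example: weighted round-robin DNAT with iptables' "statistic" match,
# plus a health check that rebuilds the rotation without dead backends.
# Hypothetical addresses: public VIP 203.0.113.10:80, backends 10.0.0.11-13.

LB_CHAIN="LB_WEB"
VIP="203.0.113.10"
PORT="80"

# Probability for the i-th of n rules so that, evaluated top to bottom with
# --mode random, every backend gets an equal 1/n share of new connections:
# 1/n for the first rule, 1/(n-1) for the second, ..., 1 for the last.
# For three backends that is the "33%, then 33%, then the rest" split.
lb_probability() {
    awk -v i="$1" -v n="$2" 'BEGIN { printf "%.4f", 1 / (n - i + 1) }'
}

# Print the iptables commands for a space-separated backend list. They are
# printed rather than executed so the generator can be checked without root;
# pipe the output into sh on the firewall to apply it.
gen_rules() {
    set -- $1
    n=$#
    echo "iptables -t nat -N $LB_CHAIN 2>/dev/null"
    echo "iptables -t nat -F $LB_CHAIN"
    i=1
    for b in "$@"; do
        p=$(lb_probability "$i" "$n")
        echo "iptables -t nat -A $LB_CHAIN -m statistic --mode random --probability $p -j DNAT --to-destination $b:$PORT"
        i=$((i + 1))
    done
    # Hook the chain into PREROUTING once; -C avoids a duplicate jump on rerun.
    echo "iptables -t nat -C PREROUTING -d $VIP -p tcp --dport $PORT -j $LB_CHAIN 2>/dev/null || iptables -t nat -A PREROUTING -d $VIP -p tcp --dport $PORT -j $LB_CHAIN"
}

# Echo only the backends for which "$check <backend>" succeeds. The check is
# a command or function name so a test can substitute one; tcp_check below
# is the real one.
healthy_backends() {
    check=$1
    shift
    out=""
    for b in "$@"; do
        if "$check" "$b" >/dev/null 2>&1; then
            out="$out $b"
        fi
    done
    echo "${out# }"
}

tcp_check() {
    nc -z -w 2 "$1" "$PORT"
}

# Rebuild the rotation from the backends that currently answer. Run this from
# cron every minute (as root) and a dead box drops out of the rotation within
# a minute instead of silently eating its share of new connections.
refresh() {
    live=$(healthy_backends tcp_check 10.0.0.11 10.0.0.12 10.0.0.13)
    gen_rules "$live" | sh
}

# Run directly, just show the rule set for all three backends.
gen_rules "10.0.0.11 10.0.0.12 10.0.0.13"
```

Two things worth knowing before using it. The nat table only sees the first packet of a connection, so the split is per connection, not per packet; `--mode nth` gives a strict rotation instead of a random one if you prefer. And the rotation is not a security control: DNAT hands whatever arrives at the VIP straight to a backend, which is exactly why the reply above says it is only a good idea if you are comfortable with the machines behind the firewall. Keep the PREROUTING rule pinned to the one port you mean to expose.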
perkiset (Olde World Hacker, Administrator)
« Reply #9 on: August 09, 2009, 10:20:07 PM »

threadbump

I am re-looking at pfSense because I am frustrated with how behind the curve IPCop is. Specifically, handling of hardware: the IPCoppers have not updated to a new kernel in a *long* time and it cannot handle SATA drives at all. The last release of pfSense was fairly recent and they talk a lot about Ver 2 over at their boards coming soon... wondering if anyone has any newer experience than me here. I went out to purchase machines for some new IPCop installs and just had a hell of a time. Don't like the trajectory of that line of thinking.

I also like the fact that Ver 1.2.2 supports IPSec, OpenVPN and PPTP; it looks more robust than IPCop does now. Just read a thread from late last year on another board where a guy did a head-to-head and pfSense came out the winner, based on some rather wonky bits, but the winner nonetheless. He specifically liked traffic shaping and status over IPCop, although IPCop took top honors for ease of install and maintenance (it's mentioned often that pfSense is more technical and cryptic in places).

There's also the failover clustering thing in 1.2.2 that looks really good, endeavoring to eliminate the single point of failure. I just downloaded the ISO and am going to give'r a go, but wanted to know if anyone had any more experience since this thread went up.
nutballs (Administrator)
« Reply #10 on: August 10, 2009, 08:13:07 AM »

Not more experience with it, but at the same point you are. I also have run into a few frustrations with Cop. Traffic shaping is simple on Cop, but a little too simple. And frankly it doesn't seem to work right.

My goal when I get back is to do a VM network test of it. The DEFCON use of it has made me reconsider. Plus a few other things like external monitoring, plugins, and a shorter maintenance update schedule. One final thing is the ability to install your own code, like vmtools, so it can be turned into an ACE install, meaning you can run the firewall off a thumb drive... Mobile VPN anyone?
vsloathe (Global Moderator)
« Reply #11 on: August 10, 2009, 08:27:34 AM »

I think I'm going to set up a pfSense box later this week.

Put 5-6 wifi cards in it and do outbound load balancing across all my neighbors' wifi connections. Just like old times.
perkiset (Olde World Hacker, Administrator)
« Reply #12 on: August 10, 2009, 09:11:37 AM »

@ VS - nice meng, indeed, just like old times. But it's NICs instead of modems LOL

@ Nuts - I thought that pfSense was completely runnable from a thumb already... did I miss something there? And yeah, with OpenVPN I believe a mobile VPN is totally doable, where IPSec seems to be a PIA. Isn't PPTP what Windows uses? Wouldn't that have eliminated one of the problems you and I discussed a bit ago re. IPCop and mobile Windows VPNs?
nutballs (Administrator)
« Reply #13 on: August 10, 2009, 09:23:35 AM »

Yes, it can BOOT from thumb. I want a plug-in gateway.

My thought is that I run it in a VM. Set the gateway of the host machine to my VM. The VM would already be set to DHCP for RED. Bam, VPN on any box with idiot-simple setup.

Theory of course.

But that way, I carry a key, problem, find a computer (Win, Mac, Linux) and plug in and go.
Yeah!

perkiset (Olde World Hacker, Administrator)
« Reply #14 on: August 10, 2009, 09:37:41 AM »

Hmm... I was reading on it last night and there's commentary about how you can run the entire thing from a CD, and the whole thing from a thumb drive. I specifically remember discussion about read/write issues with thumbs (they only have so many, really), so when you configure one to do so, you set options for pfSense to set up its own RAM drive for logging and such... I think there are people in the forum there that are doing *almost* exactly what you are... I don't know about the virtual thing yet though.

If I hear you right, you're saying you'd have 2 virtuals on a stick, one for pfSense (or whatever) and one for your apps... then you could boot up, get pfSense running and have your machine all ready to go too... is that right? That sounds overly complicated to me... perhaps I'm missing something.