Author: Andrew2
Saturday, July 21, 2007 - 1:46 pm
Pretty much every one of you who has DSL or cable at home with a wireless router has a hardware firewall, even if you don't know it. A firewall is important to keep intruders off of your network and potentially infecting your computer with viruses, etc. I run servers at home and access them remotely. For a home firewall, I installed something more extensive than your typical home router, called IPCop, on an old PC. You don't need much of a PC to run a firewall; a 10-year-old box will generally work fine. But you need at least two network cards in it, one to connect to your DSL/cable connection and one to connect to your inside network. IPCop is Linux based (and free!). It's really easy to set up ( http://www.ipcop.org ). It's got neat features for mapping your hosts, etc. Plus I added on OpenVPN so I can get into my home network securely from outside. It's also got something called Snort built-in to help you detect and block intrusion attempts to your network. One little Achilles heel of running a home firewall off of a computer with the hard drive is...the hard drive! These things are mechanical and they can and do fail, and when that happens, your internet connection in and out dies. One solution is a competing product called m0n0wall (aka Monowall). It's FreeBSD-based (similar to Linux) and very small, designed to be embedded. It can boot off of a CD or flash card and run entirely out of RAM, no hard drive required. I am sticking with IPCop because it has features I like (for example, OpenVPN if you want it). But I recently moved it to a flash card instead of a hard drive. I found these cheap ($2 each) adaptors to use a Compact Flash memory card in an IDE drive connector. I also found a hack to run IPCop mostly out of RAM, because flash cards can wear out too if they are written to too much. The hack limits writing to the card.
So I just installed this new firewall on an old HP Brio workstation - Celeron 433MHz - and what's cool about this old beast is that it doesn't even have a CPU fan! Just the power supply fan - the only fan (it blows on the CPU heat sink). It's SO quiet without a hard drive! It's really cool! Andrew
Author: Drchaps
Saturday, July 21, 2007 - 2:25 pm
For a VPN client, I love Crossloop... It's VNC based but offers a code to get into the computer instead of worrying about bypassing the firewall on certain ports. Anytime I want to help a friend from home instead of driving there I have them plunk on this little app and it's awesome for Windows-based machines. www.crossloop.com
Author: Andrew2
Saturday, July 21, 2007 - 2:53 pm
I use Hamachi and VNC to do the same thing (to support computers of friends and family remotely). I use OpenVPN for my home network because it doesn't rely on a 3rd party to make the connection. And, it's built into my firewall, which is always on, anyway. Andrew
Author: Darktemper
Sunday, July 22, 2007 - 12:10 am
I like using a Cisco 831 router and programming its IOS to work both as a hardware firewall and a VPN server. Then, with the use of the Cisco VPN client software, you get very easy and very secure remote connections. No need for a PIX... you can program any IOS router with the right feature set with this! Way beyond your normal run of the mill home box! There ain't no GUI with Cisco either so if you no speaky IOS then you be hurtin'!
Author: Missing_kskd
Sunday, July 22, 2007 - 12:58 pm
I ran a Linux box, in a fashion similar to what Andrew is doing. My new DSL router runs Linux, so it's just that at the moment. I'm into a little home net burnout, so it's all shut down right now. Really like that configuration however. It's cheap, powerful and does what you want it to do. I've had no end of trouble with the Cisco VPN not working through lower end routers. Ugh... One of the vendors I deal with has a cool little thing called appshare. One party sets up a conference, the others join in, then control and screens can be passed around at will. Great support tool, OSS too, but they've tied it to Windows server for authentication, otherwise I would have one of those running at home. It's very similar to the link chaps posted. I'm gonna check that one out. The flash drive bit is getting to be a big deal. IMHO, it's really gonna change workstation computing. A good friend just purchased a 60GB flash drive for his laptop. The lack of seek time and the full on regular peak throughput it brings to the table is nothing short of amazing! One high-end CAD application I work with has a typical 20 second load and init time. With the flash, this is a coupla seconds! If you run virtual machines, these things are gonna be a must have. The primary bottleneck with VMs is I/O to the virtual file. One I use regularly is 45GB in size. Needless to say, it's a real monster to manage. If it's fragmented at all, things slow down right quick, and that's with the full complement of RAM permitted under win32. I toyed around with loading Linux on the laptop to increase the RAM and I/O (better caching), but after seeing the flash drive performance, I'll leave win32 on there for business purposes, and just run the flash. 100GB ones are coming soon. That will drop the price of the 60s to a nice, sweet point. Where Windows is concerned, high performance has always meant turning on the registry key that keeps the Windows executive in RAM always. Nice boost.
Again, the flash just negates that for the most part. Memory laden computers, running one of these things, will improve enough to be worth it. Suddenly a RAM to storage swap will have far less impact.
Author: Andrew2
Sunday, July 22, 2007 - 1:25 pm
Cheap flash drives will transform laptop computers in the next five years as the prices come down and capacities increase. They will allow for more reliable, cooler, quieter operation. You won't need to use standby mode anymore on a laptop - hibernate/resume will be so quick that you'll gladly pay the extra 2 seconds to resume to save your battery. Failed hard drives are the worst reliability problem in laptops and flash drives - while not themselves immune to failure - should be much more reliable. I love my little IPCop box in part because I love the idea of finding good uses for old computers. This Celeron 433 box thing would be in a scrap heap otherwise, yet it's still doing useful work, thanks to the innovation of the people who created IPCop and Linux. Missing, definitely try OpenVPN if you're having VPN issues. It's extremely easy to set up and use. Oh, and while I don't have a Cisco firewall, I have an ancient Cisco 678 DSL modem, which is extremely reliable. It never needs to be rebooted. If Qwest continued to use modems this reliable, they would never be telling people "reset your modem to try to fix your problem" when you call tech support, LOL! But the 678 isn't all that easy to configure; it has no web interface! You have to program it with a serial administration cable (my current laptop HAS no serial port(!), and the USB2Serial converter I have didn't work). It's got a CBOS command line interface, which I'm perfectly fine with (hey, I write Perl scripts all the time). Since my DSL connection uses transparent bridge, configuration for this modem is a snap. I even bought a spare used 678 just to have one in case something happens to this one. I don't want to have to risk trying a new modem. Andrew
Author: Missing_kskd
Sunday, July 22, 2007 - 2:17 pm
Oh man, don't even get me started on how good the 678 really is! I had to trade up as part of a connection change. (bastards!) The 678 has excellent traffic shaping. Not that it was a specific feature, I just loved how it handled high traffic loads. I could just bury the thing both upload and download, yet small, interactive traffic remained viable. The modem I have now does somewhat better at high speeds, in terms of sheer bits moving in or out, but that comes at the cost of interactive traffic. It is completely possible to configure the 678 without a serial cable -- and there is a web interface, but it's largely useless. I'll look for the notes, but I did my updates via TFTP and configuration via telnet (inside only). Only used the serial cable the very first time. --- wait, I just saw bridge mode. That means you gotta use the serial. Sorry. What's the deal with bridged mode? I never liked it because it's putting machines right on the net. Don't get me wrong, that's really how things were supposed to be, before we got the combination of too many baddies and NAT. The 678 had excellent NAT options, being able to map both inside and outside ports to home network hosts if you want. (Few routers do this as well as the 678 does.) So I went PPP and just did my mapping and was done.
Author: Digitaldextor
Sunday, July 22, 2007 - 2:30 pm
Missing kskd, you really need to work on developing your own critical thinking skills. "DD grow the fuck up and stop asking questions even my four year old knows the answer to." Is that critical thinking?
Author: Vitalogy
Sunday, July 22, 2007 - 2:53 pm
The irony of the last post is impressive.
Author: Andrew2
Sunday, July 22, 2007 - 3:27 pm
Missing, IPCop has traffic shaping built-in also. I actually prefer bridged mode, because then I can do all the firewall stuff in IPCop which is presumably much more upgradable than CBOS (Cisco stopped supporting it years ago; Qwest offers only legacy support that is several years old.) Bridged mode is just less complicated. I agree that if you have a single PC it is less desirable. You'd prefer that the computers on your network all be behind a NAT firewall.
Author: Missing_kskd
Sunday, July 22, 2007 - 5:21 pm
That makes sense. I was scared of bridging when I first set up my DSL. I think it was either 98 or 99, whichever year Qwest first offered it. Firewall stuff was harder then as well. When I was running stuff out of my home, I used ports. One for SSH, one for WEB. That's all I needed incoming. Nice setup Andrew. When I get off my retro kick, I'll give it another go. It may be worth it to host a VM or two for testing / evaluation by prospects.
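For readers who want to see what the setup discussed in this thread looks like in concrete terms, here is a minimal iptables ruleset for the two-NIC Linux firewall Andrew describes, with the NAT port mapping Missing_kskd mentions (SSH and web forwarded inbound to one inside host, everything else dropped). This is an added example, not anything the posters configured and not IPCop's own generated rules: the interface names eth0/eth1, the 192.168.1.0/24 inside network and the 192.168.1.10 server are constructed values, and the script prints the rules for review rather than loading them unless explicitly told to.

```shell
#!/bin/sh
# Added example: a two-NIC Linux NAT firewall in the spirit of the thread's
# IPCop/old-PC setup. All names and addresses below are assumptions.
WAN="${WAN:-eth0}"                          # NIC facing the DSL/cable modem (assumed)
LAN="${LAN:-eth1}"                          # NIC facing the inside network (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # constructed inside subnet
INSIDE_HOST="${INSIDE_HOST:-192.168.1.10}"  # constructed server that takes SSH and web

# Emit the iptables commands instead of running them, so the policy can be
# read (or checked by a script) before it touches a live box.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN -s $LAN_NET -j DROP
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 22 -j DNAT --to-destination $INSIDE_HOST:22
iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $INSIDE_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $INSIDE_HOST:80
iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $INSIDE_HOST --dport 80 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Count the inbound TCP ports mapped through the WAN side. A quick sanity
# check that nothing beyond SSH and web has crept into the policy.
exposed_ports() {
    build_rules | grep -c 'PREROUTING -i .* -j DNAT'
}

# Load the ruleset for real (needs root and the iptables tools installed).
apply_rules() {
    build_rules | sh
}

# With no argument the script just prints the rules; "apply" loads them.
case "${1:-}" in
    apply) apply_rules ;;
    "")    build_rules ;;
esac
```

The two anti-spoofing DROP lines (a packet arriving on the WAN side claiming an inside source address) are the kind of rule a bare consumer router often omits; they cost nothing and stop a common trick for slipping past "trust the LAN" rules. Everything inbound that is not one of the two explicit DNAT mappings falls through to the DROP policy.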