IT nerds. Interesting firewall software.

[carl0s]

I just came across this. The management interface looks rather snazzy and overall it looks really quite interesting. I'm not sure what limitations the 'free download' has, i.e. how much functionality you get without paying, but I'm gonna give it a whirl I think.

 

I currently use pfSense, and I have a couple of sites using Astaro. I've looked at reviews/demos of various others like RouterOS, Smoothwall and IPCop.

 

Anyway I clicked an advert over at lwn.net and ended up at this site:

http://www.untangle.com/

 

Check out the video: http://www.untangle.com/video_overview/

 

Looks interesting doesn't it.

[carl0s]

(I realise I am way behind the times BTW, this thing apparently isn't new)

[Wez]

Interesting, is that just an interface to the device running the software or does it actually run on windows?

[carl0s]

Interesting, is that just an interface to the device running the software or does it actually run on windows?

 

That's a web interface. The system is Linux based (suspect.. haven't seen confirmation of that, but apparently you can install it as packages onto a Debian or Ubuntu system).

 

You download the ISO, let it format the hard disk and install itself onto a PC. They have some Vmware virtual appliances (whatever they are..) to download at: http://www.untangle.com/index.php?option=com_content&task=view&id=290&Itemid=1148

 

It seems that everything is included in free except for the clientless-vpn portal and antivirus, but OpenVPN is included in free, as is the spam filter etc.

[carl0s]

I just hope it's not too dumbed-down. There are always specifics that I get used to using which might not be present.

For example with pfSense I have a schedule set, so that kids computers don't work on the Internet after a certain time.

Haven't seen any mention of IMspector yet either for logging and swear-filtering MSN Messenger.

 

On the other hand, pfSense doesn't show me a list of currently connected VPN users, or allow me to boot them off or see their assigned IP address. This system does. That doesn't matter to me personally (I use win2k3 RRAS), but I have a client using pfSense too and it's been an issue there.

pfSense really is a router/firewall rather than an allround application type gateway I suppose, so there's no spam filtering. I might give this thing a proper look.

 

edit: sorry, virus scanning is included in Free as well. But you can pay for Kaspersky if you want. I guess it's using ClamAV or something similar.

[carl0s]

Somebody over at the forums is working on IMSpector integration.

[JustGav]

I'm a HUGE smoothwall fan with it is clam-av/squid/dansgaurdian/imspector/layer-7 option.. I have had some minor issues with it, and always open to another option.. I'm going to try this as well and see how it goes.

 

Cheers

 

http://www.untangle.com/images/open_vs_professional_table.png

[Thorin]

I'm a HUGE smoothwall fan with it is clam-av/squid/dansgaurdian/imspector/layer-7 option.. I have had some minor issues with it, and always open to another option.. I'm going to try this as well and see how it goes.

 

Cheers

 

http://www.untangle.com/images/open_vs_professional_table.png

 

I used smoothwall years ago but switched to IPCop (originally a fork of Smoothwall), I've not used either for a few years now but I found IPCop better.

[carl0s]

I'm a HUGE smoothwall fan with it is clam-av/squid/dansgaurdian/imspector/layer-7 option.. I have had some minor issues with it, and always open to another option.. I'm going to try this as well and see how it goes.

 

Cheers

 

http://www.untangle.com/images/open_vs_professional_table.png

 

I hoped I would catch your attention 'cause I know you use Smoothwall

[JustGav]

I used smoothwall years ago but switched to IPCop (originally a fork of Smoothwall), I've not used either for a few years now but I found IPCop better.

 

To be fair... the primary reasons in order for the firewall at home are

 

1. Content filtering for the kids

2. Layer-7 filter (Removing torrents/p2p stuff)

3. Web proxy

4. AV/Spam (Not critical as it has hosted based stuff on the PC's as well)

5. MSN filtering.

 

Anything else is a bonus. Smoothwall just seemed to integrate with dansgaurdian which was the key thing. IPcop I seem to remember had some minor issue with something I was trying to do with regards layer-7 filtering.

[SBDJ]

Very nice, especially for home users or small office environments.

 

Personally use pfSense at work, due to it's general flexibility and load balancing capabilities...

[carl0s]

Missus is in bed still, gonna install this thing now and have a play.

 

First problem I ran into yesterday, is that the fancy admin tool shown in the video.. it's a Java Web Start application, and there is no javaws for Linux x86_64, which meant I couldn't look at the online demo system. Have workaround now though.

[carl0s]

Well that's no fun. It just works. Where's the nerdyness in that?

http://www.porn.com is blocked!

 

I haven't actually done anything other than install the Open Source library rack/package set. It's all switched itself on and blocking/protecting/filtering.

 

but of course, I'm allowed porn. It's the kids who aren't. Time to try to make some changes

[carl0s]

meh. You need the Pro package to do scheduling/time based firewall rules. It's part of the Policy Kit

 

could do a crontab entry, but this is a step backwards from pfSense.

 

So I have gained a web filter and lost time restrictions

[SBDJ]

As long as you're not running a load balancing environment, you could run Squid with SquidGuard on your pfSense box, which will allow you to do a fair bit of content filtering...

[carl0s]

As long as you're not running a load balancing environment, you could run Squid with SquidGuard on your pfSense box, which will allow you to do a fair bit of content filtering...

 

I'm pretty certain I had a go at this and got nowhere. I seem to remember it doesn't actually do content filtering, maybe just malware removal. Can't remember, but it wasn't possible when I tried. pfSense forums confirmed it wasn't possible at the time.

[SBDJ]

SquidGuard definately allows basic content filtering, I use it at work to block various site types. I don't run it directly on pfSense, but it can definately be done, as I was using it about a year and a half ago (although I had to do the package myself).

 

squidGuard can be used to

• limit the web access for some users to a list of accepted/well known web servers and/or URLs only.
  
• block access to some listed or blacklisted web servers and/or URLs for some users. **)
  
• block access to URLs matching a list of regular expressions or words for some users. **)
  
• enforce the use of domainnames/prohibit the use of IP address in URLs. **)
  
• redirect blocked URLs to an "intelligent" CGI based info page. **)
  
• redirect unregistered user to a registration form.
  
• redirect popular downloads like Netscape, MSIE etc. to local copies.
  
• redirect banners to an empty GIF. **)
  
• have different access rules based on time of day, day of the week, date etc.
  
• have different rules for different user groups.
  
• and much more..

I know dvserg on the pfSense forum has now packaged it... some comments here for example:

 

http://forum.pfsense.org/index.php/topic,8417.0.html

 

I suspect some of the more advanced features won't yet have GUI entries (but you could obviously edit the config file directly) although I've not seen has package so couldn't be sure...

[carl0s]

I remember the problem now. You had to maintain a list of blocked urls, and that list started off empty.

 

Has that changed now then? That's more url blocking rather than content filtering IMO. I realise that most 'content filtering' systems probably do just use massive outside maintained url lists, but I was looking for something that intercepted and filtered the content, or at least an existing outside-maintained category based url blocklist.

[SBDJ]

You're right in that SquidGuard doesn't come with a list, although I don't know if this package supplies one.

 

I can't remember where I grab mine from, but I can have a look on Monday if it helps

[carl0s]

You're right in that SquidGuard doesn't come with a list, although I don't know if this package supplies one.

 

I can't remember where I grab mine from, but I can have a look on Monday if it helps

 

Sure, why not. I might not use it yet but it's good info to have

[carl0s]

You're right in that SquidGuard doesn't come with a list, although I don't know if this package supplies one.

 

I can't remember where I grab mine from, but I can have a look on Monday if it helps

 

I think my problem was that I was seeing what I could do through the GUI interface, rather than through the console. With an outside list like you're using, and configuring through the console I guess it will do what I wanted. Thanks for the heads up.

[JustGav]

Missus is in bed still, gonna install this thing now and have a play.

 

First problem I ran into yesterday, is that the fancy admin tool shown in the video.. it's a Java Web Start application, and there is no javaws for Linux x86_64, which meant I couldn't look at the online demo system. Have workaround now though.

 

I was going to do the same, but just realized I ran out of blank cd's...so just popping off to get some.

[carl0s]

I was going to do the same, but just realized I ran out of blank cd's...so just popping off to get some.

 

 

Well, I think I've decided I don't like it.

I'm not sure if it's because I feel dumbed-out by it, or if it's because I can't be arsed trying to manually get IMSpector in place, and manually overcome the lack of scheduling/time based firewall rules*.

 

I was going to persevere and try to alter the inbuilt "no rack" policy default to block-all rather than pass-all. This would have allowed me to do time based filtering in the free version, because although you can't create multiple racks & use policies to apply them to different machines @ different times etc, there is an inbuilt "no rack" to go alongside your configured rack. The problem is that this "no rack" config is an allow-all setup, rather than an allow-nothing setup.

 

Anyway, I would have to get off my arse and go into the shed ("comms room" ) and plug a screen into the machine to enable ssh so I could have a play from inside here. No ability to turn on ssh through the admin console has just taken me over the dumbed-out line for today.

 

Note to self: Use a spare hard drive next time

 

I'm gonna look at some other things now. I never have actually tried IPCop. I'll try it now. I remember reading some posts probably 4-5yrs ago from the Smoothwall developer which left a very sour taste in my mouth so I won't be going down that route.

 

*without paying. Although for up to 10 protected IPs it's only $225/year. Acceptable for business use I reckon.

[carl0s]

No PPTP on IPCop. I don't need this, but I would rather evaluate something I could use for customers. Not seeing much mention of web content filtering either.

 

hmm. Wonder what else is out there as a pre-packaged firewall/gateway system like these.

[carl0s]

Now downloading Endian 2.2-beta3 http://www.endian.com/