When the ALIX.2D3 I’d ordered arrived, I set about installing IPCop,
a secure Linux distribution managed through a web-interface. IPCop has a
huge number of features, and provides good documentation in the form of an
installation manual and a separate administration manual. I wanted
IPCop to run off a Compact Flash (CF) card (1GB), so I proceeded as per
instructions, creating the CF image from a staging IPCop installed in a
VirtualBox machine. (If you prefer a ready-made image, look at
EMBCop or read on.) After copying IPCop’s image onto a CF card, I
inserted it into the ALIX and booted. The hard part (after I’d found a NULL-modem
cable in the pile of mess I call a cellar :-( ) is finding out which of the
NIC connectors on the ALIX are which. What I did was to, one after the other,
plug in an Ethernet cable and wait until the link status goes up (I can
identify that with ethtool). I then know which it is (eth0 … eth2) and can
label them accordingly. The interfaces are labelled as per the
terminology that IPCop uses:
- RED is the bad Internet. (And it is bad, believe me. As soon as you have IPCop running, glance at the firewall logs. You might be surprised at the rubbish coming towards you.)
- ORANGE is the DMZ if you need one.
- GREEN is the good network, i.e. your home or SOHO network to which you connect your PCs, Macs and printers.
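The port-identification step described above can be scripted. The following is an added example, not part of the original post: it polls ethtool for each interface and prints the one whose link comes up when a cable is plugged in. The function names and the ETHTOOL override variable are hypothetical, and the script assumes ethtool prints a "Link detected: yes|no" line.

```shell
#!/bin/sh
# Added example: find out which ethN a physical port is by watching link state.
# Assumption: `ethtool <iface>` prints a line "Link detected: yes" or "... no".

# link_state: read ethtool output on stdin, print "up", "down" or "unknown".
link_state() {
    awk -F': *' '/Link detected/ { s = ($2 == "yes") ? "up" : "down" }
                 END { print (s == "" ? "unknown" : s) }'
}

# snapshot IFACE...: print one "iface=state" line per interface.
# ETHTOOL (hypothetical variable) can point at a stub for offline testing.
snapshot() {
    for ifc in "$@"; do
        printf '%s=%s\n' "$ifc" \
            "$("${ETHTOOL:-ethtool}" "$ifc" 2>/dev/null | link_state)"
    done
}

# newly_up OLD NEW: print interfaces that are up in NEW but were not up in OLD.
newly_up() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            *=up) printf '%s\n' "$1" | grep -qx "$line" || echo "${line%=up}" ;;
        esac
    done
}

# watch_links IFACE...: poll once a second until a link comes up, then print it.
watch_links() {
    old=$(snapshot "$@")
    while :; do
        sleep 1
        new=$(snapshot "$@")
        changed=$(newly_up "$old" "$new")
        [ -n "$changed" ] && { echo "$changed"; return 0; }
        old=$new
    done
}

# On the ALIX: start with all cables unplugged, run the line below over the
# serial console, plug one cable in, and label the port with the name printed.
# watch_links eth0 eth1 eth2
```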
IPCop supports a number of different network combinations, depending on your
requirements. You can set it up with just a RED and GREEN network (the
simplest combination), or you can expand it to include a BLUE network for
wireless LAN (WLAN or WiFi). IPCop automatically allows or forbids
traffic between these interfaces, but you can override specific ports
with port forwarding or so-called DMZ pinholes. Instead of messing about
with IPSEC VPNs, I decided to install OpenVPN on IPCop. There are a
large number of addons for IPCop, and OpenVPN is provided as
Zerina. After copying the tar file to the IPCop, I had to change the
version check line in the install file, replacing 1.4.18 by 1.4.21 before
running ./install. The addon integrates nicely with IPCop’s Web interface,
and allows me to create an SSL root Certification Authority and then add
certificates and keys for road warriors. If you don’t have experience with
OpenVPN, there are a couple of good introductions to IPCop and OpenVPN
here and here. What I particularly like about this setup is:
- Totally silent because it has no fan.
- Great functionality including OpenVPN and Snort Intrusion Detection System.
- Easy to perform a full backup of the CF card without removing it:
ssh -p 222 root@ipcop "dd if=/dev/harddisk" > backup.img
- Simple but powerful Web interface. (Better than most low-cost routers I’ve seen.)
- There exist a large number of useful (and not so useful) add-ons for IPCop. A nice repository is at IPCop addon binaries. Installation is usually just a matter of getting a tar file onto your IPCop with scp, logging in to it with ssh, extracting the files (tar) and running an ./install in the package’s directory.
- IPCop updates are supplied as encrypted GPG files. I simply upload them in the browser and IPCop does the rest.
Check out the IPCop support page with links to mailing lists and support forums. If you read German, I can warmly recommend ipcop-forum.de which offers downloads (for registered members) with ready-made CF images, ready to run on ALIX boards. Further reading: