When the ALIX.2D3 I’d ordered arrived, I set about installing IPCop, a secure Linux distribution managed through a web interface. IPCop has a huge number of features, and provides good documentation in the form of an installation manual and a separate administration manual. I wanted IPCop to run off a Compact Flash (CF) card (1GB), so I proceeded as per instructions, creating the CF image from a staging IPCop installed in a VirtualBox machine. (If you prefer a ready-made image, look at EMBCop or read on.)

After copying IPCop’s image onto a CF card, I inserted it into the ALIX and booted. The hard part (after I’d found a NULL-modem cable in the pile of mess I call a cellar :-( ) is finding out which of the NIC connectors on the ALIX are which. What I did was plug an Ethernet cable into one connector after the other and wait until the link status went up (I can identify that with ethtool). I then know which it is (eth0 … eth2) and can label them accordingly. The interfaces are labelled as per the terminology that IPCop uses:

  • RED is the bad Internet. (And it is bad, believe me. As soon as you have IPCop running, glance at the firewall logs. You might be surprised at the rubbish coming towards you.)
  • ORANGE is the DMZ if you need one.
  • GREEN is the good network, i.e. your home or SOHO network to which you connect your PCs, Macs and printers.

IPCop supports a number of different network combinations, depending on your requirements. You can set it up with just a RED and GREEN network (the simplest combination), or you can expand it to include a BLUE network for wireless LAN (WLAN or WiFi). IPCop automatically allows or forbids traffic between these interfaces, but you can override specific ports with port forwarding or so-called DMZ pinholes.

Instead of messing about with IPSEC VPNs, I decided to install OpenVPN on IPCop. There are a large number of addons for IPCop, and OpenVPN is provided as Zerina. After copying the tar file to the IPCop, I had to change the version check line in the install file, replacing 1.4.18 with 1.4.21 before launching ./install. The addon integrates nicely with IPCop’s Web interface, and allows me to create an SSL root Certification Authority and then add certificates and keys for road warriors. If you don’t have experience with OpenVPN, there are a couple of good introductions to IPCop and OpenVPN here and here. What I particularly like about this setup is:

  • Totally silent because it has no fan.
  • Great functionality including OpenVPN and Snort Intrusion Detection System.
  • Easy to perform a full backup of the CF card without removing it: ssh -p 222 root@ipcop "dd if=/dev/harddisk" > backup.img
  • Simple but powerful Web interface. (Better than most low-cost routers I’ve seen.)
  • There are a large number of useful (and not so useful) add-ons for IPCop. A nice repository is at IPCop addon binaries. Installation is usually just a matter of getting a tar file onto your IPCop with scp, logging in to it with ssh, extracting the files (tar) and running an ./install in the package’s directory.
  • IPCop updates are supplied as encrypted GPG files. I simply upload them in the browser and IPCop does the rest.
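
A stricter form of the backup one-liner above, as an added example that is not part of the original post: it keeps the image readable by its owner only (the card holds the OpenVPN CA and keys created on the firewall) and refuses to keep a dump that is empty, truncated or missing an MBR signature. The host alias ipcop, the function names and the assumption that /dev/harddisk is the whole card are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: host alias "ipcop",
# SSH on port 222, and /dev/harddisk being the whole CF card (so it starts
# with an MBR).

# Command prefix used to reach the firewall; overridable so the checks can be
# tried against a local file.
IPCOP_RUN=${IPCOP_RUN:-"ssh -p 222 root@ipcop"}

# verify_image FILE: succeed only if FILE looks like a complete disk image.
verify_image() {
    img=$1
    [ -s "$img" ] || { echo "empty or missing image: $img" >&2; return 1; }
    size=$(wc -c < "$img" | tr -d ' ')
    # A raw dump of the card is a whole number of 512-byte sectors.
    [ $((size % 512)) -eq 0 ] || {
        echo "size $size is not sector-aligned (truncated?)" >&2; return 1; }
    # Bytes 510-511 of an MBR are the boot signature 55 aa.
    sig=$(dd if="$img" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no MBR signature (got '$sig')" >&2; return 1; }
}

# backup_cf OUTFILE [DEVICE]: dump the device over SSH into an owner-only
# file, then keep it only if it passes verify_image.
backup_cf() {
    out=$1
    dev=${2:-/dev/harddisk}
    tmp="$out.partial"
    # umask 077: the image contains private keys and password hashes.
    if ( umask 077; $IPCOP_RUN "dd if=$dev" > "$tmp" ) && verify_image "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "backup failed, $out left untouched" >&2
        return 1
    fi
}

# Usage: backup_cf backup.img
```

Because the dump goes to a .partial file first, a failed login or dropped connection never overwrites the previous good backup.img.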

Check out the IPCop support page with links to mailing lists and support forums. If you read German, I can warmly recommend ipcop-forum.de which offers downloads (for registered members) with ready-made CF images, ready to run on ALIX boards. Further reading:

Hardware, Linux, Security, ALIX, firewall, and IPCop :: 14 Jan 2009