A very interesting article, and usefull if you have a sensible broadband connection which I unfortunatley dont have. I am stuck with DSL via satelite which greatly confuses the building of a Linux router.

First of all the satelite card I have does not have Linux drivers which is a great start, the upstream is via ISDN and downstream is via Sat link in another country, oh joy! The router also needs to be a proxy server to differentiate between the 2 sorts of connection and to provide ports for all the different web services. I am at the point of abandoning the project.

btw YAST is Yet Another Setup Tool.

Use IPCop. You can get a linux router up and running in about 20 minutes.

As the Anonymous coward above pointed out there are alternative options for setting up a *nix router. Distro's such as IPCop, Smoothwall or M0n0wall are all designed from the ground up to be routers, and will probably be easier for someone who is new to linux to setup! I do admire the author tho for doing it this was as it allows for a much greater control over the final appliance! I'm quite happy (atm!) with my Linksys WRT54G running the custom DD-WRT firmware, one of the one's released under the GNU/GPL license that adds features to the original linksys firmware, for the moment! I've often been tempted by having a linux router but can't quite justify the effort to myself yet!

A well written, well thought out article. However, the notion that you need a 500mhz CPU to run your router/firewall is a bit excessive. In the past I've set up and run IPCop on Pentium120s and PII-200 boxes with anywhere from 64 to 196 megs of RAM. Plus there are a lot more of those old boxen out there that can provide years of service as firewalls. Currently I'm running M0n0wall on an old Acer PII-233 with 128RAM and a "huge" 2 gb hdd. SUSE is a good distro, but there are plenty of others that can be used. Smoothwall, Redwall, IPCop, and others, or just use the distro of your choice and set up ipchains yourself. Thus the beauty of Free Software is revealed.

Cheers,
Alisdair (but you can call me Al)

I really enjoyed this article! But I think you are being way to hard on yourself..

I personally use IPCop for my own personal firewall/Snort IDS/Squid proxy/Gateway/Proxy/SSL etc. Its really important to have tight security if you are taking control like this.. but no sweat!

Can anybody comment on the relative strengths of some of the router-specific distributions (IPCop,Smoothwall, Monowall).

I would love to hear about people's experiences as well as what the security maintenance commitment is for these projects as a router is something that you only want to touch every five years, once it has been installed.

I'd like to thank everyone who's commented so far on this article. I noted that many people have indicated that ipcop is a great alternative to doing it all yourself. This is very true. I looked at ipcop, as well as a couple of other alternatives such as ClarkConnect and mOnOwall. The biggest problem I had with these pre-packaged solutions is the lack of flexibility. They assume that I to do exactly what my 59 dollar appliance does. Not true. If I wanted exactly what the appliance offered, I'd have just used one to begin with (I DID use one for a long time, in fact).

I also wanted to play with iptables to try and tailor my kids' access to the internet. I supposed I could have dug into the distribution source that was legally obliged to come with these pre-packaged linux router distros, but it was simpler to access iptables and the rest of the network sub-system from a more complete Linux distro.

Another reason for my choice was that this was a learning experience/experiment which continues to this day (and into the future, I hope). I access my linux router as if it were a regular machine on my home network - I use VNC to access display session 0 on this headless box (no physical KVM). I've installed the programming packages, so I can work on Linux programming projects router.

Finally, I get to choose which network services I make available through the publicly accessible internet address on my router, such as web server, mail server, ftp server, etc. The choices are not limited to whatever I can find for the particular flavor of Linux on my router. A more popular Linux distro such as SuSE or RedHat opens the door to many already compiled binary installation packages of most free software projects. Of course, this can be done with port forwarding to another machine on my NAT, but since my router is beefy anyway, I don't see the harm in overloading it a bit.

The beauty of of a complete linux distro is its power and scalability. You have built much more than just a router. What you want to do is just a matter of how much software you want to enable and configure. Using Samba you could include windows file server functionality. Installing Squid and Dansguardian you could have a web content filter. I figure if you are using all that electricity 24/7, you might as well make it as powerful as possible.

I'm using Clarkconnect on my own gateway/server and it works fantastic. You state that one is "locked-in" like an internet appliance, but this is not true. Although the server is configured via a web-based configuration (much like an embedded linux router), one can overcome the limitations of the web-configuration by editing the configuration files remotely easily using ssh. This doesn't have to be done in the command line. Use the "fish://server/" protocol on a linux client machine in KDE's Konqueror and you'll see what I mean.

Great article by the way - it just understates what you have built.

You can also try “CacheGuard OS”: A Linux based Web Gateway Appliance. “CacheGuard OS” is a fully integrated solution to optimize and secure Web Traffics.

Tools and Linux distributions you are talking about are pretty good but are just an addition of multiples powerful software while CacheGuard is a highly integrated software appliance.

“CacheGuard OS” is free for a limited number of users (excellent for a family). See www.cacheguard.com.

I'm pretty good with Linux's iptables, so I decided to see if I could replicate this with OpenBSD and its included packet filtering software, PF. Turns out that PF's syntax is easier for humans to read and understand than that of iptables, though the OpenBSD install might scare off the GUI-lovers. Like with Linux's iptables, you have total flexibility. It's worth your examination.

And yes, I still like iptables and will continue to use it, too. Not bagging on it at all.

BTW, among Linux distro's, I wouldn't recommend SuSE for a firewall. It's just too fat. Same with Fedora or CentOS, much as I love them for other applications. I would, though, recommend either Slackware or Ubuntu Server Edition. They're small, easy to install, and run well on older hardware very well. I run an Ubuntu mail server on a 270MHz SPARC box, and it's not even breathing hard; took me a couple of hours, including install time, to get going.

spitz@cmosnetworks.com

I have a Linksys WRT45G that is setup to run OpenWRT and x-wrt[1] which gives me a really simple setup and config throught the web interface but also linux command prompt using ssh should I need it. You can pick the old linksys routers up for next to nothing on ebay upload the new firmware and off you go. As you don't really want to run any other apps on your firewall it has plenty of grunt to do the job.
It has live throughput graphs, Quality of services, and all the things you would expect from a modern router and it's no larger than a book and takes very little power compared with an old PC and makes no noise!

I'm off to get me a NSLU2 and some Debian images![2]

john
[1]http://x-wrt.org/
[2]http://www.cyrius.com/debian/nslu2/

I may just not be looking in the right place, but I'm unable to find a cheap concentrator. Could you provide a link to an actual concentrator? Many thanks.

I think anyway.

I think spitz@cmosnetworks.com is right. For a firewall, SuSE or Redhat is too big. Slackware is more stable than those and úses less resources. *BSD is also alternative for such purpose.

Sveasoft just released their Talisman firmware to the public. You can download it directly from their web site.