by David "Del" Elson
|IPCop: An Overview
by David “Del” Elson
last updated March 13, 2001
IPCop is a cut-down Linux distribution that is intended to operate as a firewall, and only as a firewall. It has some advanced firewalling features, including VPNs using IPSec. This article describes the set-up and use of IPCop, and contains a few comments about its features.
This article is based on IPCop version 0.1.1, which was in turn derived from SmoothWall version 0.9.9.
IPCop's main feature is as a firewall system for small offices or home networks. Being licensed under the GPL, it is free to use and therefore the only costs in getting it running are the hardware. IPCop supports up to three network interfaces, and includes the following features:
IPCop is a complete firewall installation, taking control of the machine and replacing any other operating system that is installed. Therefore, it is not similar to packages like ipchains or any of the GUI firewall administration tools. It is not an additional security service you would run on your machine; rather, it is a complete operating system and firewall administration kit in a box that the user would dedicate a single machine to house and run as an Internet gateway.
Where to Find IPCop
IPCop can be found at SourceForge, at or at the IPCop home page. The home page is fairly easy to navigate, and contains the source code, a downloadable ISO image, and some documentation including installation and administration guides.
IPCop and SmoothWall
IPCop is derived from the SmoothWall project but was forked as a separate project for a two main reasons:
Differences between SmoothWall and IPCop
The scripts and installer in IPCop were derived from SmoothWall. The OS underneath it has been rebuilt from the Red Hat 7.2 RPMs. A rebuild was required as both IPCop and SmoothWall use a 2.2 kernel instead of the 2.4 kernel used in Red Hat's distribution.
The code has been modified to run on an ext3 (journalled) filesystem, for added reliability. Some additional fixes and feature enhancements to the SmoothWall product have been made, notably in the area of ADSL support.
Of course, most of what is said in this article applies to the current version of SmoothWall as well as IPCop. If you would prefer to run SmoothWall or require a commercially supported product, then see the SmoothWall home page.
What you will need:
Finding a PC
This is often the hard bit of the installation. IPCop doesn't require a highly powered PC to run on. Since machines are often at a premium in many small offices, a trip to your nearest PC recyclers or second hand shop may be an ideal way to get hold of a PC to use for IPCop.
Of course, it will need to be running and have a reasonable amount of memory (say, 64MB would be useful for a machine that is doing caching as well, although 128MB would be great), and a good-sized hard disk if you plan to Web cache, but processing speed is not important.
Since IPCop is almost completely manageable by the Web interface (requiring the console only to change network interface parameters), it can run happily without a keyboard, monitor, mouse, or any of the other paraphernalia attached to a PC. Most PC suppliers and/or recyclers can be convinced to sell PCs equipped without these items.
The installation process is incredibly simple and is well documented in the installation manual. The installation manual can be found by following the Documentation links from the IPCop home page, or directly via this link: http://www.ipcop.org/cgi-bin/twiki/view/IPCop/IPCopInstallv01.
The installation manual contains complete screen shots of the entire installation process. Rather than repeat or paraphrase the installation manual here, I will simply list the main points:
Network Interfaces and the DMZ
IPCop supports up to three network interfaces. This may be an issue in larger organizations, as I have seen firewalls with as many as 15 network interfaces in the past.
Generally you would run IPCop with at least two interfaces, which would be RED and GREEN, but you may also want to use an ORANGE interface as well, which allows you to have a DMZ (de-militarized zone).
The IPCop documentation clearly explains why you should use an ORANGE interface for the DMZ. An Internet-exposed Web server, for example, should probably live on the ORANGE interface rather than the GREEN interface. Why? Well, this is as a fallback measure. A server on the DMZ, if protected by the ORANGE interface, cannot access anything on the GREEN interface unless a pinhole is specifically created for it. This would usually be done between a Web server on the DMZ and a database server (for example) on the GREEN network.
This means that if a cracker were to somehow bypass the firewall, intrusion detection measures, and other systems that you have in place to protect your Web server, and managed to gain root access on it, they would still be unable to attack your internal network. Sure, they would be able to access the database that you have specifically allowed access to, but they would be unable, for example, to attack your NFS servers, your domain controllers, or other more sensitive devices on your LAN.
Finishing the Installation
Ideally, IPCop would be running on a low profile machine, which would be hidden in a network cabinet somewhere away from prying eyes (and fingers).
You should unplug any keyboard, mouse, and monitor, and do the environment a favour by re-using them elsewhere on your network.
Installed out of the box, IPCop is pretty much a blank although functional template. It has the necessary rules in place to allow access from your protected network to the Internet, and deny access from the Internet inwards to your network.
There are a few things that need configuring once IPCop is running, however:
Starting the Administration Interface
Administering IPCop is a simple matter of using a Web browser, from anywhere on the GREEN network. You need to know the GREEN network interface address that was assigned when you set up your IPCop server. Simply start your preferred Web browser and access the address http://<green_address>:81/
For example, if your firewall is configured with the address 192.168.1.1, you could enter the address http://192.168.1.1:81/ into your browser and you would see the configuration interface.
To get past the first page of the interface, you will need to know the "admin" account and password that you assigned during installation.
There is also a secure access to the configuration interface of IPCop - https://192.168.1.1:445/ if you prefer to use an SSL connection, although IPCop generally will not have a valid certificate so you may get some warnings from your Web browser when you use this type of connection.
Probably IPCop's most important feature is the integration of the Squid Web proxy server. This proxy service is disabled by default, but can be started from the configuration interface. Choose "Services" on the menu on the left-hand side of the interface, and then from the menu you see at the top of the page, select "Web proxy". The Web proxy is enabled by checking the box marked "Enabled". If your Web proxy is also your main gateway, then you may also want to select the "Transparent" option, which means your Web clients will not need to set up any proxy settings in their browsers, the proxy service will function automatically.
Most of the other settings in this area can be left blank.
IPCop contains a simple DHCP server, which is capable of serving dynamic IP addresses for a small LAN. Because I'm the sort of network guy that likes to know what address all of my workstations have, I prefer to use a different DHCP server that allows me to assign static IP addresses by MAC address.
If you want to use IPCop's DHCP server, however, it is very simple. Just go to the "dhcp" tab in the "Services" menu, and tick the "Enabled" box. You will also need to assign a start address and end address for the DHCP range, and enter some DNS details to be passed on to DHCP clients.
IPCop includes the Snort intrusion detection system, which is quite a powerful system for detecting various attacks on internal servers. If you are using IPCop to protect a server or two (either on your DMZ or your GREEN network) then you will find Snort quite useful.
IPCop makes setting up Snort very simple. Just go to the "IDS" tab on the IPCop menu, and tick the "Enabled" box. Remember to check your log files regularly if you are running Snort! These are accessible from the "IDS" tab as well.
An IDS such as Snort (or a firewall, for that matter) is in no way a substitute for the need to ensure that your Web servers are updated regularly with the appropriate service packs and security fixes as soon as they become available from your vendor, be that Debian, Red Hat, or Microsoft. Be aware of any vulnerabilities as soon as they are announced (the BugTraq mailing list is a good source of this information), because there only needs to be one cracker who discovers the vulnerability before you update your IDS, and you may very well be in trouble.
Port Forwarding and External Service Access
The Port Forwarding and External Service Access tabs in the "Services" menu are used together to allow access to your internal servers from outside of your network (the Internet).
As a simple example, assume that we have a Web server and a mail server running on the DMZ. We have assigned the address range 192.168.200.x to our ORANGE network, and the Web server is at address 192.168.200.10 with the mail server at address 192.168.200.20.
Web services typically run on TCP port 80, while mail (SMTP) traffic happens on TCP port 25.
The entries that we would make are as follows:
Note how the Source Port and Destination Port under port forwarding are usually the same (unless you wanted to redirect an external port to a different internal port), and how those same ports must also be enabled under external service access.
DMZ Pinholes are only used in IPCop for allowing access from the ORANGE network to the GREEN network. Note that access from the GREEN network to the ORANGE network is enabled by default.
This type of access would normally only be used where a Web server on your DMZ needed to access a database server inside your network. You will need to find out the port number that the database server runs on (for example, for MySQL it is 3306, for other databases such as Oracle or Informix you will need to ask your vendor or consult the documentation).
Enabling the pinhole is a simple matter of selecting the "dmz pinholes" tab on the Services menu. As an example, to allow our Web server on the DMZ shown previously to access a MySQL server on our internal network at IP address 192.168.100.4, we would enter the following information:
On Line Documentation for IPCop
In addition to this article, there is a wealth of documentation on the IPCop home page.
All of the IPCop documentation is maintained in a system called Twiki (a WikiWikiWeb engine written in Perl). This enables people from outside of the IPCop development team to freely contribute documentation for the project, after registering, and has meant that in a reasonably short space of time the documentation available for the system is comprehensive and complete.
The IPCop documentation can be accessed directly from the IPCop v0.1 Documentation Page
There is a full installation manual and an administration manual available via the above link.
Setting up a VPN using IPCop
Setting up a VPN on Linux is a relatively complicated topic. This is primarily because the main VPN system available (FreeS/WAN), while being highly comprehensive and having many features, is also very complex to set up and understand.
Fortunately, the IPCop system simplifies the process somewhat, and makes setting up a VPN between two IPCop systems much more straightforward.
There is some documentation in the IPCop documentation tree on setting up a VPN, including a VPN how-to. This is a fairly comprehensive document, which can be obtained by following the links from the IPCop home, or directly via the IPCop VPN How-To page
Another useful document for understanding IPSec based VPNs and FreeS/WAN in particular can be obtained via the FreeS/WAN home page.
Configuration of the VPN
Configuring a VPN between two IPCop machines involves the following steps:
Ensure The Machines Are Connected
This is the first important step - ensure that both VPN machines are connected to the Internet and are switched on and running. You will also need to ensure that they can ping each other.
Also ensure that a machine behind each firewall can ping the external IP address of the opposite firewall. So, if your firewalls are at addresses A and B, make sure a machine behind firewall A can ping B, and a machine behind firewall B can ping A.
Most VPN problems are caused by a problem with this basic connectivity.
Decide On A Left and Right Interface
One of your IPCop firewalls must be designated as "Left" and one must be designated as "Right". This designation does not change through any of the next steps.
You need to establish the following information:
Although it might sound strange (from a network administrator's point of view) to have to do so , you must provide this “next hop” information. The KLIPS (Kernel IP Security) component of FreeS/WAN bypasses the normal routing machinery, so you must give KLIPS the information even though the routing tables already know it.
Enable the VPN settings
Enabling the VPN settings on each machine is simply a matter of going to the "VPNs" menu on the IPCop administration page, and selecting the "control" tab. Enter the external (RED) address of each firewall into its own "Local VPN IP" entry box, check the "Enabled" box, and press the "Save" button.
Set Up the VPN Connections
After enabling the VPN settings, click on the "connections" tab in the VPN menu.
You will now need to enter the LEFT and RIGHT interface information that you gathered earlier. In addition, you will need to enter:
When you are entering the LEFT and RIGHT information, remember that the LEFT machine remains LEFT at both ends. Don't make the common (but understandable) mistake of entering firewall A's information as LEFT at one end and RIGHT at the other.
Once your connection details are entered, you will need to return to the control tab and Restart the VPN settings at both ends. It may be that the VPN takes a little while to become established, but once it has you should be able to ping any machine on the A network from any machine on the B network.
If you cannot ping between the A and B networks (LEFT and RIGHT) once the VPN is established, then go back and check your connection details. Make sure that the same information is entered at both ends of the connection, and read carefully through any error messages in the log (on the connections page) for messages that may indicate the cause of the problem.
Connecting a VPN From IPCop to Other Systems
Another popular Linux-based firewall is the commercial product, Watchguard Firebox II. This is sold as an integrated hardware and software device, and also supports IPSec-based VPNs. Because both the Firebox II and IPCop use the industry standard IPSec protocol for VPN connections, it is possible to set up a VPN between a Firebox II and a machine running IPCop. There is even a special how-to on this at the IPCop Web site: http://ipcop.sourceforge.net/cgi-bin/twiki/view/IPCop/IPCopWatchguardVPNHowto
Or follow the links from the IPCop home page to the IPCop documentation tree, and select the Watchguard VPN HOWTO under "Other Documentation"
It is also possible to set up a VPN between an IPCop system and a Check Point VPN-1 firewall, although how to do that is beyond the scope of this article. However, keep your eyes open for an upcoming article on Linux and IPSec, in which Check Point and IPCop will be discussed.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.