IPCop

from Wikipedia, the free encyclopedia
Developer: IPCop team
License(s): GPL (free software)
First published: 2001
Current version: 2.1.9 (February 23, 2015)
Ancestry: GNU/Linux
↳ Smoothwall
↳ IPCop (up to 1.3.0)
↳ Linux From Scratch
↳ IPCop (since 1.4.0)
Architecture(s): IA-32
Languages: multilingual
Other: Price: free
Website: www.ipcop.org

IPCop was a free Linux distribution that was primarily intended as a router and firewall. It also offered selected server services and could be expanded to include additional functions. Up to version 1.3.0, IPCop was based on the free GPL version of Smoothwall; from version 1.4.0 it was based on Linux From Scratch (LFS for short). In 2017, the end of development was announced. The last version appeared in 2015. The project was discontinued at the end of 2018.
IPFire and Endian Firewall are two spin-offs from IPCop that continue to be developed.

Server services

Immediately after installation, IPCop provides a router, a working firewall, a proxy server (Squid), a DHCP server, a caching name server (dnsmasq) and an intrusion detection system (Snort). Additional functions such as traffic shaping, VPN and dynamic DNS are available.

System requirements

The computing power required of the PC depends on the area of application. A 133 MHz CPU with 32 MByte RAM (better 64 MByte) is required. At least 2 network cards are required (PCI, PCMCIA, USB, ISA or VL bus): one for the connection to the Internet (via DSL or another router) and one for the connection to the LAN.

For private use, even a 486 provides enough computing power if Squid and the intrusion detection system (IDS) are switched off.

Interfaces

Firewall rules of the interfaces

IPCop differentiates between different networks, which are displayed in different colors. The green network represents your own LAN; the red network symbolizes the "unprotected" Internet. A WLAN, if present, is symbolized by the color blue, while orange represents the DMZ (demilitarized zone). The DMZ is used for servers that should be accessible from the Internet (web server, FTP server, etc.). If this network were successfully attacked (compromised), the other networks would remain protected independently of it.

A separate network card with an IP address is required for each network that is used. It is not necessary to use every network. If there is no WiFi, there is simply no blue network. If there is no web server (or similar), no DMZ, i.e. no orange network, is required. The minimum setup with a red and a green network can be extended with add-ons by up to four additional network cards, and thus networks, independent of blue and orange. Each of these networks is separate and protected by the firewall.
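
The zone separation described above, as an added sketch that is not IPCop's own ruleset: a shell function that prints an iptables-restore FORWARD policy for whichever zones are installed. The interface names and the exact allowed flows (green may open connections to any zone, blue and orange only to red) are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added illustration, not IPCop code. The flow policy below is an assumption.
# Only forwarded traffic between zones is covered; traffic addressed to the
# firewall itself (INPUT chain) is out of scope.

# zone_rules RED_IF GREEN_IF [BLUE_IF] [ORANGE_IF]
# Pass "" for a zone that is not installed; no rules are emitted for it.
zone_rules() {
    red=$1 green=$2 blue=${3:-} orange=${4:-}
    if [ -z "$red" ] || [ -z "$green" ]; then
        echo "red and green interfaces are mandatory" >&2
        return 1
    fi
    printf '%s\n' "*filter"
    printf '%s\n' ":FORWARD DROP [0:0]"   # default deny between all zones
    # Replies to connections that were permitted when they were opened.
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Green (LAN) may open connections to every other installed zone.
    for out_if in "$red" "$blue" "$orange"; do
        if [ -n "$out_if" ]; then
            printf '%s\n' "-A FORWARD -i $green -o $out_if -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
    # Blue (WLAN) and orange (DMZ) may open connections to red only.
    for in_if in "$blue" "$orange"; do
        if [ -n "$in_if" ]; then
            printf '%s\n' "-A FORWARD -i $in_if -o $red -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
    # No rule accepts NEW traffic into green from any other zone, so a
    # compromised DMZ host falls through to the default DROP.
    # Inbound red -> orange access to a published server would need one
    # explicit per-service rule (port forwarding), not generated here.
    printf '%s\n' "COMMIT"
}

# Constructed interface names: red=eth1, green=eth0, no blue, orange=eth2.
zone_rules eth1 eth0 "" eth2
```

The printed text is in the format read by `iptables-restore`; review it before loading, since loading replaces the existing filter table unless `--noflush` is given.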

Web interface

Versions (selection)

Version   Date
0.0.9     December 28, 2001
0.1.0     January 3, 2002
0.1.1     January 22, 2002
1.2.0     December 27, 2002
1.3.0     April 22, 2003
1.4.0     October 1, 2004
1.4.5     March 30, 2005
1.4.10    November 9, 2005
1.4.13    January 16, 2007
1.4.18    December 1, 2007
1.4.21    July 23, 2008
2.0.0     September 23, 2011
2.0.4     February 16, 2012
2.0.6     October 28, 2012
2.1.4     April 8, 2014
2.1.5     May 2, 2014
2.1.6     October 28, 2014
2.1.7     October 28, 2014
2.1.8     January 25, 2015
2.1.9     February 23, 2015

IPCop is configured via a web interface, accessible (before version 2.0.0) at http://SERVERNAME:81/ or, via SSL, at https://SERVERNAME:445/. These are the standard ports; they can or should be changed for security reasons, since 445 is now blocked by many providers. The IP address can be used instead of the server name. From version 2.0.0, secure access is no longer possible via port 445, but (by default) only via port 8443.

Through this web interface, settings such as port forwarding, opening ports (external access), the proxy and DHCP servers, as well as dynamic DNS, traffic shaping, IDS and the time server (NTP) can be configured. The web interface also gives access to the various log files and their evaluations, some of which are also provided as graphics.

The user can also access the Unix shell to create or change more detailed configurations. Access is then via SSH on port 8022. WinSCP and PuTTY are very common for this and easy to use even without Linux knowledge.

The capabilities of IPCop can be expanded using add-ons, for example with a URL filter, the OpenVPN add-on ZERINA or a layer 7 filter. The extensions are published on the official IPCop website.

Security aspects

IPCop provides many services with the basic installation and can also be adapted with add-ons. This, however, is a compromise between the scope of performance or functionality on the one hand and security on the other, since security can suffer from increasing complexity. A web server that is not necessary for the firewall functions and an NTP server are already installed with the basic installation; these can be used for attacks. Various add-ons such as Samba can also create additional attack surfaces.

In 2005 the magazine c't presented the c't Debian server as part of a server project, in which IPCop runs in User Mode Linux (UML), a virtual machine, under an extensively equipped Linux home server system with various network services. However, many experts consider this approach to be unsafe, as an attacker could take control of the virtual host. In the current version of the sample server, these risks have been reduced by using Xen and two virtual servers based on it.

The latest version lacks support for IPv6.

LCD4Linux

LCD4Linux is an extension that enables information to be displayed on an LC display that is connected via the serial interface.

Literature

  • Marco Sondermann: IPCop compact: more security for your local network thanks to the free firewall system. Bomots Verlag, 2008, ISBN 978-3-939316-41-1.
