IPCop Advanced Firewall


IPCop Firewall Main Home Page



IPCop is an advanced software distribution which turns a dedicated PC into an advanced Internet Router/Firewall.


A dedicated PC means a good quality PC with a hard drive, two network cards, and a battery backup. While you'll read stories of users turning old 386 PCs into an IPCop Firewall, PCNS thinks you should use a Pentium 4 Class PC, 2 GHz or faster, with 512 MB of memory and a 40 GB hard drive as a minimum. This gives you lots of room to expand and spare processor horsepower to run future options and add-ons. A good quality PC like this should cost less than $200 USD on the used market. You do NOT need a Windows license. In fact, no Microsoft license of any kind is required.

Why would someone use this instead of a consumer Netgear, Linksys, or Belkin router? The main reason to use the IPCop firewall is that you want to know what's going on with your Internet service, and have more control over what your family accesses over the Internet.

Built-In Features of IPCop

Some of the more notable features built-in IPCop include the following:

Proxy Server. A proxy server is a performance enhancement which accelerates browsing by storing frequently accessed web pages and images. An added bonus of the proxy server is its ability to log all visited web sites. You can see entries of websites visited by local IP addresses. IP addresses are like phone numbers of PCs. Suppose your son or daughter is accessing Myspace.com from the IP address 192.168.1.100; the proxy logs will list the visit against that address. If someone in the household is visiting websites they really shouldn't be on, then you can take steps to block access to the website via an optional add-on (more on this later). A sample of web sites visited:

IPCop Visited Web Sites - Proxy Log


How to determine your PC's IP Address

Windows 2000/XP/Vista: Press the Windows Logo Key and press R. You should get the Run box. Type CMD, then click OK. Then type IPCONFIG; your IP address is circled in the illustration below (in our case it's 192.168.16.150 in the Windows XP example).

Windows XP ipconfig command


Windows Vista IPConfig Command:

Probe from Roy Richardson


Intrusion Detection and Firewall Features: If you ever want to know who may be knocking on your router's door, the Intrusion Detection System (or IDS) allows you to identify the type of attack and, frequently, where the attacker originates. In the Firewall Logs (see the screen print), we see probes from the Netherlands, Sweden, and Ireland. These can be virus- or worm-infected PCs, hackers running automated tools, or simply curious hackers. In this screen print, the IP address 200.7.63.74 probed IPCop 10 times over a one-hour period.


Roy Richardson's Location

When you click the IP address (the red highlighted items above), IPCop performs a lookup. A lookup is like doing a reverse lookup on a phone number. We are therefore able to get the name (Roy Richardson) and his location in the Netherlands. Note that many Internet Service Provider subscribers have IP addresses which change, so one cannot assume this 200 address is always Roy Richardson.
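The per-source probe count shown in the Firewall Logs can also be worked out from the raw log text. The following is an added example, not part of IPCop or of the original page: it assumes the log lines carry the standard Linux netfilter LOG fields (`SRC=`, `PROTO=`, `DPT=`), and the sample lines, the `ipcop` hostname, the `INPUT` prefix, the default year and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: syslog lines carrying the standard netfilter LOG fields.
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?\bSRC=(\S+)"
    r" .*?\bPROTO=(\w+)(?: .*?\bDPT=(\d+))?"
)

def build_sample():
    """Constructed log: ten probes from one source inside an hour, plus noise."""
    ports = [135, 139, 445, 1433, 135, 139, 445, 1433, 135, 139]
    lines = [
        f"Mar  3 14:{m:02d}:07 ipcop kernel: INPUT IN=eth1 OUT= SRC=200.7.63.74 "
        f"DST=203.0.113.5 PROTO=TCP SPT={40000 + m} DPT={p}"
        for m, p in zip(range(0, 60, 6), ports)
    ]
    return lines + [
        "Mar  3 14:20:41 ipcop kernel: INPUT IN=eth1 OUT= SRC=198.51.100.23 "
        "DST=203.0.113.5 PROTO=UDP SPT=53211 DPT=1434",
        "Mar  3 16:45:02 ipcop kernel: INPUT IN=eth1 OUT= SRC=198.51.100.23 "
        "DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0",
        "Mar  3 16:45:09 ipcop sshd[411]: unrelated line, ignored by the parser",
    ]

def busiest_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(lines, window=timedelta(hours=1), year=2024):
    """Per-source totals, peak hits per window, and targeted proto/port pairs."""
    hits = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, lines)):  # skip non-firewall lines
        stamp, src, proto, dpt = m.groups()
        # Syslog stamps omit the year, so the caller supplies it (assumed here).
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        hits[src].append((when, f"{proto}/{dpt}" if dpt else proto))
    report = [
        {"src": s, "total": len(ev), "peak": busiest_window([t for t, _ in ev], window),
         "targets": sorted({p for _, p in ev})}
        for s, ev in hits.items()
    ]
    return sorted(report, key=lambda r: r["peak"], reverse=True)
```

Calling `summarize(build_sample())` lists the noisiest source first, with its total hits, its busiest one-hour count and the ports it touched.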





IPCop Traffic Shaping


Traffic Shaping. Suppose you have a VOIP phone. You can prioritize VOIP traffic so that it has a higher priority than, say, HTTP traffic, and your calls won't get choppy or degraded during periods of heavy Internet use. In the sample, we have port 6346 (used by Limewire) set to low priority; this means other services, such as web browsing, will have higher priority (since it is set to Medium). However, the ports used by peer-to-peer products like Limewire can be moved around by the user, and the shaping can be circumvented.

Blockout Traffic's Net-Traffic

Useful Add-Ons, tested by PCNS

Net Traffic, from http://www.blockouttraffic.de, is a simple add-on which calculates your daily and monthly consumption of bandwidth. This should be of particular interest to Comcast and, potentially, Time Warner customers. Time Warner is testing a new Internet Service in Beaumont with bandwidth caps.

This add-on tells you how much bandwidth you have used, so you know in advance if you are going over your monthly allocation.

URL Filter in IPCop Top Half


URL-Filter, from urlfilter.net, offers a web content filter that is much more effective than the static entries of typical consumer routers. Instead of blocking a few dozen websites, URL-Filter can block thousands of websites, based on categories. Don't worry, you don't have to type in all the thousands of sites. A small list is included by default, and both free and paid list subscriptions are available, at a fraction of the cost of a business class router. You can also manually enter specific websites you want blocked, such as myspace.com.

In the screen prints, you can select the IP addresses of computers which are allowed full access, versus those which should not have any access. You can also set up time restrictions so that, say, over a lunch hour, certain services can be permitted.

URL Filter in IPCop Bottom Half



Useful Add-Ons, Untested by PCNS

CopFilter (untested by PCNS) is a product which filters spam and has in-line antivirus detection capabilities. This feature can be used with the free ClamAV or via subscription with AVG or F-Prot.

Blockout Traffic (untested by PCNS), from the people who brought you Net Traffic, is a "crowbar"-style outbound blocking filter which can block everything. Note that the key term is outbound blocking. Normally all services are allowed outbound in an IPCop firewall (and almost all inbound services are blocked). This add-on takes the same approach, only for the outbound connections.

The idea here is to let the minimum amount of information out to the web. When it installs, it initially blocks everything. It has a default service group, which allows basic web browsing, email retrieval, and mail protocols. In theory this allows only the most essential services to go out to the Internet, and any extraneous TCP/IP services, applications, viruses, worms, and malware will never see the Internet.


Advantages of IP Cop

  • Much more flexibility and control over your Internet connection.
  • The IPCop distribution software is free!
  • Internet Service can be faster by using a fast PC either with or without the Proxy Server option.
  • Ability to see first hand how many hackers, virus- and worm-infested PCs, and Internet noise are trying to penetrate your network.
  • Web content filter in IPCop means no software needs to be installed on each desktop. Nothing for computer savvy pre-teens to 'End Task,' and the content filter is just as effective on Macs.
  • Advanced features such as highly secure built-in VPN connectivity make it attractive for small businesses on a budget.

Disadvantages of IP Cop

  • IPCop is a technically advanced product, requiring expertise beyond the typical Novice PC user.  PCNS can assist you in its configuration.  PCNS suggests keeping your old router as a backup, in case the PC running IPCop fails.
  • IPCop requires a desktop PC, and a battery backup is strongly recommended. The PC takes more energy (IPCop runs 24 x 7), takes more space, and generates a heat load. Like any PC, it's prone to faults like hard drive crashes and power supply failures. Note: IPCop can run headless, that is, without a mouse, keyboard, or monitor, if the PC's BIOS supports it.
  • Many new generation wireless cards are not supported.  PCNS suggests a separate Wireless Access Point, or a Router running as an Access point.
  • If web content lists aren't updated regularly, computer savvy kids may find Proxy sites which can bypass proxy filters, allowing them access to sites which you may have blocked.
  • Because Instant Messaging clients are designed to circumvent blocking, IPCop, as well as a majority of consumer routers, cannot easily block instant messaging applications.

Low cost alternatives to IPCop

DD-WRT is replacement firmware for many routers, including Linksys, Netgear, and Buffalo. Though not as extensible as IPCop, it offers many more features than the standard factory firmware, giving it business class firewall pretensions.

Resources

Official Site of IPCop Distribution
Cop Filter Website
IPCop Forums
Url Filter Website Content Blocking Filter
Net Traffic