Excerpt from the book "Configuring IPCop Firewalls: Closing Borders with Open Source"
Introduction
IPCop is a firewall for the Small Office/Home Office (SOHO) network, which is extremely easy to use and is released under the GNU General Public License (GPL). It provides most of the basic features that you would expect a modern firewall to have, and what is most important is that it sets this all up for you in a highly automated and simplified way. It's very easy to get an IPCop installation up and running and takes very little time. For features like those in IPCop, you would usually have to pay for a high-end firewall system or string something together using a collection of other tools. IPCop takes some of those powerful Linux tools and creates a pre-built package for you. IPCop was created to fill a void in the market, where users with small networks need some features that only large networks can afford, as far as expertise or money is concerned.
If your network is relatively small and has a single Internet connection, or if you run a medium-sized business with a couple of sites whose separate Internet connections need linking together, then you can certainly benefit from using IPCop. Since IPCop itself is free, your only expenses for the firewall are the cost of the hardware (which can be a low-end older computer left over from a previous upgrade) and the time spent administering the machine (which is relatively low due to the easy-to-use interface). For smaller networks this is a very attractive system.
Systems such as ISA Server and Check Point are extremely expensive and require a great deal of background knowledge to configure and secure properly. Compare this to IPCop, which functions as a well-secured router and firewall almost immediately on installation. Larger enterprise systems also have much higher hardware requirements and are overkill for smaller networks. The expense and time it takes to set these systems up are unlikely to provide a good return on investment for networks outside the larger enterprise. IPCop also benefits from a simplicity that is not available when using a general-purpose OS such as Windows or even a Linux distribution, because of all the unnecessary services they usually install by default. IPCop has a single specific role, so many of the standard services and applications are not installed, leaving you with a simplified, specialized firewall installation.
When evaluating IPCop for use in your environment, you should look at the functionality it provides and determine whether it will be the most effective solution for your network. Generally, for a small to medium-sized network, IPCop is extremely effective and can simplify network administration greatly. However, for very large networks with a variety of segments all interconnecting through varying mechanisms, you may find IPCop inadequate. It's important to work out exactly how your network will fit together, and then choose IPCop if it fits your needs. For the SOHO network this may be a very simple topology and may require very little planning. In a larger network, IPCop can be used for specific roles within the infrastructure, for example as a gateway for key remote networks like branch offices.
The four types of network interface -- Green, Red, Blue, and Orange -- supported by IPCop have differing levels of trust associated with them. Here is a simple table outlining what traffic is allowed to go to and from which interfaces. This table, and the knowledge contained within it, should form the basis of our planning when considering how many interfaces to use and what to use them for. This is basically the Traffic Flow diagram from the IPCop administrative guide (www.ipcop.org/1.4.0/en/admin/html/section-firewall.html).
Traffic Flow Diagram
| Interface From | Interface To | Status | How To Access |
|---|---|---|---|
| Red | Firewall | CLOSED | External Access |
| Red | Orange | CLOSED | Port Forwarding |
| Red | Blue | CLOSED | Port Forwarding / VPN |
| Red | Green | CLOSED | Port Forwarding / VPN |
| Orange | Firewall | CLOSED | |
| Orange | Red | OPEN | |
| Orange | Blue | CLOSED | DMZ Pinholes |
| Orange | Green | CLOSED | DMZ Pinholes |
| Blue | Firewall | CLOSED | Blue Access |
| Blue | Red | CLOSED | Blue Access |
| Blue | Orange | CLOSED | Blue Access |
| Blue | Green | CLOSED | DMZ Pinholes / VPN |
| Green | Firewall | OPEN | |
| Green | Red | OPEN | |
| Green | Orange | OPEN | |
| Green | Blue | OPEN | |
In visualizing the way in which traffic goes through the IPCop firewall, we can see it as a sort of giant junction with a traffic cop (literally, an IP Cop -- hence the name!) in the middle of it. When a car (in network parlance, a packet of data) reaches the crossroads, the cop decides in which direction the packet should go (based on the routing tables IPCop uses), and pushes it in the appropriate direction.
In the case of a Green client accessing the Internet, we can see from the previous table that this access is OPEN, so the cop allows the traffic through. In other instances, however, this might not be the case. If a Blue client tries to access a client on the Green segment, for instance, the cop might allow the traffic through if it comes over a VPN or through DMZ pinholes -- but if a client on the Blue segment has neither of these things explicitly allowing the traffic, it is stopped. The car is pulled over, the occupants victims of some virtual time in the cells!
Note that (generally) when we illustrate IPCop Configurations, the Red interface is uppermost (North), the Orange interface is to the left (West), the Blue interface is to the right (East), and the Green interface is to the bottom (South).
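The traffic-cop decision described above can be used as a planning check before any interface is cabled. The following is an added example, not code from the book or from IPCop: it transcribes the Traffic Flow table and reports which planned flows would be stopped and what would have to be configured first. The function names and the sample plan are constructed for illustration.

```python
# Added example: (source, destination) -> (default status, ways to open the path).
POLICY = {
    ("red", "firewall"): ("CLOSED", {"External Access"}),
    ("red", "orange"): ("CLOSED", {"Port Forwarding"}),
    ("red", "blue"): ("CLOSED", {"Port Forwarding", "VPN"}),
    ("red", "green"): ("CLOSED", {"Port Forwarding", "VPN"}),
    ("orange", "firewall"): ("CLOSED", set()),
    ("orange", "red"): ("OPEN", set()),
    ("orange", "blue"): ("CLOSED", {"DMZ Pinholes"}),
    ("orange", "green"): ("CLOSED", {"DMZ Pinholes"}),
    ("blue", "firewall"): ("CLOSED", {"Blue Access"}),
    ("blue", "red"): ("CLOSED", {"Blue Access"}),
    ("blue", "orange"): ("CLOSED", {"Blue Access"}),
    ("blue", "green"): ("CLOSED", {"DMZ Pinholes", "VPN"}),
}
# Every path out of Green is OPEN by default.
for _dst in ("firewall", "red", "orange", "blue"):
    POLICY[("green", _dst)] = ("OPEN", set())

def decide(src, dst, configured=()):
    """Verdict for one flow; `configured` lists mechanisms set up for it."""
    key = (src.lower(), dst.lower())
    if key not in POLICY:
        raise ValueError(f"no policy row for {src} -> {dst}")
    status, openers = POLICY[key]
    if status == "OPEN":
        return "ALLOW", "open by default"
    usable = openers & set(configured)
    if usable:
        return "ALLOW", "via " + ", ".join(sorted(usable))
    if not openers:
        return "DROP", "closed, and the table lists no way to open it"
    return "DROP", "needs " + " or ".join(sorted(openers))

def review_plan(flows):
    """Return (name, reason) for each planned flow the firewall would stop."""
    results = ((name, decide(src, dst, cfg)) for name, src, dst, cfg in flows)
    return [(name, why) for name, (verdict, why) in results if verdict == "DROP"]

# Constructed sample plan: (description, from, to, mechanisms configured).
PLAN = [
    ("office PC browses the web", "green", "red", ()),
    ("Internet reaches DMZ web server", "red", "orange", ("Port Forwarding",)),
    ("wireless laptop to file server", "blue", "green", ()),
    ("wireless laptop to file server, VPN", "blue", "green", ("VPN",)),
    ("DMZ web server to internal database", "orange", "green", ("Port Forwarding",)),
]
if __name__ == "__main__":
    print(*review_plan(PLAN), sep="\n")
```

The last entry in the sample plan is stopped even though something was configured for it, because the table offers only DMZ pinholes for Orange-to-Green traffic.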
Comments
need for firewall
For my home laptop I use ZoneAlarm free firewall. This is absolutely necessary for everyone. It blocks at least 50 attempts daily.
home user firewall
Small Office/Home Office maybe, but home users like me do not use a firewall; I think firewalls are only for corps. It is not a big deal to implement a firewall on my home computer. I use Linux. I just never got DoS attacks on my home computer.
IPCop is cool though
I use an Ipcop firewall at home. It runs great on an old k6 and protects both wired and wireless networks. In Ipcop-speak, this is a Red-Green-Blue network, where red=external, green=wired, blue=wireless. The firewall rules are very thorough and extensible. It was easy to set up for what it does. It does DHCP, has a caching proxy server, an intrusion detection system, NTP server, etc. It is also very secure. My wife has a firewall on her wireless XP laptop and almost nothing ever hits it. This is a very polished, easy to use firewall distribution and you cannot beat the price.
I would not go online without some sort of hardware firewall. And Ipcop beats limited consumer routers hands down. All you need is an older PC and a couple of network cards. And if you want to connect to a VPN or have a DMZ, Ipcop boxes are way less expensive than commercial solutions.