Distribution Review: Astaro Secure Linux by Fergal Moran
About 1 year ago, we took delivery of a nice shiny new leased line in our office, so it was time to learn all about firewalls, DNAT, masquerading and all the other black arts of the shady network admin.
First stop, SmoothWall, which on the surface appeared to be the magic panacea to solve all my security problems. After about 4-5 hours of struggling with the terminology I hit the first snag: no support for DNAT, and as we are running multiple services on our network, on multiple hosts, this was essential.
Next I found a German company called Astaro who produce a (semi) GPL'd firewall called Secure Linux, which is based on Debian with a 2.4.8 kernel. I say semi GPL because, while the core components are GPL'd, some of the add-on components are commercial. The install does give you the option of installing only the GPL components. I am not sure of the exact licensing requirements of the non-GPL version and their website is not giving much away, so you should check this out yourself.
Anyway, onto installation. Burn the ISO image onto a CD, pop it into your designated server and turn it on. The installation was extremely smooth, detecting both network cards, asking me for an IP address for the internal one and the external one, addresses of nameservers, hostname of the box and the passwords for a number of the administrative users (root password, 1 for ssh access and 1 for https access).
When the installation is finished, you simply point a web browser at the box and log in to the secure site using the username you have created - you can also SSH into the box and administer it from there if you wish. In here you can define your network, both external and internal, add IP addresses to your NICs and set up aliases for all your ports. Once that is done you can go into the DNAT settings and define which external IPs should be mapped to which internal IPs, which is done on a per-port basis. Then you move to the packet filter page to ensure that the firewall will actually allow these ports through.
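The two steps above (a per-port DNAT mapping, then a packet filter rule that lets the port through) can be cross-checked on any netfilter-based firewall. The following is an added example, not part of the original review and not Astaro's own code: it assumes the rule set is available in plain `iptables-save` format, and the sample rules and addresses are constructed.

```python
import shlex

# Constructed sample in iptables-save format (documentation addresses, not real hosts).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.21:21
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def _opts(line):
    """Split one '-A CHAIN ...' line into (chain, {flag: value}).
    Simplification: negated matches ('!') and multi-value flags are ignored."""
    tok = shlex.split(line)
    chain, opts, i = tok[1], {}, 2
    while i < len(tok):
        if tok[i].startswith("-") and i + 1 < len(tok) and not tok[i + 1].startswith("-"):
            opts[tok[i]] = tok[i + 1]
            i += 2
        else:
            i += 1
    return chain, opts

def unfiltered_dnat(rules_text):
    """Return DNAT targets (internal_ip, proto, port) with no matching FORWARD ACCEPT."""
    dnat, allowed, table = [], set(), None
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # '*nat' or '*filter' opens a table section
        if not line.startswith("-A "):
            continue
        chain, o = _opts(line)
        proto = o.get("-p")
        if table == "nat" and chain == "PREROUTING" and o.get("-j") == "DNAT":
            ip, _, port = o["--to-destination"].partition(":")
            dnat.append((ip, proto, port or o.get("--dport")))
        elif table == "filter" and chain == "FORWARD" and o.get("-j") == "ACCEPT":
            # FORWARD sees the packet after DNAT, so it must match the internal address.
            allowed.add((o.get("-d", "").split("/")[0], proto, o.get("--dport")))
    return [t for t in dnat if t not in allowed]

if __name__ == "__main__":
    for ip, proto, port in unfiltered_dnat(SAMPLE_RULES):
        print(f"DNAT to {ip}:{port}/{proto} has no FORWARD ACCEPT rule")
```

In the sample, the FTP mapping is translated but never permitted by the filter, which is the situation the packet filter step exists to prevent.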
Astaro Secure Linux also contains a number of handy proxies: SMTP with virus scanning, caching HTTP (squid based), DNS and SOCKS (a must for IRC junkies). It also contains a FreeS/WAN-based VPN, which I cannot comment on as I have not used it yet. Excellent reporting facilities including uptime, proxy utilisation and portscan detection are also provided.
I may not be the best person to comment on the relative merits of firewalls as I do not have as much experience of them as some; however, IMHO Astaro Linux was a cinch to set up and has operated flawlessly ever since, providing everything we need to run multiple websites, FTP servers, custom servers, in fact the whole gamut - with relative impunity. The only downsides to it that I can see are the rather woolly licensing and incomplete application of the GPL.
About the author, Fergal Moran.