March 18th, 2002, 05:51 PM
To hell with IPSO..
After requesting some information about porting applications to IPSO from Chris Arnold, founder of the GNUkia project, I got this reply:
The porting was fairly easy, actually. Much of it built perfectly without
modification. I built every package on a FreeBSD 2.2.6 box (since that's
what IPSO 3.4.x is loosely based on) with the default
that came with the OS image. All building was done against the IPSO
libraries and linked statically. I'll be stripping and pruning the
in the future.
I'm pretty impressed about the fuss that Nokia makes around its OS; seems like it's time to bench Nokia boxes in favour of <what else...>. So, in the 'running IPSO on other hardware as Nokia' thread on the FW1-wiz list, I was right about getting everything to work as expected on IPSO, so to hell with Nokia and their IPSO..
Anyone out there using IPSO in a non-production environment and wanna test any sploit? Just get the compiled binary of any FreeBSD sploit and run it on IPSO. It would be pretty funny to get a rootshell that easily on Nokia's 1337 OS...
Nokia : GTH!
March 18th, 2002, 07:38 PM
Nice find etsh911. I never much liked those Nokia things, now I have a real reason not to.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
March 18th, 2002, 10:06 PM
mrwall....you are abandoning us!!!
IPSO is just another FreeBSD box that has anything that is not needed stripped out. Removing anything that is not necessary is what can make any OS secure. I would be willing to bet that you can try any FreeBSD sploits on the Nokia box, and you will not have any luck.
Nokia has never denied that IPSO is really FreeBSD. I am sure you can take any OS...including Solaris, and strip out everything, and you will be left with one thing. A pretty damn secure box...as is IPSO. Although it would be nice to say that IPSO is not really FreeBSD, you can't fault them for choosing a rock solid OS to base their systems on, right? How many IPSO exploits have you ever heard of?
These boxes work very well, and I see no reason to abandon them.
And KD (Solaris Boy)...of course you don't like IPSO...because it runs Checkpoint
BTW...this is very interesting info...good post...
March 20th, 2002, 11:08 AM
Completely agreed on, but my point was more of a 'what if' Q. What if some admin installs some BSD proggy that would make his life easier? Or if some guy in a SOHO/SMB decides to turn his lil IP330 into an all-in-one box? Then whom would you blame if CP or IPSO fails to do the correct job? Also, why would I have to pay that much for an OS that doesn't run anything while it's actually a normal FBSD box? Simply, one could get CP NG to run on FBSD with some tweaks and use Webmin instead of Voyager, and it won't cost him that much..
Why Nokia? Nokia had the lead for quite a long time; 2 yrs ago I wasn't able to find anyone that deserved to compete with Nokia. Nowadays, Intrusion.com's boxes outperform Nokia's and they're built on Linux, which allows me to run whatever software I like plus having the chance to customize the box to my exact needs..
About that exploit point, I'm sure nothing will work against a default install of IPSO, but I would really like to know how IPSO would make any difference once built-for-FBSD software is installed on IPSO? Also, if you're familiar with tcl/tk, go to your cgi-bin dir and check the 'ugly' code; I'm sure someone will spot an issue over there some time soon..
Maybe it's time for CP and Nokia to realize that having one box that does routing and firewalling isn't what we really want. I prefer to have a box that does what I want and not what Nokia wants...
BTW, I'm not abandoning CP <hmm, maybe Nokia in favour of an Intrusion box?> but this is just a rant about how weird the world is, hehe
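The 'what if' above (third-party FreeBSD binaries quietly landing on an IPSO box, or on any stripped-down appliance) is something a defender can at least detect. The script below is an added example, not code from the thread or from Nokia: it records a baseline of every file under a directory when the shipped image is known-good, then reports files that were added or modified since. The directory and file names are illustrative, and the baseline format (one digest, a tab, then the path per line) is my own.

```shell
#!/bin/sh
# Added example, not from the thread: a baseline integrity check that flags
# files added to or changed under a directory since the shipped image was
# recorded. Paths used here are illustrative; the baseline format is my own.

# digest FILE: print a hex digest; prefers SHA-256, falls back to POSIX cksum
# (assumption: one of sha256sum, sha256 or cksum is on the PATH)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# build_baseline DIR OUTFILE: one "digest<TAB>path" line per regular file under DIR
build_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(digest "$f")" "$f"
    done > "$2"
}

# list_drift DIR BASELINE: print paths whose digest line is not in BASELINE,
# i.e. files that were added or modified after the baseline was taken
list_drift() {
    cur=$(mktemp)
    build_baseline "$1" "$cur"
    # grep exits 1 when nothing differs; that is the clean case, not an error
    grep -vxF -f "$2" "$cur" | cut -f2- || true
    rm -f "$cur"
}

# check_against_baseline DIR BASELINE: return 0 when nothing drifted, 1 otherwise
check_against_baseline() {
    drift=$(list_drift "$1" "$2")
    [ -z "$drift" ] && return 0
    printf 'unexpected or modified files:\n%s\n' "$drift" >&2
    return 1
}

# Usage: take the baseline once from a clean image, keep it off the box,
# then run the check from cron or after every change window:
#   build_baseline /opt /var/tmp/opt.baseline
#   check_against_baseline /opt /var/tmp/opt.baseline
```

The check only tells you that something changed, not whether the change was authorized; the value is in keeping the baseline somewhere the box itself cannot rewrite and in reviewing every line of drift, since a foreign binary on a minimal appliance is exactly the kind of surface the stripped-down image was supposed to remove.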
March 20th, 2002, 12:02 PM
No one forces you to use them as routers. I find the VRRP functionality very useful to group them in pairs behind my Cisco 7200 routers, although you have valid points regarding the ludicrous cost of the boxes considering the smaller IP 330 and 440's contain hardware that you wouldn't find in the bargain bins of most PC hardware shops.
They are an absolute peach to look after if you have them in the SOHO environment or in places that are not easy to reach. I have some sprinkled about around the world, all managed from here, and I find them easy to support and upgrade, and if there was ever a hardware issue Nokia, being a truly global player, offer fantastic response times even in some of the more remote parts of the world.
Still, it's horses for courses. I ended up with my first Nokia as there were issues with the number of zones PIX would support at the time, and still using both I find PIX on occasion less than helpful, but that is my personal opinion and largely due to greater exposure to IPSO and CP.
Anyone looked at CP's NG? Apart from being a bit slow, does anyone have any other thoughts?
If you have any peanuts that you could sell to the midget at the bus depot, he will give you a pair of his magic shoes.
March 20th, 2002, 01:28 PM
I will reply again to this later...I am a bit pressed for time right now though...
March 20th, 2002, 04:24 PM
Ugh, NG isn't slow. I've been an NG user since it was out in the markets <hmm, about a yr ago?> and I can't find any troubles with it so far; it's more than perfect. Its speed issues are related to the experimental mode of integrating with the system's kernel <actually, working without a kernel>, i.e. u no more have to do all that ARP Proxy buggy-**** for NAT...
it's pretty nice,
Invicitus: u got my mail, drop me a couple of lines about that DoS that u guys faced, I think I could help. I've been playing with a lot of fragmentation issues before and u could see when I last DoS'd my own FW in the 'Port Scanning Crashing My box' thread...
March 20th, 2002, 04:36 PM
I didn't say it wasn't nice to look at; it's just some of my older firewalls are IP440's with a 300 MHz processor and they tend to slow things down somewhat when under heavy NAT use now, and I have read mixed reports about its speed. What platforms are you running it on?
I've only run NG on similarly specced NT machines to have a bit of a play with it. I avoid NAT like the plague as it isn't really necessary; it's just I get lazy when it comes to external access to low traffic temporary development servers.
March 20th, 2002, 04:46 PM
a cpl of IP740's doing HA using Rainfinity's RainWall solution..
I run it on a 1.1 Gigz AMD Athlon with 256 megs of RAM <home PC> running RH 7.2...
Otherwise, it's a couple of Nokia and Solaris <SPARC > boxes...