Linux.com

Feature

Review: SmoothWall Express 2.0

By Aditya Nag on March 10, 2005 (8:00:00 AM)

In these days of always-on Internet connections, a firewall that protects your network from unauthorized access is indispensable. Though most home routers have some sort of basic firewall capabilities, their rules for incoming and outgoing traffic are often basic and arbitrary. An alternative is to run a Linux-based firewall on old hardware, but configuring this sort of setup is generally not easy. An exception is SmoothWall, a free application you can install on any old machine to convert it to a dedicated hardware firewall. SmoothWall has a friendly interface and more configuration options than standard hardware firewalls.

The download for SmoothWall Express 2.0 is a mere 45MB, 12MB of which is documentation in PDF format. I installed it on an 800MHz Pentium III box with 128 MB SDRAM, a 20GB hard drive, and three network cards (one onboard, two PCI). This hardware is more powerful than the software's minimum requirements -- you can run it on anything upwards of a Pentium with 32MB of RAM and a 540MB hard drive.

The installation is easy, thanks to the excellent documentation provided. During the installation, SmoothWall formats the hard drive, with no options to save any data or make custom partitions. You must choose what kind of network interfaces -- Ethernet, ISDN, or USB ADSL -- you will be using. I chose the Ethernet option. Next, you choose the type of firewall. There are two options: green-red, where one interface is connected to the Internet (red) and the other is connected to your network (green), and green-orange-red, where you can put any servers that require external access, such as Web or mail servers, in the orange zone. Servers in the orange zone are fully accessible from both the red (Internet) and green (local network) zones, but no machines in the orange zone can access resources in the green zone. The orange zone is also known as the demilitarized zone or DMZ.

I chose the green-orange-red option. I set up the IP addresses of the network cards, following the instructions in the manual. The next step was configuring the DHCP server, but since we already had a DHCP server running, I disabled this. I then set up three passwords, for admin, root, and a setup user. The most important user is the admin user, because that is what you will use for the Web-based administration. The setup user is used when you want to change some settings, such as changing the green-red option to green-orange-red. The final step in the installation process was an option to load a previous Smoothwall configuration from a diskette. The entire installation process took 10 minutes.

By default the firewall is configured to disallow all requests that originate from the red interface. This means that any request that comes from the Internet will be blocked by default unless a machine in the green zone has requested it. You can configure SmoothWall using a Web-based interface at http://<IPADDRESS>:81 or https://<IPADDRESS>:441. For a home user or small business, the only configuration that you will have to do is update SmoothWall, from the updates option in the Web-interface. Savvy users can configure SmoothWall to their liking.

The Web-based interface is organized into broad areas which then contain the specific features. You can run SmoothWall as a proxy server or DHCP server, forward ports to machines in the green zone, and more. As a proxy server, you cannot set up advanced features like per-user authentication or delay pools. This function is useful for smaller organizations and homes, but a large office may want to use a dedicated proxy server. You can configure the address range, WINS server, and static hosts for the DHCP server. You can specify dynamic DNS, offer remote access over SSH, and synchronize with a Network Time Protocol server. SmoothWall also lets you enable Snort, a popular open source intrusion detection system.

Among the network settings you can control:

  • Port forwarding: This allows you to forward a port from the firewall to a machine inside the green or orange zones. You can use this feature to hide your Web servers behind a single IP address. If you use software like BitTorrent, which requires that other computers connect to yours through a firewall, you must use port forwarding.
  • External service access: You can access any services running on the SmoothWall machine by opening the ports you need.
  • DMZ pinholes: As the name implies, this allows you to open a pinhole from the DMZ to the green zone. This is useful if your externally accessible servers need to communicate with servers inside the green zone. For example, your Web server may need to communicate with a database server inside the green zone.
  • PPP settings: You can set up various profiles, configure up to 4 modems, and use dial on demand.
  • IP block: You can ban specific IP addresses or ranges here.

Smoothwall performs stateful packet inspection using the Linux 2.4 kernel and netfilter. It also has a built-in virtual private network, which makes it possible to securely connect to your home network from an external location.
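The zone policy described above (default deny from red, reply traffic admitted by connection state, DMZ pinholes from orange into green, and forwarded ports) as an added, simplified Python model; this is not SmoothWall's or netfilter's code, and the interfaces, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: which interface is in which zone, and the green subnet.
ZONES = {"eth0": "green", "eth1": "orange", "eth2": "red"}
GREEN_NET = ipaddress.ip_network("192.168.1.0/24")
# Red-side port 80 is forwarded to a constructed web server in the orange zone.
PORT_FORWARDS = {80: "192.168.2.10"}
# One DMZ pinhole: the orange web server may reach the green database on 3306.
PINHOLES = {("192.168.2.10", "192.168.1.20", 3306)}

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int

class ZoneFirewall:
    def __init__(self):
        self.flows = set()  # connection table: (src, sport, dst, dport) of accepted flows

    def decide(self, p):
        # Return traffic for a flow an inside host opened is matched by state first.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"
        zone = ZONES[p.iface]
        if zone == "green":
            verdict = "ACCEPT"  # the trusted network may open anything
        elif zone == "orange":
            into_green = ipaddress.ip_address(p.dst) in GREEN_NET
            pinholed = (p.src, p.dst, p.dport) in PINHOLES
            verdict = "ACCEPT" if (not into_green or pinholed) else "DROP"
        else:  # red: default deny; only explicitly forwarded ports get through
            target = PORT_FORWARDS.get(p.dport)
            verdict = f"DNAT:{target}" if target else "DROP"
        if verdict != "DROP":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return verdict

def demo():
    fw = ZoneFirewall()
    return [
        fw.decide(Packet("eth0", "192.168.1.50", 50000, "203.0.113.5", 443)),    # green -> Internet
        fw.decide(Packet("eth2", "203.0.113.5", 443, "192.168.1.50", 50000)),    # its reply
        fw.decide(Packet("eth2", "198.51.100.7", 40000, "192.168.1.50", 22)),    # unsolicited scan
        fw.decide(Packet("eth2", "198.51.100.7", 40001, "203.0.113.1", 80)),     # forwarded to DMZ web
        fw.decide(Packet("eth1", "192.168.2.10", 40002, "192.168.1.20", 3306)),  # pinhole
        fw.decide(Packet("eth1", "192.168.2.10", 40003, "192.168.1.20", 22)),    # no pinhole
    ]
```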

Researchers keep discovering new security risks, so it is essential that you keep your SmoothWall machine updated. The updates section in the Web-based interface handles this. It informs you of available updates and provides links to download the files. Once you've downloaded the files, you must upload them using the Web-based form. The updates are in tar.gz format, but the upload process handles the unpacking, and also verifies the package signature.

There were six updates available last month when I installed my copy, with the newest dated less than a month before I installed the software. This is a good sign, because it means that the developers release regular updates. Installing the updates was easy, though a couple of them did need a reboot. All the administration can be done over the network, including rebooting.

The documentation for SmoothWall deserves a special mention. The three manuals -- Quickstart, Installation, and Administration -- are very clear, well-written, and comprehensive. In fact, even if you do not run SmoothWall, you can read the manuals to get up to speed on firewalls.

Our college network comprises around 400 users, a Web server, and a mail server. To test SmoothWall, I enabled SNORT intrusion detection and ran a few attacks against the firewall over the red interface. I used nmap, the Metasploit framework, and some other port scanning and attacking tools. In all cases, the firewall was able to deal with them, and the Snort and firewall logs showed most types of attack, the IP address of the attacker, and the time and date. SmoothWall's IP lookup feature can determine and report the origin of an attacker. The tests that I did were simple, but were the most common kinds of random scans that go on over the Internet.

SmoothWall is designed to run without interruption once configured. On my fairly large network, SmoothWall never showed any signs of slowing down. You can log in and check the log files or the bandwidth usage, which is presented in a graphical format, and tracked over a day, week, month, and year.

SmoothWall does not have many quirks. In fact, the only flaw that I could find was in the updates page. As of this version, it is a two-step process. You have to manually download the files to your machine, and then upload them to the SmoothWall machine. Maybe the developers could implement some sort of automatic update that could be configured to check once a week or so, and download and install the updates. But besides this minor design quirk, SmoothWall is extremely well-designed.

While SmoothWall has many of the features required for a home or small office, it is not a fully featured firewall. You cannot implement your own custom iptables rules without dropping to the command line, or perform bandwidth management. The built-in proxy server is also a simplified version, without the more advanced features a larger business may need. But if you are looking for a firewall with more features than the bundled firewall on your router, and you have an old PC lying around, download SmoothWall and try it.

Comments

Smoothwall Review

Posted by: Anonymous Coward on March 11, 2005 09:34 PM
While I liked the article, and investigated Smoothwall a few years ago, I found the updates and improvements slow to come. I therefore ended up using IPCOP (www.ipcop.org), a fork of Smoothwall, that I like much better. It has the automatic updates, and includes a number of free add-on utilities. I've been running it on an old PC (125MHz) with DansGuardian content filtering for the kids, and it does a great job.

Been there, done that...

Posted by: Anonymous Coward on March 11, 2005 11:44 PM
I wrote an article for Tom's last December about Smoothwall 2.0, which you can see here:

http://www.tomsnetworking.com/Reviews-178-ProdID-SMOOTHWALL-1.php

Re:Been there, done that...

Posted by: Anonymous Coward on April 16, 2005 06:12 AM
I agree with you. GUI based firewalls give me the creeps. Everything looks ok on the screen but you don't have an idea what's happening under the bonnet. CLI based firewalls give me a more secure feeling. This is because I can see every detail as it is being processed by the firewall in real time. GUI seems to give a false sense of security. Also CLI gives more control over what you want the firewall to do... Just my 2 cents...

Re:Been there, done that...

Posted by: Anonymous Coward on April 28, 2006 08:12 PM
Yes, but your article was s**t in comparison to this, you big headed t*at.

Don't know why you hate the command line

Posted by: Anonymous Coward on March 14, 2005 03:44 AM
I must take exception to your comment that iptables being a command-line tool makes SmoothWall Express a "not complete" firewall. This is just dead wrong and a misrepresentation of what constitutes a "complete" firewall. For the purposes of your article, we will for now assume that we're talking about "one box" between your trusted network and the Internet, though obviously there's more to it than that.

As a long-time firewall administrator for a large school district (my "customers", i. e. employees and students, number about 250,000), I should inform you that most firewalls that are actually good (e. g. Cisco PIX, OpenBSD pf) are in fact command-line based. Even the Windows-favoring Check Point, with its history of backdoors installed in the product, at times requires the command line, yes, even on Windows boxes. I have found iptables and netfilter, as well as the OpenBSD pf, to be about as full-featured as a PIX, one of several excellent firewall solutions out there. I would hardly call any firewall based on iptables "incomplete".

By your logic, only SonicWalls and other "home broadband" grade of firewalls that use a Web browser for *everything* are "complete" firewalls. I guess this makes virtually every enterprise-grade firewall "not complete", eh? Gee, I wonder what you must think of routers, then...what type does your school use, and is it "complete" by this standard?

Now, that said, a "complete" firewall solution really is not a matter of "one box," be it a PIX, SonicWall, SmoothWall Express, or otherwise. It encompasses physical security, operational security, personnel security, and a host of other things. By *this* definition, which is the more correct one, all "one-box" firewall solutions are by themselves "not complete", but it's not because they use the command line for certain things.

Not *incomplete*, merely lacking features.

Posted by: Anonymous Coward on March 17, 2005 02:54 AM
I never said that Smoothwall is an "incomplete" firewall because of the command line. What I did say was it is not "fully-featured". Let me explain what I meant.

Smoothwall targets the less technically inclined user, who may have no idea of iptables and/or rules for iptables. In such a scenario, the developers of Smoothwall should have made it easier to add your own custom rules for the firewall. Also, Smoothwall does not have traffic shaping. IpCop, another free firewall, does implement these two features.

You seem to be someone who loves the CLI. Well, that's great, and I totally agree with you that nothing comes close to the CLI for sheer raw power. But do keep in mind that while experienced sysadmins like you revel in the power of the CLI, a first time user will have no clue of what to do when faced with a $ prompt (or a # prompt, for that matter).

So, let me reiterate. Having to do some things through a CLI does NOT make Smoothwall "incomplete". It simply means that the developers could possibly add some features in the next version, so that even people who cannot for the life of them make rules in Iptables can use it.

As for your sarcastic comments about "only SonicWalls and other "home broadband" grade of firewalls that use a Web browser for *everything* are "complete" firewalls.", they don't need any answering, since the basic premise you started from is incorrect.

Re:Not *incomplete*, merely lacking features.

Posted by: Anonymous Coward on May 02, 2006 09:06 PM
Eh,

Complete UI maybe.

It greatly depends on your needs. I'd rather have IPTables + Vi than the firewalls built into a Linksys which are "Complete" also by those standards.

Automatic updates for Smoothwall 2

Posted by: Administrator on March 11, 2005 09:50 PM
Automatic updates can be configured for SmoothWall 2. It really should be part of the main system, or at least an option, though.

You have to use the command line to install and set it up.

Check out:
http://community.smoothwall.org/forum/viewtopic.php?t=5088

Which points to the script at:
http://svn.hozac.com/repos/swu/trunk/swu.pl

Put the script in /usr/local/sbin and make it executable.

Then set up a crontab:
0 2 3,13,23 * * /usr/local/sbin/swu.pl -u -r
