For those that don’t already know, Smoothwall is a very slick and easy way to set up a firewall/nat/dhcp server (and more) at home or in a small office
very quickly even on old computer equipment. I have used Smoothwall 1.0 in the past and liked its features (although at the time, I did have a problem with Snort failing to start after I updated the software with some fixes…). It served on an old Pentium II 400mhz machine with two NICs inside (network cards). One was the ‘green’ interface (more about that later) and the other was the ‘red’ interface. I used that setup for quite a few months, mainly because I wanted to see what alternatives there were to hardware based firewalls (such as DLink gateways/firewalls) that I had been using.
Why did I decide to give Smoothwall a chance? Well, quite simply, my dlink firewall/nat/simple router couldn’t handle large traffic, and when confronted
with that, would die, stone dead and the only way to fix it was to disconnect the power from it and restart. That’s just about ok if you are beside it, but if you are in Ireland (which I was) and it is in Sweden, then whatever you are hosting is down for as long as you are away.
Smoothwall was recommended to me by a friend who used it to secure his
machines on his home lan, some running game servers, some ftp server and
web. He said it worked great and I should try it, so I did, and dove right
in and used it for approximately 5 months without any problem except for the
aforementioned SNORT (intrusion detection system) which never ever
restarted itself after I updated smoothwall. I then moved house in September
of last year and brought my smoothwall computer with me, I couldn’t get it to
pick up an ip address from my new broadband provider (ADSL based) so I gave
up and re-installed the dlink hardware firewall.
Many months have since passed and my interest in smoothwall has re-emerged
with the release of Smoothwall Express 2.0 Final. The software is available
for download right now here, just download the ISO that suits you (I chose the one with inbuilt manuals and it was only 45.5 MB in size) and burn the iso to a CD.
Once you have burned the cd, the next thing you need is a suitable computer
to install it on, I’d suggest something old as the computer itself will only
serve one purpose, running smoothwall. The computer will not need a
keyboard/mouse or monitor once you have it all installed and setup
correctly, but it does require at least two network cards, or one network
card and one modem (who uses modems these days ?). You can remotely manage
Smoothwall from your local network via a web browser interface or via the
internet/ssh.
To install Smoothwall, just insert the CD and boot from the CD itself,
immediately you are presented with a nice Smoothwall splash screen announcing
the coming installation, let it boot up and choose CD (obviously) as your
installation media method. The Smoothwall quickstart PDF is available here.
Answer yes or no to the questions that pop up (they are so simple that there
is no point in explaining) and off it goes. The only thing the first time
Smoothwall users may find hard to understand is the ‘naming’ convention of
the lan connections, red, green and orange. To simplify things, if you have
two nics (network cards) and one is connected to the internet (wan – wide
area network) and the other is connected to your local network (lan – local
area network) then you can safely assume that green is your lan, and red is
the wan. Stop and go I guess ;-).
Once you have configured Smoothwall (it was quick, wasn’t it !), you are
prompted if you want to restore previously saved configuration changes, if
you have them, insert your floppy disc and it will restore them, I have not
tested this yet, but I did see that within the web based management
interface you can also backup to floppy or make a floppy img file and back
that up to your local hard disc for later retrieval. After that click ok to
reboot, once it reboots you can configure whether you want to enable the
DHCP server (works great for a home network) and whether or not your RED
(wan) interface has a static or dynamic IP address from your internet
provider. You can also specify what the DHCP server ip range is very easily,
which is nice, you don’t have to stick with the default 192.168.0.x range if
you don’t want to.
You will be prompted if you are using an ISDN modem (if not cancel it) and
an ADSL modem (if not cancel it) however, and this is a big however,
Smoothwall’s selection of ADSL modems are all USB based, and both ADSL
modems I have at home are not. There is also no option to manually specify
your ADSL modem, which is a pity, and I hope that the next release of this
software has that ability, not everyone who uses ADSL is using usb based
models I’m sure.
So, to get around that, I had to choose ‘disable ADSL’ and my next step was
to manually assign the IP from my ISP to my RED network card. That worked
for all of approximately 5 minutes. I could surf fine and I thought ‘hey
this is truly cool’ but then my internet went bottoms up. By entering my
ISP’s login IP address in my browser (on a machine connected via the green
network to the Smoothwall server via DHCP) I got up an error message from my
ISP. They didn’t like me manually specifying my IP address, so I digressed
and chose DHCP for my RED interface. To my amazement, this worked, and I
could login to my isp on the ‘normal’ pc and was once again connected to the
internet. This was more like it !
Next thing I did was to fire up my web browser based management of Smoothwall, which by default is located at https://192.168.0.1:441/. After accepting the security certificate, I was presented with a newly designed (and very nice) web based management interface for Smoothwall, much cleaner and better laid out than Smoothwall 1.0.
On the first page of Smoothwall Express Final 2, you will see a whole bunch
of tabs at the top of the screen (very like their web page actually),
clicking on any one will prompt you for username/password to gain access.
Enter your admin details and you are good to go. Once logged in, the front
page will notify you if you need to get an update from Smoothwall, In my
case, I needed one update, which is fairly simple to apply. You must click
on the maintenance tab, and then updates, then click on the update listed,
download it locally, and then use the management interface to browse to the
update file, and upload it to the Smoothwall server. If it sounds difficult
don’t worry – trust me, it’s easy. I do have a suggestion for Smoothwall
about this however, on the home page, instead of merely informing you about
the update, how about linking directly to the updates page (which currently
it does not).
On the subject of updating, the update available for me, was SWP-2004:001
‘updates for smoothwall express to correct linux kernel local security
vulnerabilities’, and seeing as the kernel version that ships by default
with the downloadable ISO is 2.4.22 I started downloading and updated to
2.4.24-final cf (2.1MB download). After applying the update, I was informed
that all was ok, however… the kernel listed in ‘about your smoothie’ under
the ‘advanced’ section was still the old one, so I rebooted. Perhaps it
should have told me to, I don’t know, but from RedHat and previous linux
experience a kernel update means a reboot. To reboot the machine, click on
the ‘shutdown’ link, and the ‘reboot’ button. You will hear it beep a few
times while it’s rebooting (doh, ray, me) and that signals that it’s up
again which is handy when you don’t have a monitor connected. After the
reboot, ‘about your smoothie’ reported the correct and updated kernel.
In order to see Intrusion Detection system at work, you need to enable it,
so click on the ‘services’ tab and highlight ‘intrusion detection system’.
Enable it and click save, (note, if you have not configured your red/green
interface properly, it will not start.) After some minutes, check the status
of the IDS by clicking on the ‘logs’ tab. You should see some attempts by
various foreign IPs listed in there. Next thing to look at is your
firewall, click on the firewall tab and you can see Source and destination
ports/ips attempting to enter/leave your network. Very nice.
Ok so you’ve got IDS setup and you’ve looked at your firewall and IDS logs,
now what ? well, you can open ports and forward them to specific ips on your
local network (port forwarding). To do this click on the networking tab and
select port forwarding. You can enter the port you wish to forward (for
example port 80) and the destination ip/port you want it to go to (for
example 192.168.0.205:8080). Next choose TCP (or UDP if you wish) and click
Add. The rule will now be added in a list which you can easily later remove
or edit.
What other cool stuff is there ? well, you can block IP’s, by clicking on
the ip block tab in networking. Just enter your chosen ip (the one you don’t
like) and decide if you want Smoothwall to drop the packet or reject it,
and of course, you can log this. Very cool. You can also configure
Smoothwall to block ICMP ping requests, IGMP, ignore multicast traffic and
lots more. There’s just an awful lot of cool stuff in this OS and the best
way to find out what it offers is to download it and test it.
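What the port-forward and IP-block settings described above amount to at the packet-filter level on a generic Linux iptables firewall, as an added example that is not part of the original review and not Smoothwall's own rule set: the script validates its input and prints the iptables commands without applying them. The red interface name `eth1`, the log prefix and the blocked address 203.0.113.7 are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: prints (never applies) iptables rules for the review's
# port-forward and IP-block settings on a generic Linux netfilter box.
RED_IF="${RED_IF:-eth1}"   # assumption: name of the red (WAN) interface

valid_port() {             # decimal integer 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {             # four dot-separated octets, each 0-255
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# port_forward PROTO EXT_PORT DEST_IP DEST_PORT
port_forward() {
    proto=$1; ext=$2; dip=$3; dport=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    if ! valid_port "$ext" || ! valid_port "$dport"; then
        echo "bad port" >&2; return 1
    fi
    valid_ipv4 "$dip" || { echo "bad address: $dip" >&2; return 1; }
    # Step 1: rewrite the destination of packets arriving on red, before routing.
    echo "iptables -t nat -A PREROUTING -i $RED_IF -p $proto --dport $ext -j DNAT --to-destination $dip:$dport"
    # Step 2: FORWARD sees the packet after DNAT, so match the internal
    # address and port; without this rule the forward is rewritten but dropped
    # by a default-deny FORWARD policy.
    echo "iptables -A FORWARD -i $RED_IF -p $proto -d $dip --dport $dport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# block_ip SRC_IP drop|reject [yes|no]
#   drop   : discard silently, the sender only sees a timeout
#   reject : answer with an ICMP error, the sender learns at once it is refused
block_ip() {
    src=$1; action=$2; log=${3:-no}
    valid_ipv4 "$src" || { echo "bad address: $src" >&2; return 1; }
    case "$action" in
        drop)   target="DROP" ;;
        reject) target="REJECT --reject-with icmp-port-unreachable" ;;
        *) echo "action must be drop or reject" >&2; return 1 ;;
    esac
    # INPUT covers traffic to the firewall itself, FORWARD covers traffic to
    # port-forwarded hosts; a block that only sits in INPUT misses the latter.
    for chain in INPUT FORWARD; do
        pos=1
        if [ "$log" = yes ]; then
            # LOG is non-terminating, so it must sit above the DROP/REJECT rule.
            echo "iptables -I $chain $pos -i $RED_IF -s $src -j LOG --log-prefix 'ipblock: '"
            pos=2
        fi
        echo "iptables -I $chain $pos -i $RED_IF -s $src -j $target"
    done
}

# Demo: the review's own forward (80 -> 192.168.0.205:8080) and a constructed
# blocked address from the documentation range.
port_forward tcp 80 192.168.0.205 8080
block_ip 203.0.113.7 reject yes
```
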
I successfully connected via a VPN through Smoothwall, and using PcAnywhere,
without any problems. If you feel that perhaps Smoothwall isn’t secure
enough then get another wan ip address and nmap your Smoothwall box, and
watch the output on your firewall/IDS logs, it’s impressive to say the
least. I’m confident that anyone who sees this will be impressed and will
want to set it up for themselves. It’s not perfect of course, for example
there is the USB ADSL modem issue (I don’t have a USB ADSL modem, mine is a
Zyxel Prestige 600 series), and the PPP settings tab in networking does list
PPP, PPPoA and PPPoE connections, but from the drop down list I could not
pick anything but standard modems on com ports 1 through 4. In other words,
I could not make it autologin my ADSL modem and in the end, had to login via
the web. Smoothwall is free and it’s a really useful thing to do with old
antiquated hardware, I’m certainly glad I have it running again on a box at
home protecting one of the two ADSL modems at home, and sharing the internet
to the pcs on that local lan. I am going to run this version of Smoothwall
for a few weeks and see if it does the business, if it does (and I think it
will) I will once again replace the dlink hardware firewall on the other
ADSL connection with this setup that I have now.
I give Smoothwall Express Final 2 a huge thumbs up for improving on the old,
almost tired looking Smoothwall 1.0. Please do yourself a favor, and give it
a try, the 45.5MB download is well worth it.
Smoothwall Limited (the company behind SmoothWall) deliberately restricts the development of the GPLed SmoothWall Express to encourage people to buy their Corporate Server product instead. (For one of the most glaring examples, does SmoothWall GPL even use a journalled filesystem yet?)
IPCop (http://www.ipcop.org) is a fork (now quite established in its own right) of the SmoothWall codebase, and has pretty much the same functionality but without the inherent conflict of interest mentioned above.
http://www.ipcop.org/ IPCop is a fork of the last GPL release of Smoothwall (1.0) and it seems to have all the features detailed in the article. I use IPCop with a pentium 75 and it runs like a dream.
The IPCop team is working on some interesting stuff for the next release. Moving from being based on Redhat to Linux from Scratch, wireless support (blue interface) and traffic shaping are notable. http://www.ipcop.org/cgi-bin/twiki/view/IPCop/RoadMap
Looks nice, but I still prefer setting up an OpenBSD box with PF. Don’t get me wrong, I love Linux on the desktop and for certain types of servers, but from a security perspective, I just feel a lot safer trusting my firewall to OpenBSD. Additionally, the documentation is excellent, which easily compensates for the slightly more difficult initial setup.
Never been able to get Smoothwall or IPCop running behind my landlord’s Linksys router for my own LAN. OpenBSD had no problem and runs like a dream. No fancy GUIs, just secure, functional, free.
IPCop is not a fork anymore, it was on the beginning.
I prefer IPcop always over Smoothie, and it works like a dream, absolute flawlessly.
SmoothWall Limited was founded by a deranged monster of a man, the aptly named Dick [Richard] Morrell. A Google trawl will reveal some of his posts to the support lists, and some juicy quotations can still be found in the comments of the Freshmeat listing (http://freshmeat.net/projects/smoothwall).
Aside from the personal abuse he loved to hurl around, he tried to make the product no longer Open Source, and attempted to close down the support lists, claiming that the users of the GPL version were nothing but leechers and were thus unworthy of any support whatsoever.
Given the combo of the founder’s personality and the deliberate restriction of development which continues to this day, it’s really not hard to see why IPCop was created.
I just thought this background info would be useful to forestall the inevitable “How dare they – they’re depriving the company of money that’s theirs by right!” comments which appeared in droves when OSNews covered the porting of QT GPL to Windows. SmoothWall Limited’s actions more than justified the fork.
I just burned the ISO for Devil last week to check out, but haven’t gotten around to it yet (I need to install a floppy disk in my ol’ PII 400 that’s currently running Linux off the hard drive for this same job).
Anyone have any experiences with Devil vs. IPCop vs. Smoothwall??
Noticed their site’s down
I now recommend m0n0wall http://www.m0n0.ch/wall/
DM
You can download it off of Sourceforge.
You could just use closedbsd (http://closedbsd.org/) from a floppy or cd.
http://wind.prohosting.com/smoothwa/
Yes, that sounds like the guy alright.
I can’t find the particular emails in question cross-referenced anywhere else, but that really doesn’t matter.
Just search Google Groups for “Richard Morrell” and a certain four-letter expletive/swearword (begins with the letter F, rhymes with “duck”) and you’ll have all the corroborating evidence you could ever need.
Anyone have any experience getting a webmail server to work on either smoothwall or ipcop?
Don’t know about the others, but monowall is easy to install, easy to setup and has a small resource needs. To me it’s the best.
Another excellent software is Firewall Builder http://www.fwbuilder.org/. Its graphical interface is very similar to the commercially available firewall devices.
I use it on a 12 years old 486DX 100 with 48 Megs of ram as the server with a cdrom and no hard drive.
Gentoo is used as the OS. I compiled a minimal version with only the required components and customized it to boot from a disk and then kicks on the cdrom as its bios can’t boot from the cdrom directly.
Only the files that are required to be writable are available in the ram file system as links. The rest are available from the cd in order to conserve ram and to minimize hacking impact if any, no one can modify the /etc/shadow and passwd files or almost anything else of a value.
The iptables firewall script is generated by Firewall Builder that is available on another box.
This machine is up for over a year and is rock solid and very secure.
On another note, Linux, FreeBSD and OpenBSD are almost equally secure if configured correctly. I don’t really have a reason of using one versus the other short of personal preferences.
These PC based firewalls are cool to play around with, but for home use I think a Linksys/Netgear firewall router is often times going to be a perfectly suitable choice. A computer (even an old one) wastes a lot of electricity and generates a lot of heat and noise.
I used to have a PII 233MHz Linux “server” setup that I used for various things such as a firewall/nat/ftp/file server/samba/etc… That didn’t feel like quite as big of a waste since I was doing various things with it. But even still 95% of the time its only task was to direct traffic from my LAN to the Internet. I just couldn’t ever get it out of my head how much power was being wasted by that computer so I bought a Netgear router and retired the server. I’m sure the money I spent on the Netgear router/firewall ($40 I believe) has long since paid for itself in power savings.
Granted though, some people are going to need something more than a Netgear router (like the guy in the article pointed out – his needs exceeded the capacity of his router).
This may be obvious but since the reviewer did not know, I will state it. In process and industrial control “red” is running equipment and therefore unsafe; “green” is stopped equipment and therefore safe. Thus, the “red” LAN is the unsafe LAN; the “green” LAN the safe one.
This whole smoothwall episode reads better than a soap opera!
On another note Guardian Digital http://www.guardiandigital.com also produces a linux based FW, which is free for home use, and quite good if you like the point and click GUI admin style.
and hasn’t been for close to a year. He has *NO* connections with Smoothwall anymore. If you see/hear Dick speaking about Smoothwall, ignore him. He was fired a long time ago, for very obvious reasons.
I can find no mention anywhere of the guy being fired, only that he “left”. Do you have any sources to back this up?
On his own web page (http://www.dickmorrell.com/news.html) he claims that in fact he sold his stake in the company and moved on of his own volition.
The rest of the SmoothWall team/company did very little to oppose his behaviour whilst he was there, and therefore they should (IMO) share some of the responsibility for his actions. SmoothWall Limited has also not (AFAIK) made any effort to apologise for his actions since he left.
Lastly, on http://www.smoothwall.org/team/kudos.html they even go so far as to thank him for his “hard work, generosity and passion”!
Instead of recommending product X over Y, wouldn’t it be better to simply tell people that if they want a firewall with more features than a D-Link or a Linksys, they have many software options to choose from ?
In the defense of SmoothWall Ltd, as of March 2003 Richard Morell is no longer an employee or director of SmoothWall Ltd.
SmoothWall have a press release about this at http://www.smoothwall.net/information/press/pressitem.php?id=6 and I shall leave you to your own conclusions about what this actually means. Although it does have a certain “politically correct” feel to it.
SmoothWall now has a new commitment to the GPL project (redubbed Express) and sees the launch of Express 2.0, its subsequent launch party and revamp of the smoothwall.org website as the start of a new long term focus on both Express and GPL projects in general.
It should also be noted that Express does support EXT3 (journalled filesystem).
The things I like about smoothwall
a) Easy patching
b) supports PPPOE to my isp – (I think I set my red interface up as a PPP client, rather than adsl or dhcp)
c) automatically maps to a dynamic dns service on restart.
Thanks to osnews for carrying this nice review! Along with other positive reviews and comments we’ve had for SmoothWall Express 2.0, I’m sure I speak for the team that we’re really pleased all the hard work thus far has paid off.
As to other firewalls, it seems to me that open source Un*x distros – and vertical ones such as appliance-like firewalls – will always be a partitioned space, with proponents and defendants shouting their corners. Every recent computer age has had them: Commodore 64 vs Sinclair Spectrum, Commodore Amiga vs Atari ST (Jack Tramiel clearly had a lot to answer for!), Sega Dreamcast vs Sony Playstation, et al. The sheer level of choice afforded by those prepared to defend their patch of the Internet is due not only to the rich variety of offerings, but also to the number of talented developers the world over prepared to devote their time to the causes of security and open source. It also means flame wars from time to time – I hope that for our part at least, there’s no need for that kind of thing to happen any more. I tired of the arguing a long time ago, as did a lot of people, so just use what you use and enjoy it, but make sure you keep on top of it in terms of updates – no point having a firewall that’s not been updated in a year or four!
I obviously love SmoothWall. I almost eat, sleep and breathe it. Others love it too. Others still have their own choices. Perhaps this review, and others like it, will make people reconsider their choices, or perhaps not – that’s the point of open source, and it’s great!
I personally feel privileged to be a part of this grand endeavour. Yes, Kon, it has felt like a bit of a soap opera at times, but all the best sagas have a bit of drama from time to time! A long, long MTU path ago, in an IP fragment far far away …
Because this site is about opinion.
Funny no one mentioned ClarkConnect. (http://www.clarkconnect.com)
I’ve tried both IPCop and Smoothwall,
and they’re nothing compared to ClarkConnect hands down.
Funny no one mentioned ClarkConnect. (http://www.clarkconnect.com)
I’m probably going out on a limb here, but I’m guessing it’s because ClarkConnect is a commercial product and costs $$$.
I suspect your average OSNews reader is much like your average Slashdotter in that Free (as in beer) comes out miles ahead of Not Free (as in… Well, ClarkConnect).
I’m just guessing that from a quick perusal of their website though. I’ve never actually used it.
ClarkConnect is an excellent program…. Free or Not
There are two versions.
ClarkConnect Home
ClarkConnect Office
ClarkConnect Home is free. (non-commercial use only)
Just this week I installed the new ClarkConnect, the free Home edition. I was also * extremely * impressed. It is very easily configurable, and very extensible. Moreover, by just applying a little elbow grease it’s relatively easy to get most of the features of the Office edition. Perhaps I’ll write up a review of it for OSNews.
I encourage anyone to give it a try. Its scope goes beyond that of simply a firewall (additionally providing many types of servers), differentiating it a bit from the likes of smoothwall. In my opinion the long term costs (in power and time spent) just don’t justify using a software firewall-only box.
I think a solution like ClarkConnect, which provides so much functionality, is the right option for a dedicated box.
Has anyone tried sme server (used to be called e-smith)? I think its a similar product to ClarkConnect, and I’m curious to hear people’s opinions.
ClarkConnect is free for non-commercial use.
astaro is an awesome product, albeit not free if you want to use their web interface
i was evaluating it for use with some clients one time, and as long as you are willing to license the features, there is very little it doesn’t do as a firewall/vpn gateway/proxy server that i would ever think i would need to do.
for here i use ipcop, but i like how you can customize it beyond what you can do with a netgear/dlink/linksys router
Yep, it’s simple to install (and for me that’s essential). BUT… While the incoming firewall protection has been excellent on my Smoothwall 2.0 Express (normal) box, any comments on whether the ‘Final’ version improves on outgoing protection? Why is the default outgoing firewall protection so lame? G:)
Richard is like an elephant in a glasshouse – this is well-known, even for German readers, as published in c’t
magazine long time ago.
…was created, because for the behaviour of Mr. Morell,
and being alltime that aggressive to loyal users, that was
where it all began. No bashing, but everyone’s knowing for
today that Richard is a big A**.
IPCop uses ext3 for ages!
As has SmoothWall had ext3 for about 18 months.
Dick Morell is long gone since march 2003 which was a good move by the project and the company. Why can’t people just move on and stop blaming good people for what he did and the way he acted and his lies.
SmoothWall Express continues to be developed and supported and paid for by the company as it always has been. It also has dedicated staff to produce patches quickly.
If you are going to diss a distro or firewall at least get up to date on it!
Some SmoothWall Limited employees kindly took the time to get in touch with me and set me straight.
I take back what I said in my earlier posts. Please evaluate their offerings on their technical merits, and not on the company’s past actions under Richard Morrell.
good on you for taking it back,
give smoothwall a chance, the review was written with an open mind, and I must confess I like smoothwall,
it’s still running and will no doubt continue to run !
I hope that others will read the review and consider using smoothwall based on the information supplied and not on past experiences with certain people.
cheers
Niall.
I’ve been using it for my home server for a while. I lump it in with the distros that are very easy to use in default configurations, but very hard to use in non default configs. I also had a lot of problems getting things like weblog software, port opening, etc. to work because of changes they made in directory structure. Their templating system is asinine.
get a shell, and run setup.
Under Networking
Have fun.
There is another linux-based firewall distro out there, called FreeSCO (as in FREE ciSCO, not that other evil company). It can be run off a floppy or hard drive.
http://www.freesco.org
“Has anyone tried sme server (used to be called e-smith)? I think its a similar product to ClarkConnect, and I’m curious to hear people’s opinions.”
i have used it for about 5 years and think it is a fantastic product, lots of contribs for it
unfortunately, Mitel has decided to no longer develop SME server
there is a community of folks looking to keep it going over at
contribs.org
so go check it out
M0n0wall, based on FreeBSD is imho a very cool firewall, run it either from cdrom or hdd (or soekris) –> http://www.m0n0.ch/wall and only a 4 Mb download
We have used Smoothwall at our small business for about 3 months and it has worked perfectly. It is a very good free product which meets our limited needs. If our future needs require greater capabilities I will certainly consider the company’s commercial offerings as well as Shorewall and other open source offerings.