Domain: smoothwall.org
Stories and comments across the archive that link to smoothwall.org.
Comments · 147
-
Re:Red Hat 8 on P90....
I just downloaded smoothwall to give it a go, I'm running slack 10.2 on a Toshiba Portege 7100 (500Mhz, 320Mb). Since the cd drive gave up the ghost a long time ago and I've only got a floppy for it, getting any OS installed is ...interesting. (USBHD mounted from the slack root disks). Smoothwall only provides isos for installation, the documentation http://downloads.smoothwall.org/pdf/docs/SmoothWall_FAQ.PDF/ is annoying, the faq answers many questions with "The answer for this question is covered in another document" and even if I mount the iso, in /mnt/cdrom there's nothing I can do with it... oh wait there's a tarball which probably contains a mini live distro and a readme that contains the text "Please see http://www.smoothwall.org/ for documentation". Sorry but that's an rm -R Smoothwall. Anything but Dead simple.
I know this sounds like a whine but that last 10 minutes really annoyed me. It's GPL s/w for chrissakes, just gimmee a tarball! ... whew, now I feel better. -
Re:Red Hat 8 on P90....
I have a similar machine; 12-year old Pentium/90 that I originally installed Red Hat 5.2 on. Since then, I've turned it into a firewall/router using smoothwall. Dead simple to install and maintain.
-
Unwanted Content is Not Difficult to Block
Using DansGuardian with Squid is not difficult to set up. The default blocks are quite comprehensive, and completely customizable. There are even gateway/firewall distros like Smoothwall and IPCop that have drop-in support for DansGuardian.
Now, if more people would just learn the need for a real firewall, and how to configure the darn thing... -
Re:World of Warcraft's Bittorrent updater
"I've had nothing but slow downloads (and yes I've forwarded the ports) and crashes using their client."
perhaps you have a shitty router?
I've seen some routers choke on multiple simultaneous connections from say ~30 different addresses. this can sometimes make programs crash on your pc. time to upgrade your router -
Re:One of the most important open source projects?
Sorry, I've never tried to do that. I've had a router for a while.
However, there are several Linux distros that do what you want out of the box. Have you looked at smoothwall (http://www.smoothwall.org/) or coyote (http://www.coyotelinux.com/)?
-
Re:Different purposes...
Is it? Remarkably bad performance for a linux box. I was thinking of this linux distro for linksys routers. Maybe it's the hardware.
/shrug
It's still no substitute for a real firewall IMO.
IpCop
Smoothwall
m0n0wall
I've played with perhaps a dozen little firewall distros like these and I'd prefer any of them to the default linksys setup. These three are my favorites for features, power, ease of use, speed, and tinkering ability. m0n0wall isn't easy to tinker with, but runs quite well from a 6MB ISO image and strikes me as pretty unhackable. Maybe someone should hack that onto the linksys. -
Netboz, Smoothwall, and IPCOP
Well....
Netboz is a solution... it runs off a CD and has many of the popular options.
instead of running it off of the CD, I suggest that you use one of the pre-configured firewall options that installs off of your hard drive. These are just as easy to configure, but host a lot more options and mods.
Smoothwall Express - http://www.smoothwall.org/
or even better yet, IPCOP at http://www.ipcop.org/ -
Re:is this really new?
Or you have a wired LAN on a separate subnet?
Not hard at all. With Smoothwall, it is easy to set up.
I do not use the radius packages but I have my wireless router (only acting as an access point) with WPA/TKIP, Xbox, and PS2 on that subnet and my computers and servers on a separate one separated by the firewall. With the exception of port 22 SSH, nothing can get from lan2 to lan 1. Not perfect but more secure than most. -
Re:OpenBSD, of course!
I've been using Smoothwall Express for over a year and have been extremely happy with my decision to use it. Plus, I installed Adzapper to block virtually every web ad on the sites I visit (including all the ads here at /.). -
Already been done. ie. Smoothwall
I've been using this security setup for a while now. Smoothwall has this option available to advanced users. Basically, you configure your network to have Green + Orange + Red interfaces.
The Green interface is where you connect your standard LAN router/switch.
The Red is where you connect your WAN cable.
The Orange is the DMZ your servers go on.
The Green zone has full access to both Red and Orange.
The Red zone (outside traffic) is denied by default unless requested or allowed by port forwarding rules.
The Orange zone is completely denied access to the Green zone. Therefore if someone from the Red zone hacking your servers gains root access to your servers, they will not be able to access or see any of the computers on the Green zone.
If you're very network savvy, you could set this up for free in one weekend. -
Less than $100?
"So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
Hi. I just bought this brand new Dodge Viper. I'd like to buy an alarm for it. What do you have that's less than $19.95?
If you're spending less than $100 in hardware to protect an important server - then it's really not all that important to you. Really.
If you want to spend less than $100, buy a Linksys firewall/router and put that in front of the server. If you take your servers a little more seriously than that, spend a little more money and build a decent firewall, or at the very least - a pair of cheap firewall boxes that use CARP for redundancy.
Anyway. To get back to your question - I prefer OpenBSD for firewall control - you can pretty much do anything with OpenBSD/pf (thanks for writing pf, Daniel!)
If a web-based control panel is more your thing, you might want to look into IPCop (a linux-based firewall based on SmoothWall). IPCop is pretty, free, and reasonably capable. PFSense is still building up, but it also has a web interface. PFSense is based on FreeBSD.
Hope it helps. -J -
Best Free Firewall Firewall
This one is great if you don't understand tcp/ip or if people that manage it for you have no idea what tcp/ip is. http://www.smoothwall.org//
-
Take One Old PC
Add two network cards
Add free Linux 2.4 distribution or higher
Activate netfilter and iptables
See: http://www.netfilter.org/
Deploy firewall using instructions in the netfilter how-tos:
See: http://www.netfilter.org/documentation/
Or, if that's too much for you, just get the equipment and add one of the pre-configured firewall Linuxes like SmoothWall (http://www.smoothwall.org/), Devil-Linux (http://www.devil-linux.org/home/index.php) or Coyote Linux (http://www.coyotelinux.com/).
No fuss, no muss.
Steven
-
Smoothwall
Install it on a older box like a 400-550Mhz machine and it will work very well, nice features also.
http://www.smoothwall.org/ -
Smoothwall
Find an old box, put two eth cards in and install Smoothwall Express http://www.smoothwall.org/
-
Smoothwall
-
Re:Ridiculous
Especially when there are good implementations ready for you to drop right onto a box, like http://www.smoothwall.org/.
I have a Pentium 266 that hums in the background and firewalls my network with Smoothwall. I'm quite pleased with it. -
Re:Linksys
Linksys routers are far from great.
As are most home routers although I have found the Linksys routers to be less of a problem than other brands. In fact some other brands are borderline useless. I could give specifics of at least 4 different brands from my own direct experience but the bottom line is many of them have odd quirks and frequent lockups during typical home use. I started years back with a homebrew Linux box doing NAT and rules. I changed gears and went to the home router appliance and tried several different models and brands over about a two year period. With so many problems and lack of configurability, I went back to the headless white box but instead of rolling my own again, I took the easy route and used Smoothwall. -
The works!
I just moved in with some flat mates from college. We have 5 regular use PCs (2 mac, 2 WinXP, and 1 Linux). Our main internet gateway/house file server is a PIII 900 Dell, 2 10/100 Nics (one taking the internet, the other to my Linksys WiFi), 1 gbE NIC connected to my PC sharing my ripped movies, and cds with everyone. The Dell runs Smoothwall, and a shoutcast server (so everyone in the house can play the same music at the same time). My Linksys router runs WiFi Box. There's plans to build a HTPC for the TV room... but we may just wait for the XBox 360.
-
Simple Solution
I have not had time to read every post, so I apologize if this has been mentioned before. I think putting up a gateway server based on Linux would be very helpful. A product like ClarkConnect (http://www.clarkconnect.com/info/) would serve well in that situation. This is the solution I have used. A quote from their website: "The award-winning Linux-based solution includes firewall and security tools, along with file, print, web, e-mail, proxy, antivirus, antispam, content filtering, VPN servers and more. A detailed feature list is shown in the sidebar below." You could also use something like SmoothWall (http://www.smoothwall.org/) as a gateway as well. By setting up a true firewall you can limit the outbound as well as the inbound ports. This will not eliminate the problem but reduce it to a great extent. Further services like antispam and antiviri will bring the number of issues down considerably. The downside to this is the computer will have to be somewhat beefy. For 500 users look at 3.4Ghz with 2+GB ram and a few nic cards. I know there is no $ for this project, but that is just not reasonable. Getting the money for this would be VERY easy. Say the cost was $10K this would only be $20 per person (500 users). This could be charged as a one time fee or spread over a monthly payment (barring the school would front the $). You could also start this by charging users a fine for not following documented procedures for using the network. Uncontrolled Virus: $50 fine. Allowing your machine to be a Zombie Server: $150 Etc etc etc.. You would have the money in no time! Good luck with this, it may seem impossible now, but it is really not that hard to fix.
-
Re:Annoying People != $$$
What I did to combat annoying advertisements was to install AdZapper on my Smoothwall box. I rarely see any ads (including Flash-based ads). Plus my pages load a lot faster since I don't have to wait for 3rd party links to respond.
-
Solution for nearly every problem
start -> run -> msconfig
Turn off all services you don't need or understand.
Turn off all programs loaded at startup that you don't need or understand.
Install ZoneAlarm
Defragment at least monthly.
Windows will be running lean and mean
(XP home uses less than 86MB RAM used on a 512MB laptop)
For the tech savvy - get a cheap (PII+) 2nd box with 2 nics and install SmoothWall
That OS serves as a firewall + DHCP server and does wonders for the home network - no router necessary, just buy a switch for the local network. -
Re:Dial-Up/Linux
The trick is to use a dial on demand linux box.
Smoothwall or Freesco if you want a pre packaged solution for that setup (both do much more as well). I used Freesco running from floppy on a 486 with 12MB ram when I had dialup and it worked fine.
Getting off topic here but anyway..
I am using Smoothwall at home now on a P200/128Mb with 3 nics and fully optioned (DHCP/Snort/Squid/DDNS/DMZ etc) and it is running great. It seems every single home router I've tried has some very annoying issues or some bug somewhere in one form or another and I finally got frustrated and built the Smoothwall box. One model home router would not work with the PS2 headset regardless of DMZ status or ports forwarded and would randomly drop computers off the local network, one model would slow to a crawl when passing pop email and would stay at crawl speed until rebooted, one model would choke with heavy multiple connections (bittorrent, some games, and usenet) and would not recover, it also took up to 20 minutes with multiple reboots for it to get a DHCP address from Comcast. The list goes on and on. I understand these are home routers but you'd think they would at least work. Funny how I rarely see firmware updates for them either. I have not tried any of the Linksys models but Dlink, Netgear, SMC, and ATT have failed me. -
If you really, seriously hate ads,
1. Get an old POS PC from a trashpile
2. Install Smoothwall on it. It's free..
3. Install Ad Zapper following THESE directions.
Any and ALL systems that you connect into your lan will have ads blocked whether they want to or not. -
Re:Missing feature
Now why would Apple put a second ethernet port in a low-end consumer product designed to keep costs LOW when they don't put a second ethernet port in ANY of their machines (except XServe)? If you want a firewall or router, build a cheap PC and do it with Linux (i.e., Smoothwall, etc.) I think this is not as much a "missing feature" as much as it is you're missing the point, IMHO.
-
Smoothwall
You could use a smoothwall router. Only cost is standard hardware.
-
The setup...
Smoothwall firewall installed on an old AMD 333 system, DHCP running on an internal box (also running other services), internal DNS and some network trickery. AVG, Sygate Personal Firewall and strict Active Directory/Group Policy (or at least as much as possible using non-M$ methodology) control on every Win32 box. Various brands, but the same ingredients for the two Linux boxen. SSH and VNC on everything. Lots of dirty looks, nagging and ever increasing restrictions for more... mischievous users.
I don't have a chance to dig up links for these, but diagnostic tools are a must if you really want to lock stuff down. First, generate and read logfiles whenever possible. Check things out with nmap, tcpdump, ActivePorts, Look@Lan, Kiwi syslog Daemon, Portlistener XP, Bazooka Spyware Utility, Spybot Search and Destroy, Socketlock ... the list goes on. Generally try any tool you can and you'll get a feel for what is actually to your tastes and useful. -
What I use
I use SmoothWall on a P200 with 384mb ram and a 10gb hdd.
There's been upwards of 20 PCs on the network and there's been a few times when 1 of us will be on the phone (VoIP), 2 of us are downloading a lot of files via p2p and another downloading ISO after ISO off of MSDN - all at the same time.
The little smoothwall box handled it all wonderfully, plus there's a fairly large community out there writing custom modules and addins for it.
The best part? Well, besides the transparent web proxy, I really like how you can have an internal-only network and a separate DMZ network to hang your web services off of.
It's not as small or sexy as that 3com, but for me it's a perfect fit - handles a lot, plenty of ways to monitor it, and the price is right. Give it a shot, see what you think. -
Old _Working_ Computer Parts Make Great Firewall
Can't believe no-one has pointed out that you can use some of the working parts from old machines and piece together a nice firewall. I've set up a dozen or so Smoothwall firewalls http://www.smoothwall.org/ with 486 parts. My personal Smoothie is a P1 with 160 Megs of RAM. While it runs like a dream, the old setup, a 486-100 with 64 Megs RAM did the same thing. The only difference was the web interface speed.
With everything that the smoothie box does, for the price of a couple of NICS and cables, I'm more than happy with the performance and security that Smoothwall brings to my cable connection. So don't be so quick to make yourself a key chain or clock, when you could be adding some security to your network and have Linux running 24/7.
Prior Slashdot coverage http://it.slashdot.org/article.pl?sid=03/12/08/2157248&tid=172&tid=106 -
Try SmoothWall!
Try SmoothWall Firewall. A great open source and easy to set up and use firewall.
SmoothWall. -
Re:Frames Weren't Practical
IMO, if I understand what you're suggesting correctly, frames are still not necessary even for web-based applications. I've never used SlimServer, but there are web-driven appliance interfaces that never need to invoke frames to control their backend. AFAIK (and tell me if this is a bad comparison), neither SmoothWall's nor Media Player Classic's (if you were to use MPC to run a media server) web interface felt it necessary to use a framed layout.
I thought about what advantages frames would give you in a web-based application situation. I think that the most practical thing I could see it being used for would be to refresh the current playing song in the top or bottom while you manipulate the config or controls in the main window. If that is the case, then an alternative to the frameset could be coded in a similar fashion to Gmail. It might require heavy Javascript, but all of the form information or whatever could be left intact while the code goes out and checks for an update on current song information.
But, in a web-based application, the disadvantages of frames are reduced to almost nothing anyway. Everything should be rolling around inside of the frames at that point and if there is ever a need to externally link, it should have been handled and tested properly by the developer. -
yes, as easy as it gets.
DIE/DOE6 is a free upgrade, as you said. And can be installed on even Win98 (maybe 95, too).
I own one copy of Windoze 98. To move the rest of my computers would cost big bucks and leave me with considerably less reliability, function and value.
I don't know why you keep getting an extra point added to your post score.
I'm an old fart with excellent karma, gained by wasting many hours and submitting many stories. You could say it's earned, mostly by sharing useful information, like what follows.
Is setting up a firewall on Linux as easy as checking a single checkbox?
Guarddog. OK, you have to click more than one button, but a firewall with one button might not work so well. Smoothwall is as easy to configure as any WAP. If you don't like that, you can copy an ipchains script like Ian Hall-Beyer wrote.
-
Re:The problem of convinience
Smoothwall is exactly that, a custom Linux distro with boot-from-cd install that only requires you to hit "enter" a couple dozen times to turn any old 2 nic pc into a pre-configured modern firewall with internal NAT and DHCP.
I use it and find it very handy (lots of old PC hardware about)
-
Re:I never understood the Bittorrent thing...
I don't have any experience with DSL -- but it wouldn't surprise me if it works the same way.
It's funny cause back in college I had DSL and that is a *very* common problem with the technology, I always wondered if cable had it. After graduation, moving out, and ordering cable I quickly discovered that fact.
IIRC, the problem (at least for DSL) exists due to a large send queue on the external interface. TCP/IP ack packets had to sit on "line" for too long, therefore the connection speed was throttled down. Since there's no (easy) way to change the modem's queue (at least not on the one I had), I ended up using the Bandwidth-Limiting HOWTO on my RH 7.2 install. It ended up working pretty well until I upgraded it to RH 9 and discovered half the packages were no longer supported and I didn't have time to tinker with it. After I left I turned over control of administration to someone else and last I heard they were using Smoothwall for it. -
Smoothwall
Simple Solution:
Put a smoothwall box or another router between your home network and the new cable modem (as I'm sure many of us already do). Although the wireless access would be nice to use, 802.11b/g access points are pretty cheap these days. -
Help 'net security
turn them into smoothwalls for your friends and neighbors.
Seriously... I've recycled a bunch of old pentium-class machines that were headed for the landfill by setting up a "smoothie" and giving them away to ppl.
Doing my part to stamp out worms and viruses. -
Re:I can see it now...
Microsoft selling Linux? www.smoothwall.org dumped linux for win xp... but only on April Fool's Day.
Could Sun be having an April Fool's hangover? -
Bring it on baby!
1. http://www.smoothwall.org
2. http://adzapper.sourceforge.net/#install
3. http://martybugs.net/smoothwall/adzap.cgi
Get them. Do it.
Try all you like, you filthy, rotten marketeers, but you won't be peddling your wares in MY house...
Hahahahahahha!!!
-
Re:Stick to hardware routers and firewalls...
You get what you pay for. Being a security analyst at a rather large global company, I was indirectly involved in a "broadband user" rollout. We use client VPN software to get into our networks, but we mandated that all broadband users have a hardware firewall. I actually tested some of these at home on my own. Nothing but problems. And our end users have had problems as well. In the end, I went back to linux and iptables. I wish it were economical to do the same for all of our users. Then again, I guess we could make the business units pay the cost of a sonicwall at each location...
The easiest robust solution that I have found that I would recommend building for family and friends (not sure if it is quite easy enough for them to install themselves yet) is an old computer running smoothwall
-
Re:Thats what you get
Go to Computer Surplus Outlet. Buy one of the cheap Pentium II systems they are offering. Get Smoothwall, and install it on the cheap P-II (be sure to read the User's Manual included on the CD) you just bought. Sit it between your PC and cable modem. Got ghetto Broadband? Run Squid on it. You will have all the security of a Linux based Router/Firewall, and the speed advantage of a Squid Caching Proxy Server.
-
go here
http://smoothwall.org/ rocks like none other
-
Re:Apps for Linux desktop
Apparently the person who modded you up didn't check on what you said or just doesn't run Linux.
Ever heard of Firestarter? That's one GUI firewall I can think of off the top of my head. Let's see here, how about fwall?
As far as your corporate firewall question, you might check into PF and OpenBSD. As far as Smoothwall, did you try the corporate version or just a free download? Googling, look what I found as far as your remark about outgoing ports and Smoothwall.
Haven't seen such a blatantly uninformed post in a long while. -
Re:Linux is not inherently insecure
We setup two firewalls facing the Internet, a MS Proxy server and a redhat9.0 as a test server. The redhat was compromised using sendmail and samba exploits and
Why the fsck would you have sendmail and samba running on a firewall?! The whole point of a firewall is to be a bare minimum system that's basically got nothing that's possible to hack into. If you know enough to know you should set up a firewall, you should certainly know it shouldn't have ANY services running on it.
I did not use iptables to block unneeded ports on the outside...
Not much of a firewall if it doesn't block any ports, is it?
You didn't set up a firewall...you set up a desktop system that just happened to be a router, too.
If you really want a good firewall setup without all the screwing around, try SmoothWall.
http://www.smoothwall.org/ -
SmoothWall
I think he left SmoothWall off the list (smoothwall.org). It's in the bootable-business card, minimal firewall distro category.
-
Re:Cisco will try to stop this somehow
I probably live in the dark ages, seeing as I don't remember reading anything about Cisco buying linksys, but still... Maybe they did it to stop linksys from making even more crappy products? Not trying to troll, but they have given me nothing but grief. The DHCP server in the Router I bought from them died, the Wireless USB adapter I bought for my wife is constantly flaking out, and the WAP11 I bought for wireless access doesn't seem to understand multicasting.
I'm still stuck with the two wireless products, but finally threw together a FreeBSD firewall that I use for my router now (200MHz pentium machine that cost me $40cdn, less than half the price of a linksys router dealy).
Check out ipcop, or smoothwall if you want alternative firewall/router solutions. -
Time to get smart about your bandwidth...
... and set up a shaper on your ISP link that slows down your outbound BitTorrent traffic. Me, I use a SmoothWall box with a regular old Wondershaper script. Keeps my DMZ traffic in line (so it doesn't choke my isp link) and works well enough for a system that you don't have to twiddle the knobs on too much.
(Yes, I read the docs for tc, and I'd love to have an HTB shaper instead of the standard qdisc one I use, but I'm too busy to spend that much time for the small advantages a truly custom firewall box would offer.) -
Re:Question About Smoothwall or firewalls in gener
The best thing for me to say in reply to this is go check out the SmoothWall Community forums, as I'm about 15 seconds away from disappearing to bed :) -
Re:I used smoothwall for a while
I had to laugh when I read this:
it was weird to find out from the horses mouth that there are now more than 23 times the number of downloads for IPCop than there are for SW GPL (both versions), that there are on average 15,000 more visitors per day to the download pages for IPCop than SmoothWall
The reason there aren't click-thrus from the SmoothWall project page on sourceforge is because we don't use those links or that page to generate downloads. The bulk of our downloads come from our download page (at the moment suitably lightened in weight to combat the /. effect), whereas that other firewall distribution uses their Sourceforge project download page (or 'Files' page) almost exclusively to host downloads. This is why that other distribution appears to get hundreds and thousands of downloads, while SmoothWall appears to get a mere handful through Sourceforge. The ~ seven million hits and 300-400 gig of bandwidth we chew through every month (with half a million hits and 250 gig of those being hits to download.smoothwall.org), coupled with the fact we use other mirrors in addition to sourceforge to host our files, suggest to me that using sourceforge to gauge our overall popularity and download counts is a flawed strategy at best.
and that for every four visitors to SmoothWall, three then click through to IPCop and download 1.3.0.
How can someone "click through" to another project site directly when there's no direct link between them? Incidentally, from what I can tell, the huge number of hits to that other distribution's sourceforge stats is due to their inclusion of the sourceforge stats-collector logo in their web interface, thus generating thousands more hits for their project while people administer their firewalls. Cute, huh?
As for the final comment, if this were the case, how could any commercial security vendor survive? There will always be a market for boxed product, while the degrees of openness within such product will invariably differ from product to product, market to market, and over time.
-
Re:I use this one at home
> USE IPCOP ITS A FREE PROJECT
So is SmoothWall, and always has been.