Slashdot Mirror
SmoothWall Firewall Review
Daniel Goscomb, one of the lead developers of Smoothwall, responds:
In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.
The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need of shadow password files, if you have access to the machine to get the passwd file, you are already in as root anyhow.
Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.
He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.
As to the part about user authentification of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.
I also find it disturbing that the author gave us no room for comment in his article, nor did i see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.
Sincerely,
Daniel Goscomb.
Chalk it up to lack of testing. A firewall developer should let a team of hackers attack, poke, and prod the firewalls before releasing them to either eliminate or minimize vulnerabilities.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
I think a reviewer just got an electron slap..:)
" The best Bucket is a SCREAMING one "
That doesn't seem to be little more than excuse talk to me.
Join the Free Software Foundation
It's secure, featurefull and easy to configure - what more could you want?
Any moron who doesn't do research before doing a review needs a kick in the a**. Any faults pointed out by the reviewer are not the smoothwall teams fault.
Any real Linux user would know the facts. All it does is make this guy out to be a moron.
If Microsoft was never created, who would we have to hate?
For an affordable, very easy to configure, and speedy (excellent performance on my 386/33 with 8mb ram) firewall/gateway, you just can't beat sharethenet. I had it up and running in 1/2 hour, and there is almost no performance difference when I have my cable modem hooked up directly to my speedy p3 desktop. It "embeds" linux by loading it from a floppy onto a ram disk. If you get hacked, simply restart your machine, and you are back to factory settings. Downside is you need dedicated hardware, but OTOH, that hardware can be very old and still perform.
std::disclaimer<std::legalese> sig=new std::disclaimer; sig->dump(); delete sig;
Do they teach this response when pursuing a Computer Science degree? "Obivously you can't do it, because I can't think of how to do it." Sheesh.
we have an article taking what dang has said along with our comments on the way the article author behaved when collecting his "evidence" ...
our response
neuro at well dot com (when I post, it's my opinions, no-one elses)
as c't is (imho ofcourse) a much respected magazine, and normally I would call it a trustworthy source. I would certainly not expect them to publish such a damaging article without giving the authors of Smoothwall a chance to comment on the findings.
karma capped
I used smoothwall for a short time to evaluate it and technically it looked like quite a nice product, but then I started reading about the attitude of it's creator to the GPL.
Now I'm happy for people to write GPL software if they like, and I'm happy for people to write commecial software if they like, but smoothwall seems to want to get the benifits of both.
They seem to want to get make free use of other peoples work through the GPL, but to feel free to only release parts of their software commercialy. I'm not claiming they are breaking the GPL or anything, but there seems something very unfair about their approach.
Also if you get the GPL edition, there are all kinds of requests on the web site that you donate money to them "SmoothWall developers have kids and families too, and it's all about giving back to the people who helped you.
". And yet I would guess that about 90% of what they are giving out was written by other people and they don't suggest they are going to give 90% of their donations to them.
Again, nothing wrong with that, I just don't much like it.
Basically I suggest that people look at their web site, and search the internet for comments about the creators of this software and how unhappy some people are with them before they go and use it.
Sig is taking a break!
Here here! (or is it 'hear hear'?)
I am assuming you meant complacent, if not then this response will make no sense :) To me it would seem kind of hard to be any other way when you are acting as the glue to pre-existing components. Unless you are planning on re-writing/modifying all of them.
How else do you expect him to respond? Well I don't like the way you comply with this 3rd party product that requires your files to be like this!
This debate seems to be over whether Smoothwall was designed to secure against attack from outside your DSL dialup or against attack from the inside. Shadow passwords are meant to provide a safeguard against dictionary attacks from logged-in users on a multiuser system. c't's complaint that there is no shadow password on a single-user system is valid; if you're worried about people in your own house trying to hack into your firewall.
It is true that internal security against logged in users can help defeat attackers who can only partially penetrate external defenses. If, for instance, you can only use a CGI bug to get ahold of the passwd file, you can leverage this with a dictionary attack if shadowing isn't installed. Provided you can disable the packet filter and attempt to login as root externally once you have the password... or even use an su type exploit from your original CGI bug. Either way, there are a lot of large corporations with bigger security holes than this.
However to claim that his review "shattered the illusion" of Smoothwall being a complete solution for home users is complete hyperbole. A home user who is trying to secure himself from internal attack from other logged in users in his house is probably pretty savvy in the first place and also has bigger problems. If the purpose of this product is have a CD you can ship to your parents to secure their DSL line against script Kiddiez and Hotmail's Traceroute function, then Smoothwall sounds to me like an outstanding effort.
c't': Two demerits.
--
What happens when you outlaw guns
He says shadow files are irrelvant as the box has only one account, root. Whatever happened to rule # 1 of having your web server and CGI's run as a different user ?
So the firewall doesn't have security holes? I think they'll have to add some if they want to make a version for Windows XP...
I hope it is on-subject enough to point out that I believe this is an excellent job Slashdot has done, going out and getting the rebuttal for the review. Although it is not quite perfect -- it acts partially to discredit the link source -- it is much closer to what I think Slashdot could be, a first-run news source with original articles -- for [nerds|geeks]. Until then, while the editors post their comments after a link, it's little more than the second-run movie theatres (which have their place, don't get me wrong). Thanks, Slashdot.
I also find it disturbing that the author gave us no room for comment in his article, nor did i see anything to suggest he had even asked us about these so called "problems".
Ok, so he didn't quote you in his article. Big deal. He saw the program and wrote what he thought. Does he have to say that he asked you personally about a problem? Maybe he asked someone else. Is there a lack of communication in your business?
Passwords should be shadowed even if you are the only user. Anyone can look over a shoulder, or even view the security tapes.
They run as user nobody... it says 1 user with access to the shell.
I was in the Smoothwall IRC channel on several occasions when this reporter came in. First of all he didn't conduct himself like any other reporter I have ever met. He was elusive regarding his motives (ie he wouldn't say he was from the press), he was beligerent beyond belief and gave the impression he already knew what he was going to write. Refusing to even listen to the dev team's answers, the sticking the fingers in the ears behaviour he exhibited was most flattering. I just hope c't are more exclusive in future with regards to the staff they employ. This guy was nothing but underhanded and stubborn.
-- Steve 'Hellcore' Hughes: Graphics + Concepts @ SmoothWall. http://www.smoothwall.org http://www.smoothwall.co.uk
I don't recall that the smoothwall runs any web services, does it?
Your rule #1 of having the webserver and CGIs run as a non-root user should be backed up with a rule #0 of not running a firewall *on* the webserver...
Specialization is for insects. - R.A.H.
it has cgi-based configuration scripts which would imply a webserver as well.
the point is that smoothwall is NOT SECURE. its does stupid things because according to the developers the daemons concerned require it to be that way. thats just STUPID. those daemons are GPLed. how long does it take to add a small encryption routine to a piece of GPLed source ? its trivial and the developers deserve to be bitchslapped HARD for this STUPID RESPONSE to a perfectly valid article.
Whenever I go to purchase any kind of consumer electronic whatever, I scope it out on Shopper.cnet.com . I get pretty dang good information from them, and usually decent feedback from the users also.
However, if a vendor is aware that a review is going to be done of their product, it is obviously in their best interest to make sure that the reviewer has all the information they need.
When that is offered, and the reviewer doesn't take advantage, what recourse does the vendor have?
My sig hates me. That's ok, I never cared for it much anyway.
I'm running gibraltar -- does anyone else, what do you think? It's cd based and creates a ram disk for all the config, saving them to floppy on shutdown. I got it running in 1/2 an hour, no trouble.
zadok.org.uk
Any firewall; in fact any system you care to mention, that a hacker has shell or cmd line access with Admin rights is history.
There is a single user on SmoothWall.
This is by necessity root.
The fact you HAVE to be on as root to get to these files in the first place makes the reviewers comments irrelevent.
Product reveiwers should take note to do some research before submitting such rubbish.
MacGyver
those faults ARE the fault of the smoothwall team. they could easily modify the daemons concerned to be more secure instead of whining about the default configuration and leaving passwords in cleartext.
Tsstss.. Look at this excerpt from the article that this SmoothWall guy is complaining about:
I also have a strange feeling about other "security" options that they choose. For example: Not using shadowed password files. They say it wouldn't be neccessary since the only user available is root anyway. But what is the _sense_ of not using shadowed password files? (And what is the sense to require the user to be root to configure the system? Even Apache is supposed to be quite secure, but nobody will run it as root because there still might be holes. Impossible in a hacked-together firewall distribution?) The bytes in length on the harddisk they would have saved would be a joke.
All in all, I believe there are some truth- and insightful bits in the c't review, even if the reviewer did a mistake.
btw: To complain that the passwords had to be plaintext because PPPd and FreeSWAN required it is complete nonsense for a Firewall! Sources are available, so why not add a patch to have the passwords encrypted if this is supposed to become a Firewall?
(Sorry, had to emphasize this, since this is not some desktop distribution but supposed to be a Firewall.)
42. Easy. What is 32 + 8 + 2?
I have noticed that the founder of Smoothwall, Richard Morrell has some issues to deal with. He has a huge ego and does not like users that do not pay for his "open source software." He enjoys complaining about how much money he has spent on making CDs and giving them away for free and how people don't donate to him. I have a few quotes that I have collected that he has said on the mailing lists for smoothwall. "i have contacts with people at the kernel team that none of you have... i know people who can get this fixed and i'm on top of it... so stop complaining because you don't know what you're talking about" "i used to work for microsoft, i know how they work" (he worked in the sales dept selling licenses) "You're also not a paying customer - I'll email DIRECTLY my friend who WROTE the official driver. Friendships help. Thats why I'm richard@linux.com" "this is fuck all to do with SmoothWall its hardware level" Also, Mr. Morrell decided to turn it into closed source "enterprise version" that isn't free with extra features. So he's not allowing open source developers to add new features to the open source project because it will compete with his private closed source project.
First off reviewing a firewall like that is just whining by a non-techie. you want to review a firewall? crack it... Show me times it took and what kiddie tools took it down or circumvented it because of a flaw in the firewall. bitching about how the scripts are written is clutching at straws and trying to add content to an already empty review.
Why is it that we all will not listen to a SQL review without stats and figures but a firewall review get's any attention at all if it isnt even tested properly by the reviewer?
This review was like a review about ram and bitching about the color and shape.
Do not look at laser with remaining good eye.
if a cgi script running as "nobody" is compromised, then it is possible that the user "nobody" can gain shell access as well. A shell is simply another executeable, just like the CGI script itself.
After trying several different Firewall products, I found smoothwall to be the easiest to setup and maintain. As far as the reviewers points, most are irrelavant, since the only access to the web interface and to SSH is from INSIDE your network. Unless you go out of your way to activate these things exterally, they're simply not seen to attackers. But then again, if you changed the way the product is shipped, then it's really working like it was intended anyway.
A paypal link on the front page, and a brief explaination as to why you should donate next to the download link
For paypal users, helping the company has a nearly zero transaction cost. I think it is a good idea that more freeware projects should embrace.
--------
It's OK to be social, just don't tell anyone about it.
But I wouldn't use it for my business network.
SmoothWall is nice and easy way to isolate my home network from the Internet. It took me about 20 minutes to install and configure it. It does exactly what I need it to do.
Phear The Phat Penguin
Okay, maybe I was a little hasty, but if someone gives you a bad review, and this was a bad review, you should just suck it up.. Imagine Microsoft sending out a press release everytime someone at /. gave them a bad review - they'd have to pay Taco to incorporate random-ms.pl
Join the Free Software Foundation
He actually stated that the only shell-access account on the box is root. This means that the only way you can get a command prompt is if you're logged in as root. Theoretically, if you can exploit a CGI bug, you could execute /bin/sh and have a shell, but they've probably disallowed that.
The Dachstein images from the LEAF Project are set up similarly. Root is the only shell access, CGI/Web runs from another user.
You thought that this sig was what you think that I thought you wanted me to think. I think.
As long you as use a strong root password things should still be secure. Although it is a pretty dumb move to not use shadow passwords. C'mon... how much room/cpu do they really take up?
well it's the only "bad" review we've had out of a raft of them, so go figure ...
neuro at well dot com (when I post, it's my opinions, no-one elses)
I'm assuming that apache is run a nobody. I can't see how any would be dumb enough to run it as root.
As your momma always said: 'If you don't have anything good to say about someone, don't say it' or 'if you someone keeps "bothering" you, just stay away from them.' It's as simple as that.
So if you don't like Richard Morrell, head of the SmoothWall project, consider:
Personally, I'm sick of the "one-sided" reporting on Mr. Morrell. I've seen way too many people "complain" about him, but never comment on various personal details that are partially the cause of this -- let alone the daily on-slaught of Windows users who've barely heard of Linux, who don't bother reading the FAQ, let alone demand that SmoothWall automagically support every little, crappy-designed Windows application and their proprietary protocols that don't work well with firewalls anyway. After a week of being on the SmoothWall lists, I'd kill some very rude and ungrateful users well before Morrell. If you feel Morrell is "really bad for the project," then that's his problem, not yours!
Now if you still want something like SmoothWall without the SmoothWall(TM), take notice that others have forked the project into a new one called IPCop. Version 0.1.0 features SmoothWall 0.9.9, all the major post-0.9.9 patches and various enhancements. A final 0.1.1 release is to follow shortly before the team starts to work on version 0.2.0, an Linux 2.4/Netfilter implementation.
For all I care, you can think of IPCop as "SmoothWall without Morrell." Just don't say it outloud since many of us are all sick of hearing it!
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
This is the 3rd time I've been modded down this week for stupid reasons. Being called a troll because I said I had a 56k modem, being modded 3 times as over-rated when no one has modded it before..and being modded as redundant when my post was near the first. This has got to stop.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
if you are running CGI's you can exploit a bug and login as nobody. since nobody can run /bin/sh as well as root there are TWO users on the system, nobody and root. in other words youre full of shit just like smoothwall.
I agreed that it was a bad review... but at the same time, I think he was being overly complacent.
Join the Free Software Foundation
A very common configuration of a firewall is to let some incoming ports translate themselves to other boxes inside the network via NAT - this is to allow things like email services, web services, etc. be accessed. Even with all ports turned off to the outside world, Windows boxes receive email/word/AOL/etc viruses and trojans all the time. Therefore, the boxes *inside* a firewall are also never 100% safe from attack, meaning that a good firewall's security on the internal network interface is nearly, or in a large organization equally, important as that of the external interface.
Daniel Goscomb, one of the lead developers of Smoothwall, responds:
... reading on
...
...
/bin or /sbin directory that even remotely resembles a shell or mount program (ie do not use perl, use mod_perl, do not use php, use mod_php, etc)
... why take the chance ?
.htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.
... wether or not he did I cannot verify, but if he quotes answers from you ("That doesn't matter"), he probably did contact you, and you certainly confirmed that comment with the above reply, I politely wonder about the next part of that sentence ( ... was about the politest of all comments comment.)
In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.
sjah
The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need of shadow password files, if you have access to the machine to get the passwd file, you are already in as root anyhow.
so you only have one layer of security ? The inability of any attacker to get a shell ? That's it ? I must admit I have not checked if you do that or not but
In my opinion you should at least take a number of these precautions
-> no shell access for nobody but root (of course this is enforced by putting a check in the main loop of bash, which mails "murder" if anybody tries differently)
-> all binaries --x--x--x, on a single partition which is the only one mounted without the "noexec" and with "ro" flag
-> *all* daemons chrooted, none have anything in their
-> *all* programs compiled from source
-> there is no such thing as an irrelevant permission
Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.
plain text ? wrong permissions ? why would you take a chance ?
He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.
again
As to the part about user authentification of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via
user authentication is only irrelevant until a hacker gets by the first layer of security (which apparently on your system is the *only* layer of security)
I also find it disturbing that the author gave us no room for comment in his article, nor did i see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.
to quote the other article :
When a group of developers- more than ever one active in the spirit of GPL-want to successfully distribute a good product, they are usually interested in feedback, in order to improve their product. My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment. Trust in the developer's competence and integrity is a basic pre-requisite for the usage of security relevant software. Morell has thoroughly destroyed mine."
this suggests he has contacted you
You can disallow buffer overflows so they can't run a shell? How?
My company has used Checkpoint FW-1 in practically everything we've deployed up to this point, but I'm itching to experiment with a much cheaper IPTABLE's based approach. Of course, it has to be SECURE first and easy to use second -- a leaky firewall is worse than none at all as it gives a false sense of security.
I've hand crafted a few firewalls myself and run them on custom-built Linux kernels and stripped down distro's. Still, I'm not quite certain I trust myself on this, and I'd like to hear from anyone who's had experience with a good, free, IPTABLE's based fw script in a production environment. My goal is something that can displace a Nokia IP330. It has to do NAT, port forwarding, and allow logging of suspicious packets. Floppy-based stuff is highly preferred if possible to lower hardware requirements.
Recommendations, anyone?
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
There's also a support community.
Some companies such as Pyramid are reselling Astaro with hardware and support.
-------
Warning: Slashdot may contain traces of nuts.
I mean where do opensource develoepers get off writing a secure firewall distributiont thats easy install, has a good configuration front end and can be up and running in less than 20 minutes?
I mean seriously, come on? Where is the l33tness? How can I possibly claim to be cool when I use this product, it's just too easy to use. Damn them and damn their software ethics. Even my friends using Windows have started mocking me because I use something with a clear and concise configuration system.
I demand hard configuration, bad and broken installation, no updates for at least 6 months, I mean, with this software I have no excuse but to work. Damn them.
chris at darkrock dot co dot uk
http colon slash slash www dot darkrock dot co dot uk
I'm sorry this is extremely o/t. I just opened up slashdot and saw a story called Test from Christd. I was going to another website just as I noticed it and by the time I opened slashdot again it was gone. Anybody know what this was?
to repeat my other post, a shell is an executeable, just like a CGI. If "nobody" can execute a CGI, it can also execute a shell, or even more simply "echo 'Content-type: text/plain'; echo; cat /etc/passwd; cat /etc/ppp/pap-secrets" . Since the files are admittedly world readable anyway.
This is like super-basic security, folks.
stop posting obvious and redundant shit.
Once again, another ipcop troll/spam. ipcop is a project whose manager is spamming unrelated mailing lists about their SmoothWall fork. Yes, that's all it is, a fork. Plus it's a project that's having to be reminded by SourceForge of their obligation as a GPL-derived project by giving proper and full due credit to the project they are derived from.
neuro at well dot com (when I post, it's my opinions, no-one elses)
Wake up people. You have to be logged on as root to see these files anyway? Show anyone a system that is not junked when a hacker gets root/admin access? You cannot... You cannot get root access to a Smoothwall (the box is physically secure and no remote access to the machine, just how are you going to do that?) MacGyver
I've tried Smoothwall's firewall. It's appears fairly capable for home use. I prefer using the Gnatbox firewall. It's based on a commerical grade firewall and runs off a floppy that boots into a ramdisk. The free version is limited to 5 computers when registered. The unregistered version is limited to 2 computers.
It has a webserver running on port 81 on the green side.
I don't want to buy a product made for stopping criminals that is called "SmoothWall". This is like calling a Rottweiler "Sugar". Gimme a better name, like "Brickwall", "Barbed wire" or "Minefield.
Mikael
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
There's a very good reason not to store passwords in plaintext -- even if the file containing the passwords has restricted permissions.
/tmp and blindly allocates disk space. He then closes it and reads what it contains.
Adam decides to change one of the passwords. Adam loads the password file in vi, makes the change, exits, and walks away from his console, happy.
Bill, a guest-class user who wants higher-level access for nerfarious purposes, creates a file in
Well, when Adam saved the password file and closed, vi did the following: It created a new file containing the revised information, then deleted the old file, and finally renamed the new file to match the original file. The space allocated by the original file was released to be reused. When Bill allocated space for his temp file, he happened to get the same space the original file used -- and its contents.
Bill identifies the file fragment as having belonged to a password file. While one password was changed, there may be others which haven't; or the format of the password used may allow Bill to make some educated guesses about Adam's new one.
While this form of attack isn't always successful, password data can be exploited; and the more passwords on the system that aren't encrypted, the more likely one may be discovered. In other words: Routinely encrypt passwords!
Maybe if people would tell me a good reason why they modded me down I wouldn't post such 'obvious and redundant shit'.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Smoothwall .99 with 6 patches.
./bash*
./sh -> bash*
-rwxr-xr-x 1 root root 316848 Aug 17 2000
lrwxrwxrwx 1 root root 4 Jan 3 22:27
no remote access to the machine ? when the machine is running CGI SCRIPTS ?? and a WEBSERVER ??? and is passing PACKETS and running rules on them ?
HUH ? one buffer overflow and the firewall gets OWNED. REMOTELY.
they modded ya down cos you posted obvious and redundant shit. ...a firewall developer should let a team of hackers poke...well duh, you genius. i coulda never figured out such a friggin obvious statement.
i quote -
Linux with LIDS installed is reasonable secure even assuming that root access gets hacked. Check out www.lids.org. The trick is that the password that gets logged on, doesn't give you complete access to the box, there is another layer of security where the password is compiled into the kernel in a completely hashed format that you have to know to remove the restrictions so root becomes a super user again. Granted, it can be subverted, and overridden like all security measures. It just stops a lot of script-kiddie attacks because it is different and more difficult to attack.
I've used Coyote Linux (http://www.coyotelinux.com) for about a year now, and it works great. It's a single floppy distro that runs on a dedicated 486 with 8 or meg of memory. It supports PPPoE and dial-on-demand (among other things), and is remotely manageable with ssh, if so desired. Just my $.02.
Geek used to be a four letter word. Now it's a six-figure one.
In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.
Poorly. Poorly researched and written.
Ah, irony.
- reid
change nobody's shell to /bin/false then ? im sure that wouldn't break any cgi/webserver scripts/functions
"I keep looking in the want-ads under 'revolutionary' but there don't seem to be any listings.. "
In most of these cases, c't is right. I think we can expect an exploit very soon... ;-)
Claus
OpenBSD is a good solution for anyone with a 486 and 8MB RAM. It is fairly simple and easy to use. (If you are familiar with Unix).
./ heart...;-)
You can find all kinds of examples of how to set one up like here.
Older distro's used IPF, but as of 3.0 they use pf. You can read about pf here.
OpenBSD has gone 4 years without a remote hole in the default install. Pretty impressive.
But hey, only use it if you are SERIOUS about security AND don't want to pay anything.
Although you should consider helping fund the project out of the kindness of you
apparently the company that released this didn't figure it out. it's not a redundant post.
youre underestimating the dumbness of the smoothwall dev team. assumption is the mother of all fuckups.
It has no external access to the machine.
yup. proving that EVERYONE can run sh including nobody.
yay for the smoothwall dev teams non existent security.
running one executable doesn't necessarily allow you to run others. I posted the permissions on bash and sh below - are there any problems with them?
while in real life that's hardly the case. practical usage is a term they seem to be far removed from. even in benchmarks, lab tests... they are 'lab tests' after all.
I have not used the product in question. Nor do i plan to. but that decision is not based on the criticism from that article. if anything, i'd be more tempted to try it out for myself.
I would like to challenge authors to give people the ability to rate their reviews. but then, i'm just a programmer, what do i know about reviews?
That does not matter because we don't know how to do it better and still want to sell our product you ignored the fact that the CGI interface is already password protected.
Claus
Sorry but I i have the artical in front of me ( as paper and HTML) and saw... CT: "My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment" Why does Daniel Goscomb say that nobody asked him about the promlems? THEY DID!!! in fact!!!
What company? SmoothWall GPL, which is the version reviewed, is released under the GPL by a volunteer team of developers, testers and helpers.
neuro at well dot com (when I post, it's my opinions, no-one elses)
Twice this evening I've tried to get questions answered about their gpl'd smoothwall because my boss saw this slashdot article. And both times I've been nothing but insulted by Richard Morrell, the founder. The first time I was childish and incompetent all because I had the nickname 'nameless'. The second time I was k-lined from the server and he insults me because I have a german last name.
smoothwall.org.txt and smoothwall.org2.txt
Makes you wonder how these guys really act to customers.
Are you speaking of me? Must be.
Anyway, I do not know the gentleman that posted that little piece. However, I do have a tendency to agree with him.
As for the spam. OK, if you see it that way.
Also, I never claimed that it was anything other than a fork. As a matter of fact it's plastered in every piece I write on my site. http://slydder.homelinux.com
I hate not being clear on matters.
As for having problems from SourceForge, I don't think so. But then again if we did it could only be because a certain person keeps on us to remove all mention of SmoothWall. hehe. What a character.
chuck
IT Admins Group: Where you decide the content
I wanted to use SmoothWall as my firewall, but I have a USR Sportster 128 ISDN card, and I can't figure out how to get it to work with smoothwall (or redhat, the documentation is sparse and tends to be in german).
Anyone know if Smoothwall will work with this card without alot of configuration effort?
the point about "don't run the CGI's as root" is moot. the web interface is only accessible to the "green" or local interface. the user has to take several steps to open that up to the outside world. if you're worried about the script kiddies rootin' ya, don't open it up. and if you're worried about the people on the local network, you got bigger problems to worry about :)
Every part of the system has a (hopefully low) propability to be successfully hacked. The more barriers you have, the securer your system is.
It's also worth nothing that the only interactive account is root. There are daemons running under different user ids (I assume in favor of the SW team). As with every remote exploit, these daemons are the entry gates. Also note that remote exploits by definition don't relate to any interactive accounts!
Now, if one service has been hacked, the whole system is already compromised because there are no shadow passwords, files have the wrong permissions, etc.
You can argue about the passwort files for remote connections. You can't argue about not using shadow passwords, that's just plain stupid.
It's like leaving your safe unlocked because there is already the locked front door...
Claus
Several months ago, I was messing around with Smoothwall as a possible simple solution to my home LAN situation. It was the eve of the 0.9.8 release, and I went on the Smoothwall IRC chat area and joked about getting an early copy of the release. Joked. I know that doesn't happen, and figured that with a technically oriented crowd, that I'd be understood as kidding. At the time, it seemed that I was. However.
A couple days later, after having installed Smoothwall and found it to be almost-but-not-quite-right, I popped on and asked a pretty simple question. Why wasn't there a copy of any compilation tools present, or any other services that someone on a small, personal network might like?
The response was pretty terse. "It's a firewall." Repeated inquiries resulted in various forms of the same answer. Now I understand that a firewall has one main purpose, but the -attitude- I got from the developers was really too much. I figured, after being booted from the channel, I'd email Richard and hope that a cooler, more corporate head might reside at the leadership of the Smoothwall project.
Unfortunately, I could -not- have been further from the truth. The situation escalated with Richard harassing me VIA email for several days, after repeated requests of mine not to email me any longer. He continued, his crude insults became -threats-, and it took three days for the matter to settle.
I am currently an assistant administrator at a small college using Linux as a gateway/NAS solution that's desperately in need of updating. Smoothwall might have once been a contender for this, but definitely not now.
I have posted a rather extensive website airing the entire situation with Richard, my own warts and all, at my Smoothwall site for the perusal of anyone interested. Sure, I might have made a mistake or two, but I don't feel anything I may have said justified what I recieved.
Anyone else have similar experiences?
My own pointless vanity vintage computing page
there is no such thing as an INTERNAL webserver. its on the net with a non routable ip. boo friggin hoo. someone spoofing packets can get into it if they do it properly. or 0wn one internal box on the network. unless smoothwall filters email and other viruses to potential M$ targets behind the firewall.
The point, I suppose, is that it *can* be done, if you know what you're doing.
You were saying something about a line of "complete BS"? The post *was* informative.
Being a geek *and* the firewall/vpn admin for a large network I was compelled by geekiness to set up a tunnel between the corporate network and my home network. The lack of desire to spend way too much money for an IPSec compliant appliance I opted to try numberous open source solutions, including Smoothwall 0.9.9se. Despite a few shortcomings, I found the "Smoothie" to be quite impressive. A 23 Meg ISO image yielded a bootable CD that installed without a hitch, identified all the hardware and prompted well for install input (reading the install docs is of course advisable). The box was online is just about 10 minutes with internal clients playing quake and surfing for porn. A quick, yet educated review of the default configurations and a nmap scan and I was confortable with the security... onto the VPN config: A straight forward, web based config menu has fields for all the usual Free-S/WAN VPN stuff, like gateway IP's, site network IP's, next-route-hop IPs, preshared secret, but lacked some specific config options that are needed to create a tunnel with a Checkpoint FW-1/VPN-1 gateway (the reason I was trying this product). Manually adding these config options to the ipsec.conf file was easy enough and in just a short while I was enjoying an IKE/3DES/MD5 tunnel into work.. well.. maybe "enjoying" isn't the right word. My next step was to add a few additional work subnets to the tunnel. This is done by creating an additional connection.. like a second tunnel with the same addresses and preshared secret.. piece of cake.. except, adding more info to the VPN configuration overwrites the ipsec.conf file with a newly created one. Doh!. Fortunately, the web interface is well written and it was pretty easy to add some code to make the admin script create the new ipsec.conf file with the Checkpoint specific changes. Total time invested for a fully functional, easily configurable firewall/VPN: just a few hours. Satisfaction level: 90% Summary: It's easy, fast and works as advertised. Pros: Fast install, Works with Static or dynamic IP's, Many other good features (check the website for details)., Easy to customize the code for personal gratification. Cons: it could offer more flexible IP chains config thru the web interface, Could use those additional VPN options for Checkpoint interoperability. I like it and the smoothwall folks can expect documentation of checkpoint compat. fixes along with a PayPal donation very soon.
chown -R us
Smoothwall GPL requires seperate hardware interfaces (modem/nic) per ip. The internal NIC can only view the splash page of smoothwall, and the external can't see it at all. By merely spoofing packets you cannot get to the internal ip.
But then you don't actually have an example of this spoofed packet that will fool smoothwall, do you?
Yes, smoothwall doesn't filter email. It's a conventional firewall. It's not a virus-checker. Compromised machines on the internal network can view the splash page of smoothwall. The splash page reveals the smoothwall version number and " 1:19pm up [REMOVED] days, [REMOVED], 0 users, load average: 0.38, 0.54, 0.57".
Anything more and you need http authentication. Show a theoretical exploit or calm down, please.
And probably still will. Here is my feedback on the issue relating to the Smoothwall review.
1: Plain text passwords as sufficient security on a single-user system. OK. THis is sufficient security because the only user is root and thus if you are on the system you have complete control over it. However, it is not optimal security, which is what you really want in a firewall. If the root user changes the password, you know this as soon as you try to log in again and can take action, but if they can read the password, they cannot always be detected easily. Therefore encrypted passwords are important on a firewall because they can allow more freedom to an intruder after the first intrusion. Therefore, encrypted passwords are still useful and should be implimented.
2: Protection of VPN keys is not exactly necessary either but it is good practice because it prevents someone from masquerading as your trusted server.
3: Protection of your PPP password is less of an issue IMO, though with the modern wave of DMCA complaints on the part of the MPAA, it would probably be good...
Therefore all the normal security rules for multi-user systems are beneficial for these dedicated firewalls, but for different reasons. For many people, the Smoothwall system as described is probably sufficient, but it si not for high-security environments.
LedgerSMB: Open source Accounting/ERP
Suse also has a firewall that is well worth a look. www.suse.com
Ok, First off most of you have no idea of the type of commitment and work that goes into SmoothWall and the amount of dedication these people have. All you people who are going on about the insecurities and such... Do your homework, until the shut your goddamn mouth. You say you get your head bitten off or snapped at when you go into the IRC room? Try answering the same question 40 times a day, that is in the manual. Give these people a break they are tryin to help YOU. Grayson. (mope)
Yeah, I read your response.
Interesting that in your opinion, "rude is rude," but we should be forgiven your IRC "chat antics" where you "blow off steam."
I smell a double standard.
But if the permissions on the passwd file were setup so as to only be readable by root, it is effectively the same as having a shadowed passwords, which would require the user to already have root privilages read the actual hashes. It would be rather trivial to do since it's a single user system and its use is rather specific.
I'm not saying this is what the configuration on this device is, but the article doesn't really deny this either.
We run an OpenBSD firewall at the lab I work in but lately it's been flakey and I'm the only one who knows how it works. So I was sent on the task on seeing if we should switch to another firewall since I have to rebuild the machine anyway, or stick with openbsd :] OpenBSD does have the easiest setup for what it does with ipf/ipnat. However, you actually have to know what you're doing to set it up. I highly recomend openbsd for all your firewalling needs if you want something you can just setup and never touch again.
but the CGI is running as root so it would have root access to any file no matter what the permission was...
Mode 700 on /bin/sh and any other shells, exec* fails. It also prevents a multi user system which in this case is ok.
The thing that may be interesting is forgoing the shell and executing direct commands, I do not know the product well enough to comment on the feasibility of that.
I have installed SmoothWall four times, for friends, on machines running the gambit from P100/12mb ram to P166/96mb ram, and using ethernet cards for DSL/Cable, it's a dream. That is, as long as the distro has drivers for your card (damn Tulips).
:-) and buying no fewer than four modems, I found one that should work. After another day or so of frustration, I contacted the helpful people at SmoothWall.org and I actually chatted with Mr. Morrell directly on their irc server. In five minutes, he'd set me straight and it was up and running. It was a CEBCAK (Computer Error Between Chair And Keyboard), naturally.
Then, for my parents who live in rural east Texas with a dialup connection, I had to figure out how to get an internal modem working in Linux. After reading the entire internet
For all the people bellyaching about how one guy represents the GPL developers, or doesn't use shadow passwords... whatever. At the end of the day, all that matters is getting the job done. And I recommend it to anyone who has a spare PC lying about, too.
Any connection between your reality and mine is purely coincidental.
You might be interested in what Mr Morrell has to say about IPcop...
The Slashdot Paradox: "100% Overrated"
It is fairly simple and easy to use. (If you are familiar with Unix).
Is it just me or does that qualifying statement completely negate the previous statement?
Of course it's "simple" and "easy to use" if you already know what you're doing.
I realize I may get flamed/labeled troll here, but this is too much. As much as /. bags on MS, we've NEVER allowed them to post a response right next to the article. Just because this is released under the GPL, we'll make a special exception? What about the kernel devs or the mutt developers when a bug comes out? Shouldn't they get a shot?
THEN the guy goes on to blame pppd and FreeSWAN which comes bundled with the product for using plain text passwords. Are you joking? If you want one that's secure write it yourself. I don't care who wrote the thing originally, if you want a secure product, then follow the openbsd model and check and recode every line yourself. We don't blame MS Indexing Server (the cause of many of the recent MS bugs), we blame IIS.
I'm sorry but this is just terrible.
What is the difference between using iptables in Linux, versus Linksys/2wire home products, versus corporate/ultra-expensive products? I'm using a pretty tight iptables setup on my Linux system and my friend just got a 2wire system and he's all hee hawing about how 2wire kicks ass and Linux firewall sucks.....
Wait, let me guess, this is one of those "Let me login as root and I will root your box things", right?
/kernel and login as any user I wish. Wanna see it?
Seriously, if you are going to have access to directly address the fucking filesystem you are going to need root.
It is BS and if you don't believe me I've got this 3r33t 0 sec exploit where I directly address the memory used by
Even though the Smoothwall developers argue that shadow passwords are not required, I think they are. I have a box running right here with it. Apache runs as the user "nobody", and therefore can read /etc/passwd. If shadow passwords were enabled, reading /etc/passwd would not matter.
.htaccess files.
By default, smoothwall does not allow access to the web interface from the outside, but, very frequently, people open that up to the world so they can get at it from anywhere (which is very easy to do through their menuing system). The box does not ask for a password until you actually get into the configuration screens, but cgi's that give you information are not protected by
I wanted to install it on a box that only had SCSI on it awhile back, but they ripped support out of the free version for SCSI. So I joined the irc channel and asked about it. They told me to wait until the commercial version was out and to buy that if I wanted scsi support. So I grabbed their *SDK* as they call it, and it had nothing useful in it at all. I joined back up to the irc channel to ask how to compile everything, they asked why, so I told them I was building in SCSI support so I could run it on the extra box that I had laying around. No one would talk to me after that.
I found a different machine to run it on, but the only reason I'm still running it is because I haven't had time to get something else. I used to recommend smoothwall to people, but not anymore. The developers I talked to were conceited jackass's. If they had helped me out, I probably would have even donated a few dollars to them.
Need Free Juniper/NetScreen Support? JuniperForum
The CGI is not running as root. It's running as 'nobody'.
Mark me as a troll or whatever, but why is this article even posted on Slashdot?
They have a product. It's not especially earthshattering. It's just a firewall product that you can buy.
I read the IRC logs that mwhahaha (apologies on spelling) posted, and yeh these WeakWall lamers seem like pricks. I read the rebuttal to the c't article, and it seems the article made some mistakes.
But no matter how you dice it, it's just a stupid little turf war that has no bearing on my geek life whatsoever.
Did these SmallWall guys pay to have this Slashdot article posted or is this just a pet project with one of the editors?
fifth sigma, inc.
The reviewer is correct - regardless of whether you can imagine the way in, there will be one. Granted that (and if you don't grant me that, move on to Windows and stop pretending you have a clue about security), it's negligence or incompetence to ignore common best practices, which include all of the negative points the reviewer raised.
Which is why Sun, HP, and of course Microsoft can use the code (all three do) to steal marketshare from people like you and Sendmail, Inc..
They're laughing their asses off while your family goes hungry; they think you are stupid because you gave them the product of your labor and then let them make it into their property with no compensation.
And maybe they are right?
The GPL may not be perfect, but it's not the invitation to programmer abuse that the BSD license is. It is an attempt to prevent your innovation from becoming a weapon of your own destruction.
Come up with a better answer - but one that doesn't involve suppressing inovation or giving away the farm - and I'll be the first to climb on your bandwagon.
--Charlie
makes sense to me... for example:
windows is hard and annoying to use, and completely unintuitive. (if you are familiar with unix)
but i'm sure if you already knew what you were doing, then moving from say 2k to xp wouldn't be that big a deal. same for me, moving from debian to freebsd isn't that big a deal. a lot of it is the same stuff.
-------
"don't smoke, don't drink, don't fuck
at least i can fucking think"
Minor Threat
mocom--
If you're used to FW-1, try fwbuilder (www.fwbuilder.org) - It builds iptables rulesesets from a GUI that will look strikingly familiar!
Its pluggable back ends are interesting too - 'one day' it could generate PIX, ipchains, cisco etc. rulesets too....
It's just you.....
I have visited irc.smoothwall.org only once. I do feel, however, that my experience there alone was almost enough to discourage my use of the product. I joined the #smoothwall channel in hopes that I might find answers from knowledgable users or developers that I had been unable to find in any of the available documentation (all of which I read in its entirety).
:: Please do not expect free
Upon joining the channel, I was bombarded with the omnipresent topic, "Welcome to #smoothwall
support if you haven't donated. http://redirect.smoothwall.org/donate"
Ignoring the blatantly anti-open-source sentiment, I proceeded to ask about features and functionality that I feel are paramount to implementation of a device designed to secure my entire network. Before anyone so much as regarded my first question, I was bombarded with "Have you paid yet?" A simple 'not yet' got me my first response: "Can't you read the f**king topc?!"
Of course, I wasn't looking for support -- simply answers to questions about the products capabilities. Off to a great start.
In the end, my questions were answered, privately, by MacGyver, whose answers unfortunaely indicated that features I think are critical in a firewall are only available in the commercial version. To suggest a few:
- No support for multiple IP's on the external interface
- No ability to write filter rules for outbound traffic
- No inherent ability to manage IDS policies used by Snort
- No immediate planned support for a stateful kernel
etc...
Granted, I could accomplish all of these tasks through custom modifications to the product -- but that would defeat the purpose of the product in the first place -- to create a secure filtering firewall that can be easily and securely managed through an integrated portable interface without the need for extensive customization.
To comment on the article posted this evening, I think that despite the article author's process for review or lack thereof, SmoothWall's response was unacceptable. To say that passwords are not shadowed because the box has but the root user would be to say that Bind and Sendmail need not be firewalled because their latest revisions have no vulnerabilities...
yet.
To say that the open-source security packages that comprise the firewall _require_ clear-text passwords is to insult the intelligence of everyone here who knows better or has found more secure alternatives to the same problems in the past. The open-source community is not ignorant, nor are we fooled by any comapny's efforts to conceal laziness.
Security is an unknown. We place our confidence in hybrid hardware and software solutions that provide protection from the exploits we've identified already, but we expect that new vulnerabilities are inevitable. We cannot neglect commonly accepted security practices because our products have not yet been broken. The correlary would be to argue against home alarms because we already have a lock on the door.
A single layer of security is never enough. ESPECIALLY for a firewall. If this were to be an end-user distribution sitting _behind_ a firewall, the lack of external access would _probably_ be enough. However, as a firewall, such neglect for security practices that have a negligible effect on performance but provide such a significant measure of protection is both arrogant and ignorant at the same time.
In conclusion, neither the product's lackluster featureset, nor it's father company's poor customer support practices would have individually discouraged my using it.
Couple those with questionable security practices, though, and I can assure you that SmoothWall will never be enough to protect _my_ network...
What is so hard about setting up a firewall? RedHat 7.2 sets up a fine one for newbies. Block all incoming ports except 22, 80, 443. What's so fookin hard about this?!
When I outgrew that I loaded iptables and now I have flood protection and all sorts of stuff. Again I ask, why would anyone buy a software firewall to run on Linux when it comes builtin?
This is why I like ZoneAlarm. Can't get much simpler than that. And it WORKS.
I join the long list of people who have either observed (my case) or been directly insulted by Dicky M's Tude.
You can feel freel to not believe-but subscribe to the mailing list for Smoothwall GPL and you'll get an eyeful of a nasty, mean, selfish Dick and see what I mean.
Hey Dick-
-If you wanna sell your damn product, then sell it and shut your pie hole. Your constant pissing and moaning about people not donating is sad.
-It's not the cure for cancer, just a commercial firewall product. Here is what you do Senor, MAKE IT, SELL IT FOR MORE THAN YOU MAKE IT FOR, REPEAT. DUH!
If you don't want to offer any support, advice, etc. to people who don't pay for your product than DON'T. Just don't pretend that you do by letting any Tom, Dick and Harry sign up.
I'll never use Smoothwall, never ever (and as a very experienced high level System Admin no one I can EVER influence will use it either.) Buying the Smoothwall developer's attention when it's obvious they despise their users but love their money is a recipe for a F'ed up user experience.
Good luck Dick. Buh bye...
Funny! True, but funny.
No question that Rodney or whatever his name is is a bit of a RudeBoy, but there's also no question that you fed the flames as eagerly as he returned them. Granted, he sounds like a bit of a dork, but he has that right, as do we all.
**>>BELCH
Please consider this:
- When I had my first experience with Unix, it was Solaris 7 / x86. I didn't learn
- squat from it because of that damn CDE shell -- I didn't know where to look for anything, and (with my windows-addled brain) I didn't understand where the equivalent of the 'control panel' was.
The moral of this story:Fast forward (slightly) to 1998. I now had a cable modem, and wanted to share it between several computers. I had learned about the differences between proxies and NAT, and tried several products that would run under Windows. All of those were commercial demos, with rather aggressive pricing. I was not impressed.
I had seen comments here about OpenBSD, so I looked into it. I took an old P-100, followed the directions, and had a working NAT firewall in a day. I had learned more about UNIX in about a week (this includes reading time) than I had in 4 months with Solaris!
Today, it's still there. The same hardware, at least -- it just got upgraded to OpenBSD 3.0
(Yes, I know -- that can be a big "if.")
On a side note, I installed OpenBSD 2.8 on a Thinkpad last year... it found the sound card, the peripherals (3com ethernet & US Robotics PCMCIA modem), and setting up XWindows was a piece of cake -- there were config files readily available. Perhaps not incredible, but it was easier than installing Windows on the same machine, and that is impressive!
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
..I think enough /.'ers are sufficiently interested in the idea of "turn key" open source security solutions to warrant discussion of the product.
Isn't that enough?
Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
Some of this post is very on-topic, but I include the rest for context. Moderators, please be kind.
I and a buddy recently completed a network installation for a small business. They had about 25 PC's in a 100-year-old wood-frame office building with asbetos everywhere and wanted these people to be able to utilize the Internet for such tasks as tracking packages via web sites, etc. They wanted to reduce costs by eliminating some 6 dialup accounts and free up phone lines for voice. They were less than a quarter mile from the local telco POP. So, they tried ADSL on one PC and consistently got about 1.5 Mbps down and about half that up. They loved it.
They asked me as an independent consultant what they should do to get the access to the other PC's. We looked at wiring the building, but due to the structural nightmare of the building, we decided that for their needs we could go with 802.11b. We dropped several CAT5e lines to three locations in the building: the computer room, where their mission-critical apps run on an AS400, and two access point mounts we set up.
We set up a SmoothWall box as their NAT since the evil ISP would only give us one static IP. It looked a lot better than FreeSCO. It was painless, absolutely painless to configure. But it had a shortcomming: it did not support PPPoE, which was necessary for the ADSL drop. Schucks! So we double-NATed using a little Linksys NAT/switch thingy to actually negotiate the PPP for us. We thought this would be nice because if someone were trying to hack in, they would have to circumvent 2 NAT's. We also thought it would have no significant impact on throughput. Big mistake (read on). Regardless, the NAT solution could remain in place should they ever want to add a stateful packet inspection firewall or something like that, or switch to better broadband, or even wire the building.
We spent almost an entire afternoon trying to configure the blasted access points. They were DLink 1000AP's. I followed DLink's instructions to the letter. I have a little beef with DLink about requiring a Windows machine to configure the things, but I can overlook that. I installed the configuration software on my laptop and was ready-to-rumble. The software failed repeatedly to detect the access point using a DLink branded 802.11b client device (USB DWL120). So I tried step two, isolating the AP's on an Ethernet segment. They failed detection again. So I fed the software MAC addresses manually. This failed. I was using only one machine with a known-to-work crossover patch cable. What the *(!@?
We eventually tried swtiching PC's, and then we noticed that the typeface DLink used to print the MAC addresses on their AP's made 5's look like 6's because the ink ran too much. I was really pissed. Upon getting the conf software to work on a desktop, I went back to my laptop to try again. It flat out wouldn't work with either of my 3Com CC10BT PCMCIA cards in different machines. Don't know why to this day; DLink couldn't help me on that one. But it did work on a desktop wit a 3Com 3c509b.
So, we got the access points set up and clients on all the PCs. We set up WEP encryption and tried to hack around a little to get in without the keys. We made sure we altered the default network ID and set good hard-to-guess passwords. It was like butta, for just one day.
Next weekend, we came back and hooked up more PC's. We went up to say 18 from 12. This is where we started having problems.
We used MAC address control on the APs as we promised the company we would. But after hours and hours of trial and error, we discovered that after adding more than 17 MAC addresses to the control list on one AP, the AP would spontaneously loose all of its configuration data. This worked this way on both AP's. DLink was not helpful. We would later RMA one of these and the replacement would do the same. So, we ended up having to have control lists that were local instead of network-wide. This defeated the roaming feature of 802.11b entirely (although nobody has a laptop there right now, I don't like it one bit). It also causes more difficulty in configuring the damn things. My friend, who is an Apple Campus Rep, haunts me to this day with suggestions of buying their AirPort brand equipment and says it would work better. Anyway, we choose DLink 'cause it was a hell of a lot cheaper than Orinoco.
We saved the company lotsa money on their dial-up. Next, we moved their web pages in house on a Red Hat box on a DMZ. DMZ wasn't all that in SmoothWall at the time (no hole poking), but it did what we needed it to. We moved their primary DNS to publicdns.org and set up MX records, the whole works. Set up a sendmail box. Set them up with PHPGroupWare. And, we encouraged them to make donations to the various projects which provided them with these fine products and services. I felt all warm and fuzzy. I had turned them into a free-software shop on commodity hardware and it all worked.
After a while, I started getting phone calls from them saying their web pages were only accessible to some clients. I looked into this. I left myself a way to get in (a port forwarded to a pc with sshd, I had permission to do this), and so I hopped on in and looked around. I became acutely aware that my ssh sessions were being dropped very frequently. I kept getting some sort of error from my ssh client during sessions.
We went back down to isolate the problem. We kept removing pieces of hardware from the network to figure out what the &*^% was going on, but found nothing. Then we learned SmoothWall had added support for PPPoE. We scrapped the Linksys, and we had no more dropped TCP sessions. It was freaky . I have seen the same problem affect two other people who used port forwarding since then with Linksys boxes (I help folks out on Mandrake Expert). SmoothWall had also added better DMZ support. I just have to say the system works beautifully.
Other issues we encountered in the project were users compromising security by using AOL clients. AOL clients create VPNs which in theory could allow hackers to circumvent your company's security. Don't let your users do this.
Oh, I almost forgot, the AS400. Up until we set them up with a network, they were using this shitty twinax serial network to talk to their AS400. It was expensive. It required shitty ISA adapters to be installed in every PC. It almost made me puke.
At the start of the project in our proposal we told them that they should use encrypt everything, even internally, and that that was just common sense. We told them they could put the AS400 on the LAN and use ssh instead of those card-and-twinax interfaces. I even verified this with my fiancee's dad, an old-AS400-fart himself, before I promised them this. WE WERE WRONG.
IBM told us they COULD NOT RUN SSHD WITHOUT BUYING A NEW MACHINE. That is such a load of crap, but we, having no experience with AS400's, could do nothing about it. The IBM man convinced them to run telnet. We told them we would take no responsibility for that. End-of-story.
Hope this has been an informative venting session for all of you. Please note that there was some relevant content in here, and that SmoothWall solved some of my problems, and I think it is a great product.
if it has become flakey look at what has changed and undo it. if nothing has changed you probably have a hardware issue. simple.
Why does't slashdot go to both sides more often for both sides of a story? Why did this guy get 'special treatment'? It seems like the slashdot articles have a decent rate of being incorrect of half-informed. I'd like to see more of this fair reporting, and I hope this one time wasn't just a fluke.
If you agree, vote with upward moderation.
Send an html-email with an "img" located on the firewall. Make the url cause a buffer overflow of your choice in one of the cgis. There's your insider attack.
Yes, really.
Unix has a very useful construct known as "sparse files". Almost all Unix filesystems support them, though "non-native" filesystems (like FAT or ISO9660) do not. A sparse file appears to be just like any other file except for certain disk-block-sized "holes". The holes are not written to disk, do not count against disk free space or your disk quota, but in all other respects behave like regular disk blocks. If you read the file you get zeroes where the holes are. If you write to a hole it is "filled in" (of course, if you write less than a full block, the rest of the block is zeroed).
Thus you can have a 30-megabyte file on a 10-megabyte filesystem, where the 30-meg file really only has 8 megs of non-zero content and 22 megs of zero blocks that don't really exist. If you try to write to the whole file, of course, you'll run out of space.
Aside: this was the source of an interesting glitch with Samba. Windows Explorer copies files by creating the destination file the right size first, to make sure there's room for it, then filling it in (and not doing sufficient error checking on the latter part). The Samba developers had to "fix" Samba awhile back to make sure it created a non-sparse file in that situation.
Similar deal happens with memory. You might think allocating memory would give you access to all kinds of potentially juicy stuff left over from the last process to use that memory. You'd be wrong. The OS clears the memory before letting you use it. With many modern processors, it's possible to optimise this, using memory management tricks, so it doesn't cause the performance hit you might expect.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
Poorly. Poorly researched and written.
Rather obscure, perhaps.
> If I were them, I would have pounded your IP
/. admin care to post what IP that enligtening comment came from ? Is it the same as any AC posts to this thread ?
> with a day of DoS for good measure.
Hmmm obviously another member of the Mr Morrell fan club. Any
Curmudgeon
Works very nice for me.
Idempotent operation: Like MS software, wether you run it once or often, that doesn't make it any better.
I have been using it for about 2 years on a lowly Pentium 120 with a 500 MB disk. It's great. It protected me from Code Red, Sircam, Nimda and script kiddiez.
It has got some shortcomings, but it has come a long way in 2 years.
Also, I once had trouble configuring it to work with 2 identical network cards and found that the developers were kind enough to solve my problem. I guess it helps if you say the magic words (that's 'please' and 'thank you' to all you windows users) when asking for help on a product you got from free.
The article obviously was pretty poorly researched. What scares me a lot more is that the smoothwall response doesn't address the issues. It doesn't even seem like the person who wrote the reply has understood half of the "review".
Fine - the only shell account is root. That doesn't make it any better to have a non-shadowed password file. What if (as the c't author points out in his article) an attacker gets a shell by exploiting a hole in a server running as non-root. He'd leverage his rights to root easily this way.
About the CGI scripts, the Smoothwall respondent talks about his scripts not doing user authentification. I'm sure they don't, but the c't article talks about not doing proper checks on user submitted _DATA_. And for the clue-impaired, this isn't limited to your username/password pair, but is about what data you feed into the script and how the script would handle for instance extremely long arguments (trying at a buffer overflow), shell escape characters (sloppy calls to system()) etc.
I have no idea who's right when it comes to the issues as I'm not interested in running smoothwall. But that someone working on a firewall don't understand half of the issues in a critical review, that dosen't speak well for the quality of the firewall.
Smoothwall is designed to keep people out, not in. I have no complants at all.
Based on NetBSD, and it has been around for a while..
And there's plenty of others based on BSD freely available... see www.dubbele.com
-John
To the firewall at www.dubbele.com
My major concern is not, that somebody other than the administrator might log into the machine. The major issue of a firewall system is, to tighten security, not to remove existing security mechanisms like tight access rigts to sensitive files, shaddow passwords, etc. But that is exactly what Smoothwall does in direct comparism to any standard linux distribution.
I'm sorry, if the text doesn't make it clear, that I'm not complaining about the format of files but about sensitive files with passwords or secret keys, that are world readable (ie mode 0644). Something like
is a bad thing - period.
I made every effort, to get "printable" response from the developers. I wrote several E-Mails about the issues to Richard Morrel - who was named as contact person- and I went to the IRC channel of the developers. The only printable comment to the subject I got there is "This doesn't matter".
I was very confused for a long time until I realiyed that "c't's review" is NOT a fashionable new abbrevation for CmdrTaco's review...
damn.
First i want to say that reviewing a firewall has not to be done by cracking it with kiddie tools.
:)
This article written in c't is as informative as it needs to be for anyone who wants to install a firewall for his network at home or at a small company. For any other cases professional firewalls should be used.
Revealing those "security leaks" like passwords in plain-text was exactly the thing i expected the author of such an "firewall review" to do. This article was not written for the demanding network administrator who is working with high-tech firewalls for his entire career, it was written for small companies and businesses which can't afford high-tech firewalls for thousands of dollars.
Also i don't think that those plaintext passwords are unimportant because SmoothWall creates a single-user system.
Every vulnerability of a system is a potential security leak until it is fixed.
And i would like to say something about the behaviour of Mr. Morrell, even if this has already been heavily discussed.
I don't understand why he treats his potential customers so aggressively on the IRC chat. It seems to me that he and his group wrote a piece of GPL'ed software and wants to be treated like he wrote some proprietary software.
If someone tells me: "don't ask me things about my gpl software until you donated some money to me" my only reaction will be: "fuck off, there is always FREE software which is better than this, i just have to find it."
I think it is very offending by Mr. Morrell to harass someone for being from another country than he is from. I'm from Germany, i am german and i think there is nothing bad about being german or having a german heritage, name, etc. I know there are still many people in the world who think Hitler is still ruling Germany, but i don't think Mr. Morrell is counting himself to this group.
Germans are not evil *g*.
Please excuse my bad english. I only had five years of english in school, but i promise i will try to improve
I also find it disturbing that the author gave us no room for comment in his article, nor did i see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.
Well, it's clear from the C't review that the author did try to point him to the problems:
When a group of developers- more than ever one active in the spirit of GPL-want to successfully distribute a good product, they are usually interested in feedback, in order to improve their product. My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment. Trust in the developer's competence and integrity is a basic pre-requisite for the usage of security relevant software. Morell has thoroughly destroyed mine.
Apparently, they did not know he was from a magazine. But then, this shows a rather sad attitude towards normal users, no?
Michael
Just downloaded smoothwall 0.9.9se and had a search on google.
/usr/sbin/pppoe
/usr/sbin/pppoe
/usr/sbin/pppoe -D /etc/test
/etc/test
/etc/test
bash$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody),14(smoothwa)
bash$ ls -l
-rwsr-x--- 1 root nobody 23888 Aug 6 12:36
bash$
bash$ ls -l
-rw-rw-r-- 1 root nobody 367 Jan 10 03:11
So much for security!
Dont forget forget the connections limit. The main reason why I went looking for something else about 10 minutes later after installing it.
Curmudgeon
The Thread:h ol d=-1&commentsort=1&mode=thread&pid=0
8 15 448
http://slashdot.org/comments.pl?sid=25942&thres
The singular reply from that Thread for the those without patience:)
http://slashdot.org/comments.pl?sid=25942&cid=2
Tony
[BasharTeg] I keep getting kernel panics, is this going to be fixed pls? .org
.co.uk is seperate
[dickmorrell] its not a bug
[dickmorrell] its Linux kernel
[dickmorrell] ask Linus
[BasharTeg] Will it be fixed in your commercial version?
[dickmorrell] yup
[dickmorrell] it is
[BasharTeg] So you fixed the Linux bug? Did you tell Linus?
[dickmorrell] we bypassed it
[dickmorrell] with a non GPL module
[dickmorrell] and thats perfectly legal
[BasharTeg] I never questioned the legality, I just wondered whether you fixed the kernel.
[dickmorrell] do you need an adult to help you ?
[dickmorrell] moron
[BasharTeg] Excuse me?
[dickmorrell] IF you come into THIS channel
[dickmorrell] and you USE GPL
[dickmorrell] which I FUND
[dickmorrell] be more polite
[dickmorrell] or fuck off
[dickmorrell] its your choice
[BasharTeg] I was polite, I just asked you whether you fixed the kernel or used some other method
[dickmorrell] [BasharTeg] I never questioned the legality, I just wondered whether you fixed the kernel.
[dickmorrell] that wasnt polite
[dickmorrell] that was direct
[dickmorrell] I have 800,000 users
[dickmorrell] most are polite
[BasharTeg] You don't have to prove anything to me, you pointed out that it was legal (something which doesn't interest me)
[dickmorrell] you need to get out more
[dickmorrell] trust me
[BasharTeg] And I think you're the one who needs a lesson in politeness, telling a potential customer to fuck off is not a good start
[dickmorrell] look
[dickmorrell] you cant help yourself
[dickmorrell] moron
[dickmorrell] I dont need the business
[dickmorrell] ok
[dickmorrell] you cant even read a website
[BasharTeg] Why do I need to get out more, I just asked you a simple question about whether a bug had been fixed - you got rather paranoid and started going off on one
[BasharTeg] Surely you do need the business, you always seem to point out how much money you've put on the line.
[dickmorrell] no twat
[dickmorrell] thats
[dickmorrell] I fund it
[dickmorrell]
[dickmorrell] how do you think I fund GPL
[dickmorrell] GPL costs me about 4k a month
[dickmorrell] its about time you freeloaders and geeks donated to support things like
[BasharTeg] Yup, some of which you will get back on the commercial side
[dickmorrell] 1.8terrabytes a month
[dickmorrell] about 1.2%
[dickmorrell] historically
[dickmorrell] of Linux users
[dickmorrell] turn commercial
[dickmorrell] its a shite percentage
[dickmorrell] ask RedHat
[dickmorrell] ask Caldera
[BasharTeg] Well, you don't want to lose out on ANY potential business by calling people twats and morons
[dickmorrell] but you are a twat
[dickmorrell] you came in here
[dickmorrell] asking if I could
[dickmorrell] fix your kernel panics
[dickmorrell] without doing ANY homework
[dickmorrell] its appalling
[dickmorrell] I'd be EMBARRESSED
[dickmorrell] to ask a silly question
[BasharTeg] I didn't ask you to fix them, I asked if they were going to be fixed
[dickmorrell] GOOGLE dude
[dickmorrell] I did fix them
[dickmorrell] I sent my fixes to Alan Cox and Linus
[dickmorrell] but..
[dickmorrell] I also wrote a better USB driver
[dickmorrell] and a better Alcatel driver
[dickmorrell] so now I get 57/60k/sec
[dickmorrell] upload
[dickmorrell] but Its not GPL
[dickmorrell] and nor will it be
[dickmorrell] it was 4 weeks work
[BasharTeg] Linux was a lot more, and that's GPL
[dickmorrell] you are a shithead arent you
[dickmorrell] lol
[dickmorrell] total fuckwit
[dickmorrell] now go away
[dickmorrell] DOS
[dickmorrell] thats your level
[dickmorrell] go play
What a pleasant chap!
Smoothwall has issues with DSL uploads. A bug in their driver means uploads won't exceed 3.5Kbps. They state in the topic on their IRC channel that "The bug has been fixed. It won't be applied to the GPL version of SmoothWall, only to the Commercial product". I tried IpCop, the "SmoothWall without Richard Morrell" (http://ipcop.sourceforge.net) and found that ADSL upload worked perfectly. I happened to be in the SmoothWall IRC channel when a user came in asking about this very issue. After being told to "fuck off if you haven't paid", as seems to be the norm, I commented that IpCop seems to have the problem solved. Here's the log from the "conversation" that Mr. Morrell and I had subsequently:
Start of dickmorrell buffer: Wed Jan 09 01:00:27 2002
Session Ident: dickmorrell (~rmorrell@rawhide-44066.in-addr.btopenworld.com)
[00:58] dickmorrell fuck off you cancer
[00:58] dickmorrell you fucking creep
[00:58] dickmorrell ipcop ?
[00:58] Job Getting a little irritated, eh?
[00:58] dickmorrell nope
[00:58] dickmorrell just with a cunt like you
[00:59] dickmorrell fucking cancerous cunt
[00:59] Job pffft, you got NOOOOOOOO chance of making a red cent with your attitude.
[00:59] dickmorrell lol
[00:59] dickmorrell we sold out already
[00:59] dickmorrell didnt you read ?
[00:59] dickmorrell lol
[00:59] dickmorrell muppet
[00:59] Job dickmorrell we sold out already === Yeah, I noticed...
[00:59] dickmorrell $5.6m
[00:59] dickmorrell goodnight
[00:59] dickmorrell twat
End of dickmorrell buffer Wed Jan 09 01:00:27 2002
Then, of course, I was k-lined.
I hope this gives people an insight into the kind of "customer support" they can expect from SmoothWall Inc.
Hi all
Having read the C't article and also some comments here, I would like to say that there ia another free firewall solution. Gibraltar is a CD-ROM based firewall that does not need to be installed on harddisk but runs directly from the bootable CD. You can find more information about it at
http://www.gibraltar.at/
Although I am - as the founder of this project - obviously biased, I think that Gibraltar can offer quite some functionaliy and is rather easy to use. There will be a commercial version with a web interface (which is currently developed) and installation suppoer, but the free version will always have exactly the same functionality as the commercial one (besides the web interface). The fist free version has been released about 1 1/2 years ago and is now used by a lot of people all over the world.
Gibraltar should be listed in a Linux-based firewall survey in the next issue of the German Linux Magazin.
Smoothwall and Gibraltar both have it's strengths and I can only recommend to look at both to decide which one suits your needs best.
Rene Mayrhofer,
Gibraltar project manager
rene.mayrhofer@vianova.at
I use OpenBSD on a 486 to act as a router on my house's cable modem network. So far it seems to have done a fair job (with the odd lockup - there is never anything in the logs so I can't tell whether it's hardware or software).
However my beef is that the 486 only has a 200Mb hard drive and 24Mb of ram. Since all of OpenBSD's security patches are distributed as source code patches this requires me to be able to rebuild the binaries to fix the wholes. There are no binary updates or patches so keeping such a system up to date after a major releases is actually quite a lot of work (I rebuild the kernel but I stop at that).
If (reliable) updated binaries for i386 architectures were provided then I would be happier to recommened this to peole using low end hardware.
i just had a one-to-one chat with a HIGHLY annoyed dickmorrell on their irc server.
/. has turned away not only a whole project - but a team of developers from the GPL.
i was offering some assistance with the UI and got this reaction:
I've not been to bed for 47 hrs
not needed thanks
I'm not doing any more GPL stuff
fuck the community
they blew it
I've gone proprietary
no more GPL
i understand that there are two sides to todays' little argument. but these guys are doing some pretty great stuff here and are TOTALLY justified in trying to make some sort of money out of their efforts (odd how you have to hand over cash to get food these days!).
and now a poorly put together review and the comments of all the autocratic purists here at
well done.
I had a similar dilema when I ran into smoothwall (management, etc). I restored an old pentium 133 with a 64 meg hard drive (yes, meg) and it hasn't failed yet.
My mother's getting one as soon as I can spare another hard drive to restore another old box.
Nice work Smoothwall. And nice response! LOL!
Ctimes2
My cube. My friend. My solace. My prison.
After having had trouble with all those dumb journalists ( the smoothwall developers team has two statements on their web site, one against an article in the UK Linux Magazine and now another one against the article in C'T ) in the last weeks who would wonder if Mr. Morrel and his team decide to print their own magazine:
- who-does-not-pay-me
I suppose the name of the new magazine to be:
how-to-become-a-prick-in-order-to-flame-everybody
Headline suggestions welcome!
"Share the Net" is the first PC firewall/Inet sharing product I ever used. I have to give it a lot of credit for being there before almost all of the others. Back when it came out, it was worth the $70. I got several sales for its author because friends of mine were sharing their apartments/homes with roommates, and this product saved them from having to add extra phone lines so both them and their roommates could get online at the same time.
(Sure, sharing a 33.6K or 56K modem with 2 people sucked - but it was enough for IRC chat and checking email.)
In today's marketplace though, I think its age is showing. For starters, there's no reason to pay $70 for it, when better products are out there that are *free*! Second, SharetheNet hasn't been updated in quite a while, last I checked. It uses a pretty old Linux kernel version - and doesn't support a lot of features that have become standard in other firewall software products.
The article or the response?
Boot times should not be a great concern with a firewall; you should only be booting it once a year or so anyway.
Once a year? Well, for those people who run firewalls on m$ products, once a week is more like it!
I work for a managed service provider and we run a bunch of firewalls for customers. Everything runs under Solaris on suitable Sun hardware, and even then I would like to see them re-booted 3 or 4 times a year.
Let's face it, UNIX rocks, but it does buffer lots of things in memory. One of my colleagues told me about a system he ran for two years without re-booting it, and when it finally was re-booted, it did not come up again. The occasional re-boot can't hurt it any. Besides, E250's and E450s boot in about a minute.
*** Where are we going? And what's with this handbasket?
If you get hacked, simply restart your machine, and you are back to factory settings.
Why would you allow your firewall to accept any connections? My firewall drops any attemp to access it remotely. The only way it can be accessed is from the system console.
*** Where are we going? And what's with this handbasket?
Personally, and this comment comes after seeing a lot of people "suck up" to Richard. I think people with bad experiences SHOULD complain.
While I do not wish to post the entire string of correspondence with this man (I don't want the web traffic/nor his threat of "hanging me out to dry"- whatever that means? to come to fruition), I would say that I found my one and only interaction with him both humiliating and un-professional.
That said, I would encourage anyone who has had an interaction with Richard that has led to an unsatisfactory or mean spirited response to be very vocal.
That's the market at work. And firewalls are not religion, and Morrell is not God. Let the malcontents speak, and let the market be the judge.
If Mr. Morrell wants to treat people in the fashion in which I feel he treated me, then he deserves what he gets in criticism.
In my opinion, he is nothing more than a bully. And I think the people who hold on tight to the "Morrell Bandwagon" should take a closer look at what they are supporting... Even if it's NOT their problem.
Whether or not the review in question was accurate, I think this is an entirely appropriate forum to bring up issues of support and the attitude of the Smoothwall team. Aside from the product's (project?) suitability of use for a particular application, there are also concerns of customer support that figure into suitability of use. For those of us who have been on the receiving end of Mr. Morrell's "treatment", there can be no recommendation of Smoothwall to our customers. It would, in my opinion, be too much like throwing one's child into a shark tank.
However, since Mr. Morrell had his interaction with me before I donated to the project, perhaps he makes up for his treatment of non-donators with a champaigne breakfast and trip to the Bahamas for those that donate.
After my experience with him, the breakfast and trip would almost make up for the sheer humiliation of my communication with him.
And with this rant concluding- I openly discourage the use of Smoothwall, and will continue to do so.
Even though I like the product (or um errrr project), I would have to recieve a personal apology from Mr. Morrell before I even considered burning his ISO.
I know you are sick of hearing it.... I'm just wondering when Richard will be sick of hearing it, and start being a nice guy.
Sorry, it had to be said. Judging from some of the experiences of others here, why in this world would you want to use this product? Seriously, even if it were best of breed I'm pretty sure I wouldn't touch it or reccomend it to anyone based upon the way this guy treats others. This thread has mentioned MANY other alternatives, surely one of those groups could be more helpful to you?
Build it, Drive it, Improve it! Hybridz.org
Almost all of the complaints I've ever seen lodged against Smoothwall were either accusations of the author being rude, a jerk, etc. - or accusations of GPL violations.
I think it's pretty clear that they haven't openly violated GPL. (They had a previous version where some wording needed a couple small changes to fully comply with GPL, but those changes were made before the latest release.)
As for the author, so what? The guy invested a lot of his time to give you a product that you can use for free. *That* is the bottom line. Is there a requirement anyplace that says you have to regularly report to Richard Morrell or interact with him directly in any way while you use Smoothwall? Not that I know of!
I joined the Smoothwall mailing list for quite a while, and what I saw was a flood of beginner questions that could have been answered by the user reading the instructions (or by actually installing the product before asking if it did or didn't have certain features!). If I was the author, I'd get angry with these people after a while too.
Have you ever had a truly good experience getting support on *any* IRC channel?
I can't begin to count all the rude and insulting people I've run into on plain old channels like #linux when I ask a question about something.
If I judged the quality of a product by that, I'd be 100% pro Microsoft by now!
"we have nnn,000 users and we know cause we get every smoothie to phone home" but what does that mean for the classic installed for two hours and rejected machines! do they actually have 1000 live systems even"
Very interesting. Anyone run a sniffer to see what tales its telling when it allegely "phones home" ? If the above comment is true. I would suggest that anyone who has this product in production find a replacement immediately.
Curmudgeon
Whois
Cue frantic whois entry changes of course.
Streetmap
Curmudgeon
Oh that is just so professionnal, DoSing someone you don't like. Just like some fucking unhappy teenager. Not necessarily the best advice for a business, you moron.
From the review:
From Daniel Goscomb's reply:To rephrase your question, I haven't gone looking for support on an IRC channel. I have, however, gotten plenty of good information from helpful people that has helped me to resolve my own problems.
If I want support, I buy commercial software. I went to irc.smoothwall.org to inquire about features that were neither explicitly mentioned nor explicitly denied in any of the product documentation.
The responses that I got from the support/dev team at #smoothwall has nothing to do with any judgements I have made about the quality of the product, only the attitudes construed by the people whose hands I place my network's security in, and whom I would have to depend on for support should I choose to buy the product.
Bad atitudes and poor security practices are unrelated issues. However, they are unrelated issues that the SmoothWall folks seem to have brought together with their "GPL'd" firewall solution.
Smoothwall remains one of the best ideas i've ever seen in home firewall solutions, under the GPL. It's the first one i tried, and i remain very pleased with the idea.
That being said, the execution needs work - i ran into all kinds of technical issues with the setup (had to do with my cheap network cards) that i, as a novice linux user, couldn't handle on my own. However, when i attempted to get assistance on the IRC channel that is suggested as a method of 'free' support, i was basically told flatly to "Suck it up, b**ch, or donate"
Kinda hard to justify donating. Given that i couldn't get the damn thing to run at all, isn't it?
...but maybe i'm just weird.
C
--
Democracy would work just fine if people weren't so goddamned stupid.
... when the guy looks like this.
It's just ooooozing football hooligan!
(c)Copyright 2001: This work is copyrighted by Smoothwall: You macy copy in whole or in part as long as the copies retain this copyright statement.
Tough to steal documentation you are allowed to use....
This is IMHO a bad answer, real bad. If anything, it clearly demonstrates
Smoothwalls' disregard for very basic security rules, laid out way way
back, and agreed upon by most, if not all, experts.
First, security isn't something you can buy in a black box, it is a
fine-grained process with different levels. One cannot disregard it on one
level "just because it is dealt with on another level". Case in point, the
lack of shadow-passwords. On one hand, every little exploit in ANY running
service (and history has proven there always comes along an exploit,
whether sooner or later) will immediately escalate to a full root exploit
because of the readable passwords-file. Nowadays computers can bruteforce
crack a Crypt-password in very little time...
But, it get even more dubious; why in the world has Smoothwall chosen to
disable a mechanism that is SO standard nowadays that (probably) all
linux distributions on earth have implemented it ?
That must one hell of a good reason to be worth it...
Saying "But only root has access so what's the problem anyways?" is
symptomatic of general bad security-desicions, ones like "I don't secure
the machines on my LAN because I have a firewall, don't I ?", "I click
blindly on any and all attachments because I use a virusscanner." and "I
don't need a burglary-insurance because I have perfect locks."
Sorry, but I in my opinion you missed the boat big time, Smoothwall.
Your mileage may vary of course, but this is my personal opinion.
IF this is kosher then it should be visible to all.
Build it, Drive it, Improve it! Hybridz.org
Well, yeah, LIDS is difficult to defeat.
But ask yourself this question, would you trust a guy that goes to great lengths (LIDS) to ensure security yet omits even the simplest basic things (shadow, filepermissions) while doing it ?
Would you trust him to implement LIDS in a safe manner ? Maybe he "forgets" some important settings somewhere "because that's irrelevant".
To me this sounds like hiring 3 well-armed bodyguards for some personal protection, while walking around with sticks of dynamite strapped to your chest. If you permit my analogy.
Security starts at the basics, or not at all.
Okay, having the only user be root is pretty stupid, but assuming root is the only user shadow is useless. I don't have one, so I can't check to be sure if it is a softlink as the programmer claims. However, if it is a softlink, well all softlinks have rwxrwxrwx permissions and the permissions behind it are what counts. Beyond all that, as root is the only user, it doesn't matter what your permissions are on any file anywhere on the system. Your correct, they sound like they have sound reasoning, but they did make a fundamental mistake just not the ones the reviewer listed.
Stop this spamming ridicule...Do you have a problem that evrytime you see the word IPCOP you type the word spam...
H&Ks Garf
Sure, when taken very literally I fully agree with you: IF root is guaranteed the only user, any filepermission settings are moot.
However, the point I'd like to make is this: Who DOES guarantee that there is no way whatsoever that a non-root user gets in ? I'm not intimately familiar with smoothwall, but there are numerous services that run as different users than root and may (in future?) prove exploitable. Think MTA's, bind, apache et al, ntpd, whatever. I'm not saying Smoothwall uses these services, I'm just saying they might be.
Things get even more complicated when two different exploits can be combined; for instance the recent kernel bug (related to IPfiltering) combined with an exploitable local service "that only runs on the inside interface".
This is not academic, stuff like this is really possible, maybe even happening as we speak.
In any event, not using shadow passwords takes away one barrier. Just one maybe, but it still theoretically weakens the setup.
what, I've said it in two places? Whoop-ee.
neuro at well dot com (when I post, it's my opinions, no-one elses)
Here is a response to the initial article.s e. shtml
http://www.heise.de/ct/english/02/01/162/respon
I'm completly with Mr. Schmidt on this one... as I have been subject to the Morell arrogance multiple times. A good response to this (and mine) would be to be inspired and build a better mousetrap (firewall).
c't now claims they have discored a concrete exploit for Smoothwall (http://www.heise.de/newsticker/data/ju-14.01.02-0 00/) using the design flaws they critized.
http://www.heise.de/english/newsticker/data/ray-14 .01.02-002/
With this URL you find a newsarticel about an currently existing securityhole in the SmoothWall.
The free smoothwall is good if you have one IP and a small LAN.
I've got 32 IP addresses and the need for a DMZ. I contacted the Smoothwall folks about this, and received a prompt and detailed response. I got another response a few days later with an organized product map and descriptions of the products. The prices aren't bad, and aside from the odd crabby person on the IRC channel, the experience has been pretty good so far.
I don't know one way or the other about the GPL violations... I just want a firewall product that's easy to deal with and *works* - ipchains/etc is too difficult for some clients to manage, but smoothwall isn't.
Another option is to log to a tape drive and cut the wires to the rewind motor ..... at least this way you can still electronically monitor your data post disaster.
I can honestly say I was considering buying their new Smoothwall release. It's a great product, and *some* of the people behind it seem fairly pleasant. I decided to hang around the IRC channel first, maybe ask any questions if I think of them, and see what the support is like.
:(
;)
It didn't go too bad at first. I chatted with another user and some of the team, no problem at all. Then I minded my own business for a while, wandered off for a coffee, came back and saw that I was banned.
So I checked through my logs - dickmorrel had basically arrived, insulted the Germans a bit, banned a few people for no reason (myself included), and had disappeared by the time I came back and tried to message him.
Between my own experience and other articles I've read here, he seems the most unpleasant person I've ever met online for his status, with some very serious attitude problems. I wonder how many other potential sales they've lost out on through this man's rudeness. They don't deserve business when they insult people like that, and hopefully I'm not the only one who'll be keeping people informed on as many feedback sites as possible.
IRC logs - judge for yourself:
unless you have any ewireless gear you are willing to donate
then you get a free copy of Corp Server
ok.
Joins: Hellcore [~Hellcore@rawhide-261.blueyonder.co.uk]
ChanServ sets #smoothwall mode: +o Hellcore
wb Hellcore
lo
Joins: dickmorrell [~rmorrell@rawhide-44066.in-addr.btopenworld.com]
ChanServ sets #smoothwall mode: +o dickmorrell
lo
lo
lo dickmorrell
hello hairy bloke
can we unban rto
he apologised
not a bad bloke
Quits: gordon [Quit: Its good to talk... But I have run out of time... Be Back Later]
Joins: gordon [~gordon@rawhide-17386.btinternet.com]
talked for a while
hes ok
neuro sets #smoothwall mode: -b *!*rto@rawhide-11637.in-addr.btopenworld.com
Joins: sundance [~D@rawhide-37446.dip.t-dialin.net]
dickmorrell sets #smoothwall mode: +b *!*D@rawhide-37446.dip.t-dialin.net
Ban: dickmorrell bans sundance [*!*D@rawhide-37446.dip.t-dialin.net]
sundance was kicked by dickmorrell [dickmorrell]
ugh - i still not gone home yet
lo dick
lo
can we set a ban
for t-dialin
please
i took it off dude
can we put it back
was wanting to give the germans a chance
hehe
nope
fuck em
sorry
neuro sets #smoothwall mode: -b *!*D@rawhide-37446.dip.t-dialin.net
sorry
not being racist
neuro sets #smoothwall mode: +b *!*@*.t-dialin.net
but the amount of spam
I'm getting
and my firewall logs
sorry dude
three strikes..
they're outta here
my logs are HUGE
hehehe - mine too
but only after a hearty meal
lol
goit
i try my best.
dickmorrell sets #smoothwall mode: +b *!*myob@rawhide-32909.access.clara.net
dickmorrell banned you in #smoothwall [*!*myob@rawhide-32909.access.clara.net]
Ban: dickmorrell bans Golsec`Away [*!*myob@rawhide-32909.access.clara.net]
You were kicked by dickmorrell [dickmorrell]