SmoothWall Firewall Review
Daniel Goscomb, one of the lead developers of Smoothwall, responds:
In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.
The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant, as there is only a single user that can access the shell: root. This also removes the need for shadow password files; if you have access to the machine to get the passwd file, you are already in as root anyhow.
Secondly, he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format because pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he had looked a little more closely he would have seen that they are in fact symlinks to the two real files, which do have the proper permissions on them.
He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.
As to the part about user authentication of the CGI scripts: this is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.
I also find it disturbing that the author gave us no room for comment in his article, nor did I see anything to suggest he had even asked us about these so-called "problems". We would have been happy to answer any questions he had.
Sincerely,
Daniel Goscomb.
Chalk it up to lack of testing. A firewall developer should let a team of hackers attack, poke, and prod the firewalls before releasing them to either eliminate or minimize vulnerabilities.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
We have an article taking what dang has said, along with our comments on the way the article's author behaved when collecting his "evidence":
our response
neuro at well dot com (when I post, it's my opinions, no-one elses)
After trying several different firewall products, I found Smoothwall to be the easiest to set up and maintain. As far as the reviewer's points, most are irrelevant, since the only access to the web interface and to SSH is from INSIDE your network. Unless you go out of your way to activate these things externally, they're simply not seen by attackers. But then again, if you changed the way the product is shipped, then it's really not working like it was intended anyway.
This debate seems to be over whether Smoothwall was designed to secure against attack from outside your DSL dialup or against attack from the inside. Shadow passwords are meant to provide a safeguard against dictionary attacks from logged-in users on a multiuser system. c't's complaint that there is no shadow password on a single-user system is valid if you're worried about people in your own house trying to hack into your firewall.
From what I understand, even a user in your own house wouldn't be able to get at the password file, since only the root account (which one would assume is password protected) has access to a shell. This isn't a multiuser system that people log into.
(This is my understanding from what I've read - I've never used SmoothWall - please correct me if I'm mistaken).
As your momma always said: "If you don't have anything good to say about someone, don't say it" or "if someone keeps 'bothering' you, just stay away from them." It's as simple as that.
So if you don't like Richard Morrell, head of the SmoothWall project, consider:
Personally, I'm sick of the "one-sided" reporting on Mr. Morrell. I've seen way too many people "complain" about him, but never comment on various personal details that are partially the cause of this, let alone the daily onslaught of Windows users who've barely heard of Linux, who don't bother reading the FAQ, let alone demand that SmoothWall automagically support every little, crappily designed Windows application and their proprietary protocols that don't work well with firewalls anyway. After a week of being on the SmoothWall lists, I'd kill some very rude and ungrateful users well before Morrell. If you feel Morrell is "really bad for the project," then that's his problem, not yours!
Now if you still want something like SmoothWall without the SmoothWall(TM), take notice that others have forked the project into a new one called IPCop. Version 0.1.0 features SmoothWall 0.9.9, all the major post-0.9.9 patches and various enhancements. A final 0.1.1 release is to follow shortly before the team starts to work on version 0.2.0, a Linux 2.4/Netfilter implementation.
For all I care, you can think of IPCop as "SmoothWall without Morrell." Just don't say it out loud, since many of us are all sick of hearing it!
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
There's also a support community.
Some companies such as Pyramid are reselling Astaro with hardware and support.
-------
Warning: Slashdot may contain traces of nuts.
I can vouch for that, logged in as linzeal or koat. I have moved on to the Astaro Linux firewall, though. Smoothwall had a teensy problem with one of my ethernet cards that caused it to operate at half duplex; besides that, I wish some of the logging features were put into Astaro on the web config side. Astaro, however, "requires" an i586/300MHz and a 10 gig hard drive but actually runs on much less.
An Education is the Font of All Liberty
Been there, done that. I urge all who plan on downloading Smoothwall to first hang around for a minute in their IRC channel. Dick Morrell has the worst attitude I have ever seen. Their claim to fame is that it will run on older machines, so I tried it. The 540MB hard drive was filled with logs and took the box down after a couple of weeks. I asked Mr. Morrell if it cleaned itself every once in a while and his reply was "get a bigger hard drive". He then started going off on how I shouldn't criticize his product because I'm not paying for it. All I asked is if the logs would clear eventually! That's just my incident that happened within 5 minutes of meeting him online. I've heard much worse about him. Because of that, I will never tell my friends about Smoothwall again. If you would like an excellent firewall, with more options, better security, and an excellent support team, I recommend you check out www.astaro.com (which is also a Linux firewall).
PPP sends the username/password in plain text. If the password is encrypted, how are you supposed to send it plaintext? I suppose you could use a symmetric cipher, but then you'd have to have the key hardcoded someplace. That doesn't seem secure either, does it?
The other option is to require the remote end to authenticate to you. Unfortunately, I doubt there's an ISP out there that would do that.
In other words, the developers are entirely correct.
I've used Coyote Linux (http://www.coyotelinux.com) for about a year now, and it works great. It's a single-floppy distro that runs on a dedicated 486 with 8 or meg of memory. It supports PPPoE and dial-on-demand (among other things), and is remotely manageable with ssh, if so desired. Just my $.02.
Geek used to be a four letter word. Now it's a six-figure one.
The first time he visited #smoothwall, he fully announced his intention, and the publication he was writing for ... however there was hardly anyone there. He was pointed to Richard's email address by me, as a public IRC channel is hardly the place to conduct a press interview.
The second time he visited #smoothwall, he did not introduce himself as a journalist, nor did he say he was writing an article, and he proceeded to try and grill the channel members on the points he wrote about in the article. This is where some misunderstandings are appearing, as not everyone posting here about their IRC experience was online the first time Jürgen appeared.
neuro at well dot com (when I post, it's my opinions, no-one elses)
What company? SmoothWall GPL, which is the version reviewed, is released under the GPL by a volunteer team of developers, testers and helpers.
neuro at well dot com (when I post, it's my opinions, no-one elses)
Are you speaking of me? Must be.
Anyway, I do not know the gentleman that posted that little piece. However, I do have a tendency to agree with him.
As for the spam. OK, if you see it that way.
Also, I never claimed that it was anything other than a fork. As a matter of fact it's plastered in every piece I write on my site. http://slydder.homelinux.com
I hate not being clear on matters.
As for having problems from SourceForge, I don't think so. But then again if we did it could only be because a certain person keeps on us to remove all mention of SmoothWall. hehe. What a character.
chuck
IT Admins Group: Where you decide the content
Smoothwall GPL requires separate hardware interfaces (modem/NIC) per IP. The internal NIC can only view the splash page of Smoothwall, and the external can't see it at all. By merely spoofing packets you cannot get to the internal IP.
But then you don't actually have an example of this spoofed packet that will fool smoothwall, do you?
Yes, smoothwall doesn't filter email. It's a conventional firewall. It's not a virus-checker. Compromised machines on the internal network can view the splash page of smoothwall. The splash page reveals the smoothwall version number and " 1:19pm up [REMOVED] days, [REMOVED], 0 users, load average: 0.38, 0.54, 0.57".
Anything more and you need http authentication. Show a theoretical exploit or calm down, please.
Even though the Smoothwall developers argue that shadow passwords are not required, I think they are. I have a box running right here with it. Apache runs as the user "nobody", and therefore can read /etc/passwd. If shadow passwords were enabled, reading /etc/passwd would not matter.
By default, Smoothwall does not allow access to the web interface from the outside, but, very frequently, people open that up to the world so they can get at it from anywhere (which is very easy to do through their menuing system). The box does not ask for a password until you actually get into the configuration screens, but CGIs that give you information are not protected by .htaccess files.
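The two opposing claims in this thread (the developer's, that a box with a single root shell user does not need shadow passwords, and the one above, that Apache running as "nobody" can read /etc/passwd), together with the developer's earlier point that the pppd secrets are symlinks to files with proper permissions, all reduce to file checks that anyone can run on their own box. The script below is an added example and not SmoothWall's own code: it builds constructed sample files in a temporary directory (a passwd file that still carries hashes, a shadowed one with "x" in the password field, and a mode-600 secrets file reached through a symlink, with a made-up user name and secret) and reports, for each, whether a password hash is exposed to non-root processes and what mode the symlink's target really has. Nothing here touches the real /etc/passwd.

```shell
#!/bin/sh
# Added example: file-level checks behind the shadow-password and
# symlink-permission arguments in this thread. All sample files below
# are constructed in a temp directory; they are not the real
# /etc/passwd or pppd secrets of any SmoothWall install.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed passwd file with the hash kept in field 2 (no shadow
# file). Any process that can read it, e.g. Apache running as
# "nobody", gets the hash and can run a dictionary attack offline.
cat > "$WORK/passwd.noshadow" <<'EOF'
root:$1$saltsalt$0123456789abcdefghijklm:0:0:root:/root:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
EOF
chmod 644 "$WORK/passwd.noshadow"

# Constructed passwd file as it looks with shadow passwords enabled:
# field 2 is "x" and the hash lives in a root-only /etc/shadow.
cat > "$WORK/passwd.shadowed" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
EOF
chmod 644 "$WORK/passwd.shadowed"

# Constructed pppd-style secrets file (mode 600) plus a symlink to it,
# the layout the developer describes. "ls -l" on the link shows
# lrwxrwxrwx; the mode that matters is the target's. The user name
# and secret are hypothetical.
printf '%s\n' '"dialup-user" * "hypothetical-secret"' > "$WORK/real.secrets"
chmod 600 "$WORK/real.secrets"
ln -s real.secrets "$WORK/link.secrets"

# hashes_in_passwd FILE: succeeds if any account keeps a real hash in
# field 2 (anything other than x, *, ! or empty), i.e. no shadowing.
hashes_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { found = 1 }
             END { if (found) exit 0; exit 1 }' "$1"
}

# effective_mode PATH: octal mode of the file the path finally refers
# to, symlinks followed (GNU stat first, BSD stat as a fallback).
effective_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# world_readable PATH: succeeds if the "other" read bit is set on the
# resolved target (last octal digit 4, 5, 6 or 7).
world_readable() {
    case "$(effective_mode "$1")" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# verdict FILE: one-line summary of both checks for a passwd file.
verdict() {
    if hashes_in_passwd "$1" && world_readable "$1"; then
        echo "$1: hashes exposed to every local user and process"
    elif hashes_in_passwd "$1"; then
        echo "$1: hashes present, but the file is not world-readable"
    else
        echo "$1: no hashes in the password field (shadowed)"
    fi
}

verdict "$WORK/passwd.noshadow"
verdict "$WORK/passwd.shadowed"
echo "$WORK/link.secrets: resolved mode $(effective_mode "$WORK/link.secrets")"
```

Run against a real box, point `verdict` at /etc/passwd and `effective_mode` at the pppd secrets symlinks; the first check is what decides whether the "only root has a shell" argument holds once a non-root daemon such as Apache is reading files on the same filesystem.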
I wanted to install it on a box that only had SCSI on it awhile back, but they ripped support out of the free version for SCSI. So I joined the irc channel and asked about it. They told me to wait until the commercial version was out and to buy that if I wanted scsi support. So I grabbed their *SDK* as they call it, and it had nothing useful in it at all. I joined back up to the irc channel to ask how to compile everything, they asked why, so I told them I was building in SCSI support so I could run it on the extra box that I had laying around. No one would talk to me after that.
I found a different machine to run it on, but the only reason I'm still running it is because I haven't had time to get something else. I used to recommend Smoothwall to people, but not anymore. The developers I talked to were conceited jackasses. If they had helped me out, I probably would have even donated a few dollars to them.
Need Free Juniper/NetScreen Support? JuniperForum
70 Dollars?! Coyote Linux does this too, and is free.
For this reason (and others) there has been a fork from Smoothwall GPL to create a new project called IPCop. You can download a beta .iso from the website: ipcop.org
For me it was a straightforward switch from Smoothwall to IPCop. Easiest install of any operating system I've ever seen. IPCop supports ext3 (for no extra cost!), which is great for unplanned reboots.
Works very nice for me.
Idempotent operation: Like MS software, whether you run it once or often, that doesn't make it any better.
To the firewall at www.dubbele.com
Hi all
Having read the c't article and also some comments here, I would like to say that there is another free firewall solution. Gibraltar is a CD-ROM based firewall that does not need to be installed on a hard disk but runs directly from the bootable CD. You can find more information about it at
http://www.gibraltar.at/
Although I am, as the founder of this project, obviously biased, I think that Gibraltar can offer quite some functionality and is rather easy to use. There will be a commercial version with a web interface (which is currently being developed) and installation support, but the free version will always have exactly the same functionality as the commercial one (besides the web interface). The first free version was released about 1 1/2 years ago and is now used by a lot of people all over the world.
Gibraltar should be listed in a Linux-based firewall survey in the next issue of the German Linux Magazin.
Smoothwall and Gibraltar both have their strengths, and I can only recommend looking at both to decide which one suits your needs best.
Rene Mayrhofer,
Gibraltar project manager
rene.mayrhofer@vianova.at