Slashdot Mirror


SmoothWall Firewall Review

ray-x sent in a pointer to a review by c't of the Smoothwall firewall product. c't's reviewer described several flaws in the firewall. We asked Smoothwall for their comments on the review, which are posted below.

Daniel Goscomb, one of the lead developers of Smoothwall, responds:

In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.

The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need for shadow password files: if you have access to the machine to get the passwd file, you are already in as root anyhow.

Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.

He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.

As to the part about user authentication of the CGI scripts: this is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.

I also find it disturbing that the author gave us no room for comment in his article, nor did I see anything to suggest he had even asked us about these so-called "problems". We would have been happy to answer any questions he had.

Sincerely,

Daniel Goscomb.

5 of 495 comments

  1. Response by wpanderson · Score: 4, Informative

    we have an article taking what dang has said along with our comments on the way the article author behaved when collecting his "evidence" ...

    our response

    --
    neuro at well dot com (when I post, it's my opinions, no-one else's)
  2. Re:Old debate...? by strags · Score: 4, Informative

    This debate seems to be over whether Smoothwall was designed to secure against attack from outside your DSL dialup or against attack from the inside. Shadow passwords are meant to provide a safeguard against dictionary attacks from logged-in users on a multiuser system. c't's complaint that there is no shadow password on a single-user system is valid if you're worried about people in your own house trying to hack into your firewall.

    From what I understand, even a user in your own house wouldn't be able to get at the password file, since only the root account (which one would assume is password protected) has access to a shell. This isn't a multiuser system that people log into.

    (This is my understanding from what I've read - I've never used SmoothWall - please correct me if I'm mistaken).

  3. No more comments on Morrell, please! Try IPCop! by BitMan · Score: 5, Informative

    As your momma always said: 'If you don't have anything good to say about someone, don't say it' or 'if someone keeps "bothering" you, just stay away from them.' It's as simple as that.

    So if you don't like Richard Morrell, head of the SmoothWall project, consider:

    • ignoring him
    • the fact that SmoothWall is free software and freely supported (regardless of the "requests" for monetary support made)
    • disregarding SmoothWall altogether, if it really "bothers" you that much (see below)

    Personally, I'm sick of the "one-sided" reporting on Mr. Morrell. I've seen way too many people "complain" about him, but never comment on various personal details that are partially the cause of this -- let alone the daily onslaught of Windows users who've barely heard of Linux, who don't bother reading the FAQ, let alone demand that SmoothWall automagically support every little, crappy-designed Windows application and their proprietary protocols that don't work well with firewalls anyway. After a week of being on the SmoothWall lists, I'd kill some very rude and ungrateful users well before Morrell. If you feel Morrell is "really bad for the project," then that's his problem, not yours!

    Now if you still want something like SmoothWall without the SmoothWall(TM), take notice that others have forked the project into a new one called IPCop. Version 0.1.0 features SmoothWall 0.9.9, all the major post-0.9.9 patches and various enhancements. A final 0.1.1 release is to follow shortly before the team starts to work on version 0.2.0, a Linux 2.4/Netfilter implementation.

    For all I care, you can think of IPCop as "SmoothWall without Morrell." Just don't say it out loud since many of us are all sick of hearing it!

    --
    Bryan "TheBS" Smith
    Independent Author, Consultant and Trainer
  4. actually, shadow passwords should be used by austad · Score: 4, Informative

    Even though the Smoothwall developers argue that shadow passwords are not required, I think they are. I have a box running right here with it. Apache runs as the user "nobody", and therefore can read /etc/passwd. If shadow passwords were enabled, reading /etc/passwd would not matter.

    By default, smoothwall does not allow access to the web interface from the outside, but, very frequently, people open that up to the world so they can get at it from anywhere (which is very easy to do through their menuing system). The box does not ask for a password until you actually get into the configuration screens, but CGIs that give you information are not protected by .htaccess files.

    I wanted to install it on a box that only had SCSI on it a while back, but they ripped support out of the free version for SCSI. So I joined the irc channel and asked about it. They told me to wait until the commercial version was out and to buy that if I wanted SCSI support. So I grabbed their *SDK* as they call it, and it had nothing useful in it at all. I joined back up to the irc channel to ask how to compile everything, they asked why, so I told them I was building in SCSI support so I could run it on the extra box that I had laying around. No one would talk to me after that.

    I found a different machine to run it on, but the only reason I'm still running it is because I haven't had time to get something else. I used to recommend smoothwall to people, but not anymore. The developers I talked to were conceited jackasses. If they had helped me out, I probably would have even donated a few dollars to them.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
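The two points argued in this thread (a passwd file that still carries hashes because there is no shadow file, and pppd secrets files that are symlinks whose real targets need the restrictive mode) can both be checked on a box. The script below is an added audit example, not SmoothWall's or IPCop's code; its passwd sample and the chap-secrets files it builds in a temporary directory are constructed, and the hash value in the sample is a placeholder.

```python
import os
import stat
import tempfile

# Second-field values that mean "hash lives in /etc/shadow" or "account locked".
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}

# Constructed sample passwd content: root still has its hash inline (no shadow),
# nobody (the account a web server typically runs as) is shadowed. The "hash"
# is a placeholder string, not a real crypt(3) value.
PASSWD_SAMPLE = (
    "root:$1$CONSTRUCTED$placeholder-not-a-real-hash:0:0:root:/root:/bin/bash\n"
    "nobody:x:99:99:Nobody:/:/bin/false\n"
)

def passwd_leaks_hashes(passwd_text):
    """Return the account names whose passwd entry still carries the hash itself.
    /etc/passwd is world-readable, so any local account, including the 'nobody'
    user Apache runs as, can read such hashes for offline guessing."""
    leaking = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip rather than guess at its layout
        if fields[1] not in SHADOW_MARKERS:
            leaking.append(fields[0])
    return leaking

def secrets_target_exposed(path):
    """Resolve symlinks first (the developer response says the pppd secrets files
    are links to the real files) and report whether the resolved target grants
    any group or other permission bits; the link's own mode is irrelevant."""
    st = os.stat(os.path.realpath(path))
    return bool(st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def build_demo_secrets(mode):
    """Create a constructed chap-secrets symlink -> real file with the given mode
    in a fresh temporary directory and return the symlink path."""
    d = tempfile.mkdtemp(prefix="secrets-demo-")
    real = os.path.join(d, "chap-secrets.real")
    with open(real, "w") as f:
        f.write("# constructed sample\nuser\t*\tsecret\t*\n")
    os.chmod(real, mode)
    link = os.path.join(d, "chap-secrets")
    os.symlink(real, link)
    return link

if __name__ == "__main__":
    print("hashes inline for:", passwd_leaks_hashes(PASSWD_SAMPLE))
    for m in (0o600, 0o644):
        print(oct(m), "exposed:", secrets_target_exposed(build_demo_secrets(m)))
```

On a real system you would pass the contents of /etc/passwd and the paths of the pppd secrets files instead of the constructed sample.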
  5. Re: Attitude Problems with Smoothwall Developers by onya · Score: 5, Informative

    For this reason (and others) there has been a fork from SmoothWall GPL to create a new project called IPCop. You can download a beta .iso from the website, ipcop.org.

    For me it was a straightforward switch from SmoothWall to IPCop. Easiest install of any operating system I've ever seen. IPCop supports ext3 (for no extra cost!) which is great for unplanned reboots.