Slashdot Mirror

← Back to Stories (view on slashdot.org)

SmoothWall Firewall Review

Posted by michael on from the security-in-a-box dept.

ray-x sent in a pointer to a review by c't of the Smoothwall firewall product. c't's reviewer described several flaws in the firewall. We asked Smoothwall for their comments on the review, which are posted below.

Daniel Goscomb, one of the lead developers of Smoothwall, responds:

In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.

The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need of shadow password files, if you have access to the machine to get the passwd file, you are already in as root anyhow.

Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.

He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.

As to the part about user authentification of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.

I also find it disturbing that the author gave us no room for comment in his article, nor did i see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.

Sincerely,

Daniel Goscomb.

1 of 495 comments (clear)

  1. sharethenet by graveyhead · · Score: 4, Offtopic

    For an affordable, very easy to configure, and speedy (excellent performance on my 386/33 with 8mb ram) firewall/gateway, you just can't beat sharethenet. I had it up and running in 1/2 hour, and there is almost no performance difference when I have my cable modem hooked up directly to my speedy p3 desktop. It "embeds" linux by loading it from a floppy onto a ram disk. If you get hacked, simply restart your machine, and you are back to factory settings. Downside is you need dedicated hardware, but OTOH, that hardware can be very old and still perform.

    --
    std::disclaimer<std::legalese> sig=new std::disclaimer; sig->dump(); delete sig;