SmoothWall Firewall Review

ray-x sent in a pointer to a review by c't of the Smoothwall firewall product. c't's reviewer described several flaws in the firewall. We asked Smoothwall for their comments on the review, which are posted below.

Daniel Goscomb, one of the lead developers of Smoothwall, responds:

In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.

The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need of shadow password files, if you have access to the machine to get the passwd file, you are already in as root anyhow.

Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.

He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.

As to the part about user authentification of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.

I also find it disturbing that the author gave us no room for comment in his article, nor did i see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.

Sincerely,

Daniel Goscomb.

Daniel Goscomb seems far too complaintent

[byolinux]

That doesn't seem to be little more than excuse talk to me.

Typical Developer Reaction

[tthomas48]

Do they teach this response when pursuing a Computer Science degree? "Obivously you can't do it, because I can't think of how to do it." Sheesh.

Re:The review is full of crap..

What, chicken to post in anything but anonymous mode? Loser.

Re:Reveiwers have to listen...

[HiltonT]

Hi, I was in #smoothwall at that time too. I agree with Hellcore's comments - the "reviewer" came on and refused to admit he was writing an article, had an obvious agenda, and failed to listen to anything that anyone said. The fact that SmoothWall is designed to protect your LAN **from** the Internet was ignored. SmoothWall was not designed to protect your LAN **from** internal users. Regardless of this, there is only a single account that has a shell - "root" - and shadowing passwords and hiding passwords from this user is next to useless. If someone manages to gain shell access to the SmoothWall machine, they already have root access. Your box is gone. Just remember that this has not happened. There have been no known successful hacks on an un-modified SmoothWall. Secure? Yes, it is. Regards, HiltonT

Re:No more comments on Morrell, please! Try IPCop!

[wpanderson]

Once again, another ipcop troll/spam. ipcop is a project whose manager is spamming unrelated mailing lists about their SmoothWall fork. Yes, that's all it is, a fork. Plus it's a project that's having to be reminded by SourceForge of their obligation as a GPL-derived project by giving proper and full due credit to the project they are derived from.

Re:My Experience with Smoothwall's Richard

[wpanderson]

> It was the eve of the 0.9.8 release

It was actually the eve of the 0.9.9 release, 4 days after September 11th. As your email archive shows, I kept telling you to let things go - there were, and still are, worse things in the world to worry about than people giving you perceived attitude.

Go hug a loved one or something.
</peacenik>