SmoothWall 2.0 Linux-Based Firewall Released
thegraham writes "Despite some earlier server problems, SmoothWall 2.0 has been released this evening - there are also release notes available. SmoothWall is 'a firewall operating system distribution based on Linux, enabling a low-end, possibly otherwise redundant, Intel and compatible PC to become a hardened Internet firewall', and changes from version 1 include: 2.4 kernel, new web interface, improved networking and many bugs corrected through the Beta program."
I've been using the 2.0 Beta at home without any problems. It makes a great firewall for old boxes and has support for proxies, DynDNS and everything else you expect in a good firewall. All configured easily from a web based interface. Works great for protecting those Windows boxes too. Think Windows cowering behind a big Tux. Kudos smoothwall team.
IAALS.
Forgive me if this is an obvious question, but why run a dedicated "firewall operating system" when hardware and software firewalls are available?
Crude analogy, but it's the same thing.
I used to use smoothwall, but switched to the forked project IPCop. Some of the original developers forked away from smoothwall because of the founder's desire to mix open source with a business model that conflicted with the project. I was having problems with smoothwall and updates, which prompted me to switch to IPCop. I've been happy ever since.
Anyone else got opinions on Smoothwall vs. IPCop?
Using an old Pentium with two NICs for this is great, but the $699 licensing fee is a bit steep. Better stick to OpenBSD..
IPCOP is an alternative (fork) of the smoothwall project. They do a nice job as well. Thanks to both groups. I've been relying on IPCOP for years.
I've been using version 1.0 of their firewall for just over a year now, and I have to admit that it is a rather good firewall. I was able to load it on a P100 box with only a 540MB hard drive. Granted, with a hard drive that small my firewall doesn't do a lot as far as web cache is concerned, but otherwise it operates great. The patches are easy enough to install; all you have to do is download the gzip from the patches page built into the firewall web client. Upload the gzips and they're installed.
Managing the firewall is exceptionally easy as well. You can set up port forwarding to internal computers in under 30 seconds. All in all the firewall takes the major annoyances out of running a firewall. I highly recommend it for anyone who's got an old system lying around, and doesn't have the time to bother with setting up a firewall.
If you're looking here for something insightful or thought provoking, you're probably looking in the wrong place.
ipCop is a fork of the smoothwall source that has more of an open source community behind it. Personally, I found the whole "Buy Smoothwall Now!" experience just a little too annoying to use.
But, let me be the first to say that I love the concept behind this type of distro. A boot CD and 20 minutes turns any old wintel machine into a damn good firewall appliance (one that has a shell!).
And this is new how? There are dozens of firewall distros out there, does SmoothWall have anything special or innovative?
I couldn't agree more. With XP's firewall, I'm able to completely lose all access to the internet. I never have to worry about getting infected with virii, because they have no chance of being downloaded on my bulletproof machine.
I wonder when the rest of the OSs of the world will realize that XPs new focus on security first is the way to go.
Is there a -2, Obviously Retarded?
This thing is great. It is preventing my unauthorized slashotting attempt.
That's what a Linux firewall distribution is all about. :)
Great to see another firewall solution maturing. Congrats to the developers!
I've always hoped that someone would write a turnkey network/Internet authentication and user IP accounting app (no way do I have the skill at this time). Something that would create an IP table entry when a user authenticates, and track the Internet usage of their machine. Even better, it would be great if I could create a fake network interface for accounting, one which is associated with just one authenticated user, so I could measure each user's actual usage, rather than all the usage for the one machine. This is useful when you have more than one user logged in to a machine at a time, sharing the same NIC, or if there's other processes using bandwidth. Something that had Linux, Windows, OS X, etc. clients too... Impossible?
I stopped wiping mine back in '92.
It's solved a lot of problems. I used to have difficulties relating to people. Now that they avoid me entirely, I no longer feel inadequate due to my social skills, I know it's because my pants are full of crap.
Higher levels of configurability, maintenance, ability to audit the code, possibilities for adding other server capabilities...
Someone else continue this thread, please, I'm bad at this...
/.'ed
SmoothWall Express 2.0
SmoothWall Express 2.0 was released at 21:00 GMT on Monday 8th December 2002.
http://www.smoothwall.org/
** Please see http://smoothwall.org/ for the latest release
** information, downloads and updates!
SmoothWall Express 2.0 Release Notes
** Please note that the https web access port has moved from
** TCP/445 to TCP/441! Use https://x.x.x.x:441/ from now on!
Changes from SmoothWall GPL 1.0:
* SmoothWall GPL is now SmoothWall Express!
http://community.smoothwall.org/topic/1086
* Stateful packet inspection using Linux 2.4 kernel with iptables
and netfilter.
* Improved installer:
- Network card skip.
- Displays MAC address of detected cards.
- Prefilled IP addresses.
- Configure upstream web proxy for fetching update list when a direct
connection cannot be made or is not allowed.
* Improved web user interface; more user friendly, better error
reporting, more orange
* Improved connectivity device support:
- More USB ADSL modems; ECI chipset, USR SureConnect.
http://smoothwall.org/beta/eci.html
- BeWAN PCI ADSL.
- BT Home Highway USB TA.
* Universal Plug-n-Play support for Microsoft Windows XP users.
* Improved network usage graphs with RRDtool.
* Improved proxy performance through diskd and other squid tweaks.
* Static assignments in DHCP server options based on MAC address.
* SmoothWall time sync with internal or external NTP server. Can
sync from a built-in list of servers. (Does not provide ntpd
service to Green or Orange network however)
* Configuration backup to floppy disk for quick install on another
machine, or re-install on same machine (compatible with backup
floppies from Express 2.0 RC1, timesync server list bug when
using backup floppy from Express 2.0 beta7 "pendolino" - see
http://community.smoothwall.org/topic/2180 for more info)
* Simpler port forwarding; no need to open ports with external
access page, the port (or ports - port ranges are allowed now)
is opened and forwarded on one page.
* IP Blocking feature; block any given internal IP address or
subnet from accessing your SmoothWall or any port forwarded
hosts. Additionally, blocking rules can be added from the
firewall log interface.
* Advanced networking features; block ICMP ping, block multicast
traffic and enable SYN cookies.
* Improved VPN; no need for "next hop" setting, optionally enable
compression on the tunnel, still possible to connect to a
SmoothWall GPL 1.0 VPN.
* Perform network diagnostic (ping, traceroute) from web interface.
* New Java SSH client (replaced due to licence conflict).
* Added clear cache option to web proxy.
* Updates list location changed
http://updates.smoothwall.org/express/2.0
Thanks to those on the team and the forums for their hard work on
mods and patches
-----
Rebooting
-----
During the reboot, notice the nice boot screens.
You will notice differences if you use either the ECI or the USR
SureConnect USB ADSL modems.
For all USR ADSL modems, have the unit plugged in prior to booting.
If you are using an ECI-chipset driver (generic or FDX310), you will
see your screen fill with diagnostics as the firmware is uploaded and
the line synced. Occasionally this can appear to hang part way
through, but it should not stall for more than 30 seconds at a time.
The line should be synced when this process is complete.
The USR SureConnect will behave in a similar fashion, but with less
diagnostics.
---
Better to die in freedom than to live in servitude.
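As an added illustration that is not part of the release notes or of SmoothWall's own scripts, here is how the "Stateful packet inspection", "Advanced networking", "Simpler port forwarding" and "IP Blocking" items above map onto Linux 2.4 iptables/netfilter rules. The interface names, the LAN range and the IPT/SYSCTL dry-run variables are assumptions.

```shell
#!/bin/sh
# Added example, not SmoothWall's own code: the 2.0 release-note features
# expressed as Linux 2.4 iptables/netfilter rules.
# Assumptions: RED is the upstream interface, GREEN the LAN; IPT and SYSCTL
# can be overridden (e.g. IPT="echo iptables") to print rules instead of
# applying them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
RED="${RED:-eth0}"
GREEN="${GREEN:-eth1}"
GREEN_NET="${GREEN_NET:-192.168.1.0/24}"   # assumed LAN range

# Default-deny baseline ("stateful packet inspection"): nothing reaches the
# firewall or crosses it unless a later rule allows it, and replies to
# connections already accepted are let back in by the 2.4 connection tracker.
baseline() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # LAN hosts may open new connections outwards, masqueraded behind RED
  $IPT -A FORWARD -i "$GREEN" -o "$RED" -s "$GREEN_NET" -m state --state NEW -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$RED" -s "$GREEN_NET" -j MASQUERADE
}

# "Advanced networking features; block ICMP ping, block multicast traffic
# and enable SYN cookies"
harden_red() {
  $SYSCTL -w net.ipv4.tcp_syncookies=1
  $IPT -A INPUT -i "$RED" -p icmp --icmp-type echo-request -j DROP
  $IPT -A INPUT -i "$RED" -d 224.0.0.0/4 -j DROP
}

# "Simpler port forwarding": one call both opens the external port range and
# forwards it to an internal host (DNAT without a port keeps the original
# destination port, so a whole range forwards unchanged).
#   forward_range <tcp|udp> <first:last> <internal host>
forward_range() {
  proto=$1 ports=$2 host=$3
  $IPT -t nat -A PREROUTING -i "$RED" -p "$proto" --dport "$ports" \
    -j DNAT --to-destination "$host"
  $IPT -A FORWARD -i "$RED" -o "$GREEN" -p "$proto" -d "$host" --dport "$ports" \
    -m state --state NEW -j ACCEPT
}

# "IP Blocking": keep an internal address or subnet off the firewall itself
# and off every port-forwarded host. Inserted at position 1 so the DROP is
# evaluated before any ACCEPT added earlier (including the ESTABLISHED rule).
#   block_internal <ip or subnet>
block_internal() {
  $IPT -I INPUT 1 -i "$GREEN" -s "$1" -j DROP
  $IPT -I FORWARD 1 -i "$GREEN" -s "$1" -j DROP
}

# Sample run: with DRYRUN=1 the rules are only printed, never applied.
if [ "${DRYRUN:-0}" = 1 ]; then
  IPT="echo iptables"; SYSCTL="echo sysctl"
  baseline
  harden_red
  forward_range tcp 80:81 192.168.1.20   # assumed internal web host
  block_internal 192.168.1.77            # assumed misbehaving LAN host
fi
```

Run it as `DRYRUN=1 sh rules.sh` to review the generated rules before applying them on a box where iptables is available.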
That doesn't sound half bad
Congratulations to all those who made Smoothwall's latest release possible.
:)
Based on personal experience, I highly recommend that anyone planning to use, donate to or purchase support for the Smoothwall product first research the company and primary members of the development team, such as founder Richard Morrell, before making a commitment. Of course, that's a good idea under any circumstances, with any software product.
Personally, I use the Mitel SME Server distribution (formerly e-smith) for my needs, but the feature set is somewhat different and it may not be a good fit for you. The community of users supporting users, however, is a great asset to the SME server project.
Anyway, I didn't get the job with them, although I did find another *nix job much to my relief. I wouldn't use this myself though - IMO an experienced admin should take a minimal install of his favorite generic Linux/BSD distro, and build from there. Smoothwall is good for the less experienced though, who need an out of the box solution right now, not after 6 months googling :-)
I believe part of the issue was not with his distribution model, but if anyone has talked with the main developer personally, you would know he has quite an attitude problem. While in the smoothwall IRC room, I would advise not asking any questions unless you donated some money or he will go off on a tangent about how you haven't given anything to him. I believe his name is "Dick" as well. Just a word of advice, I would rather go with Astaro.
It's a really nice product now.
Once upon a time I wouldn't go near it - one of the original founders was a real rude little shite and a huge liability to the project. And when I say rude, I mean rude - he used to tell potential or even existing customers to fuck off on a fairly regular basis, and that was when he was being polite!
Only his small circle of friends stayed on the IRC support channel - anyone else got kick-banned without even saying a word (either party).
Basically he used the wrong license, as in the end he seemed to detest the GPL and the "freeloaders" that were "stealing" copies of "his" work (perhaps he was the inspiration for SCO, huh?)
Thankfully he fucked off. It's a nice project now, supported by nice people! Give it a try.
I thought someone was actually using the 2.0 kernel for something
And I highly recommended it for many moons.
Unfortunately, the developers really annoyed me. One time, they released a patch that added a splash screen to the web interface that popped up EVERY time you changed page. And set chattr+i on the file on the server, then deleted the {ls,ch}attr commands on the server.
Which was just offensive. I went into their [community] IRC channel and mentioned how to fix it, and was kickbanned.
They make a big thing about being GPL and community-friendly, but in practice I just find them offensive.
I cannot highly enough recommend that people don't use this, and use ipcop instead.
Gary (-;
A rather newbie sounding question but can anyone explain solid reasons to use this instead of the standard linksys firewall that comes with the router? Note that I'm talking about a home user with less critical requirements than a business.
Anyone know of anything comparable for old Macs? My father-in-law gave me an old PowerPC that I hate to throw away, but don't have any real use for.
Thanks.
The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
I look after a few small businesses, and use SmoothWall a lot. They often have an old box sitting around I can use, they can all afford the 180 for the commercial version, and keeping on top of patching it is a point and click operation which takes seconds.
The higher end products (SmoothTunnel for VPNs, SmoothConnect for traffic shaping) are also great value for money.
I've only had to use their support once, for an odd VPN problem, and they fixed it professionally and quickly.
Predictive text is shiv!
At least there hasn't been any friction with my boss about this. I just hope in the future, they polish up the documentation, rather than gloss over the important parts.
Can you boot it off CD and just use that (without a hard drive)? Devil Linux is a firewall distro that specializes in just being a bootable CD firewall. You store your config on a floppy and set the floppy's no-write tab once you are set.
Long ago I ran OpenBSD with IPfilter and NAT on a 486 box as my firewall.
I now run a LinkSys BEFSR411. Not as secure - it cannot do both SPI and redirect, and it does not do VPN.
Why the switch? I wanted to get away from an old PC with moving parts that could fail, and I wanted the four-port 10/100 switch, which finally gave me the ability to run 100 Mbps between the computers that supported it.
Recent issues with business clients have brought security back to mind, and after looking at the popular canned products (LinkSys/NetGear, etc.) I conclude that the old roll-your-own approach OF TEN YEARS AGO is more secure.
I want a roll-your-own solution (possibly SmoothWall, possibly something else) that runs on the equivalent of LinkSys hardware:
- No moving parts. Preferably not even a fan.
- Flash memory for filesystem.
- Multiple 10/100 ports, preferably independently controllable so you can set up a DMZ, or different rules for different machines.
Does such a beast exist, in a relatively user-friendly form and without being more expensive than the old desktop that would otherwise be used?
Has been doing this for a long time...
There is also MandrakeSoft's Multi Network Firewall which is a very nice firewall + network infrastructure management software that provides many features, including multi-VPN support. And it's very easy to use.
Is anyone using smoothwall in a mission critical situation? I am thinking of replacing the expensive and complicated Cisco Pix at the office with something simpler (smoothwall or ipcop).
Is this secure and scalable enough for my 3 transactional web sites in the DMZ and the 30 workstations?
I installed it and not once did it ever pop up a browser informing me how to protect my children from the internet. Needless to say I deinstalled it pronto.
Btw, anyone know of a hardware solution for this problem?
I'm using ClarkConnect (www.clarkconnect.org) at home, it sounds similar to this.
ClarkConnect is easy to install and configure, and seems to work well. Not sure how it compares with smoothwall.
Why not use a secure system in the first place, like Windows XP Professional. I hear it is very good.
... the ability to filter connections on port 80 based on the referring url.
Hooray for googlecache...
Freedom isn't free; its price is the well-being of others.
The LEAF distribution of Linux (leaf.sourceforge.net) has performed excellently over the years. Various sub-distributions have tackled different things, and I've happily been using Bering at my company for years now. Smoothwall and Bering sound similar: Bering offers a 2.4 kernel, one floppy default running size, easy setup, good documentation, an active and helpful mailing list, and Shorewall for those of us who don't want to muck around with iptables scripts. (I'm guilty of using iptables by itself for some time. Shorewall's thorough implementation is sobering to this do-it-yourself-er).
Recently I bought a Hotbrick hardware router/firewall which is based on Linux. Neat little box, with a web interface, logging, VPN, NAT and backup DSL line failover. Maybe one of the first in a whole generation of embedded Linux hardware.
As long as they can avoid some small issues, they should be ok. Since they only have two vulnerabilities (although one allowed remote execution of arbitrary code), they seem to be doing well.
Manipulate the moderator system! Mod someone as "overrated" today.
I was looking at Smoothwall a few months back, but found that I was scared off by the various versions etc... It really didn't seem clear if the GPL version would be supported for long. I ended up rolling my own Debian based system, but looked carefully at IPCop too.
(Actually just posting to eliminate some bad modding.)
BalamLike, give me an example?
Checkpoint? That runs on Linux/ Solaris / NT or whatever....
Checkpoint Nokia appliance? Just a rack-mount computer, running one of the above operating systems... they are not a "hardware" firewall.
Every firewall I've seen is just a fancy PC dressed up to look like some kind of hardware box.
Not sure what you mean by "your computer still has to do all the blocking".. a firewall IS a computer that does blocking, by definition.
Smoothwall is not some add-on to your existing box.. it's for building hardware firewalls....
Is there any advantage of using something like this over just using iptables?
PlanetMirror's got this now:
HTTP | FTP.
This is an honest question, not a troll, and I have no stake in any firewall vendor. I really want to know if there are any advantages at all to using Linux (or OpenBSD's pf) as a firewall. There certainly used to be, when commodity hardware firewalls were in their infancy, lacked a lot of features or were seriously overpriced. But now they are very mature products and are seeming to give open source firewalls stiff competition, for a very reasonable price.
Personally, I've used Astaro Security Linux for a long time since moving from Smoothwall, and I find it far superior.
It's of course free for home use, runs on anything down to a P100, and all the up2date is handled by Astaro themselves.
Hell, they even have FREE evaluation webinar-live-workshops for people to get acquainted with Astaro if they are new (and presumably to help with a purchasing decision for business). You can sign up for the Eval Workshop for free here.
When they release their version 5, I hope it gets the same kind of publicity, they are hands down the coolest internet firewall and don't seem to get much press.
I've been using Smoothwall 2.0 beta X for over a year now and I've had very few problems.
The most recent I'm using is Pendolino and it's great.
I have installed several customer sites with Beta5 (after extensive testing at my site) and they are all very pleased with it.
I highly recommend it. You can take an old PC and load it up and really be covered.
It's very easy to use, very reliable, very flexible.
What's even better is that you can use the built-in transparent proxy (squid) to block ads (sorry /., your ads too)..
I made a dull gray "this ad zapped" gif and put it in /home/httpd/zaps and edited the wrapzap file to tell adzapper to look on smoothwall for its images rather than using the resources of sourceforge. I found that the black and yellow gif was more annoying than the ads it was blocking. ;-/
Man, it's great. EVERY machine that I plug into my lan automatically gets its ads zapped. Friends and customers are freaked out and impressed with that. Then after seeing how cool it is they want a smoothwall too. Problem is I end up setting them all up for free..
Smoothwall is very cool, get it....
I see these larrikins are still out trying to stand on toes wherever possible, this time by making a comparison between the security of two distributions based on the setup of their administrative systems. This courtesy the front page of their web site under 'SecurityNews'.
Monday 8th December 2003
A Linux vulnerability allowed attackers to elevate user privileges in a recent attack upon the servers of the Debian Linux distribution. The vulnerability can only be exploited by people who already have access to a user account on the Linux system.
Unlike a standard Linux distribution, SmoothWall is a hardened system that does not create standard user accounts. Furthermore, all access for management or maintenance purposes is normally restricted to specific IP addresses.
For general purpose Linux systems using a kernel prior to 2.4.23 we recommend that the system be updated to remove this significant vulnerability. Check the website of your Linux distribution for applicable patches or see Network World Fusion for further information.
Suspect a bad connection inside the computer. Pull out all connectors and adapters and memory modules one millimeter and push them back. That refreshes the connections by wiping off oxides and other corrosion.
I like the new SmoothWall.
I used diskette based 'freesco' for years but finally moved to a new firewall version.
When I first looked at 'smoothie' I saw they really discouraged customization. I moved on to IPcop for awhile and then switched back to smoothie GPL v2 beta.
I now see some customization on the smoothwall.org site and it seems to be more supported than in the past.
I'll stay here for awhile, try it.. you might like it...
Similar products to SmoothWall (eg, IP Cop, e-Smith, Clark Connect, et al.) get mentioned from time to time, and - as a user of only one of them, I sometimes wonder if it's the best for our situation.
It would really help to have some point-by-point comparative review of all of them, so people could try to fit their situation(s) to each of the sets of parameters & pick a likely-best-fit from the review.
Eg, minimum & recommended system requirements, ISO size, security tests that each has survived, logging features, services provided (eg, file server, mail server, web mail, MySQL/PostgreSQL) above & beyond firewalling, etc.
Someone care to add to the parameter list, eg so some of us could each fill in the blanks for our current choice of system & publish the set of resulting reports in a repository, eg a bit like benchmark tests for various configurations get stored together, even though they come from lots of individual home test-labs.
If we start with a fairly complete list of parameters we'd likely come up with reviews that make sense to compare, especially if folks give the number of workstations they serve, on the network.
What'cha think?
I think these are awesome for small businesses and technically advanced home users but really not too great for the average home user. I think they will be better served with something like a low end SMC router. It's cheaper, smaller, costs less to run, and even compared to the easiest of these distros tends to be easier to set up. Usually you just plug it in and go. No need to open up a PC to install extra NICs and no need to worry about a power supply going. I used to run a PC for a firewall, but really with the features you get on these cheap routers I'm more than happy. Hell, the low end SMC7004VBR has an SPI firewall, VPN, Virtual Servers, and Access Control. All for under $40! You may have more fine grained control on something like Smoothwall, but for those who don't need it it's really no contest on which product is a better fit.
I guess most of what I said is common sense, and I'm sure those in the market for a PC based firewall have thought about it as well. I just thought I'd post in case you needed to be pushed one way or another.
If you wanna get rich, you know that payback is a bitch
At work we have a Sonicwall SOHO 2 on a Windows network. It was in place before I got there. We "need" to keep it because we have a client that theoretically wants to come in and look at data on one server. They have yet to ever do this, and it isn't clear if it would even work (the VPN should work since it was tested when it was made, but the server's data is supposedly questionable from something one of the accountants told me).
The Sonicwall SOHO 2 serves its purpose in that it keeps out the worms and I can block/open ports.
But where it is truly awful is the detail of its logs. It will tell me the top IPs that got the most traffic - but it includes IPs that are outside of our network, and inside of our network. It will tell me the web URLs that get the most hits. And it tells me which protocols transmit the most data and how much that is.
But while that is nice in theory, it is largely useless.
I want to know what pages and what protocols specific inside IPs are doing. I want to know which inside computer is connecting to what outside computers over what protocols.
Also, if I block a protocol/port, it will still log all of the attempts towards it exactly the same as if it were being allowed in. It doesn't say that 1000 hits were attempted on it but didn't get in - it just says that there were N megs of data against it (apparently not through it).
I don't care about logging what they do - I'm pretty laid back about all of that. If they are doing naughty things, that is their deal (my superiors have yet to tell me otherwise).
But I do very much care if people have spyware or viruses on their systems - and a firewall is a great way to track down who has those issues. I can do it with what we have now, but it could be far easier.
I looked into Smoothwall and thought that it looked good - and it is free. Even then, I don't know if I can get money even to get a lowly machine to run as the firewall.
It isn't clear on their site how detailed the logs go.
And it isn't clear if I can mimic the same VPN processes that are in place now, with the Smoothwall system.
I would love to hear feedback about the software. That way I can make a more informed decision as to what to do about the overpriced SOHO (in order to use features on it, you continually have to pay to have them turned on, such as VPN or virus checking).
There are some odd things afoot now, in the Villa Straylight.
Geek. I use smoothwall on a 133mhz Pentium at home not because it is the easiest firewall in the world. I use it because I can. Linux firewall=fun. Sure plugging in a Linksys router would be easier but there is no fun and adventure in that.
I worked on a small PC system to do just this a few years ago. I used a PC/104 form factor. We picked up a CPU/power supply module for 200 USD, a monitor module for 75 USD. I installed a Linux system at the time and used it as a firewall/router between a 10Mb network and a cellular modem. There was already one NIC on the motherboard I got but you can buy a module with another on it. They're really small and have a CF card they boot from. Sorry I can't remember the vendor we used.
Ride recklessly only when safe to do so.
http://www.ausgamers.com/files/details/html/9733
I may just have bad luck, but the two 604s I've had have been dismal performers..
1 - after extended heavy load, it will slow down, needing a reset to get it back to life..
2 - it resets itself every so often.. REALLY annoying...
---- Booth was a patriot ----
I'm one of many that were turned off of smoothwall for different reasons (rudeness by one of the developers mainly) and chose to go with ipcop. I've never looked back since then nor had a problem with ipcop.
:-)
I hope smoothwall has straightened out some of their earlier problems and is successful but I'll continue using ipcop for the foreseeable future.
Both of these projects are absolutely awesome though. They allow you to take an old machine and easily turn it into a good firewall/router. I've set up a few now as they have made some computers I picked up from a school useful again. All my ipcop installs go on P2's with 64MB of RAM and 3 cheap NICs. I can have a firewall/router set up and running in 20 minutes which includes DMZ, NAT, Snort, DHCP, VPN, and a proxy...all easily configured via a web browser over SSL.
These projects are real gems in the OSS world IMHO and I doubt I'll be looking at hardware firewalls in the near future again.
Hats off to all the developers (except 1) that have been working on these
-Pat
I've been running a Soekris net4801 for a few weeks as a firewall. I'm very happy with it. It's not intended specifically as a firewall, you just buy the basic computer from Soekris and then install what you want. Getting it going can be quite involved, as it has no VGA circuitry; you have to administer everything over a serial cable. This is almost exactly the opposite target market from Smoothwall; the Soekris products are meant for people who know what the heck they're doing.
The 4801 I bought is a Pentium/266 with 128 megs of RAM, 3 network ports, a mini-IDE port (used for 2.5" hard drives [notebook style]), a compact flash port, a mini-PCI slot, and a 3.3v (only) regular PCI slot. This chipset has several known bugs, including a bad data-corruption bug with DMA mode hard drives that has not yet been worked around in Linux, to my knowledge. It's better to use it with a CF card (which can't do DMA) because of this, at least until they get that bug fixed. You can find some patches for the kernel via links off the main Soekris page, but I don't think there are any patches yet for the HD bug.
After about a week of futzing around with it, I finally got it running. Much of the pain was learning how PXE booting works. At this point, I have a Debian firewall with one external and two internal ports, and a 256MB internal "hard drive" (compact flash card). Everything is set up to log to RAM (instead of writing to the CF card, which is bad). The neatest part is that the machine is about the size of a trade paperback (it would be even smaller if they hadn't left room for a PCI card in the case), is absolutely silent, takes about ten watts of power, and has NO moving parts, so flinging it about isn't a problem. The chip is passively cooled, and doesn't even need a heat sink; the case gets mildly warm but never really gets hot. One of the neater gadgets I've played with recently.
Total net cost, including the CF card, was about $375, so it's not for the poor, and it's definitely not for the Smoothwall crowd. But if you're looking for a very sweet solution to the space-and-noise problem with a good, Linux-based firewall, this is a great solution.
As an aside, OpenBSD has patches to run with the net4801. I was having trouble getting OpenBSD's boot program to read the CF properly, and then suddenly ran short on time because my old P133 firewall started losing its hard drive. Pressed for time, I gave up on OpenBSD and installed Linux.... but, at least in theory, it should run well. OpenBSD also has support for hardware crypto accelerators, which you'll need if you want to do VPN with a box this slow. (that's one good use for the expansion slots.) I only saw one Linux hardware crypto driver, and it looked unfinished and primitive. Definitely a spot where OpenBSD looks to be ahead.
Nice little box. I'm very fond of mine.
Am I missing something?

                                          /--PC1
--ADSL--- eth0 - FWALL - eth1 ---HUB---PC2
                                          \--PC3
So you don't need a NIC for each PC -- you just set it up as shown.
Total requirements: 1 old 486 PC, 2 old 10Mbit ISA cards (all from the dump) and Freesco. Add a HDD for IPCop or Smoothwall, and preferably a Pentium. You only need 10Mbit since your net connection is probably not more than that. Or just drop eth0 and the ADSL modem and replace with a regular 56k modem, the principle is the same.
It's really really easy -- trust me, I've done six freescos and I know stuff all about Linux....
I tried Smoothwall and IPCop. Couldn't get either one running behind due to my lack of experience and dealing w/ my landlord's Linksys router. Tried OpenBSD and the OpenBSD community at Screamingelectron.org helped me through the OpenBSD learning process and configuring my box. Now I have a secure, stable firewall for free. Before I get flamed, I've bought a T-shirt and CDs from OpenBSD to support the project.
This guy is way out there
Its bad naming aside (but who could have predicted the SCO mess several years ago), it's a rather powerful firewall/router solution that fits (and runs, if you like) on a SINGLE floppy.
It's worth checking out: www.freesco.org
---- Booth was a patriot ----
After struggling at work with these issues the last thing I want at home is to do more of the same.
A solution out of the box, that you can troubleshoot if needed, is the sensible way forward, even for time starved professionals like yours truly.
IANAL but write like a drunk one.
because I've been using Smoothwall v1 now for quite a while and have had absolutely no problems whatsoever. It currently has an uptime of something like 60 days and the only time I've had to reboot it in over a year has been when security updates have been installed (and it tells you when they are available and installs them from the web interface).
Si hoc legere scis nimium eruditionis habes.
Nobody mentioned the Floppy Firewall yet? It can be found at http://www.zelow.no/floppyfw/
One single floppy. It can be write protected to prevent rooting. No hard drive needed, so a quiet junk PC can be easily used.
Don't forget about PicoBSD.
It comes with every FreeBSD install
when you install full source.
It makes a fine 1.44MB firewall.
Has sshd, and all that jazz.
Anywho
We wrote up some instructions on what old NICs are supported and how to configure them (not needed if you have Pentium/PCI of course), plus very, very explicit OpenBSD install instructions based on the floppy-boot, over-the-net install.
Then we wrote a little Perl script to make the few changes to vanilla OpenBSD into a home/SOHO firewall, and called it "BSDwall".
See www.bsdwall.org
based out of the Calgary Unix Users Group site. It's been recently checked to work OK with OpenBSD 3.4. I can't imagine why anybody would use Linux for a firewall with OpenBSD also free; I use Linux on the desktop, but....if both BMW's and M-1 Tanks were free, and you had to drive through Iraq tonight, which free vehicle would you use?
Enjoy
...back when it was free, and they were still in pre-1.0 testing, I used to run it. Even then it ran well on a 486 box that I left in a spare room to NAT the internet to my network. I don't know what's changed, but anyone can do exactly what that does with an iptables script. Anything else seems bloated and that's why I dropped it. Not to mention, its coders were pricks. They have (had) an IRC network that would G-line anyone that came on asking for help. The IRC network I used to oper had one of the security coders as an oper; he pointed out how insecure it was and they told him to bugger off :) So he left the project.
-dl
So, this is all in any Linux dist. Why not set it up yourself? It is VERY easy to set up iptables, dhcp, dns (with ddns), stun, squid, or whatever service you need on a Linux install. All you need is a 500MB HD, a couple of CDs or a boot disk, and an internet connection. I would also suggest OpenBSD and pf, but iptables is faster, and Linux has ECMP, which to my knowledge OBSD does not have. But OBSD has better traffic shaping, handles fragmentation better, and is a lot more secure out of the box. Who cares about Smoothwall?
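As an added example of the "just write an iptables script" approach described in the post above (this is not code from the page, from SmoothWall or from any other project): a minimal stateful NAT firewall for a two-NIC Linux box, emitted in iptables-restore format so the whole rule set can be read and checked before anything is loaded into the kernel. The interface names (eth0 toward the modem, eth1 toward the LAN hub), the LAN subnet, and the assumption that the box serves SSH, DNS and DHCP to the LAN only are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the page or any firewall project): a minimal
# stateful NAT firewall for a two-NIC Linux box, printed in iptables-restore
# format so it can be reviewed before it is loaded.
# Assumptions: eth0 faces the modem, eth1 faces the LAN, the LAN is
# 192.168.1.0/24, and the box offers SSH/DNS/DHCP to the LAN only.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to conversations this box or the LAN started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# nothing arriving from the modem may claim a LAN source address
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $LAN_NET -j DROP
# services the firewall offers to the LAN only (DHCP requests come from 0.0.0.0)
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# whatever else reaches the box is logged (rate-limited) and falls to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: " --log-level 4
# LAN -> Internet and the replies; no new connections from the Internet inward
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Number of -A rules in the generated set (handy for a sanity check).
rule_count() { ruleset | grep -c '^-A'; }

# Load the rules atomically; must run as root on the firewall itself.
apply() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # reverse-path filter: drop packets whose source is not routable back the way they came
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
  ruleset | iptables-restore
}

case "${1:-}" in
  show)  ruleset ;;
  apply) apply ;;
esac
```

Run it as `sh fw.sh show` to read the rules and `sh fw.sh apply` (as root) to load them. The two anti-spoof rules and the rp_filter setting are the part most home scripts forget; without them a packet arriving on the WAN side with a 192.168.1.x source would match the LAN-only service rules.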
So why waste your time?
One of the Smoothwall guys just apologized to you (even though he has no way of verifying your "I was mistreated" story) in a public forum, admitted they were wrong, and did it in front of several hundred thousand slashdotters (something he didn't have to do, BTW)... and you won't even consider the software? Ever?
Projects evolve, abrasive people are often forced out over time. Seems to me you are missing out on a potentially useful tool, based on a past beef with some guys who are no longer there...
I'm not saying you don't have the right to feel the way you do... it just doesn't seem very pragmatic.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
Eg:

    Internet --- OpenBSD --- lotsa firewalls --- LAN

Any obvious vulnerabilities here? Could connection order affect the effective security level?
Buying a "hardware firewall" (cheaper ones are just a NAT box) is easy, but teaches you nothing.
Honestly... there is no substitute for building your own stuff, particularly if you want to increase your understanding of networking and security. If you don't have time for that kind of thing, or just don't want the hassle (you say hassle, I say "learning experience") of rolling your own, then buy the Linksys/Dlink/Netgear box and be done with it.
You will get far more options and much better control with the one you build yourself... but it doesn't come for free; it takes effort on your part. Seriously... build your own, then set up an ethernet tap with Snort to see what's coming and going on your network. The latter step with Snort personally taught me more about networking, protocols, and packets than any Man-page or article.
Build it... you'll be amazed at what it does for your networking/security skills.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
I had one of these, tried to set it up for a neighbor (a surgeon who's a non-geek)... it worked for about two days before it died.
Cheap is right. It wasn't even worth the trouble of RMAing it.
Filed in the round file.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
If you don't have an office nearby that's throwing away old Compaq Deskpros, Computer Surplus Outlet is a good place for older machines that are perfect for smoothwall & IP Cop. The slowest & cheapest thing I can see there are 233 PIIs for $29. Actually, that's *all* they have--they used to have a lot more, but if they're selling PIIs for $30 (I remember when the first PII/400 came out , the CPU itself was over $1,000) I guess they can't go much lower on that. Who wants to pay $0.50 for a 486 & $22 shipping?
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Hey, this might be a dumb question but is it necessary for a static IP to be used with smoothwall? Will DynDNS suffice?
I came into this thread expecting to see even more echoes of my own interaction with RM than I have, and was pleasantly surprised to see some positive developments as well. I wasn't exactly the most blameless person who ever had a fight with RM get to the seemingly common "Dick Morrell Barratry Special" stage, but I did wind up getting an apology from him.
I'm glad to see both IPCop and Smoothwall continuing to progress, and hope that some competition between the two projects can make the experience of a firewall system better for everyone who uses either package. I'd try and work on either now that I've graduated with a totally unused programming degree, but with a 10 hour work schedule I'm a bit out of the loop.
Glad to see things still moving along, and glad that Dick isn't dragging you all through any more mud. The notes from folks that I see RM still claiming copyright on Smoothwall are a little bit curious, but I'll take it on good faith that I'd never encounter him if I dealt with Smoothwall again. Maybe when it comes time to get my home LAN configured a little more flexibly, I'll give Smoothwall GPL a shot.
And a side note, one thing that would make any firewall project -highly- desirable for the more anal-retentive (and blinkenlighten fetishistic) users would be a status display screen. I've got a hacked iOpener box that would be incredibly well suited to firewall usage if the display were used to show network traffic details in realtime or semi-realtime.
My own pointless vanity vintage computing page
wpanderson, if your reading this.. I would love some insight on future of Smoothwall, and features.
Is there any plans of adding features such as a very easy interface for Packet shaping.
Is there an easy way to track and monitor the trafic, based on source of the request , type of traffic and the destination.
Is there an easy way to access the network with an out of the box VPN service.
Is there support for multiple external IP's.
Is there support for mixed STANDARD MODE and NAT MODE for external interfaces. And rules that let you push back and forth between the different zones.
Does smoothwall support 3 physical devices, or more, for DMZ/Lan/WAN configuration.
Does SW support 1-1 NAT and filters/services based on that nat configuration?
External logging, eventlog, traffic, etc?
Support for various devices above mentioned and a 802.11b sharing device with authentication.
I am assuming that SW uses SNORT for it's IDS. Is there plans for automated updates of rules on that or an easy way to manage those rules.
I am very interested in Smoothwall, I would love to dig into it when I have time. How friendly is the SW community with rolling features back into the project if one so chooses? (I definately am not interested in adding features to a system which will only be sold at a commercial level... if so I would probably go help the people at IPCop...).
Looks like you guys have worked on this project and congratulations on your 2.0 release. I might fire up a machine in my closet to give it a kick and see how it runs at home, maybe even start hacking on it. We have a couple of medium/small offices where I work, and we could use such a toy to help secure the networks. (Netgear cable modem routers are so boring.)
You aren't talking about software firewalls, you are talking about running a firewalling layer on a host, -vs- a dedicated firewall box for a network.
This whole article is about a linux distribution used to build what you are referring to as "hardware firewalls".. not some software you load up onto an existing system.
Because Windows has too much underlying weakness, regardless of the firewall software you may be running or what Bill Gates has to say. I was seriously surprised at the kinds of junk my Smoothwall stopped that I never knew about. I will never go "barefoot" into the internet again, and as an added bonus, I also got a real cheap proxy server made from a 133 MHz Pentium and a 4 gig hard drive.
I'm not saying anything like that at all....
I'm trying to figure out what the guy means by "hardware firewall".
It turns out what he means by "hardware" firewall is "dedicated" firewall... as opposed to host-level firewalling (like, say, using iptables on your webserver, or blackice defender on your windows box)
Unless the filtering logic is actually on the silicon, it's a software firewall... I don't care how big it is.
It still runs an OS, and still does its filtering in software, with a microprocessor.
A "hardware" firewall would be something that blew its filtering logic into FPGAs or something, and filtered in silicon.
Sure a linux box is bloated compared to your little dlink box.. but then, your little dlink box has nowhere near the firewalling capabilities as the typical linux box, nor can it handle anywhere near the same load. It might be fine for your home office, but no way on earth would I use it in production.
I tried smoothwall but couldn't get it to work because my firewall box has only one network card which connects to the switch. I have my pppoe adsl modem connected directly to the switch.
will the new smoothwall work with my setup?
Back in the old days of Windows 3.1 we didn't need a firewall at all.
Not having a modem or ethernet made the box as secure as any computer you ever used.
I think that this is the way forward, we could go round to a friend's house with the internet and bring portions of it back on floppy disks like we used to in the old days.
Mind, CDs would probably be more efficient these days. I dunno. Maybe without the data loss and downtime that businesses could miss out on we could get to a place where DVDs and DVD burners dropped in price to make them cheap as chips for you, me and everyone.
*sigh* In an ideal world, right?
Do not meddle in the affairs of geeks for they are subtle and quick to anger
The best thing for me to say in reply to this is go check out the SmoothWall Community forums, as I'm about 15 seconds away from disappearing to bed :)
neuro at well dot com (when I post, it's my opinions, no-one elses)
lol why don't you just buy a commercial firewall, you cheap bastard? It's amazing how cheap some dumbasses are. If you want all that functionality for nothing you are a piece of work.
Please:
Check out the product before asking so many damn questions. You haven't even been to the website or you wouldn't be asking some of these.
I'm against picketing, but I don't know how to show it.
"If you want all that functionality for nothing you are a piece of work."
Sorta like someone wanting the functionality of a commercial database, operating system and desktop, web servers and development environments?
Hypocrite
Hmm... actually I have. Those appear to be the missing features I would be interested in.
Looks like I stick with openbsd.
Get OpenBSD,
1. Configure your BPF (Ultimate in Granularity!)
Features here include native SSL support, native IPv6 support, shaping... in fact more crap than Cisco could shake a stick at.
2. If you need it, get Zebra (advanced BGP/OSPF/RIP routing system).
3. Install Snort
4. Install Nmap
5. Install Nessus
6. Install one of the following (Demarc/Big Brother/Big Sister/MRTG/Nmon...)
Et voilà
Need a DMZ? Install a third NIC.
For all its woes OpenBSD still kicks the crap out of Linux, which usually re-tools the BSD stack anyway (just like everyone else).
Remember the following rules: firewalls do NOT need compilers, routers are designed to do one thing and one thing only, and Ettercap is your friend.
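The "install a third NIC for a DMZ" step above, and the later point that anything hosting public services or wireless needs its own untrusted segment, carried through as an added example (not code from the page, from BSDwall or from the OpenBSD project): a three-zone pf.conf for WAN/LAN/DMZ, wrapped in a small shell script that prints it and, on a BSD host, syntax-checks it with `pfctl -n`. It is written in current pf syntax (`nat-to`/`rdr-to`, OpenBSD 4.7 and later); the 3.4-era pf discussed in this thread used separate `nat on` and `rdr on` rules for the same thing. Interface names, subnets and the DMZ web server address are assumptions.

```shell
#!/bin/sh
# Added example (not from the page, BSDwall or OpenBSD): a three-zone pf.conf
# (WAN / LAN / DMZ) in current pf syntax (nat-to / rdr-to, OpenBSD 4.7+).
# Interface names, subnets and the DMZ web host address are assumptions.
pf_conf() {
  cat <<'EOF'
ext_if  = "fxp0"            # assumed: public side
lan_if  = "fxp1"            # assumed: trusted LAN
dmz_if  = "fxp2"            # assumed: the third NIC, untrusted segment
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
dmz_web = "192.168.2.10"    # assumed: the one host the Internet may reach

set skip on lo
set block-policy drop

# drop packets arriving on an interface with a source address that belongs elsewhere
antispoof quick for { $lan_if $dmz_if }

# both internal zones share the single public address
match out on $ext_if from { $lan_net $dmz_net } nat-to ($ext_if)

# default deny, logged, on every interface in every direction
block log all

# the firewall and anything behind it may initiate outbound
pass out all keep state

# LAN may reach the firewall, the DMZ and the Internet
pass in on $lan_if from $lan_net to any keep state

# DMZ may reach the Internet but must never initiate toward the LAN;
# quick makes this win even though the next rule passes DMZ traffic
block in quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if from $dmz_net to any keep state

# the only inbound service from the Internet: port 80, redirected into the DMZ
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $dmz_web
EOF
}

# pfctl -n parses without loading; only meaningful on a BSD host
check() {
  if command -v pfctl >/dev/null 2>&1; then
    pf_conf | pfctl -nf -
  else
    echo "pfctl not found; rule set printed but not syntax-checked" >&2
    pf_conf
  fi
}

# line numbers inside the generated file, used to confirm the DMZ->LAN block
# really precedes the general DMZ pass rule
dmz_block_line() { pf_conf | grep -nF 'block in quick on $dmz_if' | cut -d: -f1; }
dmz_pass_line()  { pf_conf | grep -nF 'pass in on $dmz_if'        | cut -d: -f1; }

case "${1:-}" in
  show)  pf_conf ;;
  check) check ;;
  load)  pf_conf | pfctl -f - && pfctl -e ;;
esac
```

The ordering matters because pf uses last-match-wins unless a rule says `quick`: without `quick` on the DMZ-to-LAN block, the following `pass in on $dmz_if ... to any` would override it and a compromised DMZ host could open connections into the LAN. Run `sh pf.sh check` before `sh pf.sh load`.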
If you're going to do logging, CD-ROM just doesn't cut it :-) You either need to use a hard disk, or else do your logging across a network. Alternatively, don't do logging, or only keep some summary logs in RAM.
Bill Stewart
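Serving both the net4801 post earlier in the thread (everything set up to log to RAM rather than the CF card) and the point just above that a CD-ROM firewall has to log to RAM or across the network: an added example, not code from the page or from any firewall project, that puts /var/log on a size-capped tmpfs, forwards syslog to a host on the LAN, and includes a small check that reads a /proc/mounts-style file to confirm the log directory really is RAM-backed. The log host address, the size cap and the sample mount table are assumptions and constructed data.

```shell
#!/bin/sh
# Added example (not from the page or any firewall project): keep /var/log on
# tmpfs so a flash or floppy/CD-ROM firewall never writes logs to its boot
# medium, and copy everything to a syslog host on the LAN so the logs survive
# a reboot. The log host address, the size cap and the paths are assumptions.
LOGHOST=${LOGHOST:-192.168.1.5}
LOG_SIZE=${LOG_SIZE:-16m}

# fstab line: RAM-backed, no device nodes/setuid/exec, and a hard size cap so a
# log flood cannot exhaust the box's memory
fstab_entry() {
  printf 'tmpfs /var/log tmpfs nodev,nosuid,noexec,size=%s 0 0\n' "$LOG_SIZE"
}

# syslog.conf: everything is also sent over the wire; kernel messages (where
# the iptables LOG target writes) are kept locally as well for quick inspection
syslog_conf() {
  cat <<EOF
kern.*    /var/log/kern.log
*.*       @$LOGHOST
EOF
}

# Read a /proc/mounts-style file (default: the real one) and report whether the
# given mount point is on tmpfs: exit status 0 if so, 1 otherwise.
is_tmpfs() {
  mountpoint=$1; mounts=${2:-/proc/mounts}
  awk -v mp="$mountpoint" \
    '$2 == mp && $3 == "tmpfs" { found = 1 } END { exit found ? 0 : 1 }' "$mounts"
}

case "${1:-}" in
  fstab)  fstab_entry ;;
  syslog) syslog_conf ;;
  check)  if is_tmpfs /var/log; then echo "/var/log is on tmpfs"
          else echo "/var/log is NOT on tmpfs"; fi ;;
esac
```

The classic `@host` syslog forwarding is plain UDP 514 with no authentication or encryption, so the receiving syslogd should be started to accept remote messages only from the firewall's own address, and the firewall's syslogd should not itself accept remote messages. With tmpfs the local copy vanishes on reboot, which is exactly why the forwarding line is there.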
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I find it rather cool that you can download it over emule/edonkey. Why can't more software vendors provide their demos / free releases over ed2k / bitT ?
You're missing a DMZ port. If you're hosting any externally available services, and/or running wireless, you need a separate untrusted segment.
Free the West Memphis Three!
I like Smoothwall but they lie to you. I've got it running on a 486 with 8M of RAM, not anywhere near the recommended 32M+. It works but I don't think I'm going to try VPN and caching with it. This is with both V1 and the V2 beta.
As far as your need for enhanced activity reporting goes, have you considered using an IDS like Snort?
*sigh* useless, that`s some tough ice comrado.
Doolittle :
Bomb no.20 : To explode of course.
The problem I encountered with small configuration like yours is that Smoothwall installation sets swap space to a rigid amount equal to twice the RAM amount. This is really too small.
I've tried all the available versions from their web page..
None seemed to make any difference, either better or worse..
---- Booth was a patriot ----
I run Smoothwall Corp on my network. With the hosting add-on it's a real time-saver. Feels more like an F5 than a Linux'y firewall thing.
Sure, I can configure ipchains and all that crap, but why bother. I just need a simple web UI to move some rules around and allocate IP space between the public and private networks.
We're loving it. Well worth the few hundred bucks.
At the risk of getting modded for doing a "me too", I would just like to say that I started using Smoothwall at home about 3 months ago. The install was simple and painless and took less than 10 minutes, and every upgrade since then has only been better... I have not found any of the negativity that others are speaking of, nor have I ever NOT had a question answered to the fullest of their abilities.
"I don't code the things you use, I make the code your things use better."®
OOB install, within just a few days my network was owned yet again.
After googling for a more objective balance of info on smoothwall I found the numerous (negative) comments about the guy behind it, as well as many positive discussions leading me to ipcop. Took me about an hour to wipeout smoothwall and install ipcop, and it has performed fantastically ever since.
Sorry, but I see absolutely no value in smoothwall. Why agree to a more restrictive license for the "opportunity" to use a less secure product?
Has anyone experienced problems using IPCop or SmoothWall with such services as Vonage and devices such as TiVo or Xbox Live?
I currently use a Linksys router/firewall and Norton Firewall2003 on my XP machine, but I also have Xbox Live and my TiVo connected to my network and I want to sign on to Vonage so I'd like to know ahead of time if anyone has experienced problems with these services using these great firewall "solutions."
And yes, I know Vonage has "issues" with Linksys firewalls. Funny how a wholly-owned subsidiary of Cisco has P***-poor support (or lack thereof) for Mac OSX and Linux...
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
go to it, my boy!
Ditto... I know I stumbled onto something like this comparing Linux distros, and it did have a section for these ones too, but danged if I can find it now. Can anyone help?
Installation Statistics
/var/smoothwall/notregistered && exit
We anonymously collect when you install SmoothWall GPL or Express. This information is as follows: CPU type, speed, RAM, HD size, network card, connection type (modem/ISDN/ADSL/etc) and what version of SmoothWall GPL or Express you're running. We also try and figure out where you're from based on the first two octets of your RED IP address (i.e. the 12.23 part of 12.23.34.45). This allows us to gauge the penetration of usage by CPU and connection type, and plan ahead for future developments.
If you do not wish to have this information collected, then do the following before you first put your SmoothWall GPL or Express installation online:
* enable the SSH service under Services -> Remote Access
* login as root via SSH on port 222 to your SmoothWall GPL or Express installation using an SSH client
* enter the following command:
rm
and press RETURN
* this should remove the flag that tells your install to send the information anonymously to us, and disconnect from the login session
* you may now disable the SSH service under Services -> Remote Access if you wish
We will soon be publishing aggregate statistics based on the information collected to help users see both the scope and usage of SmoothWall software.
Um nope not here. If I want high end features I don't mind paying people for the work. They should be paid. People don't pay rent and feed their kids by pats on the back genius.