SmoothWall 2.0 Linux-Based Firewall Released
thegraham writes "Despite some earlier server problems, SmoothWall 2.0 has been released this evening - there are also release notes available. SmoothWall is 'a firewall operating system distribution based on Linux, enabling a low-end, possibly otherwise redundant, Intel and compatible PC to become a hardened Internet firewall', and changes from version 1 include: 2.4 kernel, new web interface, improved networking and many bugs corrected through the Beta program."
I've been using the 2.0 Beta at home without any problems. It makes a great firewall for old boxes and has support for Proxies, DynDNS and everything else you expect in a good firewall. All configured easily from a web based interface. Works great for protecting those Windows boxes too. Think Windows cowering behind a big Tux. Kudos smoothwall team.
I've been using version 1.0 of their firewall for just over a year now, and I have to admit that it is a rather good firewall. I was able to load it on a p100 box with only a 540MB hard drive. Granted with a hard drive that small, my firewall doesn't do a lot as far as web cache is concerned, but otherwise it operates great. The patches are easy enough to install, all you have to do is download the gzip from the patches page built into the firewall web client. Upload the gzips and they're installed.
Managing the firewall is exceptionally easy as well. You can set up port forwarding to internal computers in under 30 seconds. All in all, the firewall takes the major annoyances out of running a firewall. I highly recommend it for anyone who's got an old system lying around, and doesn't have the time to bother with setting up a firewall.
If you're looking here for something insightful or thought provoking, you're probably looking in the wrong place.
ipCop is a fork of the smoothwall source that has more of an open source community behind it. Personally, I found the whole "Buy Smoothwall Now!" experience just a little too annoying to use.
But, let me be the first to say that I love the concept behind this type of distro. A boot-cd and 20 minutes turns any old wintel machine into a damn good firewall appliance (one that has a shell!).
Because it's easy to set up on a bit of spare hardware, however old it may be? Because it provides all that the average firewall user needs? Because it is easy to maintain once it's running? Because most hardware firewalls are as inflexible as they are expensive? I can think of a lot of reasons. In my company, a number of offices use Smoothwall and will certainly upgrade to Smoothwall Express soon, simply because it's an affordable way to secure our network boundaries and because the ongoing maintenance work is minimal.
IPCop does have a faster upload speed for USB ADSL on BTOpenworld
(30Kb/s for IPCop, 3Kb/s for Smoothwall GPL). The IPCop team have updated
the driver, whilst the Smoothwall GPL version does not have the driver
update. Of course you can pay for the Smoothwall Home version if you want
the faster upload.
IPCop uses ext3 journaling filesystem, whilst Smoothwall GPL uses ext2.
The next version of IPCop, 0.2, will be more of a radical departure from
Smoothwall. Currently IPCop 0.1.1 is much the same as Smoothwall GPL.
Oh and IPCop is GPL and being actively developed, whereas Smoothwall GPL is
taking a back seat to the Home and Corporate versions, i.e. new features
are being added to the Home/Corporate version and *maybe* back ported to
Smoothwall GPL.
neuro said that 'there are cool things in
the works for GPL, and some of the corporate proprietary stuff may be
backlicensed to GPL in the future.'
Richard is pushing for the money right now, not that I blame him. Though
using Smoothwall GPL means that one was much of a beta tester for the Home
and Server base versions.
That's what a Linux firewall distribution is all about. :)
It's a Linux distribution. It's just all set up and locked down for firewall use, with all the features installed that you might want to use.
Software firewalls are not that great, hardware firewalls are not as easily updated. By using an old box and a firewall distribution, you can set up a firewall and also have a nice local DNS, DHCP, time, file, and so on server for your network.
This looks a little heavy compared to the FreeSCO floppy distribution I use, but when it's no longer Slashdotted I'll see if it has anything worth reconfiguring my firewall for.
...
Because not all software firewalls are equal and not all hardware firewalls are able to do as much. Those that can do as much (or more) have a price tag that reflects that. Because some people don't like to throw away hardware that could be put to a good use. Because for some people it's just fun.
Coyotelinux
A few distros off the top of my head:
Smoothwall
Clarkconnect
IPcop
Freesco
Hardware firewalls (like checkpoint or your linksys router) are often proprietary and/or may be limited in what they can do. Checkpoint firewalls aren't cheap either.
Software firewalls (like norton on your win2k desktop) may be running on top of a buggy, unsecure piece of crap like windows. Why break the lock when the door is made out of cheese?
Quite simply, I have things on my wired home network that I don't want anyone on my AP to access. Using a linux box to handle routing and firewalling between the Internet, wired, and wireless networks does something that software firewalls (like ZoneAlarm) can't do and that would cost over $300 for a hardware firewall to do the same.
If I've already got an old machine laying around from my last upgrade, why waste money on the hardware firewall?
kc8apf
/.'ed
:)
:)
:)
SmoothWall Express 2.0
SmoothWall Express 2.0 was released at 21:00 GMT on Monday 8th December 2002.
http://www.smoothwall.org/
** Please see http://smoothwall.org/ for the latest release
** information, downloads and updates!
SmoothWall Express 2.0 Release Notes
** Please note that the https web access port has moved from
** TCP/445 to TCP/441! Use https://x.x.x.x:441/ from now on!
Changes from SmoothWall GPL 1.0:
* SmoothWall GPL is now SmoothWall Express!
  http://community.smoothwall.org/topic/1086
* Stateful packet inspection using Linux 2.4 kernel with iptables
  and netfilter.
* Improved installer:
  - Network card skip.
  - Displays MAC address of detected cards.
  - Prefilled IP addresses.
  - Configure upstream web proxy for fetching update list.
    when a direct connection cannot be made or is not allowed.
* Improved web user interface; more user friendly, better error
  reporting, more orange
* Improved connectivity device support:
  - More USB ADSL modems; ECI chipset, USR SureConnect.
    http://smoothwall.org/beta/eci.html
  - BeWAN PCI ADSL.
  - BT Home Highway USB TA.
* Universal Plug-n-Play support for Microsoft Windows XP users.
* Improved network usage graphs with RRDtool.
* Improved proxy performance through diskd and other squid tweaks.
* Static assignments in DHCP server options based on MAC address.
* SmoothWall time sync with internal or external NTP server. Can
  sync from a built-in list of servers. (Does not provide ntpd
  service to Green or Orange network however)
* Configuration backup to floppy disk for quick install on another
  machine, or re-install on same machine (compatible with backup
  floppies from Express 2.0 RC1, timesync server list bug when
  using backup floppy from Express 2.0 beta7 "pendolino" - see
  http://community.smoothwall.org/topic/2180 for more info)
* Simpler port forwarding; no need to open ports with external
  access page, the port (or ports - port ranges are allowed now)
  is opened and forwarded on one page.
* IP Blocking feature; block any given internal IP address or
  subnet from accessing your SmoothWall or any port forwarded
  hosts. Additionally, blocking rules can be added from the
  firewall log interface.
* Advanced networking features; block ICMP ping, block multicast
  traffic and enable SYN cookies.
* Improved VPN; no need for "next hop" setting, optionally enable
  compression on the tunnel, still possible to connect to a
  SmoothWall GPL 1.0 VPN.
* Perform network diagnostic (ping, traceroute) from web interface.
* New Java SSH client (replaced due to licence conflict).
* Added clear cache option to web proxy.
* Updates list location changed
  http://updates.smoothwall.org/express/2.0
Thanks to those on the team and the forums for their hard work on
mods and patches
-----
Rebooting
-----
During the reboot, notice the nice boot screens.
You will notice differences if you use either the ECI or the USR
SureConnect USB ADSL modems.
For all USR ADSL modems, have the unit plugged in prior to booting.
If you are using an ECI-chipset driver (generic of FDX310), you will
see your screen fill with diagnostics as the firmware is uploaded and
the line synced. Occasionally this can appear to hang part way
through, but it should not stall for more than 30 seconds at a time.
The line should be synced when this process is complete.
The USR SureConnect will behave in a similar fashion, but with less
diagnostics.
---
Melius mori in libertate quam vivere in servitute.
I believe part of the issue was not with his distribution model, but if anyone has talked with the main developer personally, you would know he has quite an attitude problem. While in the smoothwall IRC room, I would advise not asking any questions unless you donated some money or he will go off on a tangent about how you haven't given anything to him. I believe his name is "Dick" as well. Just a word of advice, I would rather go with Astaro.
It's a really nice product now.
Once upon a time I wouldn't go near it - one of the original founders was a real rude little shite and a huge liability to the project. And when I say rude, I mean rude - he used to tell potential or even existing customers to fuck off on a fairly regular basis, and that was when he was being polite!
Only his small circle of friends stayed on the IRC support channel - anyone else got kick-banned without even saying a word (either party).
Basically he used the wrong license, as in the end he seemed to detest the GPL and the "freeloaders" that were "stealing" copies of "his" work (perhaps he was the inspiration for SCO, huh?)
Thankfully he fucked off. It's a nice project now, supported by nice people! Give it a try.
First of all, because not everyone is talking about home or one workstation application. If you have 100 computers on the network, with smoothwall you will need to configure/reconfigure/update only one dedicated box, instead of all 100 individually.
Second of all, software firewalls that run on your computer take up resources, and are generally limited by your operating system.
Finally, smoothwall will be a lot more secure, because it will not be running any of the services that can be compromised by hackers. It adds an additional layer to your security. Remember, security is about layers.
neuro at well dot com (when I post, it's my opinions, no-one elses)
I know you can run YellowDogLinux on the PPC
http://www.yellowdoglinux.com/
And do routing with it:
http://www.yellowdoglinux.com/support/solutions/ydl_general/ethernet_connections.shtml
Not sure if there is a stripped down firewall distro for it yet. If you're up for it you might see what you could put together.
There is also MandrakeSoft's Multi Network Firewall which is a very nice firewall + network infrastructure management software that provides many features, including a multi-VPN support. And it's very easy to use.
neuro at well dot com (when I post, it's my opinions, no-one elses)
http://www.soekris.com/?
The LEAF distribution of Linux (leaf.sourceforge.net) has performed excellently over the years. Various sub-distributions have tackled different things, and I've happily been using Bering at my company for years now. Smoothwall and Bering sound similar: Bering offers a 2.4 kernel, one floppy default running size, easy setup, good documentation, an active and helpful mailing list, and Shorewall for those of us who don't want to muck around with iptables scripts. (I'm guilty of using iptables by itself for some time. Shorewall's thorough implementation is sobering to this do-it-yourself-er).
www.rocksteady.com
Our software does most of what you've described here. We dynamically authenticate users and construct/destroy firewall rules as they enter/exit the system.
</shameless>
I could go on, but I dislike spamming people with information they haven't asked for. If you'd like to know more, you're very welcome to visit the site.
Like, give me an example?
Checkpoint? That runs on Linux/ Solaris / NT or whatever....
Checkpoint Nokia appliance? Just a rack-mount computer, running one of the above operating systems... they are not a "hardware" firewall.
Every firewall I've seen is just a fancy PC dressed up to look like some kind of hardware box.
Not sure what you mean by "your computer still has to do all the blocking".. a firewall IS a computer that does blocking, by definition.
Smoothwall is not some add-on to your existing box.. it's for building hardware firewalls....
PlanetMirror's got this now:
HTTP | FTP.
Personally, I've used Astaro Security Linux for a long time since moving from Smoothwall, and I find it far superior.
It's of course free for home use, runs on anything down to a P100, and all the up2date is handled by Astaro themselves.
Hell, they even have FREE evaluation webinar-live-workshops for people to get acquainted with Astaro if they are new (and presumably to help with a purchasing decision for business). You can sign up for the Eval Workshop for free here.
When they release their version 5, I hope it gets the same kind of publicity, they are hands down the coolest internet firewall and don't seem to get much press.
3-Server OC-3 Linux Counter-Strike Cluster
www.rnp.ca
I've been using Smoothwall 2.0 beta X for over a year now and I've had very few problems.
The most recent I'm using is Pendolino and it's great.
I have installed several customer sites with Beta5 (after extensive testing at my site) and they are all very pleased with it.
I highly recommend it. You can take an old PC and load it up and really be covered.
It's very easy to use, very reliable, very flexible.
What's even better is that you can use the built in, transparent proxy (squid) to block ads. (sorry /., your ads too)..
I made a dull gray "this ad zapped" gif and put it in /home/httpd/zaps and edited the wrapzap file to tell adzapper to look on smoothwall for its images rather than using the resources of sourceforge. I found that the black and yellow gif was more annoying than the ads it was blocking.
;-/
Man, it's great. EVERY machine that I plug into my lan automatically gets its ads zapped. Friends and customers are freaked out and impressed with that. Then after seeing how cool it is they want a smoothwall too. Problem is I end up setting them all up for free..
Smoothwall is very cool, get it....
He seems to be working on "new projects" (solo by the sound of it) going by his slightly ranty website at dickmorrell.com
I'll be sure to avoid them!
Note he makes a point on the site of pointing out his remaining ownership of the Smoothwall copyright despite the fact that he resigned. What that means I don't know, but it smells very SCO-ish. He's an asshole of similar caliber to those guys.
Have a look at the Via Epia boards. The slower processors don't need a fan. Also, some boards don't need a power supply, but use a small plug to get their power - laptop like.
You could use a usb stick as your hard drive.
I think these are Awesome for small businesses and technically advanced home users but really not too great for the average home user. I think they will be better served with something like a low end SMC router. It's cheaper, smaller, costs less to run, and even compared to the easiest of these distros tends to be easier to set up. Usually you just plug it in and go. No need to open up a PC to install extra NICS and no need to worry about a power supply going. I used to run a PC for a firewall, but really with the features you get on these cheap routers I'm more than happy. Hell the low end SMC7004VBR has an SPI firewall, VPN, Virtual Servers, and Access Control. All for under $40! You may have more fine grained control on something like Smoothwall, but for those who don't need it it's really no contest on which product is a better fit.
I guess most of what I said is common sense, and I'm sure those in the market for a PC based firewall have thought about it as well. I just thought I'd post in case you needed to be pushed one way or another.
If you wanna get rich, you know that payback is a bitch
Does it have SBus or PCI expansion slots?
If SBus, you won't run any modern Linux kernel on it. Maybe NetBSD would be better in that situation.
But, if it's got 2 Ethernet ports (or can be expanded easily (and CHEAPLY)). It can be done.
Nobody mentioned the Floppy Firewall yet? It can be found at http://www.zelow.no/floppyfw/
One single floppy. It can be write protected to prevent rooting. No hard drive needed, so a quiet junk PC can be easily used.
I had to laugh when I read this:
The reason there aren't click-thrus from the SmoothWall project page on sourceforge is because we don't use those links or that page to generate downloads. The bulk of our downloads come from our download page (at the moment suitably lightened in weight to combat the
As for the final comment, if this were the case, how could any commercial security vendor survive? There will always be a market for boxed product, while the degrees of openness within such product will invariably differ from product to product, market to market, and over time.
neuro at well dot com (when I post, it's my opinions, no-one elses)