SmoothWall 2.0 Linux-Based Firewall Released
thegraham writes "Despite some earlier server problems, SmoothWall 2.0 has been released this evening - there are also release notes available. SmoothWall is 'a firewall operating system distribution based on Linux, enabling a low-end, possibly otherwise redundant, Intel and compatible PC to become a hardened Internet firewall', and changes from version 1 include: 2.4 kernel, new web interface, improved networking and many bugs corrected through the Beta program."
Forgive me if this is an obvious question, but why run a dedicated "firewall operating system" when hardware and software firewalls are available?
I used to use smoothwall, but switched to the forked project IPCop. Some of the original developers forked away from smoothwall because of the founder's desire to mix open source with a business model that conflicted with the project. I was having problems with smoothwall and updates, which prompted me to switch to IPCop. I've been happy ever since.
Anyone else got opinions on Smoothwall vs. IPCop?
Great to see another firewall solution maturing. Congrats to the developers!
I've always hoped that someone would write a turnkey network/Internet authentication and user IP accounting app (no way do I have the skill at this time). Something that would create an IP table entry when a user authenticates, and track the Internet usage of their machine. Even better, it would be great if I could create a fake network interface for accounting, one which is associated with just one authenticated user, so I could measure each user's actual usage, rather than all the usage for the one machine. This is useful when you have more than one user logged in to a machine at a time, sharing the same NIC, or if there's other processes using bandwidth. Something that had Linux, Windows, OS X, etc. clients too... Impossible?
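The per-user accounting the post above wishes for can be approximated on any Linux firewall with iptables counters. What follows is an added example, not code from the original post and not part of SmoothWall: when a user authenticates from a client IP, a dedicated chain `ACCT_<user>` is created and two FORWARD rules jump to it, and the byte counters on that chain's RETURN rules give upload and download volume. The chain naming, rule layout and the sample `iptables -nvx -L` listing are assumptions. It accounts per client IP, so two users sharing one machine are still counted together, which is exactly the limitation the post describes.

```python
"""Per-user traffic accounting on a Linux firewall with iptables.

Added example, not code from the original post or from SmoothWall. When a user
authenticates from a client IP, a per-user chain ACCT_<user> is created and two
FORWARD rules jump to it; the packet/byte counters on that chain's RETURN rules
then give the user's upload and download volume. Chain naming, rule layout and
the sample listing are assumptions. Accounting is per client IP, so two users
on one machine are still counted together.
"""
import re
import shlex

# Keeps ACCT_<user> under iptables' 28-character chain-name limit and rejects
# anything that could smuggle shell or iptables syntax through a username.
CHAIN_RE = re.compile(r"[A-Za-z0-9_]{1,22}")


def chain_name(user: str) -> str:
    """Derive the per-user chain name, refusing unsafe names."""
    if not CHAIN_RE.fullmatch(user):
        raise ValueError(f"unsafe user name: {user!r}")
    return f"ACCT_{user}"


def login_rules(user: str, client_ip: str) -> list:
    """iptables argv lists to run when `user` authenticates from `client_ip`."""
    chain = chain_name(user)
    return [
        ["iptables", "-N", chain],
        # The counters on these two RETURN rules are the accounting data.
        ["iptables", "-A", chain, "-s", client_ip, "-j", "RETURN"],   # upload
        ["iptables", "-A", chain, "-d", client_ip, "-j", "RETURN"],   # download
        # Inserted at the top of FORWARD so every packet is counted before any
        # ACCEPT/DROP rule below it; RETURN hands the packet back to FORWARD,
        # so the existing policy is untouched.
        ["iptables", "-I", "FORWARD", "-s", client_ip, "-j", chain],
        ["iptables", "-I", "FORWARD", "-d", client_ip, "-j", chain],
    ]


def logout_rules(user: str, client_ip: str) -> list:
    """Undo login_rules: unhook from FORWARD first, then flush and delete the chain."""
    chain = chain_name(user)
    return [
        ["iptables", "-D", "FORWARD", "-s", client_ip, "-j", chain],
        ["iptables", "-D", "FORWARD", "-d", client_ip, "-j", chain],
        ["iptables", "-F", chain],
        ["iptables", "-X", chain],
    ]


def as_shell(cmds: list) -> str:
    """Render argv lists as safely quoted shell lines."""
    return "\n".join(shlex.join(c) for c in cmds)


def parse_counters(listing: str, client_ip: str) -> dict:
    """Parse `iptables -nvx -L ACCT_<user>` output (-x prints exact byte counts).

    Columns with -v are: pkts bytes target prot opt in out source destination.
    """
    totals = {"upload_bytes": 0, "download_bytes": 0, "upload_pkts": 0, "download_pkts": 0}
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) < 9 or not cols[0].isdigit():
            continue  # "Chain ..." and column-header lines
        pkts, nbytes, target, src, dst = int(cols[0]), int(cols[1]), cols[2], cols[7], cols[8]
        if target != "RETURN":
            continue
        if src == client_ip:
            totals["upload_bytes"] += nbytes
            totals["upload_pkts"] += pkts
        elif dst == client_ip:
            totals["download_bytes"] += nbytes
            totals["download_pkts"] += pkts
    return totals


# Constructed sample of what `iptables -nvx -L ACCT_alice` prints after some traffic.
SAMPLE_LISTING = """\
Chain ACCT_alice (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1234     567890 RETURN     all  --  *      *       192.168.1.10         0.0.0.0/0
    4321    9876543 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.10
"""

if __name__ == "__main__":
    print(as_shell(login_rules("alice", "192.168.1.10")))
    print(parse_counters(SAMPLE_LISTING, "192.168.1.10"))
```

The login and logout rule lists are meant to be driven by whatever does the authentication (a captive-portal CGI, a PAM hook, a VPN up/down script); read the counters before running `logout_rules`, because `-F` zeroes them along with the rules.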
I use it too.
However, I had one big gist about it. It had an old, noisy hard drive, and it was made to log practically everything, it seemed (well, info about everything).
When the line it is connected to regularly transfers several (tens of) gigabytes per day (to a 100 Mbit LAN), it was kind of annoying, as it made constant noise because of the logging.
Well, it didn't take too long before the 100 MB it had reserved for logging filled up, though.
world was created 5 seconds before this post as it is.
Congratulations to all those who made Smoothwall's latest release possible.
:)
Based on personal experience, I highly recommend that anyone planning to use, donate to or purchase support for the Smoothwall product first research the company and primary members of the development team, such as founder Richard Morrell, before making a commitment. Of course, that's a good idea under any circumstances, with any software product.
Personally, I use the Mitel SME Server distribution (formerly e-smith) for my needs, but the feature set is somewhat different and it may not be a good fit for you. The community of users supporting users, however, is a great asset to the SME Server project.
Anyway, I didn't get the job with them, although I did find another *nix job, much to my relief. I wouldn't use this myself though - IMO an experienced admin should take a minimal install of his favorite generic Linux/BSD distro and build from there. Smoothwall is good for the less experienced though, who need an out-of-the-box solution right now, not after 6 months of googling :-)
And I highly recommended it for many moons.
Unfortunately, the developers really annoyed me. One time, they released a patch that added a splash screen to the web interface that popped up EVERY time you changed page. And they set chattr +i on the file on the server, then deleted the {ls,ch}attr commands on the server.
Which was just offensive. I went into their [community] IRC channel and mentioned how to fix it, and was kickbanned.
They make a big thing about being GPL and community-friendly, but in practice I just find them offensive.
I cannot highly enough recommend that people don't use this, and use ipcop instead.
Gary (-;
However, looking at the cache for the about page, there's one thing that isn't clear. How does this compare to floppy-based distros like Coyote? In particular, it says absolutely nothing about whether it does or does not require a hard drive. Noise and heat are big considerations for me, and a HD is one of the biggest sources of both. So can I run Smoothwall without a HD or CD?
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
Long ago I ran OpenBSD with IPfilter and NAT on a 486 box as my firewall.
I now run a LinkSys BEFSR411. Not as secure - it cannot do both SPI and redirect, and it does not do VPN.
Why the switch? I wanted to get away from an old PC with moving parts that could fail, and I wanted the four-port 10/100 switch, which finally gave me the ability to run 100 Mbps between the computers that supported it.
Recent issues with business clients have brought security back to mind, and after looking at the popular canned products (LinkSys/NetGear, etc.) I conclude that the old roll-your-own approach OF TEN YEARS AGO is more secure.
I want a roll-your-own solution (possibly SmoothWall, possibly something else) that runs on the equivalent of LinkSys hardware:
- No moving parts. Preferably not even a fan.
- Flash memory for filesystem.
- Multiple 10/100 ports, preferably independently controllable so you can set up a DMZ, or different rules for different machines.
Does such a beast exist, in a relatively user-friendly form and without being more expensive than the old desktop that would otherwise be used?
Has been doing this for a long time...
I have had an old P200 with a 250MB (so not a web cache then) box running the Mallard beta of this for a good while now, and before that I ran a 1.X version... It's been getting a good 100+ days of uptime, and is rock-steady.
In fact, I think there's only one feature I could ask for: automatically erasing the logs after they fill up the entire /var partition. It only dedicates 100MB or so to /var, and it quickly fills.
Otherwise, Smoothwall definitely gets my two-thumbs-fresh. I used it to share dialup among my home LAN, and now cable. This story has given me a good interest to donate to this fantastic company.. (Oh, and no, I don't work for them)
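Two posts in this thread (the one about the noisy disk filling its 100 MB log area, and this one about /var filling) describe the same failure: logs grow until the partition is full, and at that point syslog stops recording, which is the worst moment for a firewall to go blind. The stanza below is an added example of the usual fix, rotation by size rather than by age; it is not a SmoothWall configuration file. The file path, the log file name and the syslogd pid file are assumptions, and logrotate only evaluates `size` when it is run, so this needs an hourly cron entry rather than the typical daily one.

```text
# /etc/logrotate.d/firewall  (assumed path; assumes syslogd writes /var/log/messages)
/var/log/messages {
    # rotate as soon as the file passes 10 MB, regardless of age
    size 10M
    # keep three old copies: 4 x 10 MB worst case on a 100 MB /var
    rotate 3
    compress
    missingok
    notifempty
    sharedscripts
    postrotate
        # make syslogd reopen its file; pid-file path is an assumption
        /bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
```

Pick `size` and `rotate` so that their product leaves headroom below the partition size; with `compress` the old copies are much smaller than the worst case above, but the bound should hold even if compression is slow or fails.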
I was looking at Smoothwall a few months back, but found that I was scared off by the various versions etc... It really didn't seem clear if the GPL version would be supported for long. I ended up rolling my own Debian based system, but looked carefully at IPCop too.
(Actually just posting to eliminate some bad modding.)
At work we have a Sonicwall SOHO 2 on a Windows network. It was in place before I got there. We "need" to keep it because we have a client that theoretically wants to come in and look at data on one server. They have yet to ever do this, and it isn't clear if it would even work (the VPN should work since it was tested when it was made, but the server's data is supposedly questionable from something one of the accountants told me).
The Sonicwall SOHO 2 serves its purpose in that it keeps out the worms and I can block/open ports.
But where it is truly awful is the detail of its logs. It will tell me the top IPs that got the most traffic - but it includes IPs that are outside of our network, and inside of our network. It will tell me the web URLs that get the most hits. And it tells me which protocols transmit the most data and how much that is.
But while that is nice in theory, it is largely useless.
I want to know what pages and what protocols specific inside IPs are doing. I want to know which inside computer is connecting to what outside computers over what protocols.
Also, if I block a protocol/port, it will still log all of the attempts towards it exactly the same as if it were being allowed in. It doesn't say that 1000 hits were attempted on it but didn't get in - it just says that there were N megs of data against it (apparently not through it).
I don't care about logging what they do - I'm pretty laid back about all of that. If they are doing naughty things, that is their deal (my superiors have yet to tell me otherwise).
But I do very much care if people have spyware or viruses on their systems - and a firewall is a great way to track down who has those issues. I can do it with what we have now, but it could be far easier.
I looked into Smoothwall and thought that it looked good - and it is free. Even then, I don't know if I can get money even to get a lowly machine to run as the firewall.
It isn't clear on their site how detailed the logs go.
And it isn't clear if I can mimic the same VPN processes that are in place now, with the Smoothwall system.
I would love to hear feedback about the software. That way I can make a more informed decision as to what to do about the overpriced SOHO (in order to use features on it, you continually have to pay to have them turned on, such as VPN or virus checking).
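The two things the poster above cannot get out of the SOHO 2, which inside host is talking to which outside host over which protocol, and whether a hit on a blocked port was actually dropped, both fall out of the kernel log once the firewall logs with distinct prefixes for accepted and dropped traffic. The script below is an added example, not SmoothWall code and not the poster's setup: it assumes iptables LOG rules with prefixes `FW-ACCEPT ` and `FW-DROP ` and a single known LAN prefix, parses the resulting syslog lines, groups events by inside host, keeps probes against the firewall's own address separate, and flags hosts whose outbound connections keep hitting DROP rules, which is the worm/spyware tell the poster wants. The sample log lines are constructed, not captured.

```python
"""Per-inside-host summary of iptables LOG lines.

Added example, not SmoothWall code and not the original poster's setup. It
assumes the firewall logs with two prefixes, e.g.
    iptables -A FORWARD ... -j LOG --log-prefix "FW-ACCEPT "
    iptables -A FORWARD ... -j LOG --log-prefix "FW-DROP "
so allowed traffic and blocked attempts are distinguishable, and that the LAN
is one known prefix. The sample log lines are constructed, not captured.
"""
import ipaddress
import re
from collections import Counter, defaultdict

ACCEPT_PREFIX = "FW-ACCEPT"
DROP_PREFIX = "FW-DROP"

LOG_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<fields>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # SRC=1.2.3.4 style tokens; bare flags (DF, SYN) are skipped


def parse_line(line: str):
    """Return {prefix, src, dst, proto, dport} for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(m.group("fields")))
    return {
        "prefix": m.group("prefix"),
        "src": f.get("SRC"),
        "dst": f.get("DST"),
        "proto": f.get("PROTO", "?"),
        "dport": f.get("DPT", "-"),  # ICMP has no port
    }


def summarize(lines, inside_net: str):
    """Group events by inside host.

    Returns (hosts, external_blocked): hosts maps each LAN IP to
    {"allowed": Counter, "blocked": Counter} keyed by (direction, peer, proto, dport);
    external_blocked counts dropped packets that involved no LAN address at all
    (probes against the firewall's own external IP), keyed by (proto, dport).
    """
    net = ipaddress.ip_network(inside_net)
    hosts = defaultdict(lambda: {"allowed": Counter(), "blocked": Counter()})
    external_blocked = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["prefix"] not in (ACCEPT_PREFIX, DROP_PREFIX):
            continue
        verdict = "allowed" if ev["prefix"] == ACCEPT_PREFIX else "blocked"
        try:
            src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
        except (TypeError, ValueError):
            continue
        if src in net:
            host, peer, direction = ev["src"], ev["dst"], "out"
        elif dst in net:
            host, peer, direction = ev["dst"], ev["src"], "in"
        else:
            if verdict == "blocked":
                external_blocked[(ev["proto"], ev["dport"])] += 1
            continue
        hosts[host][verdict][(direction, peer, ev["proto"], ev["dport"])] += 1
    return dict(hosts), external_blocked


def suspicious_hosts(hosts: dict, min_blocked_out: int = 3) -> list:
    """LAN hosts whose outbound connections keep hitting DROP rules."""
    flagged = []
    for host, data in hosts.items():
        n = sum(c for (direction, *_), c in data["blocked"].items() if direction == "out")
        if n >= min_blocked_out:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample log in the syslog format klogd/syslogd use for iptables LOG output.
SAMPLE_LOG = """\
Nov  7 10:12:01 fw kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=12345 DF PROTO=TCP SPT=3321 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  7 10:12:03 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=1044 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  7 10:12:04 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=1045 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  7 10:12:09 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=300 DF PROTO=TCP SPT=1100 DPT=6667 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  7 10:12:10 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=301 DF PROTO=TCP SPT=1101 DPT=6667 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  7 10:12:11 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=404 TOS=0x00 PREC=0x00 TTL=127 ID=302 PROTO=UDP SPT=1102 DPT=1434 LEN=384
Nov  7 10:12:15 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=303 DF PROTO=TCP SPT=1103 DPT=443 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  7 10:12:20 fw kernel: eth1: link up, 100Mbps, full-duplex
"""

if __name__ == "__main__":
    hosts, ext = summarize(SAMPLE_LOG.splitlines(), "192.168.1.0/24")
    for host, data in sorted(hosts.items()):
        print(host, "allowed:", dict(data["allowed"]), "blocked:", dict(data["blocked"]))
    print("probes against the firewall itself:", dict(ext))
    print("suspicious:", suspicious_hosts(hosts))
```

On the sample, 192.168.1.10 shows only accepted web traffic, 192.168.1.23 has three dropped outbound attempts (IRC and the SQL Slammer port) and is flagged, and the port 135 probe against the firewall's external address is counted separately rather than being mixed in with LAN hosts, which is the distinction the SOHO 2 logs collapse. Logging every accepted packet is expensive on a busy link; logging only new connections (`-m state --state NEW`) keeps the volume manageable without losing the per-host view.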
There are some odd things afoot now, in the Villa Straylight.
Heck, even a M$ lozer could download the iso and have a firewall up and running within 2 hours (so long as they have Mozilla installed).
Experienced Astaro admins can have a firewall up in 15 minutes, tops.
No more Micro$oft bashing from me. Its like bashing at the special olympics.
I'm one of many that were turned off of smoothwall for different reasons (rudeness by one of the developers mainly) and chose to go with ipcop. I've never looked back since then nor had a problem with ipcop.
:-)
I hope smoothwall has straightened out some of their earlier problems and is successful, but I'll continue using ipcop for the foreseeable future.
Both of these projects are absolutely awesome though. They allow you to take an old machine and easily turn it into a good firewall/router. I've set up a few now, as they have made some computers I picked up from a school useful again. All my ipcop installs go on P2s with 64 MB of RAM and 3 cheap NICs. I can have a firewall/router set up and running in 20 minutes, which includes DMZ, NAT, Snort, DHCP, VPN, and a proxy... all easily configured via a web browser over SSL.
These projects are real gems in the OSS world IMHO and I doubt I'll be looking at hardware firewalls in the near future again.
Hats off to all the developers (except 1) that have been working on these
-Pat
I've been running a Soekris net4801 for a few weeks as a firewall. I'm very happy with it. It's not intended specifically as a firewall; you just buy the basic computer from Soekris and then install what you want. Getting it going can be quite involved, as it has no VGA circuitry; you have to administer everything over a serial cable. This is almost exactly the opposite target market from Smoothwall; the Soekris products are meant for people who know what the heck they're doing.
The 4801 I bought is a Pentium/266 with 128 megs of RAM, 3 network ports, a mini-IDE port (used for 2.5" hard drives [notebook style]), a compact flash port, a mini-PCI slot, and a 3.3v (only) regular PCI slot. This chipset has several known bugs, including a bad data-corruption bug with DMA mode hard drives that has not yet been worked around in Linux, to my knowledge. It's better to use it with a CF card (which can't do DMA) because of this, at least until they get that bug fixed. You can find some patches for the kernel via links off the main Soekris page, but I don't think there are any patches yet for the HD bug.
After about a week of futzing around with it, I finally got it running. Much of the pain was learning how PXE booting works. At this point, I have a Debian firewall with one external and two internal ports, and a 256MB internal "hard drive" (compact flash card). Everything is set up to log to RAM (instead of writing to the CF card, which is bad). The neatest part is that the machine is about the size of a trade paperback (it would be even smaller if they hadn't left room for a PCI card in the case), is absolutely silent, takes about ten watts of power, and has NO moving parts, so flinging it about isn't a problem. The chip is passively cooled, and doesn't even need a heat sink; the case gets mildly warm but never really gets hot. One of the neater gadgets I've played with recently.
Total net cost, including the CF card, was about $375, so it's not for the poor, and it's definitely not for the Smoothwall crowd. But if you're looking for a very sweet solution to the space-and-noise problem with a good, Linux-based firewall, this is a great solution.
As an aside, OpenBSD has patches to run with the net4801. I was having trouble getting OpenBSD's boot program to read the CF properly, and then suddenly ran short on time because my old P133 firewall started losing its hard drive. Pressed for time, I gave up on OpenBSD and installed Linux.... but, at least in theory, it should run well. OpenBSD also has support for hardware crypto accelerators, which you'll need if you want to do VPN with a box this slow. (that's one good use for the expansion slots.) I only saw one Linux hardware crypto driver, and it looked unfinished and primitive. Definitely a spot where OpenBSD looks to be ahead.
Nice little box. I'm very fond of mine.
I tried Smoothwall and IPCop. Couldn't get either one running behind due to my lack of experience and dealing w/ my landlord's Linksys router. Tried OpenBSD and the OpenBSD community at Screamingelectron.org helped me through the OpenBSD learning process and configuring my box. Now I have a secure, stable firewall for free. Before I get flamed, I've bought a T-shirt and CDs from OpenBSD to support the project.
This guy is way out there
Its bad naming aside (but who could have predicted the SCO mess several years ago), it's a rather powerful firewall/router solution that fits (and runs, if you like) on a SINGLE floppy.
It's worth checking out.. www.freesco.org
---- Booth was a patriot ----
I find it rather cool that you can download it over emule/edonkey. Why can't more software vendors provide their demos / free releases over ed2k / bitT ?