March 10, 2005
This article was first published on www.newsforge.com
In these days of always-on Internet connections, a firewall that protects your network from unauthorized access is indispensable. Though most home routers have some sort of basic firewall capabilities, their rules for incoming and outgoing traffic are often basic and arbitrary. An alternative is to run a Linux-based firewall on old hardware, but configuring this sort of setup is generally not easy. An exception is SmoothWall, a free application you can install on any old machine to convert it to a dedicated hardware firewall. SmoothWall has a friendly interface and more configuration options than standard hardware firewalls.
The download for SmoothWall Express 2.0 is a mere 45MB, 12MB of which is documentation in PDF format. I installed it on an 800MHz Pentium III box with 128 MB SDRAM, a 20GB hard drive, and three network cards (one onboard, two PCI). This hardware is more powerful than the software’s minimum requirements — you can run it on anything upwards of a Pentium with 32MB of RAM and a 540MB hard drive.
The installation is easy, thanks to the excellent documentation provided. During the installation, SmoothWall formats the hard drive, with no options to save any data or make custom partitions. You must choose what kind of network interfaces — Ethernet, ISDN, or USB ADSL — you will be using. I chose the Ethernet option. Next, you choose the type of firewall. There are two options: green-red, where one interface is connected to the Internet (red) and the other is connected to your network (green), and green-orange-red, where you can put any servers that require external access, such as Web or mail servers, in the orange zone. Servers in the orange zone are fully accessible from both the red (Internet) and green (local network) zones, but no machines in the orange zone can access resources in the green zone. The orange zone is also known as the demilitarized zone or DMZ.
I chose the green-orange-red option. I set up the IP addresses of the network cards, following the instructions in the manual. The next step was configuring the DHCP server, but since we already had a DHCP server running, I disabled this. I then set up three passwords, for admin, root, and a setup user. The most important user here is the admin user, because that is what you will use for the Web-based administration. The setup user is used when you want to change some settings, such as changing the green-red option to green-orange-red. The final step in the installation process was an option to load a previous SmoothWall configuration from a diskette. The entire installation process took 10 minutes.
By default the firewall is configured to disallow all requests that originate from the red interface. This means that any request which comes from the Internet will be blocked by default unless a machine in the green zone has requested it. You can configure SmoothWall using a Web-based interface at http://:81 or https://:441. For a home user or small business, the only configuration that you will have to do is update SmoothWall, from the updates option in the Web-based interface. Savvy users can configure SmoothWall to their liking.
The Web-based interface is organized into broad areas which then contain the specific features. You can run SmoothWall as a proxy server, DHCP server, forward ports to machines in the green zone, and more. As a proxy server, you cannot set up advanced features like per-user authentication or delay pools. This function is useful for smaller organizations and homes, but a large office may want to use a dedicated proxy server. You can configure the address range, WINS server, and static hosts for the DHCP server. You can specify dynamic DNS, offer remote access for SSH, and synchronize with a Network Time Protocol server. SmoothWall also lets you enable Snort, a popular open source intrusion detection system.
Among the network settings you can control:
- Port forwarding: This allows you to forward a port from the firewall to a machine inside the green or orange zones. You can use this feature to hide your Web servers behind a single IP address. If you use software like BitTorrent, which requires that other computers connect to yours through a firewall, you must use port forwarding.
- External service access: You can access any services running on the SmoothWall machine by opening the ports you need.
- DMZ pinholes: As the name implies, this allows you to open a pinhole from the DMZ to the green zone. This is useful if your externally accessible servers need to communicate with servers inside the green zone. For example, your Web server may need to communicate with a database server inside the green zone.
- PPP settings: You can set up various profiles, configure up to 4 modems, and use dial on demand.
- IP block: You can ban specific IP addresses or ranges here.
SmoothWall performs stateful packet inspection using the Linux 2.4 kernel and netfilter.
SmoothWall also has a built-in VPN. This makes it possible to connect to your home network from an external location.
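To make the zone model concrete, here is an added example (not SmoothWall's own ruleset) that expresses the green/orange/red policy described above as netfilter rules: red is dropped by default, replies to connections opened from inside are allowed statefully, one port forward exposes a DMZ Web server, and one DMZ pinhole lets that server reach a green database. Interface names, addresses, and the database port are assumptions; the script echoes the iptables commands so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Constructed example of SmoothWall-style zone rules. Interface names,
# addresses and the database port (3306) are assumptions for illustration.
GREEN=eth0; ORANGE=eth1; RED=eth2
ORANGE_WEB=192.168.2.10   # assumed Web server in the DMZ (orange)
GREEN_DB=192.168.1.20     # assumed database server in the green zone

# Echo the commands instead of running them; pipe the output into sh as
# root on a real firewall to apply the policy.
IPT="echo iptables"

zone_rules() {
    # Default policies: nothing reaches the firewall or crosses it unless allowed
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Stateful inspection: replies to connections already known are accepted,
    # so a request from green brings back its answer from red
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Green may initiate connections to orange and red
    $IPT -A FORWARD -i $GREEN -j ACCEPT
    # Green may reach the Web-based administration ports on the firewall
    $IPT -A INPUT -i $GREEN -p tcp --dport 81 -j ACCEPT
    $IPT -A INPUT -i $GREEN -p tcp --dport 441 -j ACCEPT
    # Port forward: HTTP arriving on red is sent to the DMZ Web server
    $IPT -t nat -A PREROUTING -i $RED -p tcp --dport 80 -j DNAT --to-destination $ORANGE_WEB:80
    $IPT -A FORWARD -i $RED -o $ORANGE -d $ORANGE_WEB -p tcp --dport 80 -j ACCEPT
    # DMZ pinhole: only the Web server, only to the database, only that port
    $IPT -A FORWARD -i $ORANGE -o $GREEN -s $ORANGE_WEB -d $GREEN_DB -p tcp --dport 3306 -j ACCEPT
    # Hide green and orange behind the single red address
    $IPT -t nat -A POSTROUTING -o $RED -j MASQUERADE
    # Anything else from red or orange falls through to the DROP policy
}

zone_rules
```

Note that orange has no general rule toward green, so any DMZ host that is compromised is still confined to the one pinhole.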
Researchers keep discovering new security risks, so it is essential that you keep your SmoothWall machine updated. The updates section in the Web-based interface handles this. It informs you of available updates and provides links to download the files. Once you’ve downloaded the files, you must upload them using the Web-based form. The updates are in tar.gz format, but the upload process handles the unpacking, and also verifies the package signature.
There were six updates available on the 24th of February, 2005, with the newest dated less than a month before I installed the software. This is a good sign, because it means that the developers release regular updates. Installing the updates was easy, though a couple of them did need a reboot. All the administration can be done over the network, including rebooting.
The documentation for SmoothWall deserves a special mention. The three manuals, Quickstart, Installation, and Administration, are very clear, well-written, and comprehensive. In fact, even if you do not run SmoothWall, you can read the manuals to get up to speed on firewalls.
Our college network comprises around 400 users, a Web server, and a mail server. To test SmoothWall, I enabled Snort intrusion detection and ran a few attacks against the firewall over the red interface. I used nmap, the Metasploit framework, and some other port scanning and attacking tools. In all cases, the firewall was able to deal with them, and the Snort and firewall logs showed most types of attack, the IP address of the attacker, and the time and date. SmoothWall’s IP lookup feature can determine and report the origin of an attacker. The tests that I did were simple, but were the most common kinds of random scans that go on over the Internet.
SmoothWall is designed to run without interruption once configured. On my fairly large network, SmoothWall never showed any signs of slowing down. You can log in and check the log files or the bandwidth usage, which is presented in a graphical format, and tracked over a day, week, month, and year.
SmoothWall does not have many quirks. In fact, the only flaw that I could find was in the updates page. As of this version, it is a two-step process. You have to manually download the files to your machine, and then upload them to the SmoothWall machine. Maybe the developers could implement some sort of automatic update that could be configured to check once a week or so, and download and install the updates. But besides this minor design quirk, SmoothWall is extremely well-designed.
While SmoothWall has many of the features required for a home or small office, it is not a fully featured firewall. You cannot implement your own custom iptables rules without dropping to the CLI, or perform bandwidth management. The built-in proxy server is also a simplified version, and the more advanced features which a larger business may need are not available. But if you are looking for a firewall with more features than the bundled firewall on your router, and you have an old PC lying around, download SmoothWall and try it.