Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Software Linux

SmoothWall 2.0 Linux-Based Firewall Released 351

thegraham writes "Despite some earlier server problems, SmoothWall 2.0 has been released this evening - there are also release notes available. SmoothWall is 'a firewall operating system distribution based on Linux, enabling a low-end, possibly otherwise redundant, Intel and compatible PC to become a hardened Internet firewall', and changes from version 1 include: 2.4 kernel, new web interface, improved networking and many bugs corrected through the Beta program."
This discussion has been archived. No new comments can be posted.

SmoothWall 2.0 Linux-Based Firewall Released

Comments Filter:
  • by rabbit994 ( 686936 ) on Monday December 08, 2003 @05:18PM (#7663054)
    I've been using the 2.0 Beta at home without any problems. It's makes a great firewall for old boxes and has support for Proxies, DynDNS and everything else you expect in a good firewall. All configured easily from a web based interface. Works great for protecting those Windows boxes too. Think Windows cowering behind a big Tux. Kudos smoothwall team.
    • i use it too..
      however, i had one big gist about it. it had an old noisy harddrive, and it was made to log practically everything it seemed(well, info about everything)..

      when the line that it is connected to transfers regularly several (tens of)gigabytes per day(to 100mbit lan) it was kind of annoying as it made constant noise because of logging.

      well it didn't take too long before the 100mbyte it had reserved for logging filled up though..

      .
    • As long as they can avoid some small issues [securitytracker.com], they should be ok. Since they only have two vulnerabilities (although one allowed remote execution of arbitrary code), they seem to be doing well.
    • I have had an old P200 with a 250MB (so not a web cache then) box running the Mallard beta of this for a good while now, and before that I ran a 1.X version... It's been getting a good 100+ days of uptime, and is rock-steady.

      In fact, I think there's only feature I could ask for: automatically erasing the logs after they fill up the entire /var partition.. It only dedicates 100MB or so to /var, and it quickly fills..

      Otherwise, Smoothwall definitely gets my two-thumbs-fresh. I used it share dialup among my
    • I've been using it too, but unfortunately it's been crashing sporadically. Sometimes 5 times within an hour, and sometimes it runs for 2-3 days just fine. But it's a hassle to go and reset it each time. The kernel reports nothing leading up to the total lockup.
  • Mirros please? I want technical specs on this one. Thanks.

    • by EinarH ( 583836 ) on Monday December 08, 2003 @05:29PM (#7663180) Journal
      /.'ed

      SmoothWall Express 2.0

      SmoothWall Express 2.0 was released at 21:00 GMT on Monday 8th December 2002.

      http://www.smoothwall.org/

      ** Please see http://smoothwall.org/ for the latest release
      ** information, downloads and updates!

      SmoothWall Express 2.0 Release Notes

      ** Please note that the https web access port has moved from
      ** TCP/445 to TCP/441! Use https://x.x.x.x:441/ from now on!

      Changes from SmoothWall GPL 1.0:

      * SmoothWall GPL is now SmoothWall Express!
      http://community.smoothwall.org/topic/1086

      * Stateful packet inspection using Linux 2.4 kernel with iptables
      and netfilter.

      * Improved installer:

      - Network card skip.
      - Displays MAC address of detected cards.
      - Prefilled IP addresses.
      - Configure upstream web proxy for fetching update list.
      when a direct connection cannot be made or is not allowed.

      * Improved web user interface; more user friendly, better error
      reporting, more orange :)

      * Improved connectivity device support:

      - More USB ADSL modems; ECI chipset, USR SureConnect.
      http://smoothwall.org/beta/eci.html
      - BeWAN PCI ADSL.
      - BT Home Highway USB TA.

      * Universal Plug-n-Play support for Microsoft Windows XP users.

      * Improved network usage graphs with RRDtool.

      * Improved proxy performance through diskd and other squid tweaks.

      * Static assignments in DHCP server options based on MAC address.

      * SmoothWall time sync with internal or external NTP server. Can
      sync from a built-in list of servers. (Does not provide ntpd
      service to Green or Orange network however)

      * Configuration backup to floppy disk for quick install on another
      machine, or re-install on same machine (compatible with backup
      floppies from Express 2.0 RC1, timesync server list bug when
      using backup floppy from Express 2.0 beta7 "pendolino" - see
      http://community.smoothwall.org/topic/2180 for more info)

      * Simpler port forwarding; no need to open ports with external
      access page, the port (or ports - port ranges are allowed now)
      is opened and forwarded on one page.

      * IP Blocking feature; block any given internal IP address or
      subnet from accessing your SmoothWall or any port forwarded
      hosts. Additionally, blocking rules can be added from the
      firewall log interface.

      * Advanced networking features; block ICMP ping, block multicast
      traffic and enable SYN cookies.

      * Improved VPN; no need for "next hop" setting, optionally enable
      compression on the tunnel, still possible to connect to a
      SmoothWall GPL 1.0 VPN.

      * Perform network diagnostic (ping, traceroute) from web interface.

      * New Java SSH client (replaced due to licence conflict).

      * Added clear cache option to web proxy.

      * Updates list location changed
      http://updates.smoothwall.org/express/2.0

      Thanks to those on the team and the forums for their hard work on
      mods and patches :)

      -----
      Rebooting
      -----

      During the reboot, notice the nice boot screens. :)

      You will notice differences if you use either the ECI or the USR
      SureConnect USB ADSL modems.

      For all USR ADSL modems, have the unit plugged in prior to booting.
      If you are using an ECI-chipset driver (generic of FDX310), you will
      see your screen fill with diagnostics as the firmware is uploaded and
      the line synced. Occasionally this can appear to hang part way
      through, but it should not stall for more then 30 seconds at a time.
      The line should be synced when this process is complete.

      The USR SureConnect will behave in a similar fashion, but with less
      diagnostics.

      ---
  • OS? (Score:4, Interesting)

    by orangenormal ( 728999 ) on Monday December 08, 2003 @05:19PM (#7663070)
    Forgive me if this is an obvious question, but why run a dedicated "firewall operating system" when hardware and software firewalls are available?
    • Re:OS? (Score:5, Insightful)

      by pe1chl ( 90186 ) on Monday December 08, 2003 @05:22PM (#7663098)
      Hardware firewall?
      You probably mean a box with a microcontroller running a dedicated firewall operating system.
    • Re:OS? (Score:5, Informative)

      by theonlyholle ( 720311 ) on Monday December 08, 2003 @05:23PM (#7663117) Homepage
      because it's easy to set up on a bit of spare hardware, however old it may be? Because it provides all that the average firewall user needs? Because it is easy to maintain once it's running? Because most hardware firewalls are as unflexible as they are expensive? I can think of a lot of reasons. In my company, a number of offices use Smoothwall and will certainly upgrade to Smoothwall Express soon, simply because it's an affordable way to secure our network boundaries and because the ongoing maintenance work is minimal.
    • Seems as though it's a good use for computers too dated to do much else. Lord knows there are enough of them.
    • Re:OS? (Score:4, Informative)

      by cybermace5 ( 446439 ) <g.ryan@macetech.com> on Monday December 08, 2003 @05:25PM (#7663143) Homepage Journal
      It's a Linux distribution. It's just all set up and locked down for firewall use, with all the features installed that you might want to use.

      Software firewalls are not that great, hardware firewalls are not as easily updated. By using an old box and a firewall distribution, you can set up a firewall and also have a nice local DNS, DHCP, time, file, and so on server for your network.

      This looks a little heavy compared to the FreeSCO floppy distribution I use, but when it's no longer Slashdotted I'll see if it has anything worth reconfiguring my firewall for.
    • Re:OS? (Score:5, Informative)

      by Malk-a-mite ( 134774 ) on Monday December 08, 2003 @05:26PM (#7663155) Journal
      Because not all software firewalls are equal and not all hardware firewalls are able to do as much. Those that can do as much (or more) have a price tag that reflects that. Because some people don't like to throw away hardware that could be put to a good use. Because for some people it's just fun.

      A few distros off the top of my head:
      Smoothwall
      Clarkconnect
      IPcop
      Freesco
      C oyotelinux
      • Anyone know of anything comparable for old Macs? My father-in-law gave me an old PowerPC that I hate to throw away, but don't have any real use for.
        Thanks.
        • OpenBSD [openbsd.org] or NetBSD [netbsd.org] could probably run on it.

          OpenBSD is a better firewall (pf is very nice), but NetBSD is a bit more portable (in the unlikely event that OpenBSD won't run on it). I think the platform you are looking for is called mac68k or m68k.

        • Re:Non-intel (Score:4, Informative)

          by Malk-a-mite ( 134774 ) on Monday December 08, 2003 @05:45PM (#7663320) Journal
          I know you can run YellowDogLinux on the PPC
          http://www.yellowdoglinux.com/

          And do routing with it:
          http://www.yellowdoglinux.com/support/solutio ns/yd l_general/ethernet_connections.shtml

          Not sure if there is a stripped down firewall distro for it yet. If you're up for it you might see what you could put together.
    • Higher levels of configurability, maintenance, ability to audit the code, possibilities for adding other server capabilities...

      Someone else continue this thread, please, I'm bad at this...
    • Re:OS? (Score:2, Informative)

      by muckdog ( 607284 )
      Hardware firewalls (like checkpoint or your linksys router) are often propritary and/or may be limited in what they can do. Checkpoint firewalls aren't cheap either.

      Software firewalls (like norton on your win2k desktop) may be running on top of a buggy , unsecure piece of crap like windows. Why break the lock when the door is made out of cheese?
    • Re:OS? (Score:3, Informative)

      by kc8apf ( 89233 )
      Quite simply, I have things on my wired home network that I don't want anyone on my AP to access. Using a linux box to handle routing and firewalling between the Internet, wired, and wireless networks does something that software firewalls (like ZoneAlarm) can't do and that would cost over $300 for a hardware firewall to do the same.

      If i've already got an old machine laying around from my last upgrade, why waste money on the hardware firewall?
    • cheap 'hardware firewalls' can only push only up to 2mbyte/s(the 100mbit 'out'-net models), where any old computer with decent cheapo nics can push 6-7mbyte/s easily. also there's various issues why cheaper hw firewall/nat boxes tend to suck.

      -
    • I would suggest there are two immediate benefits:

      1) Presumably the OS has been hardened, even without the firewall. You can have the greatest firewall on the face of the earth, but if the underlying OS is compromised....

      2) Presumably the kernel is optimized for the task. Lean, as modular as possible to maintain the low overhead which would be mandated to perform decently on older hardware.

      But, given that Linux is the OS (and Smoothwall is GPL'ed) it opens up the possibility of tightly integratin

    • Re:OS? (Score:3, Informative)

      by tekspot ( 531917 )
      First of all, because not everyone is talking about home or one workstation application. If you have 100 computers on the network, with smoothwall you will need to configure/reconfigure/update only one dedicated box, instead of all 100 individually.

      Second of all, software firewalls that run on your computer take up resources, and are generally limited by your operating system.

      Finally, smoothwall will be a lot more secure, because it will not be running any of the services that can be compromised by
    • Re:OS? (Score:5, Insightful)

      by tacocat ( 527354 ) <`tallison1' `at' `twmi.rr.com'> on Monday December 08, 2003 @05:43PM (#7663299)

      Because software solutions are too late. The culprit is already at your machine

      And hardware solutions have two problems that I've personally seen happen.

      1. If they are found to have a security flaw in them, the company will not make the effort to reveal to the community the need for a security upgrade in every case.
      2. I can install smoothwall/ip-cop for free on a machine I can pick up for free. It comes with the capability of supporting a DMZ/LAN configuration (3 NICs). This costs big $$$ in hardware

      There are very distinct advantages to this approach. BTW they also have squid, which hardware devices can't provide.

    • For me, its price and simplicity.

      I have an IPCop firewall box at home and an IPCop firewall box at the office.

      IPCop (and I assume Smoothwall), lets you set up a VPN connection between two IPCop boxes REALLY quickly.

      The price for the entire set up was: My time; an hour or so, including cabling and adding second NICs to the boxes. The two old PCs I used, were just that: OLD. They would have been given away if I hadn't grabbed them for the VPN.
    • Hardware firewalls cost money, and software firewalls have to rely on the operating system beneath them to be uncorrupted.

      This is a solution that can be made out of spare PC parts, and is lightweight enough to work just fine on last generation's equipment. Any true geek likely has enough spare parts lying around in their basement from retired machines to build this.

      Why does SmoothWall insist on being alone on the machine? Because the firewall is supposed to be absolutely stable, so there's no business for
  • by Ridgelift ( 228977 ) on Monday December 08, 2003 @05:22PM (#7663100)
    I used to use smoothwall, but switched to the forked project IPCop [ipcop.org]. Some of the original developers forked away from smoothwall because of the founder's desire to mix open source with a business model that conflicted with the project. I was having problems with smoothwall and updates, which prompted me to switch to IPCop. I've been happy ever since.

    Anyone else got opinions on Smoothwall vs. IPCop?
    • by Anonymous Coward on Monday December 08, 2003 @05:24PM (#7663131)
      IPCop does have a faster upload speed for USB ADSL on BTOpenworld
      (30Kb/s for IPCop, 3Kb/s for Smoothwall GPL). The IPCop team have updated
      the driver, whilst the Smoothwall GPL version does not have the driver
      update. Of course you can pay for the Smoothwall Home version if you want
      the faster upload.

      IPCop uses ext3 journaling filesystem, whilst Smoothwall GPL uses ext2.

      The next version of IPCop, 0.2, will be more of a radical departure from
      Smoothwall. Currently IPCop 0.1.1 is much the same as smoothwall GPL

      Oh and IPCop is GPL and being actively developed, were as Smoothwall GPL is
      backing a back seat to the Home and Corporate versions, i.e. new features
      are being added to the Home/Corporate version and *maybe* back ported to
      Smoothwall GPL.

      neuro said that...' there are cool things in
      the works for GPL, and some of the corporate proprietory stuff may be
      backlicensed to GPL in the future.'

      Richard is pushing for the money right now, not that I blame him. Though
      using Smoothwall GPL means that one was much of a beta tester for the Home
      and Server base versions.
      • by wpanderson ( 67273 ) on Monday December 08, 2003 @05:38PM (#7663269)
        I'll try and answer this as best I can ...
        IPCop does have a faster upload speed for USB ADSL on BTOpenworld (30Kb/s for IPCop, 3Kb/s for Smoothwall GPL). The IPCop team have updated the driver, whilst the Smoothwall GPL version does not have the driver update. Of course you can pay for the Smoothwall Home version if you want the faster upload.
        This refers to a long-old version of SmoothWall GPL and the Speedtouch driver - both SmoothWall GPL 1.0 and SmoothWall Express 2.0 have no problems with USB ASDL upstream.
        IPCop uses ext3 journaling filesystem, whilst Smoothwall GPL uses ext2.
        SmoothWall Express 2.0 uses ext3.
        The next version of IPCop, 0.2, will be more of a radical departure from Smoothwall. Currently IPCop 0.1.1 is much the same as smoothwall GPL
        This shows how old the parent post is, information wise. IPcop 1.4 alpha/beta still bears a lot of resemblance to SmoothWall GPL 1.0 / Express 2.0.
        Oh and IPCop is GPL and being actively developed, were as Smoothwall GPL is backing a back seat to the Home and Corporate versions, i.e. new features are being added to the Home/Corporate version and *maybe* back ported to Smoothwall GPL.
        Untrue - our commitment to the GPL is a firm as always, and new features are constantly being backported from the commercial products into the open source project.
        neuro said that...' there are cool things in the works for GPL, and some of the corporate proprietory stuff may be backlicensed to GPL in the future.'
        Yes, this has happened.
        Richard is pushing for the money right now, not that I blame him. Though using Smoothwall GPL means that one was much of a beta tester for the Home and Server base versions.
        Possibly true. We do occasionally deploy features into the open source project to see how they pan out - if they work well, we roll them into the commercial products with proper source attribution where required.
    • by theonlyholle ( 720311 ) on Monday December 08, 2003 @05:25PM (#7663145) Homepage
      well, since Richard Morell has left Smoothwall now, things have become much nicer again. Originally, they didn't even want to do another version of their GPLed Smoothwall... I'm quite happy they changed their mind. Although I miss the rude way that Richard used to treat his customers and fellow developers on the mailing lists... ;)
  • I dunno.. (Score:5, Funny)

    by grub ( 11606 ) <slashdot@grub.net> on Monday December 08, 2003 @05:22PM (#7663105) Homepage Journal

    Using an old Pentium with two NICs for this is great, but the $699 licensing fee is a bit steep. Better stick to OpenBSD..
  • alternatives (Score:2, Redundant)

    by kayen_telva ( 676872 )
    IPCOP [ipcop.org] is an alternative (fork) of the smoothwall project. they do a nice job as well. thanks to both groups. Ive been relying on IPCOP for years.
  • by Tha_Big_Guy23 ( 603419 ) on Monday December 08, 2003 @05:22PM (#7663108)
    I've been using version 1.0 of their firewall for just over a year now, and I have to admit that it is a rather good firewall. I was able to load it on a p100 box with only a 540MB hard drive. Granted with a hard drive that small, my firewall doesn't do alot as far as web cache is concerned, but otherwise it operates great. The patches are easy enough to install, all you have to do is download the gzip from the patches page built into the firewall web client. Upload the gzip's and they're installed.

    Managing the firewall is exceptionally easy as well. You can setup port forwarding to internal computers in under 30 seconds. All-in all the firewall takes the major annoyances out of running a firewall. I highly recommend it for anyone who's got an old system lying around, and doesn't have the time to bother with setting up a firewall.
  • by lww ( 323019 ) on Monday December 08, 2003 @05:22PM (#7663111)
    ipCop [ipcop.org] is a fork of the smoothwall source that has more of an open source community behind it. Personally, I found the whole "Buy Smoothwall Now!" experience just a little too annoying to use.

    But, let me be the first to say that I love the concept behind this type of distro. A boot-cd and 20 minutes turns any old wintel machine into a damn god firewall appliance (one that has a shell!).

    • > Personally, I found the whole "Buy Smoothwall
      > Now!" experience just a little too annoying to use. ... something we try hard not to do these days so as not to alienate folk. Yes, we'd love it if everyone who used the open source version bought the commercial version, but the real world doesn't work that way. That's why a lot of the banners and stuff from 0.9.9 aren't in 1.0 (when fully patched) or 2.0 (out the box).
      • That's fair, my perception is definitely dated to the time I was looking at the distro v0.9 I think. At this point I'm not in the mood to muck with picking another firewall distro ("If It Aint Broke..."), but if ipCop breaks or doesn't keep up or otherwise forces me to start looking again, I'll definitely give Smoothwall another chance.
  • new? (Score:2, Insightful)

    by oohp ( 657224 )
    And this is new how? There are dozens of firewall distros out there, does SmoothWall have anything special or innovative?
  • by Spackler ( 223562 ) on Monday December 08, 2003 @05:24PM (#7663133) Journal

    This thing is great. It is preventing my unauthorized slashotting attempt.
  • IP Accounting (Score:2, Interesting)

    by Anonymous Coward
    Great to see another firewall solution maturing. Congrats to the developers!

    I've always hoped that someone would write a turnkey network/Internet authentication and user IP accounting app (no way do I have the skill at this time). Something that would create an IP table entry when a user authenticates, and track the Internet usage of their machine. Even better, it would be great if I could create a fake network interface for accounting, one which is associated with just one authenticated user, so I could m
    • Re:IP Accounting (Score:2, Informative)

      by pturley ( 412183 )
      <shameless>
      www.rocksteady.com
      Our software does most of what you've described here. We dynamically authenticate users and construct/destroy firewall rules as they enter/exit the system.
      </shameless>
      I could go on, but I dislike spamming people with information they haven't asked for. If you'd like to know more, you're very welcome to visit the site.
    • I've always hoped that someone would write a turnkey network/Internet authentication and user IP accounting app (no way do I have the skill at this time). Something that would create an IP table entry when a user authenticates, and track the Internet usage of their machine.

      OpenBSD has this via authpf, or if you prefer, here is an authentication done via web browser : phpauthpf [piout.net]

  • Google to the rescue (Score:5, Informative)

    by Hal The Computer ( 674045 ) on Monday December 08, 2003 @05:28PM (#7663167)
    Cached:
    • by elmegil ( 12001 )
      Thank you, someone should mod you up further.

      However, looking at the cache for the about page, there's one thing that isn't clear. How does this compare to floppy-based distros like Coyote? In particular, it says absolutely nothing about whether it does or does not require a hard drive. Noise and heat are big considerations for me, and a HD is one of the biggest sources of both....So can I run Smoothwall without a HD or CD?

      • Noise and heat are big considerations for me, and a HD is one of the biggest sources of both....

        Its a FIREwall; it takes care of the heat for you.
      • It's really hard to run Snort from a floppy distro.

        Also, think about it, if the distro is a 33mb ISO chances are damn good that it won't install to a floppy.
      • It installs to about 250MB.

        Noise shouldn't be a problem with old hardware, they only need one fan usually, and someone posted earlier about using a laptop drive for it.
        This is a great firewall, the ease of use factor is out there with anything you can find. I've played harder Commander Keen levels.
  • Smoothwall support (Score:5, Interesting)

    by DaveJay ( 133437 ) on Monday December 08, 2003 @05:30PM (#7663185)
    Congratulations to all those who made Smoothwall's latest release possible.

    Based on personal experience, I highly recommend that anyone planning to use, donate to or purchase support for the Smoothwall product first research the company and primary members of the development team, such as founder Richard Morrell, before making a committment. Of course, that's a good idea under any circumstances, with any software product. :)

    Personally, I use the Mitel SME Server [e-smith.org] distribution (formerly e-smith) for my needs, but the feature set is somewhat different and it may not be a good fit for you. The community of users supporting users, however, is a great assett to the SME server project.
  • by palfreman ( 164768 ) on Monday December 08, 2003 @05:30PM (#7663186) Homepage
    I had a job interview with these people earlier this year. Actually they are all fine and very friendly - contrary to their public perception (in the opinion of the guy who interviewed me). And I thought so business stratergy was basically sound - to have a less featureful open source product, and to have a licenced extra-feature product aimed at the commercial and managed-system customer.

    Anyway, I didn't get the job with them, although I did find another *nix job much to my relief. I wouldn't use this myself though - IMO an experienced admin should take a minimal install of his favorite generic Linux/BSD distro, and build from there. Smoothwall is good for the less experienced though, who need an out of the box solution right now, not after 6 months googleing :-)

    • by Daemonik ( 171801 ) on Monday December 08, 2003 @07:05PM (#7664108) Homepage
      IMO an experienced admin should take a minimal install of his favorite generic Linux/BSD distro, and build from there. Smoothwall is good for the less experienced though, who need an out of the box solution right now, not after 6 months googleing :-)
      No, a junior admin should take the time to build a firewall from scratch.

      An experienced admin is much too busy playing Nethack and downloading pr0n from his bosses logins while running a couple of Quake servers off the company T1 to devote that kind of time to a project.

  • Worth a try. (Score:5, Informative)

    by Anonymous Coward on Monday December 08, 2003 @05:30PM (#7663190)
    It's a really nice product now.

    Once upon a time I wouldn't go near it - one of the original founders was a real rude little shite and a huge liability to the project. And when I say rude, I mean rude - he used to tell potential or even existing customers to fuck off on a fairly regular basis, and that was when he was being polite!

    Only his small circle of friends stayed on the IRC support channel - anyone else got kick-banned without even saying a word (either party).

    Basically he used the wrong license, as in the end he seemed to detest the GPL and the "freeloaders" that were "stealing" copies of "his" work (perhaps he was the inspiration for SCO, huh?)

    Thankfully he fucked off. It a nice project now, supported by nice people! Give it a try.
  • by Chunky Kibbles ( 530549 ) <chunky@icculus.org> on Monday December 08, 2003 @05:34PM (#7663222) Homepage
    And I highly recommended it for many moons.

    Unfortunately, the developers really annoyed me. One time, they released a patch that added a splash screen to the web interface that popped up EVERY time you changed page. And set chattr+i on the file on the server, then deleted the {ls,ch}attr commands on the server.

    Which was just offensive. I went into their [community] IRC channel and mentioned how to fix it, and was kickbanned.

    They make a big thing about being GPL and community-friendly, but in practice I just find them offensive.

    I cannot highly enough recommend that people don't use this, and use ipcop [ipcop.org] instead.

    Gary (-;
    • by wpanderson ( 67273 ) on Monday December 08, 2003 @05:54PM (#7663390)
      And I highly recommended it for many moons.
      Thanks! :)
      Unfortunately, the developers really annoyed me. One time, they released a patch that added a splash screen to the web interface that popped up EVERY time you changed page. And set chattr+i on the file on the server, then deleted the {ls,ch}attr commands on the server.
      That patch was pulled very quickly after the backlash, and nothing of the sort would ever be contemplated again. Ever.
      Which was just offensive. I went into their [community] IRC channel and mentioned how to fix it, and was kickbanned.
      This sort of offensive behaviour does not happen anymore.
      They make a big thing about being GPL and community-friendly, but in practice I just find them offensive.
      I'm sorry to hear you were mistreated.
      • See, here's the thing; there's enough choices out there that nowadays I tend to have a "one strike and you're out" policy for a lot of software.

        Don't like distro XX? Use a different one.
        Don't like firewall softare YY? There's more available
        Don't like mail server ZZ? No-one else likes Qmail, either.

        I used to be a huge RedHat proponent, then they released 7.0, and I quit using RedHat.

        The behaviour of Smoothwall once was so spectacularly bad [and I mean SPECTACULARLY], that I simply can't trust Smoothwall
        • I agree with you. In fact, I go even further. I never use any commercial distributions any more (Smoothwall is not a 'firewall operating system', it's a specialized distro). The software is free and so should be the distribution. If there is anything I want to spend money on, it's not more features, it's support. But then again, I can solve my own problems most of the time.

          IMHO, the problem with commercial distributions is that at some point in time they will need more cash and will try to squeeze it of of
        • by The Tyro ( 247333 ) on Monday December 08, 2003 @09:08PM (#7665012)
          One of the Smoothwall guys just apologized to you (even though he has no way of verifying your "I was mistreated" story) in a public forum, admitted they were wrong, and did it in front of several hundred thousand slashdotters (something he didn't have to do, BTW)... and you won't even consider the software? Ever?

          Projects evolve, abrasive people are often forced out over time. Seems to me you are missing out on a potentially useful tool, based on a past beef with some guys who are no longer there...

          I'm not saying you don't have the right to feel they way you do... it just doesn't seem very pragmatic.
    • Now that Richard Morrell (the projects founder and by far the worst troublemaker) has left the project, things might not be as ugly as they once were.

      Does anyone know whatever came of Mr Morrell? Perhaps Microsoft hired him.

      • by Cloud K ( 125581 ) on Monday December 08, 2003 @06:40PM (#7663895)
        He seems to be working on "new projects" (solo by the sound of it) going by his slightly ranty website at dickmorrell.com

        I'll be sure to avoid them!

        Note he makes a point on the site of pointing out his remaining ownership of the Smoothwall copyright despite the fact that he resigned. What that means I don't know, but it smells very SCO-ish. He's an asshole of similar caliber to those guys.
  • linksys box? (Score:3, Insightful)

    by Anonymous Coward on Monday December 08, 2003 @05:34PM (#7663224)
    A rather newbie sounding question but can anyone explain solid reasons to use this instead of the standard linksys firewall that comes with the router? Note that I'm talking about a home user with less critical requirements than a business.
    • If you have an old PC with two NICs and don't want to buy a Linksys box. Or, if you want more control of your system and need SSH. The Linksys boxes do a pretty good job and work for most people. Some people want more control and power. That and some people just like building their own.
    • Re:linksys box? (Score:3, Insightful)

      by Hayzeus ( 596826 )
      A rather newbie sounding question but can anyone explain solid reasons to use this instead of the standard linksys firewall that comes with the router? Note that I'm talking about a home user with less critical requirements than a business.

      I used to use a Linux box for firewalling/masquerading and had to switch to a LinkSys because of DHCP issues with my broadband provider. One big advantage of the Linux setup was the additional functionality offered by the IP masquerading helper modules; stuff that could

    • by The Tyro ( 247333 ) on Monday December 08, 2003 @09:17PM (#7665077)
      Buying a "hardware firewall" (cheaper ones are just an NAT box) is easy, but teaches you nothing.

      Honestly... there is no substitute for building your own stuff, particularly if you want to increase your understanding of networking and security. If you don't have time for that kind of thing, or just don't want the hassle (you say hassle, I say "learning experience") of rolling your own, then buy the Linksys/Dlink/Netgear box and be done with it.

      You will get far more options and much better control with the one you build yourself... but it doesn't come for free; it takes effort on your part. Seriously... build your own, then set up an ethernet tap with Snort to see what's coming and going on your network. The latter step with Snort personally taught me more about networking, protocols, and packets than any Man-page or article.

      Build it... you'll be amazed at what it does for your networking/security skills.

  • I just can't grasp it. Sure, I RTFM, posted in the forums, etc, but I haven't been able to get a handle on it. The install goes smoothly, but configuring it seems to be anything but slick. It's like the answers just slip through my fingers and I'm left featureless software. I thought the forums would help, but they've been a blank slate with no feedback.

    At least there hasn't been any friction with my boss about this. I just hope in the future, they polish up the documentation, rather than gloss over t

  • by Inode Jones ( 1598 ) on Monday December 08, 2003 @05:46PM (#7663325) Homepage
    Long ago I ran OpenBSD with IPfilter and NAT on a 486 box as my firewall.

    I now run a LinkSys BEFSR411. Not as secure - it cannot do both SPI and redirect, and it does not do VPN.

    Why the switch? I wanted to get away from an old PC with moving parts that could fail, and I wanted the four-port 10/100 switch, which finally gave me the ability to run 100 Mbps between the computers that supported it.

    Recent issues with business clients have brought security back to mind, and after looking at the popular canned products (LinkSys/NetGear, etc.) I conclude that the old roll-your-own approach OF TEN YEARS AGO is more secure.

    I want a roll-your-own solution (possibly SmoothWall, possibly something else) that runs on the equivalent of LinkSys hardware:

    - No moving parts. Preferably not even a fan.
    - Flash memory for filesystem.
    - Multiple 10/100 ports, preferably independently controllable so you can set up a DMZ, or different rules for different machines.

    Does such a beast exist, in a relatively user-friendly form and without being more expensive than the old desktop that would otherwise be used?
    • by JonMartin ( 123209 ) on Monday December 08, 2003 @05:59PM (#7663426) Homepage
      I want a roll-your-own solution (possibly SmoothWall, possibly something else) that runs on the equivalent of LinkSys hardware:
      - No moving parts. Preferably not even a fan.
      - Flash memory for filesystem.
      - Multiple 10/100 ports, preferably independently controllable so you can set up a DMZ, or different rules for different machines.
      Does such a beast exist, in a relatively user-friendly form and without being more expensive than the old desktop that would otherwise be used?

      Soekris [soekris.com]. Check out their net4801 [soekris.com]. Whack OpenBSD on that and you are pretty much done.

    • by Leebert ( 1694 ) on Monday December 08, 2003 @06:04PM (#7663470)
    • While you could always roll your own solution, what you want is essentially all put together here: Mikrotik OS [mikrotik.com].

      You can download the free version, or buy the whole thing installed on an IDE flash disk. You can also buy the flash disk/OS preinstalled on a SBC. Not quite free, but not badly priced either.

    • The GCT Allwell [allwell.tv] is a set-top-box type PC that has no moving parts. There are articles on how to use it with linux as a firewall. You can get a box for as little as $300 USD

    • For hardware I would recommend a VIA C3 mini-atx system (no fan necessary for the slower processors), use aliases on your network adapter, and connect it to a cheap switch; or an underclocked Pentium with a monster passive heatsink and filled with cheap NIC's.

      For software run Debian Stable, and use WebMin to administer your firewall (and system). Set up a cron job to "apt-get update; apt-get upgrade" every day. The system will run like an appliance. Stable, reliable, secure. You might have to reboot th
    • such beasts are out there, but it's pretty hard for them to be cheaper than 0$ that the old desktop usually costs. one other reason for using old desktop i've found is sheer speed(the cheap fw/nat+switch boxes aren't that hot when it comes to transfer speeds, even the ones that are advertised as 100mbit for the outside connection as well).

      as for rolling your own, there's flash hd thingys and some very small pc's with multiple lans. www.gadgetcomputer.com has one such a thing, then there's the via's and oth
  • OpenBSD (Score:3, Interesting)

    by Zebra_X ( 13249 ) on Monday December 08, 2003 @05:47PM (#7663328)
    Has been doing this for a long time...
  • by joestar ( 225875 ) on Monday December 08, 2003 @05:48PM (#7663334) Homepage
    There is also MandrakeSoft's Multi Network Firewall [mandrakesoft.com] which is a very nice firewall + network infrastructure management software that provides many features, including a multi-VPN support. And it's very easy to use.
  • LEAF is very solid (Score:3, Informative)

    by Arkahn ( 14759 ) on Monday December 08, 2003 @06:04PM (#7663473)
    The LEAF distribution of Linux (leaf.sourceforge.net [sourceforge.net] has performed excellently over the years. Various sub-distributions [sourceforge.net] have tackled different things, and I've happily been using Bering [sourceforge.net] at my company for years now. Smoothwall and Bering sound similar: Bering offers a 2.4 kernel, one floppy default running size, easy setup, good documentation [sourceforge.net], an active and helpful mailing list [sourceforge.net], and Shorewall [shorewall.net] for those of who don't want to muck around with iptables scripts. (I'm guilty of using iptables by itself for some time. Shorewall's thorough implementation is sobering to this do-it-yourself-er).
  • IPCop (Score:2, Interesting)

    by balamw ( 552275 )

    I was looking at Smoothwall a few months back, but found that I was scared off by the various versions etc... It really didn't seem clear if the GPL version would be supported for long. I ended up rolling my own Debian based system, but looked carefully at IPCop too.

    (Actually just posting to eliminate some bad modding.)

    Balam
  • Mirror of ISO image (Score:3, Informative)

    by baximus ( 552800 ) on Monday December 08, 2003 @06:17PM (#7663615)
    PlanetMirror's got this now:
    HTTP [planetmirror.com] | FTP [planetmirror.com].
  • I see the release notes talk about being able to do VPN through this to one of their own products. However I want to be able to masquerade through to a Cisco VPN server. The VPN-Masquerade-HOWTO [ibiblio.org] (as of Oct 2003) says:

    I don't have the resources to follow the development kernels, so at this time no work on VPN Masquerade for 2.3.x or 2.4.x has taken place. If you know someone who is working on this, please let me know.

    So, will this allow me to run multiple clients from home through the firewall? I have

  • Astaro Much Better (Score:5, Informative)

    by All Dat ( 180680 ) on Monday December 08, 2003 @06:23PM (#7663695) Homepage
    Personally, I've used Astaro Security Linux [astaro.com] for a long time since moving from Smoothwall, and I find it far superior.

    It's of course free for home use, runs on anything down to a P100, and all the up2date is handled by Astaro themselves.

    Hell, they even have FREE evaluation webinar-live-workshops for people to get acquainted with Astaro if they are new (and presumeably to help with a purchasing decision for business) You can signup for the Eval Workshop for free here [astaro.com].

    When they release their version 5, I hope it gets the same kind of publicity, they are hands down the coolest internet firewall and don't seem to get much press.
  • by pair-a-noyd ( 594371 ) on Monday December 08, 2003 @06:30PM (#7663771)
    I've been using Smoothwall 2.0 beta X for over a year now and I've had very few problems.

    The most recent I'm using is Pendolino and it's great.

    I have installed several customer sites with Beta5 (after extensive testing at my site) and they are all very pleased with it.

    I highly recomend it. You can take an old PC and load it up and really be covered.
    It's very easy to use, very reliable, very flexible.

    What's even better is that you can use the built in,
    transparent proxy (squid) to block ads. [martybugs.net] (sorry /., your ads too)..

    I made a dull gray "this ad zapped" gif and put it in /home/httpd/zaps and edited the wrapzap file to tell adzapper to look on smoothwall ofr it's images rather than using the resources of sourceforge. I found that the black and yellow gif was more annoying than the ads it was blocking.

    Man, it's great. EVERY machine that I plug into my lan automatically gets it's ads zapped. Friends and customers are freaked out and impressed with that. Then after seeing how cool it is they want a smoothwall too. Problem is I end up setting them all up for free.. ;-/

    Smoothwall is very cool, get it....
  • by bogie ( 31020 ) on Monday December 08, 2003 @06:50PM (#7663994) Journal
    I think these are Awesome for small businesses and technically advanced home users but really not too great for the average home user. I think they will be better served with something like a low end SMC router. It's cheaper,smaller, costs less to run, and even compared to the easiest of these distros tends to be easier to setup. Usually you just plug it in and go. No need to open up a PC to install extra NICS and no need to worry about a powersupply going. I used to run a PC for a firewall, but really with the features you get on these cheap routers I'm more than happy. Hell the low end SMC7004VBR has an SPI firewall, VPN, Virtual Servers, and Access Control. All for under $40! You may have more fine grained control on something like Smoothwall, but for who don't need it it's really no contest on which product is a better fit.

    I guess most of what I said is common sense, and I'm sure those in the market for a PC based firewall have thought about it as well. I just thought I'd post in case you needed to be pushed one way or another.
  • How is the logging? (Score:4, Interesting)

    by AssFace ( 118098 ) <`stenz77' `at' `gmail.com'> on Monday December 08, 2003 @06:58PM (#7664057) Homepage Journal
    At work we have a Sonicwall SOHO 2 on a Windows network. It was in place before I got there. We "need" to keep it because we have a client that theoretically wants to come in and look at data on one server. They have yet to ever do this, and it isn't clear if it would even work (the VPN should work since it was tested when it was made, but the server's data is supposedly questionable from something one of the accountants told me).

    The Sonicwall SOHO 2 serves its purpose in that it keeps out the worms and I can block/open ports.

    But where it is truly awful is the detail of its logs. It will tell me the top IPs that got the most traffic - but it includes IPs that are outside of our network, and inside of our network. It will tell me the web URLs that get the most hits. And it tells me which protocols transmit the most data and how much that is.
    But while that is nice in theory, it is largely useless.
    I want to know what pages and what protocols specific inside IPs are doing. I want to know which inside computer is connecting to what outside computers over what protocols.
    Also, if I block a protocol/port, it will still log all of the attempts towards it exactly the same as if it were being allowed in. It doesn't say that 1000 hits were attempted on it but didn't get in - it just says that there were N megs of data against it (apparently not through it).

    I don't care about logging what they do - I'm pretty laid back about all of that. If they are doing naughty things, that is their deal (my superiors have yet to tell me otherwise).

    But I do very much care if people have spyware or viruses on their systems - and a firewall is a great way to track down who has those issues. I can do it with what we have now, but it could be far easier.

    I looked into Smoothwall and thought that it looked good - and it is free. Even then, I don't know if I can get money even to get a lowly machine to run as the firewall.
    It isn't clear on their site how detailed the logs go.
    And it isn't clear if I can mimic the same VPN processes that are in place now, with the Smoothwall system.

    I would love to hear feedback about the software. That way I can make a more informed decision as to what to do about the overpriced SOHO (in order to use features on it, you continually have to pay to have them turned on, such as VPN or virus checking).

  • by Malor ( 3658 ) on Monday December 08, 2003 @07:23PM (#7664279) Journal
    I've been running a Soekris net4801 for a few weeks as a firewall. I'm very happy with it. It's not intended specifically as a firewall, you just buy the basic computer from Soekris and then install what you want. Getting it going can be quite involved, as it has no VGA circuitry; you have to administer everything over a serial cable. This is almost exactly the opposite target market from Smoothwall; the Soekris products are meant for people who know that the heck they're doing.

    The 4801 I bought is a Pentium/266 with 128 megs of RAM, 3 network ports, a mini-IDE port (used for 2.5" hard drives [notebook style]), a compact flash port, a mini-PCI slot, and a 3.3v (only) regular PCI slot. This chipset has several known bugs, including a bad data-corruption bug with DMA mode hard drives that has not yet been worked around in Linux, to my knowledge. It's better to use it with a CF card (which can't do DMA) because of this, at least until they get that bug fixed. You can find some patches for the kernel via links off the main Soekris page, but I don't think there are any patches yet for the HD bug.

    After about a week of futzing around with it, I finally got it running. Much of the pain was learning how PXE booting works. At this point, I have a Debian firewall with one external and two internal ports, and a 256MB internal "hard drive" (compact flash card). Everything is set up to log to RAM (instead of writing to the CF card, which is bad). The neatest part is that the machine is about the size of a trade paperback (it would be even smaller if they hadn't left room for a PCI card in the case), is absolutely silent, takes about ten watts of power, and has NO moving parts, so flinging it about isn't a problem. The chip is passively cooled, and doesn't even need a heat sink; the case gets mildly warm but never really gets hot. One of the neater gadgets I've played with recently.

    Total net cost, including the CF card, was about $375, so it's not for the poor, and it's definitely not for the Smoothwall crowd. But if you're looking for a very sweet solution to the space-and-noise problem with a good, Linux-based firewall, this is a great solution.

    As an aside, OpenBSD has patches to run with the net4801. I was having trouble getting OpenBSD's boot program to read the CF properly, and then suddenly ran short on time because my old P133 firewall started losing its hard drive. Pressed for time, I gave up on OpenBSD and installed Linux.... but, at least in theory, it should run well. OpenBSD also has support for hardware crypto accelerators, which you'll need if you want to do VPN with a box this slow. (that's one good use for the expansion slots.) I only saw one Linux hardware crypto driver, and it looked unfinished and primitive. Definitely a spot where OpenBSD looks to be ahead.

    Nice little box. I'm very fond of mine.
  • OpenBSD (Score:3, Interesting)

    by LittleLebowskiUrbanA ( 619114 ) on Monday December 08, 2003 @08:07PM (#7664595) Homepage Journal
    I tried Smoothwall and IPCop. Couldn't get either one running behind due to my lack of experience and dealing w/ my landlord's Linksys router. Tried OpenBSD and the OpenBSD community at Screamingelectron.org [screamingelectron.org] helped me through the OpenBSD learning process and configuring my box. Now I have a secure, stable firewall for free. Before I get flamed, I've bought a T-shirt and CDs from OpenBSD to support the project.
  • by nurb432 ( 527695 ) on Monday December 08, 2003 @08:10PM (#7664631) Homepage Journal
    Its bad naming aside, ( but who could have predcited the SCO mess several years ago ) its a rather powerful Firewall/router solution that fits ( and runs if you like ) on a SINGLE floppy.

    its worth checking out.. www.freesco.org

Single tasking: Just Say No.

Working...