pavement

SmoothWall

From FreeBSDwiki
Jump to: navigation, search

SmoothWall is an out-of-the-box firewall solution from SmoothWall Ltd., a UK based company. While not strictly FreeBSD related, it being based on GNU/Linux, it is an open source and freely available alternative for those not confident enough to use FreeBSD's in-built firewall solutions. It requires an IBM compatible i386 (or better) computer in which to install - it will wipe the entire drive - ensure the computer in question is no longer required and can be dedicated to running SmoothWall.

Contents

Overview

SmoothWall is a firewall that works well for a small home LAN, through to small offices right up to corporate-scale environments. The company behind the product offer professional versions of the free offering that provide advanced features. This allows for the free version, known as SmoothWall Express, to continue to be available at no cost. This is similar to dual-licensing schemes used by the companies behind PostgreSQL and MySQL and other open source solutions.

Despite being free the product boasts features found in high-end firewall routers from Netgear or D-Link and has regular security fixes available.

Features

SmoothWall has a great list of features that makes it a serious contender for even the most advanced firewall router devices on the market. It can be thought of as a poor-mans equivalent of the commercially available CheckPoint Firewall system in that it is an operating system based firewall that runs on dedicated physical hardware.

Key Features

Key features (as of current release version 3.0) running through the menu options in order:

  • About
    • About Your SmoothWall - Active service status of your Smoothie;
    • Advanced Status - Pertinent information about your Smoothie, current configuration and resource usage;
    • Traffic Graphs - Statistical graphs based upon traffic usage across your SmoothWall's network interfaces;
  • Services
    • Web Proxy - Configure and enable your SmoothWall's integrated caching web proxy service;
    • DHCP - Configure and enable your SmoothWall's DHCP service, to automatically allocate LAN IP addresses to your network clients;
    • Dynamic DNS - Especially suited when your ISP assigned you a different IP address every time you connect, you can configure your SmoothWall to manage and update your dynamic DNS names from several popular services;
    • Intrusion Detection System (IDS) - Enable the Snort IDS service to detect potential security breach attempts from outside your network. Note that Snort does not prevent these attempts — your port forwarding and access rules are used to allow and deny inbound access from the outside;
    • Remote Access - Enable Secure Shell access to your SmoothWall, and restrict access based upon referral URL to ignore external links to your SmoothWall;
    • Time settings - Change timezone, manually set the time and date, and configure time syncronisation;
  • Networking
    • Port Forwarding - Forward ports from your external IP address to ports on machines inside your LAN or DMZ;
    • External Service Access - Allow access to admin services running on the SmoothWall to external hosts;
    • DMZ Pinholes - Enable access from a host on your DMZ to a port on a host on your LAN;
    • PPP Settings - Configure username, password and other details for up to five PPP, PPPoA or PPPoE connections;
    • IP block configuration - Add blocking rules to prevent access from specified IP addresses or networks;
    • Advanced networking features - Configure ICMP settings, and other advanced features;
  • VPN
    • VPN Control - Control and manage your VPN connections;
    • VPN Connections - Create connections to other SmoothWalls or IPSec-compliant hosts which have static IP addresses;
  • Logs
    • Log Viewer - Check activity logs for services operating on your SmoothWall, such as DHCP, IPSec, updates and core kernel activity;
    • Web Proxy Log Viewer - Check logs for the web proxy service;
    • Firewall Log Viewer - Check logs for attempted access to your network from outside hosts. Connections listed here have been blocked;
    • IDS Log Viewer - Check logs for potentially malicious attempted access to your network from outside hosts. Connections listed here have not necessarily been blocked — use the Firewall Log Viewer to confirm blocked access;
  • Tools
    • IP Information - Perform a 'whois' lookup on an ip address or domain name;
    • IP Tools - Perform 'ping' and 'traceroute' network diagnostics;
    • Secure Shell - Connect to your SmoothWall using a Java SSH applet (requires SSH to be enabled);
  • Maintenance
    • Updates - See the latest updates and fixes available for your SmoothWall, and an installation history of updates previously applied;
    • Modem Configuration - Apply specific AT string settings for your PSTN modem or ISDN TA;
    • USB ADSL Firmware Upload - Upload firmware to enable use of an Alcatel/Thomson Speedtouch Home USB ADSL modem, nicknamed the 'frog' or 'stingray'. Download the 'Speedtouch USB Firmware' tarball, unpack it, and upload the mgmt.o file using this form;
    • Change Passwords - Change passwords for the 'admin' and 'dial' management interface users. This does not affect access by SSH;
    • Backup - Use this page to create a backup floppy disk or floppy disk image file;

Network Ports

SmoothWall utilises a scheme of colours to refer to the network interfaces as follows:

  • Red - The internet facing connection, often referred to as the 'dirty side';
  • Green - The internal facing connection, often referred to as the 'clean side';
  • Orange - An in-between connection, commonly referred to as the 'demilitarized zone' (DMZ);
  • Purple - A dedicated port for wireless connectivity;

The red interface on SmoothWall can be an ethernet connection to a leased line, an ISDN connection, a USB ADSL (broadband) modem or even a humble dial-up modem!

The green interface is an ethernet network connection that serves the local LAN and typically connects to a hub or switch to distribute the internet connection to other LAN systems.

The orange interface is an ethernet network connection that is neither on the red or the green networks This is typically where internet facing servers connect, such as a web server and/or email server. The green network can access the orange network servers freely but not the other way around (unless explicitly configured by DMZ pinholes). In much the same way the orange network servers can freely access the red internet but not the other way around (unless explicitly configured by port forwarding).

The purple interface is an ethernet network connection that is intended to link to a wireless access point. While an access point can be encrypted with WEP, WPA or equivalents the use of the purple network allows added security at the firewall level. This feature was introduced with the 3.0 release'.

Links

The freely available SmoothWall Express (currently release version 3.0) is available from the www.smoowall.org website.

The commercial entity SmoothWall Limited is available from www.smoothwall.net.

See Also (Alternatives)

There are a few alternatives worth mentioning:

ClarkConnect - this is a GNU/Linux system based on Red Hat and similar to SmoothWall has a freely available version alongside corporate licensed versions.

IPCop - this was a forked-version of SmoothWall and as such is similar in operation though the authors took the system in a different direction. It had a 'blue' network connection for wireless long before SmoothWall introduced the 'purple' network connection for wireless. www.ipcop.org

m0n0wall - this is a stripped-down FreeBSD based firewall that uses PHP for the back-end control and configuration. m0n0.ch/wall

Shorewall - this is a GNU/Linux system that uses the in-built iptable/ipchains rule set found on this operating system. shorewall.net

Of course, there are always the in-built firewalls available on FreeBSD itself Firewall!

Personal tools