First looks at SmoothWall Express 3.0 "Polar"

By Niall C. Brady, September 2007.







Introduction
What's new ?
Installation
Configuring Smoothwall
***Control
***About
***Services
***Networking
***VPN
***Logs
***Tools
***Maintenance
Conclusion
Screenshots


Introduction

Smoothwall Express 3 has finally been released to the public after a few years in various stages of alpha/beta. I have tried (please read that as 'used/using') both the Grizzly and Panda pre-releases prior to this, so I felt that I had a good idea of what Smoothwall Express 3 final was going to be like, but boy was I wrong.

Smoothwall Express 3 has far exceeded my expectations, the sheer amount of features they've crammed into a 69MB download is unreal, and I hope to cover some of this in the article below. If you'd like to try Smoothwall then please download the iso (both 32bit and 64bit) from here and see for yourself. You won't regret it.

Smoothwall Express (as stated in the install_guide.pdf) is:-

'an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall Express is configured via a web-based GUI and requires absolutely no knowledge of Linux to install or use. SmoothWall Express enables you to easily build a firewall to securely connect a network of computers to the Internet.'


Well, they would say that wouldn't they, and I guess the above is mostly true, but some knowledge of Linux and/or networking would definitely help with using and setting up the product.


What's New in Smoothwall Express 3.0

The most obvious new features in Smoothwall Express 3 are the updated Linux kernel (2.6, up from 2.4 in Smoothwall Express 2), which gives better support for network cards and today's hardware, and of course the Smoothwall web-based interface, which has a slick, new, expertly designed theme [Screenshot].

In addition to that, there are the following features:

* POP3 Email antivirus proxy - email scanning with market-leading ClamAV
* 'Purple' network interface - keep wireless clients like laptops safely off the main network.
* Inline Proxy support for Instant Messaging (MSN, ICQ, Yahoo!, AOL) & VoIP with logging capabilities - monitor/record conversations & filter objectionable words & phrases.
* Universal Plug n Play Support (UPnP) - essential for getting your Xbox 360 and other games consoles online.
* Bandwidth Management - prioritize important traffic & speed up browsing with a new web-caching proxy.
* Real-time Graphs & per IP Traffic Stats - view & track web usage per user on an hour by hour, day by day or month by month basis. (great for people with download quotas)
* New, easier update system - Easy to use, single click update system for keeping your protection up to date.
* Outbound traffic blocking with time-based controls - restrict Internet access for different users at different times of the day
* Developer edition - tinkering without tears (for those who want it) with a 'home brew' extension system for user-created add-ons.
* Network time server - never set your computer clock again!


For a complete list of what's new and possible features see the release notes. Their online forums are a thriving area and are full of posts and suggestions from users including known issues and faqs, indeed there's already a known issues thread for SmoothWall Express 3 so check it out !


Installation

You'll have to decide which version of Smoothwall Express 3 is suited to your needs before downloading the corresponding ISO. There are now 4 separate ISOs: Smoothwall Express 3.0 and Smoothwall Express 3 Developers Edition, each in 32-bit and 64-bit editions. Once you've downloaded the correct ISO (I chose the standard 32-bit version) and burned it to a CD, you'll need to select a computer to install it on. I used an older laptop with 128MB of RAM, specs below:

Express Version: 3.0-polar-i386-
CPU Vendor:      GenuineIntel
CPU Model:       Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
CPU Speed:       1796 Mhz
Memory:          124 Mb
Disk:            18.6 Gb
Network Config:  GREEN + RED
Connection Type: Ethernet


The info above was generated by my.SmoothWall Profile, which we'll go into a little bit later. If you are not sure that your hardware will work with Smoothwall Express 3.0, then check out the online forums, where there is a hardware compatibility list for you to peruse or post to.

The installation is pretty similar to Smoothwall Express 2.0, namely it's text based. The first screen that greets you [Screenshot] when you boot from the CD warns you that installing Smoothwall Express 3.0 will wipe out all the data on your hard disc, but you knew that already, didn't you? If you didn't, and you value the data on your hard disc, then exit from the install and do a backup before proceeding.

Pressing ENTER will start the Linux kernel and begin the installation. You will be presented with screen after screen of questions and choices, and any of this can be changed at a later stage by logging in to the box locally and typing 'setup' at the console, or via a web-based Java shell, or via ssh. The installation screens are in essence split into two sections: the first is the actual installation of the OS and the second is how you want it configured:

* Welcome screen
* Insert Smoothwall Express 3.0 CD in the CD-ROM drive
  (why? we've just booted from it..)
* Preparation of the hard disc (partitioning/formatting)
* Warning message about above !!
* Partitioning disk
* Making log filesystem
* Making root filesystem
* Installing files
* Congratulations

All done yet? Nope, now we have to configure it.

* Restore backup configuration?
* Choose keyboard mapping
* Configure hostname
  (note: You cannot use numbers, spaces, underscores '_' or any other wildcard or punctuation characters except '.'.)
* Default Security Policy
* Configure Networking
* Configure GREEN/RED/ORANGE/PURPLE
* Web proxy update list address
* ISDN configuration
* ADSL configuration
* DHCP server configuration
* Password config for admin and root accounts
* Setup complete, reboot


So that's it, Smoothwall is now installed. If you want an online guide to help you to install it then here it is (pdf). Interestingly, that guide doesn't explain the part of the installation that new Smoothwall users will most likely have difficulty understanding, namely the GREEN/RED/ORANGE and now PURPLE networks. If you'd like a more advanced guide, then you'll need to sign up to create your own my.SmoothWall Profile. Once you have done that, you can access the "SmoothWall_Express_3_Administrator_Guide_V1" pdf in the Docs link in your 'my.smoothwall' profile.

To make it as simple as possible, remember this much: the GREEN network is your local computers talking to each other and the RED network is the Internet, so one network card on your Smoothwall handles the local network (GREEN) and the other network card handles the Internet (RED).

In addition, we have the ORANGE and PURPLE networks, they are also local networks similar to GREEN but are different as follows:- The ORANGE network is a DMZ for servers with private IP addresses that are not routable over the internet and the PURPLE network is for your wireless devices (laptop etc).

Ok, by now you should have installed Smoothwall Express 3.0, congratulations!


Configuring Smoothwall

The easiest way to manage smoothwall is by using its Web based GUI by connecting to it from another local computer on your network. Simply fire up a web browser and type in the following https address (assuming that you went with the default settings)

https://192.168.0.1:441

Once you have entered your username and password, you'll be presented with the brand new theme [Screenshot] which contains a variety of tabs. I'll go through each tab here.

Control:-
This is the front page of smoothwall and allows you to quickly see the status of your smoothwall in terms of uptime, bits transferred and a little scrolling map of traffic rate. You can also shutdown/reboot the firewall from here or get detailed help. In addition, you can register your Smoothwall by clicking on the large 'My Smoothwall' logo in the centre of the page. (Registration is free).


About:-
This 'about' tab brings up details of what's running on your server (useful for troubleshooting or just if you want to view the network usage and its history) via six additional tabs: 'status', 'advanced', 'traffic graphs', 'bandwidth bars', 'traffic monitor' and 'my smoothwall'. The 'status' tab shows what services are currently running, and whether or not there is a problem with them [Screenshot].

The 'advanced' tab [Screenshot] brings up nice graphs of memory usage, inode usage, disk usage, uptime and users and more. You can't actually do anything here, just see what is going on usage wise on your smoothwall server.

The 'traffic graphs' tab [Screenshot] shows how much traffic is being used up on your GREEN and RED interfaces (and ORANGE/PURPLE if configured), and also (new with Smoothwall 3.0) shows statistics of current/hour/day/week/month usage. A very nice addition!

New to 3 since the Panda release (I didn't try any of the other beta/alphas after that release) are the next three tabs: 'bandwidth bars' [Screenshot], a dizzying realtime screen which shows the bandwidth usage in scrolling bars, and the 'traffic monitor' [Screenshot], which shows realtime network bandwidth usage graphs (much easier to look at).

Finally we have a tab called 'my smoothwall' and that allows you (if you wish) to register your interest in the product with the smoothwall team to receive email notifications (updates and patches), get the Administrative guide, newsletters and more.


Services:-
This is where you do most of the 'real configuring' within Smoothwall, and it opens up a new page with 10 important tabs.

The first tab 'web proxy' [Screenshot] allows you to configure Smoothwall's integrated caching web proxy. If you want your clients to have no changes to their proxy settings in their internet browser, then set the web proxy to 'transparent'.

The next tab is im proxy [Screenshot] (IMSpector) and here you can configure the Instant message proxy to monitor Msn, Yahoo, ICQ, IRC and AIM and even swear-word filtering. I find it strange though that gmail (google talk) isn't listed here, but then again, they've most bases covered. Using this (and the web proxy above) in conjunction with the Logs section, will let you know a wealth of information about what is going on on your network.

Next up is the important pop3 proxy. It will remove viruses from emails that are retrieved using the POP3 protocol.

SIP users will be pleased to see the addition of sip proxy which allows you to configure logging level, call logging and number of clients that can use the proxy. (VoIP technology).

The dhcp service has many options, including network boot, static assignments, DNS, NTP, WINS, NIS and more, so drop by here if you want to configure the DHCP server built into the Smoothwall.

For the dynamic DNS users amongst you (hey, I'm one too!) you can configure Smoothwall to auto login to those domains so that they get the correct IP reported. Cool, useful and handy. Next in line is the static DNS service, and in here you can add static DNS entries to Smoothwall's inbuilt DNS server.

The next tab ids (Intrusion detection system) [Screenshot] is a must-have if you want to see potential security breach attempts (it uses snort). However, the Smoothwall team has removed the snort rules and you must now sign up on http://www.snort.org to receive an Oink code. Once you have an Oink code you can paste it into the 'rule retrieval' section and start up snort. There have been some issues with some users complaining that it wasn't working for them, but it worked for me.

If, like me, you use Linux and like to ssh in to a box, well, you can do the same with Smoothwall (on the local network). On the 'remote access' tab, simply enable it and ssh in from another box. You can even ssh in from a Windows machine using PuTTY.

The last tab in the services category is 'time' and it allows you to change timezone or enable the built in time server.


Networking:-
This category allows you even more options (seemingly endless :-)) and is very important if you want to block ips, do port forwarding or more. It is broken down into yet more tabs and all are fairly self explanatory.

The first tab in networking is incoming and it's here that you instruct smoothwall how to forward specific TCP or UDP ports and to which machines on your local network. Cool stuff, very nicely done, and it accepts ranges of ports as well (eg:- 1000:2000)

If you require your end users (PCs) to have specific external access (for example some multiplayer game needing TCP and UDP ports opened), then this tab is for you. Do read and understand the security implications of doing this, however, by clicking on the very useful help button.

Next up is outgoing, which allows you to do things such as limit users on the GREEN interface to specific internet-based services (like web access on port 80 and sending email on port 25). In addition you can use the pre-defined rules to allow or block those services (ftp, IRC, DirectX games, sftp, ICQ, MSN Messenger, the list goes on and on). Very cool stuff indeed.

If you want your ORANGE or PURPLE (wireless) networks to access a port on your GREEN network then you'll need to configure that in the internal tab.

The next section of Networking is external and is used to let specific traffic in (for example port 222) to SmoothWall services (ssh on the Smoothwall).

Imagine for a moment that you are on IRC and some dork decides to DOS you, what do you do ? cry ? nah, you click on the ip block tab in networking and add his ip (or ips) to the list of blocking rules. Great stuff really, keep out the bad guys and don't let them know about it at the same time ! (drop packet). Oh and you can log it too, so you know when the lam3r gives up, and then email the logs to his ISP ! (or he keeps DOSing you :().

Timed access is the next tab, and it does just that: it allows you to configure individual rules for IPs on your network, you can define whether to allow or reject the requests, and the rules can be based on days of the week or times of the day. So now you can disable a computer's internet access by an automated rule, very nice.

The next option in 'networking' is 'qos' or quality of service. Enabling QOS is a way to enforce certain speeds for certain applications/services, so you could in theory give 20% of your bandwidth to VoIP or any other application on the network. There are lots of options within this section and you'll most likely need to experiment with it to achieve best results.

The last three tabs are advanced, ppp and interfaces, the 'advanced' tab can configure ICMP settings (ping to you and me) and some other nice features such as blocking IGMP packets or multicast traffic, the ppp section allows you to configure your ppp devices and the interfaces section lists your network cards (RED/GREEN and more) and dns/gateway settings which you can change at will.
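
How the 'ip block', 'incoming' and 'internal' tabs described in this section combine for traffic heading to a GREEN host, as a simplified model added here (not SmoothWall's code or its rule engine). The addresses, the sample rule tables and the evaluation order (ip block first, default drop last) are assumptions.

```python
"""Toy model of who can reach a GREEN host (added example, not SmoothWall code)."""
from ipaddress import ip_address, ip_network


def parse_ports(spec):
    """Parse one port ('80') or a range ('1000:2000') into (low, high)."""
    low, _, high = spec.partition(":")
    lo, hi = int(low), int(high or low)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port spec: {spec!r}")
    return lo, hi


def port_in(spec, port):
    """True when port falls inside the single port or range given by spec."""
    lo, hi = parse_ports(spec)
    return lo <= port <= hi


# Constructed sample rules: every address and port below is hypothetical.
IP_BLOCK = ["203.0.113.7", "198.51.100.0/24"]          # 'ip block' tab
INCOMING = [("tcp", "1000:2000", "192.168.0.10")]      # 'incoming' tab
INTERNAL = [("PURPLE", "tcp", "631", "192.168.0.20")]  # 'internal' tab


def reach_green(src_zone, src_ip, proto, port, dst_ip=None):
    """Verdict for a new connection trying to reach a GREEN host.

    Assumed order: ip block, then the zone's rule table, then default drop.
    """
    if src_zone == "RED":
        if any(ip_address(src_ip) in ip_network(net) for net in IP_BLOCK):
            return "DROP ip-block"
        for rule_proto, spec, host in INCOMING:
            if rule_proto == proto and port_in(spec, port):
                return f"FORWARD {host}"
        return "DROP default"
    if src_zone in ("ORANGE", "PURPLE"):
        for zone, rule_proto, spec, host in INTERNAL:
            if (zone, rule_proto, host) == (src_zone, proto, dst_ip) \
                    and port_in(spec, port):
                return "ALLOW pinhole"
        return "DROP default"
    raise ValueError(f"zone not modelled: {src_zone!r}")


if __name__ == "__main__":
    cases = [
        ("RED", "192.0.2.50", "tcp", 1500),
        ("RED", "198.51.100.23", "tcp", 1500),
        ("PURPLE", "192.168.2.5", "tcp", 631, "192.168.0.20"),
        ("ORANGE", "192.168.1.5", "tcp", 631, "192.168.0.20"),
    ]
    for case in cases:
        print(case, "->", reach_green(*case))
```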


VPN:-
The VPN (virtual private networking) section is primarily intended to VPN multiple smoothwalls, however it is also possible to inter-operate with any VPN product that supports IPSEC or standard encryption techniques such as 3DES.


Logs:-
The 'Logs' category is simply fantastic, and is one of the most useful features of a properly configured Smoothwall. Once you've configured your services (web proxy, im, ids, sip, pop3) you can browse your logs and see details sorted by date/time, and if appropriate IP address or website URL. System logs gives detailed info about your smoothwall, so if you have a DHCP server problem, then you can check in that section of the system logs for any errors. The web proxy log shows urls and ips of websites visited, and the firewall log shows all the blocked attacks on your smoothwall (which is defending your network). You can even mark an ip in the firewall log and add it to the 'block list' or if you wish, do a 'lookup' on it to find out where it's coming from.

The ids logs show you real text descriptions of attacks on your network, for example Date: 09/05 09:30:24 Name: (portscan) TCP Portscan. If you feel something bad is happening, refer back to the Firewall log for more info. The Instant messages section of the log shows real-time 'chats' as they happen [Screenshot], and then once they've taken place you'll get little MSN (or other) icons on the left of the log showing who was talking, and when. You can then click on those logs to get the gory details.

Finally, the email section of the logs shows a log of all emails passing through the POP3 proxy and Anti Virus engine. You can navigate the log using the standard log-viewing controls. Viruses are shown in highlighted text and you can even export the logs to a text file for further analysis.


Tools:-
The tools category is broken down into three further tabs, 'ip information' to perform a 'whois' lookup on an ip address or domain name, 'ip tools' to ping or traceroute an ip and lastly a java based linux shell so that you can have a shell even if no putty is installed on your windows box and you want to get down to the CLI.


Maintenance:-
Last but not least we have the Maintenance category, which is further broken down into 'updates', 'modem', 'speedtouch usb firmware', 'passwords', 'backup', 'preferences' and 'shutdown'. The most interesting one to most Smoothwall users will be the 'updates' tab, as it now allows updates to be applied without having to 'upload' them from the desktop as we had to do with Smoothwall Express 2.0. Now you can just 'check for updates' and if it finds one, click on the 'update' button. Very nice!


Conclusion

I've been using Smoothwall for years now (I started with Smoothwall 1, moved to 2 and after 3 or so years with that moved to the Smoothwall Express 3 alphas (Grizzly and Panda) in 2005), and I can safely say that SmoothWall Express 3.0 was worth the wait. SmoothWall Express 2.0 shipped in December 2003, and after 4 years of programming (and delays) SmoothWall got right back on track and produced a superb product.

For those of you who haven't tried SmoothWall yet, I hope that you will do so now. It is such a powerful product and full of features; speaking of features, the web-proxy and instant message logging alone are sure to be of interest to home networks (keeping an eye on the kids). In addition, the email virus scanning and advanced networking features put to shame many so-called 'all in one firewall' solutions that you see on the shelves of your local IT shop. Smoothwall's ease of use hides sheer power behind a beautiful, professionally constructed interface. It's up to you to realise its true potential.

Well done to the SmoothWall developers and contributors, this is an excellent product, 10/10 from me.


Screenshots

Here is an assortment of screenshots of Smoothwall Express 3.0 during installation, and post install.



(c) http://www.linux-noob.com 2007.
Please send corrections/suggestions/spelling mistakes to
anyweb