Introduction
| Smoothwall Ltd. SmoothWall Express Firewall | |
|---|---|
| Summary | Open source based firewall with a nice GUI, online help, and very efficient (fast) routing |
| Update | None |
| Pros | • Easy installation • Graphical configuration interface • Online help system • Free |
| Cons | • Installation completely erases the hard disk • Limited functionality for power users |
A good firewall these days is pretty much a necessity, especially if you have a broadband connection to the Internet. But which firewall is best for you? How about a free system that runs well on older hardware, uses a graphical configuration system, and is easy to install and configure? If that sounds like your cup of tea, then let’s take a look at Smoothwall Express 2.0.
Features
Smoothwall is software that can turn a low-end PC into a dedicated firewall system, equaling and even exceeding the performance and features of many hardware firewall appliances. Smoothwall Express is licensed under the GPL and based on Linux, but the thing that sets Smoothwall apart from other Linux-based firewall systems is the graphical configuration interface. From the comfort of your desktop browser, you can configure some advanced networking capabilities without even breaking a sweat.
Smoothwall is targeted at users of all capabilities, from home user to network administrator, but personally I’d have to say that the Express version is probably most attractive to the home user. The online context-sensitive help system alone can catapult even the technically challenged to near geek status. While Smoothwall Express is free, the Smoothwall company also sells a Corporate Server version, which of course costs money, but offers more features.
Installation
You can download an ISO file from the Smoothwall website and use it to create a Smoothwall Express 2.0 CD. Once created, the CD is bootable, so starting the installation on most PCs is simply a matter of turning on the power with the CD in the drive. If you don’t have a CD drive on your target machine, there’s also an option for performing a network install.
Smoothwall Express 2.0 installation is a very straightforward affair. Part of the reason it’s simple is because you don’t have very many options to choose from, which can be a good thing or a bad thing, depending on your perspective. One thing that really stands out to me about the installation is that there are no partitioning options. The Smoothwall installation will completely wipe out, repartition, and reformat the entire primary master hard disk, and apparently there’s no way around it. Of course, the installation routine warns you before doing this, but it can be a little worrisome if you’re not sure Smoothwall is going to work for you.
After the hard disk warning, you’re prompted to configure your “green” network interface. This is where it’s a good idea to be familiar with your network cards and what Linux driver they use. If you know that, then you’re all set. If you don’t know, then you may have to do some experimenting after the installation to figure out which cable connects to what. Smoothwall refers to network interfaces by color – “green” for the local network, “red” for the Internet, and “orange” for the DMZ (the “demilitarized” zone where web servers and such should go). Once the local network is configured, the installation will copy files to the hard disk before continuing. The rest of the installation will have you setting up your remaining network cards and other basic information like your hostname. You’re also offered the opportunity to restore a configuration from a previous installation – a good thing if you’re upgrading from an older version. For the most part though, the installation is pretty much automated.
Using Smoothwall
Smoothwall will work with several types of Internet connections, such as ISDN, ADSL, and even dialup. I used all three Smoothwall zones, placing my web and mail server in the “orange” zone. Once installation is complete, you can connect to the Smoothwall web interface from any computer in the “green” zone. You’re greeted by the following home page:
Figure 1: Control : Home
If you’ve just installed Smoothwall, the home page will display a message telling you there are updates available. Smoothwall handles updating in a rather curious way. First, from your local desktop, you download the updates. Then, using the Smoothwall web interface as shown below, you upload an update file to the Smoothwall, where it’s installed.
Figure 2: Maintenance : Updates
After all available updates are applied, you can then move on to setting your Smoothwall up to your liking. Smoothwall includes a DHCP server (dhcpd), a web proxy (squid), and an intrusion detection system (snort). In addition, there’s also a dynamic DNS updating system, which works with services like Dyndns.org, an SSH server, and even an IPsec VPN system (FreeSWAN). Each service is easily configured through the web interface; the DHCP configuration page is shown below as an example:
Figure 3: Services : DHCP
Some services have several options to configure, while others like SSH just have a checkbox or two as shown below:
Figure 4: Services : Remote Access
All of the services are easy to set up using the web interface, which, while not providing a high degree of control, still manages to make enough options accessible to get each service up and running. Another great thing about the web interface is the online context-sensitive help system. Even configuring things that you don’t fully understand can be made easier just by reading the help. When you click on help, a new window pops up explaining what it is you’re looking at and how to set it up.
Figure 5: Online Help
I consider the online help system to be one of the Smoothwall’s greatest strengths. Many folks simply don’t have the patience to dig around on the Internet or through a manual for help, but nearly everyone will click a single button when they need it. This feature alone in my opinion gives Smoothwall a huge edge over many other web-based interfaces I’ve seen, especially for people new to firewalls.
Smoothwall also includes a web-based Java-driven SSH interface as shown below:
Figure 6: Tools : Shell
Figure 7: Networking : Port Forwarding
Adding and removing rules is as easy as clicking a button. Above you can see I’m removing a temporary rule that I had set up to improve Gnutella performance.
Reports and Logs
Once Smoothwall is set up the way you want it, you can check in from time to time to see how things are going. Smoothwall has you covered here too, with status pages and even traffic graphs containing all the information you should ever need. Here’s a look at the “Traffic Graphs” page:
Figure 8: About : Traffic Graphs
You can even click each interface graph for a detailed look at traffic by the day, week, month, and year. In addition to the status pages and graphs, there’s also a page for viewing logs. Some logs are viewed as just plain text, but others, like the “Firewall” and “Intrusion Detection System” logs are formatted for easier reading. The “Firewall” log page even includes checkboxes and buttons for looking up or blocking offending IP addresses.
Figure 9: Logs : Firewall
The “Intrusion Detection System” log, shown below, displays attempts by others to compromise your system, which can frankly be rather unsettling.
Figure 10: Logs : IDS
Keep in mind that Intrusion Detection is just that – detection only. Smoothwall doesn’t block these attacks unless they’re on a port that the firewall rejects. If you have set up any port forwarding rules, just make sure that the system you’re forwarding traffic to (hopefully in your “orange” network) isn’t vulnerable to all the junk out there, because there’s a lot of it.
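The “Firewall” log page and the warning above about port forwarding come down to the same question: of everything hitting the “red” interface, what did the firewall reject, and what did it actually pass through to the “orange” host? The following is an added example, not code from the article or from Smoothwall, that answers that question over netfilter-style kernel log lines. It assumes the log format shown in the constructed sample (including the “Denied-by-filter” and “Forwarded” log prefixes, which are assumed rule prefixes), an assumed interface-to-zone mapping (eth0 green, eth1 red, eth2 orange), and that an administrator knows which ports they deliberately forward. It separates rejected traffic per source and per port, counts what reached the forwarded port, cross-references the two so that a source that was scanning closed ports and then found the open one stands out, and flags any forwarded packet that went somewhere other than the expected zone and port.

```python
import re
from collections import Counter

# Assumed interface-to-zone mapping (not from the article).
ZONES = {"eth0": "green", "eth1": "red", "eth2": "orange"}

# Constructed sample lines in the netfilter kernel-log format. The
# "Denied-by-filter"/"Forwarded" prefixes are assumed LOG rule prefixes.
SAMPLE_LOG = """\
Jan 10 02:14:07 fw kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=203.0.113.17 DST=198.51.100.5 LEN=48 TTL=113 ID=5431 DF PROTO=TCP SPT=3921 DPT=135 WINDOW=16384 SYN
Jan 10 02:14:09 fw kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=203.0.113.17 DST=198.51.100.5 LEN=48 TTL=113 ID=5432 DF PROTO=TCP SPT=3922 DPT=445 WINDOW=16384 SYN
Jan 10 02:15:40 fw kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=48 TTL=52 ID=911 DF PROTO=TCP SPT=1050 DPT=135 WINDOW=8192 SYN
Jan 10 02:16:02 fw kernel: Denied-by-filter:INPUT IN=eth1 OUT= SRC=203.0.113.17 DST=198.51.100.5 LEN=404 TTL=113 ID=5440 PROTO=UDP SPT=1029 DPT=1434
Jan 10 02:20:11 fw kernel: Forwarded:FORWARD IN=eth1 OUT=eth2 SRC=192.0.2.8 DST=10.0.2.10 LEN=60 TTL=55 ID=7 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 SYN
Jan 10 02:21:33 fw kernel: Forwarded:FORWARD IN=eth1 OUT=eth2 SRC=203.0.113.17 DST=10.0.2.10 LEN=48 TTL=113 ID=5501 DF PROTO=TCP SPT=3990 DPT=80 WINDOW=16384 SYN
Jan 10 02:22:05 fw kernel: Forwarded:FORWARD IN=eth1 OUT=eth0 SRC=203.0.113.17 DST=10.0.0.5 LEN=48 TTL=113 ID=5510 DF PROTO=TCP SPT=3995 DPT=22 WINDOW=16384 SYN
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Parse one netfilter log line into a dict of its KEY=value fields.

    Returns None for lines that are not netfilter packet logs. SPT/DPT are
    converted to int; OUT is '' when the packet stopped at the firewall.
    """
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    for key in ("SPT", "DPT"):
        fields[key] = int(fields[key]) if fields.get(key) else None
    fields.setdefault("OUT", "")
    return fields


def summarize(log_text, forwarded_ports, zones=ZONES):
    """Separate what the firewall rejected from what it forwarded.

    forwarded_ports: set of (proto, dport) tuples deliberately forwarded
    into the "orange" zone. Anything forwarded elsewhere is reported as
    unexpected so a stray rule is noticed rather than silently tolerated.
    """
    blocked_by_src = Counter()
    blocked_by_port = Counter()
    reached_orange = Counter()
    reached_srcs = set()
    unexpected = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        proto_port = (f.get("PROTO"), f["DPT"])
        if not f["OUT"]:
            # No output interface: the packet died at the firewall itself.
            blocked_by_src[f["SRC"]] += 1
            blocked_by_port[proto_port] += 1
        elif zones.get(f["OUT"]) == "orange" and proto_port in forwarded_ports:
            reached_orange[(f["DST"], f["DPT"])] += 1
            reached_srcs.add(f["SRC"])
        else:
            unexpected.append(line)
    return {
        "blocked_by_src": blocked_by_src,
        "blocked_by_port": blocked_by_port,
        "reached_orange": reached_orange,
        # Sources rejected on other ports that also reached the open one.
        "scanners_reaching_orange": sorted(reached_srcs & set(blocked_by_src)),
        "unexpected": unexpected,
    }


def top_sources(summary, n=3):
    """Noisiest rejected sources, the ones the log page lets you look up or block."""
    return summary["blocked_by_src"].most_common(n)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, {("TCP", 80)})
    print("Top rejected sources:", top_sources(s))
    print("Rejected by port:", dict(s["blocked_by_port"]))
    print("Reached orange host:", dict(s["reached_orange"]))
    print("Scanners that found the forwarded port:", s["scanners_reaching_orange"])
    print("Unexpected forwards:", len(s["unexpected"]))
```

In the sample, the rejected-port counts are the noise the review describes; the “scanners reaching orange” list is the part worth acting on, because it names exactly the traffic the IDS will log but the firewall will not stop, and the single unexpected forward (a packet passed into the “green” zone) is the kind of rule you want to catch before relying on the zone separation.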
Smoothwall also includes facilities for changing passwords, performing backups, and getting information about Internet addresses (whois, ping, and traceroute) among other things. All in all, it’s a very complete system that works well for many users.
There are a couple of things about Smoothwall, however, that just seem left out or kind of weird to me. First of all, wiping out the entire hard disk during the installation is a bit drastic considering that Smoothwall was originally based on Red Hat, which has long had an excellent partitioning system as part of the installation. Also, there’s no web interface utility for editing the /etc/hosts file, although you can of course use the SSH login to edit it manually. Next, Smoothwall uses NTP to synchronize time with Internet-based time servers, but doesn’t in turn make that service available to the “green” or “orange” network. And finally, Smoothwall provides DNS resolution, but only to the “green” network. Systems in the “orange” network must resolve addresses using an external DNS service (probably your ISP’s). None of these things are showstoppers or major problems, just curiosities in the system that can possibly be changed with some research and persistence. Remember, it’s Linux underneath – you could probably transform it into a Bigmouth Billy Bass if you really wanted to.
Performance and Conclusions
As I mentioned earlier, since Smoothwall is based on Linux, performance is quite high, even on low-end systems. Some resource-intensive features like the web proxy service and maybe VPN performance may be limited by your hard disk and processor, but the real work of moving network packets around can be handled quite easily by just about any old box. To measure network throughput, I installed Smoothwall Express 2.0 on a PII 400MHz system with 256M of memory and connected a PII 333MHz box with 256M of memory (the “endpoint” system) to the “orange” network. From my desktop on the “green” network, a P4 2.6GHz system with 512M of memory (the “test” system), I launched several tests across the Smoothwall box to the system on the “orange” network. Here are my results:
With the “endpoint” running Windows 2000 Pro and the “test” system running Windows XP Home, using the QCheck utility, I measured TCP throughput at 93.023 Mbps using 1000kByte data size and I measured UDP throughput at 27.778 Mbps using 1000kByte data size. With “endpoint” and “test” both running Mandrake Linux 10.1 Official, using the IPerf utility, I measured TCP throughput at 93.6 Mbps using a 16kByte TCP window size. As I’ve mentioned in earlier articles, the practical limits of 100Base-TX Ethernet are generally considered to be somewhere between 60 and 95 percent of the 100Mbps theoretical limit, so these results are definitely towards the high end. What this means is that the limiting factor here, at least when it comes to raw network throughput, is definitely not the software.
Conclusions
Smoothwall Express 2.0 is a great firewall system right out of the box that will work well and provide more features than many users will ever need. The system is easy to install and configure, and the online help system will benefit nearly everyone. Advanced users or complex environments however, may require something with a little more flexibility.
Since I recently reviewed ClarkConnect – another free Open Source firewall – I thought I’d offer a few points of comparison. The biggest difference between the two is that Smoothwall is designed to be a dedicated firewall only, while ClarkConnect can be a firewall, a server, or both. On the other hand, both distros are alike in that they are designed to be administered from a web-based configuration utility.
But I think Smoothwall’s web interface is a little better laid out and easier to navigate than ClarkConnect’s. And I found Smoothwall’s online help system to be more helpful and complete than ClarkConnect’s method of putting general descriptions alongside configuration options. In the end, both distros are reliable and will get the job done, while at the same time being easy for almost anyone to get up and running.