LinuxQuestions.org > Linux - Server > Smoothwall: to use or not to use?
Thread URL: https://www.linuxquestions.org/questions/linux-server-73/smoothwall-to-use-or-not-to-use-524386/

Avatar 01-31-2007 10:39 AM

Smoothwall: to use or not to use?
 
Hi everyone,

It seems there is no Distro forum for Smoothwall, so I'm hoping some of you people have used Smoothwall and can give me your opinions.

We currently have one network server with about 20 Windows clients.

This server doesn't have to do that much. It filters and caches all Internet traffic, acting as a firewall (iptables), proxy (squid), and filter (squidGuard).

In the future we may want to add a Windows network share.

Currently the server is running Mandrake Multi Network Firewall (kernel 2.4.18-8) and I don't like it at all. It is quite unstable, crashes nightly (I have a thread open about this issue) and configuring this OS was a nightmare. It was supposed to have a "Friendly" web-based config utility, but it was useless. Most of the packages I needed were missing (like a C compiler, for one), and getting my hardware working was a huge headache. One thing I did like is it was a stripped down OS, no GUI, so there was no extra crap filling the 20G hard disk.

I mainly deal with Windows, I do know some Linux stuff but not that much.

We are purchasing a new server as the current one is also starting to show signs of an impending CPU failure. The new server will use RAID1 (my first ever raid machine) and I want it to do exactly what the current one does, i.e. firewall, proxy cache, and filter. And add a network share later on, perhaps.

The hot-swap drives for the RAID are only like 34.5 GB (I'm getting 2 drives for the RAID setup). So I don't want a bloated OS with fancy stuff in it or a GUI. (Edit: a GUI is fine if it's real small, but you get the idea)

If you're still with me, my question is: Is Smoothwall the Linux distro I want for this, or should I stick with the Mandrake distribution that we paid over $2000 for?

MS3FGX 01-31-2007 03:27 PM

I feel really bad for you that you paid 2K for such a setup, which could easily be replicated for absolutely nothing. I can't believe they even have the nerve to charge that much.

Reading your post, SmoothWall seems both a good choice and a bad one. On one hand, SmoothWall is very capable, very stable, and has a very nice configuration setup. You should not have any problems getting it installed and administering it. I am fairly sure it can do everything you want as of right now, as well.

On the other hand, the last time I used SmoothWall (which was a while ago, admittedly) it was clearly not designed to be doing anything but acting as a firewall. I don't think that you could easily set up file sharing on it. Even logging into it locally was called something like "Emergency Mode"; it was not even designed to be run through anything but the web front-end.

Again, this is based on the last version I have used. Perhaps more recent ones allow for a little more leeway, and I am sure somebody else would have more recent information if that is the case.

Personally, it sounds like your best bet would be to build your own server from the principal software you want to use, Samba for file sharing, Squid for proxy, etc. That way it will include everything you want and nothing you don't, and it won't cost you 2 grand.

Of course, if you aren't too advanced in Linux, that might prove impractical. Though there is no shortage of guides on the Internet or forums like these which can help you through whatever problems you may have.

Avatar 02-01-2007 07:49 AM

Thanks for the reply.

I just found the invoice for that Mandrake purchase:
MANDRAKESECURITY MULTI-NETWORK FIREWALL SINGLE USER CDROM - 30-SEP-2003 - QTY 1 - UNIT PRICE $2,500.00

I agree that we could have got the whole setup for free if I had done it myself; the problem was I didn't have the know-how, and that CD was supposed to come with support (I found out later it was only e-mail support, it was only for 30 days, and they take 31 days to reply. Oops! Your support expired.) But that's another story.

I appreciate your input. You're saying the version of Smoothwall you tried did not have any Samba file sharing on it. Do you think it would be possible to install it into Smoothwall later on? Since Mandrake, I have lots of experience "tacking on" features that were not originally included, thanks mainly to Google and to this forum.

catworld 02-01-2007 12:28 PM

question...
 
Quote:

Originally Posted by Avatar
Thanks for the reply.

I just found the invoice for that Mandrake purchase:
MANDRAKESECURITY MULTI-NETWORK FIREWALL SINGLE USER CDROM - 30-SEP-2003 - QTY 1 - UNIT PRICE $2,500.00

I agree that we could have got the whole setup for free if I had done it myself; the problem was I didn't have the know-how, and that CD was supposed to come with support (I found out later it was only e-mail support, it was only for 30 days, and they take 31 days to reply. Oops! Your support expired.) But that's another story.

I appreciate your input. You're saying the version of Smoothwall you tried did not have any Samba file sharing on it. Do you think it would be possible to install it into Smoothwall later on? Since Mandrake, I have lots of experience "tacking on" features that were not originally included, thanks mainly to Google and to this forum.

First off, I have used smoothwall for years, and have set up dozens for other folks. It can't be beat; my LAN behind it is dead silent, devoid of all the internet mayhem. (All my machines run Linux, but in the past I ran an entirely unpatched win98 install, no AV, and it ran like new till the mobo went bad...)

The question: do you need or plan to share anything out over the internet? If not, go for a smoothwall asap! If you do, you'd need to forward ports through the smoothwall to the internet-accessible server. I do this routinely, but the machine presented to the internet is not part of the LAN, it's on a separate interface on the smoothwall called the "orange zone."

There are other things you can do, such as have the smoothwall feed the input of another firewall, which in turn handles the LAN, then punch a DMZ pinhole to the orange zone server from the LAN so it can be accessed locally. (though any pinholes introduce dangers... I always use non-standard ports and shove everything through SSH to the extent possible)

For most folks who have no need to serve over the internet, smoothwall is as good as it gets, the free version 2.0 constantly yields near perfect results when I run simulated attacks against it. I can't believe it's free!

cat /world | brain
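The forwarding and pinhole layout catworld describes (a RED/GREEN/ORANGE split, a port forwarded from the Internet to a host in the orange zone on a non-standard port, a single pinhole from the LAN to that host, and nothing from ORANGE into GREEN), written out in plain iptables as an added example. This is not code from the thread and not SmoothWall's own rule set; the interface names eth0/eth1/eth2, the 192.168.1.0/24 green network, the 10.0.2.10 orange host and the public port 2222 are assumptions that can be overridden from the environment.

```shell
#!/bin/sh
# Added example: RED/GREEN/ORANGE forwarding policy in plain iptables.
# Not SmoothWall's own rule set. Interface names, networks, the orange-zone
# host and the public port are assumptions, overridable from the environment.
RED=${RED:-eth0}                       # Internet-facing NIC
GREEN=${GREEN:-eth1}                   # LAN
ORANGE=${ORANGE:-eth2}                 # DMZ ("orange zone")
GREEN_NET=${GREEN_NET:-192.168.1.0/24}
DMZ_HOST=${DMZ_HOST:-10.0.2.10}        # Internet-facing server in the orange zone
PUBLIC_PORT=${PUBLIC_PORT:-2222}       # non-standard port exposed on RED
SERVICE_PORT=${SERVICE_PORT:-22}       # SSH on the orange host
IPT=${IPT:-iptables}                   # IPT=echo prints rules instead of loading them

dmz_rules() {
    # Nothing crosses zones unless a rule below allows it.
    $IPT -P FORWARD DROP
    # Replies to flows that were allowed to start, in every direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # GREEN may reach the Internet (masqueraded below).
    $IPT -A FORWARD -i "$GREEN" -o "$RED" -s "$GREEN_NET" -j ACCEPT
    # ORANGE may never open a connection into GREEN: a compromised DMZ host
    # must not become a foothold on the LAN.
    $IPT -A FORWARD -i "$ORANGE" -o "$GREEN" -j DROP
    # Port forward RED:PUBLIC_PORT -> DMZ_HOST:SERVICE_PORT, and allow only
    # that forwarded flow from RED into ORANGE.
    $IPT -t nat -A PREROUTING -i "$RED" -p tcp --dport "$PUBLIC_PORT" -j DNAT --to-destination "$DMZ_HOST:$SERVICE_PORT"
    $IPT -A FORWARD -i "$RED" -o "$ORANGE" -p tcp -d "$DMZ_HOST" --dport "$SERVICE_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # The "DMZ pinhole": LAN clients may open the same service on the orange
    # host, and nothing else in the DMZ.
    $IPT -A FORWARD -i "$GREEN" -o "$ORANGE" -p tcp -d "$DMZ_HOST" --dport "$SERVICE_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Source NAT for everything leaving on RED.
    $IPT -t nat -A POSTROUTING -o "$RED" -j MASQUERADE
}

# Dry run: print the rules that dmz_rules would load, one per line.
show_rules() {
    ( IPT=echo; dmz_rules )
}

# Run with APPLY=1 as root to load the rules; otherwise just print them.
if [ "${APPLY:-0}" = 1 ]; then
    dmz_rules
else
    show_rules
fi
```

The order matters: the ESTABLISHED,RELATED rule comes first so replies from the orange host back to the LAN pass, while the explicit ORANGE-to-GREEN DROP sits before every ACCEPT so no later pinhole can be widened by accident into a path from the DMZ onto the LAN. Run it without APPLY=1 first and read the printed rules before loading them on a box you can only reach over the network.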

MS3FGX 02-01-2007 09:35 PM

Quote:

You're saying the version of Smoothwall you tried, did not have any Samba file sharing on it. Do you think it would be possible to install it into smoothwall later on? Since Mandrake, I have lots of experience "tacking on" features that were not originally included, thanks mainly to Google and to this forum.
I did a little searching today, and it looks like the situation is still the same in SmoothWall: it does not include Samba by default. I did however find a guide from a year ago that details how to hack in Samba support to run a file server off of a SmoothWall machine.

Here

But as you will see from the responses he gets, almost everyone feels doing this is a bad idea. SmoothWall is designed to do one thing, and to do it well. Adding in more servers and stray programs, especially ones that are not designed to be there, can seriously compromise the system's effectiveness at keeping the network secure.

Really the best idea would be to go ahead and run SmoothWall on an older machine, and then just run a second server with Samba and whatever other support software you want for the internal network as catworld suggested.

That might not be what you want to have to do, for budget reasons, space concerns, etc.; but it is definitely the "right" way to go about it. Of course we have all done things the easy way in the past; I know I have run file/mail servers on the same machine that was running iptables for our primary firewall myself. Sure, it was pretty stupid, but we didn't have enough machines to dedicate to separate tasks.

If that is going to be an issue, budget or space concerns, you should try to lay the case out to whoever is signing the checks and just explain to them that the most secure route is going to require multiple machines. If they want to pay for that, wonderful, if not, then they need to understand there is a higher risk involved.

Avatar 02-02-2007 07:59 AM

Thanks to you both for such excellent and detailed replies! So, I gather from what you are saying that my plan of having one server to do everything is a bad idea.

We do have some spare older machines (circa Windows 98) that I could use for a firewall. I have just convinced the "cheque signing people" that we needed an expensive new server (IBM System X 3400, to the tune of $2400.00) and I justified it by saying that it needs to be expensive so it could "do it all" -- haha, I guess I was wrong about that. However, with that said, putting in an old machine alongside should not be a big deal. I do want to do it right! Our new server should be arriving within the next month, plenty of time to get an old machine set up.

Which machine should be the firewall, and where should I put my other services (squid cache, squidGuard Internet content filter, print queue management, and file sharing)? I see that print queue and file sharing should be on a different machine than the firewall, but what about the Internet software?

Thanks again for all your help, this has been great info already.

Edit: I don't need to serve anything to the Internet, but I do run Apache on my current server so as to access the configuration web site that's on it (over LAN), and SSH for local access via the LAN.

MS3FGX 02-02-2007 04:06 PM

It sounds like you should be in good shape hardware wise then. SmoothWall is very efficient, and you will have no problems running that on the older machine with only 20 clients behind it. I think the last SmoothWall install I did was on a ~200 MHz processor and that was with over 100 clients running through it. The only thing you need to make sure of is that it has 3 spare PCI slots that you can put the NICs into. Some of the older machines from that era shipped with a combination PCI/ISA on the board, and you really should avoid using ISA if at all possible.

As for content filtering, have you looked into SmoothWall's included content filtering? I have never used it myself, but I know that it does include that capability as an option. Perhaps somebody else has had experience with it and could voice their opinions on it.

I don't think there is a caching element available for SmoothWall however, so that would be better off on the main server. That would actually be a better idea anyway, since that is likely to be taking a considerable amount of resources depending on how active your clients are on the Internet.

The rest, as you said, should be put on the new server you have ordered. I think you will find this to be the most efficient setup. You can devote the powerful machine to the tasks that are going to be most demanding (web cache, file serving, etc) and leave the relatively mundane task of firewalling to the older but still more than capable machine.

It also frees you from a lot of burden and responsibility, as you know you have a proven firewall product at the front gates and don't have to worry about it.

Avatar 02-07-2007 07:34 AM

Thanks for the reply, that makes good sense.

So both servers would have 2 network cards. Smoothwall would have one to the Internet and one to server 2, and server 2 would have one from smoothwall and one to the LAN. Right?

Well I am ordering the new server today. So hopefully it will come in soon and I can get all this set up. I'm looking forward to it, thanks for all the help.

MS3FGX 02-07-2007 08:04 PM

Quote:

So both servers would have 2 network cards. Smoothwall would have one to the Internet and one to server 2, and server 2 would have one from smoothwall and one to the LAN. Right?
That is one way to do it, yes. There would be other configurations as well.

In that scenario, you would want to disable DHCP in SmoothWall, and then handle it on the main server. Or just use static IP, whatever you want.

Though many people feel that the main server should not be inside of the protected area of the firewall, and instead be in its own zone. This is like what catworld was talking about earlier, with the "orange" zone.

The theory is that your server could be compromised, and from there an attacker could get inside of your network and render your firewall essentially useless.

But it is up to you, obviously. Personally I think it is being a little paranoid, if the server is compromised, then the whole setup is shot anyway; the hell with the client machines being attacked, they are just generic Windows boxes that can be reinstalled in 45 minutes by a 15 year old.

inspiron_Droid 02-07-2007 08:12 PM

You might want to look into Xubuntu, as it has the lightest-weight graphical user interface. As for a firewall, you could run Firestarter, which is supposed to be a pretty good Internet connection sharing firewall. You might want to also look into Webmin, which is a lightweight web administration tool.
