Climbing a SmoothWall
A closer look at the SmoothWall firewall
By Hal Eisen
March 15, 2004

"Linux is hard!" SmoothWall goes a long way towards dispelling that myth. Putting an emphasis on ease-of-use, SmoothWall is a firewall product intended for home users and small/medium-sized businesses. It enables non-technical people to get the benefits of Linux/iptables without needing to learn any obscure command line magic.

Two versions are available: Express and Corporate Server. Express comes as a free 50MB downloadable ISO image from the SmoothWall site (http://www.smoothwall.org). Corporate Server is also available on the web (http://www.smoothwall.net), but costs £180 ($340) to activate. The advantage of Corporate Server is that it is extensible, with nine add-on modules including web filtering, traffic shaping, and enterprise-grade VPNs.

The Smooths

The user interface is SmoothWall's best feature. Administered through a web browser, tabs are placed along the top of the browser window for easy navigation to each group of tasks. Another layer of tabs permits movement between tasks within the group. All pages have clearly written context-sensitive help. Installation is a breeze, and mostly involves hitting the ENTER key to accept the very sensible defaults. Hardware requirements are minimal: a 150MHz PC with 250MB of disk. SmoothWall is by far the easiest Linux installation I've ever performed.

I wanted to know just how secure SmoothWall really is, so I fired up Nessus, a commonly used network security scanning tool, and let it probe for vulnerabilities. The results were very good. The exception was that SmoothWall responded to ICMP timestamp requests, which can be turned off under "Networking >> Advanced". The scan was properly detected with details available under "Logs >> IDS". SmoothWall passed with flying colors!
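The "Logs >> IDS" page shows the Snort alerts that a scan like the one above leaves behind. As an added example (not part of the original article or of SmoothWall's own code), here is a small parser for Snort's "fast" alert format that groups alerts by source and flags any source that trips several distinct signatures, which is the footprint of a scanner rather than a single stray probe. The log lines are constructed for the example, not taken from a real box.

```python
import re
from collections import defaultdict

# Constructed sample of Snort "fast" alert lines (snort -A fast), as SmoothWall's
# IDS page would display after a scan. The SIDs and addresses are illustrative.
SAMPLE_ALERTS = """\
03/15-10:02:11.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.1
03/15-10:02:12.223456  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40123 -> 192.168.1.1:22
03/15-10:02:13.323456  [**] [1:628:6] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40124 -> 192.168.1.1:80
03/15-10:05:40.000001  [**] [1:1417:9] SNMP request udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.9:1024 -> 192.168.1.1:161
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then "src[:port] -> dst[:port]" (ICMP has no ports).
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)


def parse_alerts(text):
    """Parse fast-format alert lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def scan_sources(alerts, min_signatures=2):
    """Return {src: sorted SIDs} for sources that fired at least min_signatures
    distinct signatures; a single-signature source is not treated as a scan."""
    sids_by_src = defaultdict(set)
    for a in alerts:
        sids_by_src[a["src"]].add(a["sid"])
    return {src: sorted(sids) for src, sids in sids_by_src.items()
            if len(sids) >= min_signatures}


if __name__ == "__main__":
    for src, sids in scan_sources(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"probable scan from {src}: signatures {sids}")
```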

SmoothWall supports several connection methods to the Internet: dial-up, DSL, ISDN, and a direct connection. Also included are sophisticated tools like Squid web caching, Snort intrusion detection, FreeS/WAN VPN, dynamic DNS registration, and NTP time synchronization.

Corporate Server

With the purchase of Corporate Server 3.0, you gain access to a variety of add-on modules for the basic SmoothWall firewall. These include better VPN technology for connecting satellite offices with headquarters, flexible web filters, and support for UPSs. I tested SmoothGuardian, SmoothRule, and SmoothTraffic.

I was impressed with the web filtering provided by SmoothGuardian. Filters can be based on IP addresses, hostnames, URLs, web page content (either by keywords, or by no fewer than sixteen categories of offensive content), and file types. This is a very effective engine, which would be great for use in schools to protect children from inappropriate content and for corporations concerned with worker distractions or sexual harassment lawsuits. You must purchase licenses for your site to use SmoothGuardian, and if you have more web surfers than licenses, then the extra surfers are all blocked. Each license is released as soon as the web page has finished loading, and it is possible to buy an unlimited license.

If bandwidth hogs are your problem, then SmoothRule combined with SmoothTraffic is your solution. With SmoothRule, limits are placed on the types of outbound network requests allowed, letting you restrict music sharing and movie downloads. SmoothRule can discriminate based on network ports and on internet subnets, giving the administrator a fine granularity of control. SmoothTraffic lets you prioritize network requests by examining from which subnet the request originates, and which service is being accessed. Interactive SSH sessions can be expedited, while music downloads and email worms can be squelched.

The Bumps

One of the few difficult aspects of setting up a SmoothWall box is configuring the network settings. SmoothWall breaks networks down into RED (dangerous, Internet), GREEN (safe, internal LAN), and ORANGE (caution, DMZ network). This is confusing for the layman. Fortunately, the supplied documentation contains screenshots and clear explanations. While the basic firewall functions of DHCP, NAT, and port forwarding are all present and easy to work with, the firewall ruleset could be more flexible. It is not possible to create a group of servers, a group of external hosts, or a group of services, and then enable or disable traffic en masse. Nor is it possible to inspect the flags on TCP packets and make decisions based on which ones are on or off.

The Textures

Two fixes are available for Express 2.0, while the Corporate Server has eight. The people behind SmoothWall have conscientiously kept the kernel and OpenSSH up to date. Installing a fix is simple using the browser interface -- much easier than upgrading a binary RPM. For the more advanced user, the "About" tab provides a good overview of the SmoothWall status. Services are shown first, with memory and disk usage displayed in the familiar format using the output from tools such as /usr/bin/free, /usr/bin/df -h, and /usr/bin/w. Network configuration details are shown using /sbin/ifconfig and /bin/netstat -rn. A list of the kernel version (/bin/uname -a) and loaded kernel modules (/bin/lsmod) is also available. Traffic graphs are illuminating, showing throughput in bytes/second for each interface.

Conclusion

SmoothWall is an excellent product, which provides cost-effective, user-friendly security to a wide range of users while leveraging the power of Linux. In fact, I now keep a copy in my CaseLogic CD caddy, just in case.