I am forever on the prowl for good security tools that don’t come with a hefty price; after all, not everyone can afford a full-featured SonicWALL device. My searching usually leads me to various Linux distributions, and this time I discovered SmoothWall Express, a full-featured firewall distribution that can be installed on commodity hardware.
SmoothWall Express offers these features:
- Stateful inspection
- Unlimited local IP addresses
- Dynamic Network Address Translation
- Limited outgoing Egress traffic control
- Port Forward from public IP address to DMZ/local IP
- Administrator maintained IP Block list
- Total network interfaces allowed: 4
- External network interfaces: 1
- Internal Network Zones (Local Networks and DMZs): 1 Local + DMZ + 1 Wireless
- PPP Connections
- PPPoA ADSL
- PPPoE ADSL
- PPTP ADSL
- The distribution can be installed on just about any commodity hardware.
- Two network interface cards (one for internal and one for external)
Remember, this is a distribution based on the Linux kernel, and since we’re not talking a live distribution, and the end result is a console-only operating system, the installation is an old-school curses-based install. However, anyone who is looking at a tool like SmoothWall Express shouldn’t be afraid of a little curses-based installation.
All you have to do for the install is tap the Tab key and the Enter key now and then and maybe enter a hostname or IP address. The install isn’t challenging — it just looks a bit old school. Trust me, the end result (specifically the end user-friendly web-based interface) is well worth it. Now let’s get SmoothWall Express up and running.
Step 1: Download the iso of the latest SmoothWall Express build (make sure to download the iso that matches your architecture.)
Step 2: Burn the ISO image onto a CD.
Step 3: Boot the machine with the newly burned disk in the CD drive.
Step 4: Walk through the installation process. Make sure to note any passwords associated with the root and admin user. The root user is for the console login, and the admin user is for the web-based interface.
Step 5: Assign an internal and an external network.
Step 6: Assign the SmoothWall static IP address for (at least) the internal NIC. Depending on your setup and situation, you may need to install the external NIC as a static IP.
Step 7: Point your web browser to the web-based interface and start setting up your firewall.
Step 7 might be the one piece of the installation puzzle that will trip up users. If you log in to the SmoothWall console using the username root and the password you created during installation, you will notice things aren’t exactly as you expect. This tool has a web interface, yet the standard http daemons are nowhere to be found — at least not on the surface. In order to access the web-based tool, point your browser to https://ADDRESS_TO_SMOOTHWALL_SERVER:441. You will be prompted to log in using the admin user and the password you created during the installation. Once you have successfully authenticated, you will see the SmoothWall Express web interface (Figure A).
If you configured SmoothWall Express to use NIC(s) and a modem or ISDN card for Internet connectivity, you will see the web interface.
Configuring your firewall
You should go into the Maintenance tab and then go through the following setup/configurations:
- Proxies (you can configure web, IM, pop3, sip proxies)
- Dynamic DNS
- Static DNS
- Remote access
Not all situations will warrant the configuration of every option, so make sure the configuration of your new SmoothWall Express firewall server matches your needs.
You do, however, definitely need to create incoming and outgoing rules. These rules are handled by clicking Networking and then Incoming or Outgoing. In these tabs (Figure B), you can then create the firewall rules necessary for your network.
This is how Outgoing rules are created. Outgoing rules control internal machines’ access to external services.
As you can see, Outgoing traffic is either Blocked or Allowed with exceptions. Regardless of which option you choose, make sure to create the exceptions; otherwise, your network is either wide open or closed off. Also, make sure to go through each of the Networking tabs and get the most out of these configuration options.
Backing up your profile
Once SmoothWall Express is up and running and configured to your needs, you need to create a backup of your profile. To do this, go to Maintenance | Backup and then click Create Backup Floppy Image File. This will create and download the file backup.img. As you can see, it does say “floppy” (why SmoothWall is still using floppy technology is beyond me). Since no new machines have a floppy, you have to take these steps:
- Open a file manager (preferably on a Linux box; otherwise, you’ll have to install a tool like winrar).
- Double click the backup.img file.
- Within the backup.img file is the backup.dat file, which you should copy to the SmoothWall machine using a tool like scp.
- Find the backup.dat file in /var/smoothwall/restore/backup.dat and then run the /etc/rc.d/restorescript tool. This will restore your configuration back to the server.
Note: There is also an Advanced (or Corporate) edition of SmoothWall. Check out this feature matrix for to see a comparison chart between SmoothWall Express and SmoothWall Advanced Firewall.