Published on 25.5.2002
Author: Ronny Ziegler
Translator: Sebastian Kueppers
Languages: de

Linux Firewall: Smoothwall & IPCop

Smoothwall is a special Linux-based distribution that turns an old-fashioned computer into a quickly installed firewall that is configured through a web interface.

But Smoothwall does not leave only positive impressions...

Who takes advantage of a firewall?

A firewall protects a local network or a single user's computer from being accessed by strangers while it is online.
Whether installing a firewall pays off depends on how secure you want to be. Users with a flat rate or a real leased line should use a firewall, because many people scan the well-known IP pools for computers with security holes just for fun.
ISPs that offer services for "newbies", such as AOL or T-Online, are especially preferred targets for crackers.
In those networks users running insecure computers can be found easily.

Often those misconfigured systems are used to store illegal files (via FTP or SMB) and share them with others without wasting the attacker's own bandwidth (yours is used instead).

Especially if you provide internet services with your system (such as HTTP, FTP, CVS, SSH and so on) you should use a firewall to block the unused services from the outside world, so as not to offer any additional backdoors.

Nowadays many distributions bring their own firewall solutions with them to provide at least a little feeling of security when using dial-in access.
Those solutions have the big problem that they run on the user's workstation, and several users may have an account on this machine. If user accounts exist on a firewall machine it is much easier to get rid of the firewall.

For this reason a firewall should run on its own machine, which only the admin can access. All services that should be reachable from the internet should be located in a so-called "demilitarized zone" (DMZ for short). The DMZ is a special computer (or several) which is separated from the LAN itself, meaning that this machine uses its own subnet with no routing into the LAN containing the workstations.
So a security hole on the DMZ does not necessarily give access to the more sensitive LAN.


Figure: Typical network containing a LAN for workstations, a web server located in the DMZ and a firewall that allows access to the internet

This is of course not the only possibility. If no services are to be provided, the DMZ can be left out, for example.
You could also think of a machine that communicates with the firewall only to store the log files. That way it is much harder for intruders to hide their tracks. But we won't go into that much detail and will work with the "standard configuration" shown above.

Smoothwall

Setting up a simple firewall is not hard, but basic knowledge about routing, port forwarding and packet filtering is required.
Often this is more than the average user knows, and even many small or medium-sized companies can't afford a dedicated IT team for maintaining a firewall.

Just as critical as the installation is the continuous maintenance of a firewall. Fixing security holes is no less important for staying secure.

Smoothwall, provided by "Smoothwall Ltd.", tries to fill that gap by being an easy-to-install firewall that can be kept up to date with security updates while investing only a little time.
Smoothwall is based on a heavily stripped-down RedHat distribution using kernel 2.2 and is intended for older hardware (the minimum should be a 486 with 16 MB RAM and a 300 MB hard disk).
The distribution is developed under the GPL license and can be obtained from http://www.smoothwall.org as an ISO image.

Installation

Because Smoothwall is intended for "firewall newbies", the installation is rather simple.
The easiest way is to use a bootable CD-ROM. You can obtain the needed ISO image (about 23 MB) from the Smoothwall homepage. The newest version is 0.9.9SE, which differs from version 0.9.9 in that 6 security updates are already installed. But there are already 6 more security updates waiting to be installed.

Because Smoothwall is made specially for older systems that often have no CD-ROM drive (or can't boot from it), an installation from floppy disks is provided, too.
Those disk images aren't available from the Smoothwall homepage and have to be extracted from the ISO image manually.

This can be done using the loop device, which allows an ISO image to be mounted just like a "normal" CD-ROM.
As root you execute:

  >> losetup /dev/loop0 /pfad/zum/smoothwall-0.9.9.iso
  >> mount -t iso9660 /dev/loop0 /mnt/cdrom
  
(Attention: The ISO image must not be located on an NFS share!)
Now the image can be found at /mnt/cdrom, just as if the CD had been inserted into the drive.
The needed disk images, named boot-0.9.9.img and drivers-0.9.9.img, can be found in /mnt/cdrom/images. Those images can be written (as root) to floppy disks using the dd command:
  >> dd if=/mnt/cdrom/images/boot-0.9.9.img of=/dev/fd0 bs=1k count=1440
  
and the same for the driver disk.
The smoothwall.tgz file has to be placed somewhere the setup program can fetch it using wget (a web or FTP server works fine).
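Writing a boot image with dd gives no feedback on whether the floppy actually took the data, and a worn disk silently producing a bad boot is a common reason the floppy installation fails. The following script is an added example, not part of the article or of Smoothwall: it checks that the image has the size of a 1.44 MB floppy before writing, then reads the written sectors back and compares checksums. The function name and the idea of passing a plain file as the target (handy for testing without a drive) are assumptions.

```shell
#!/bin/sh
# Added example: write a floppy image and verify the written sectors.
# A 1.44 MB floppy holds 1440 * 1024 = 1474560 bytes.
FLOPPY_BYTES=1474560

# write_floppy_image IMAGE DEVICE
#   DEVICE is normally /dev/fd0; a regular file works too (assumption: useful
#   for testing the procedure without a floppy drive).
#   Returns 0 when the image was written and reads back identically.
write_floppy_image() {
    img="$1"; dev="$2"
    [ -f "$img" ] || { echo "image not found: $img" >&2; return 1; }

    # Refuse images that are not exactly one floppy: a truncated download
    # would otherwise be written without complaint.
    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$size" -ne "$FLOPPY_BYTES" ]; then
        echo "unexpected image size $size bytes (want $FLOPPY_BYTES)" >&2
        return 1
    fi

    # Same command the article uses, with POSIX spelling of the block size.
    dd if="$img" of="$dev" bs=1024 count=1440 2>/dev/null || return 1

    # Read back exactly the bytes we wrote and compare CRCs (cksum is POSIX,
    # so this works on a minimal rescue system as well).
    want=$(cksum < "$img" | cut -d' ' -f1)
    got=$(dd if="$dev" bs=1024 count=1440 2>/dev/null | cksum | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        echo "verification failed: written data differs from $img" >&2
        return 1
    fi
    return 0
}
```

Run it as root with the image from the mounted ISO and /dev/fd0 as the device; a non-zero exit means the disk should not be trusted for the installation.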

Now the installation can be started using either the CD-ROM or the created floppies.
But attention: Smoothwall does not tolerate any other operating system beside itself! It wipes the whole hard disk during the installation process and is therefore not meant to be tested on your workstation!
There is no possibility to intervene while the hard disk is being partitioned. The installation routine creates the boot, swap, log and system partitions fully automatically!

The questions asked during the installation are cut down to the minimum. Only the network interface cards can cause some problems. Especially with old ISA NICs the automatic detection may fail, and the I/O and sometimes the IRQ addresses have to be entered manually.
But modern PCI cards using Plug'n'Play can cause strange effects as well. Often the automatic IRQ assignment fails, so the IRQs should be assigned explicitly to the specific PCI slot in the BIOS.

Detailed information on the installation can be found in the guide at http://www.smoothwall.org/community/docs/ (available in German and English).

A big disadvantage is that you have no chance to recover from errors. Not only is there no way to correct wrong input using a "back" button; the installation also stops when an error occurs, and you can only retry by rebooting and going through the installation process from the beginning.

Although a shell is provided during the installation, it is not that useful because you are forced to reboot after an error has occurred. So solving problems by hand gains you nothing.

On test system A, for example, an I/O error occurred when initializing the swap partition. This problem couldn't be solved.
The only workaround was to use the old 0.9.9 boot disk, which installs the newer 0.9.9SE image via the network without problems.

Test systems
Test system A
  486DX2-66
  1x PCI NE-2000 compatible (RealTek)
  2x ISA NE-2000 compatible (RealTek)
  Seagate ST32132A, 2015MB w/120kB Cache
  8 MB RAM (70ns)

Test system B
  Intel Pentium 166
  2x PCI NE-2000 compatible (RealTek)
  1x ISA NE-2000 compatible (RealTek)
  Seagate ST32132A, 2015MB w/120kB Cache
  32 MB RAM (60ns)
  


The next step is installing the additional NICs and, if available, the ISDN device. To ease firewall administration the different subnets are given different colors.

  • The red network interface is your internet connection, the most insecure part of your network. This connection can be established via modem, DSL or ISDN (even USB DSL modems are supported).
  • The orange interface is the demilitarized zone (DMZ).
  • The connection to the local (secure) network is made via the green interface.
Using the orange interface is optional.
After entering a password for root and for the admin user (used with the web interface) the installation is finished.

Configuration and administration

After rebooting your firewall you can connect to the machine at the IP address you chose, either via HTTP on port 81 or via HTTPS on port 445 (441 on the Smoothwall Voyager beta).
This eases the firewall configuration a lot, but it is also a bit dangerous. Nothing is easier than picking up a password transmitted via HTTP. However, the intruder already has to be located inside the LAN to listen to the firewall's network traffic.
Knowing this, you can make it harder for would-be eavesdroppers by using the encrypted HTTPS connection.

You can still access the Linux system via SSH. For this the web frontend contains an applet based on MindTerm (www.appgate.com/mindterm/). (Because of licensing problems MindTerm doesn't support SSH2 yet, so the connection is established using SSH1.)


Figure: SSH connection via the Java applet. Smoothwall is searching for new network interface cards

Using this shell you can change the system manually, although it is mainly used for changing the NIC configuration. Most of the other work can be done through the web interface.
For configuring the NICs later, Smoothwall provides the "setup" tool.
With this tool you can even configure the NICs over a network connection, because setup takes care not to break the SSH connection while loading and unloading network drivers.

Updating Smoothwall is rather easy, too. After downloading patches from the Smoothwall website (http://www.smoothwall.org/community/get/download/patches/) you can upload them to the firewall with your web browser and have them installed automatically.
Depending on the kind of update you installed, the firewall might have to be rebooted (which can also be done from the web frontend).
But you have to trust the smoothwall.org web server. If it were cracked and the update packages manipulated, all Smoothwall systems would install those packages in full trust.
At least an MD5 sum could increase the trust in those packages. Unfortunately there is no such thing.

Paranoid natures should set up and configure their new firewall inside an existing LAN first and swap it for the existing firewall only after installing all patches. Unfortunately you can install patches only if the firewall has brought up the internet connection itself and already has the correct gateway settings. The firewall installs patches only if it has successfully downloaded the list of available files from the internet. For this the computer currently providing the internet connection has to be used as the gateway. Just execute the following command at the SSH shell:

  >> route add default gw 192.168.1.1
  
As the IP address you enter that of your own gateway, of course.

Problems while updating Smoothwall occurred on test system A. On this system large updates (especially fix 4) could not be installed because the web server ran into a timeout before the installation had finished. Since this system only had 8 MB of RAM and the computer made extensive use of the swap partition, installing this patch simply took too much time.
Unfortunately, because of this timeout the patch could not be installed. A manual installation would have solved this, but there is no documentation on how to do it. (Though it is that simple: copy the patch archive to the firewall using scp, unpack it and run the included 'setup' script. This patch will then not show up in the list of updates in the web frontend.)
Consequently, a 486 with 8 MB RAM is simply too weak for running the firewall.
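The two points above, that the patch server has to be trusted blindly because no checksums are published, and that a patch can be installed by hand with scp and its setup script, fit together: if the administrator records a checksum of a patch archive through a separate channel, the manual installation can refuse to proceed unless the download matches it. The following script is an added example and neither the article's nor Smoothwall's own code. It uses sha256sum rather than the MD5 the article mentions as the stronger choice; the function names, the firewall address, the /tmp staging directory on the firewall and the assumption that the patch archive is a gzipped tar with a top-level setup script are all assumptions.

```shell
#!/bin/sh
# Added example: gate a manual Smoothwall patch installation on a checksum
# that the administrator obtained out of band (for example by verifying the
# download on a trusted machine and noting its SHA-256).

# Prints the SHA-256 of a file (GNU coreutils and busybox both provide sha256sum).
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_patch_checksum ARCHIVE EXPECTED_SHA256
#   Returns 0 only when the archive exists and its checksum equals EXPECTED.
verify_patch_checksum() {
    patch="$1"; expected="$2"
    [ -f "$patch" ] || { echo "no such file: $patch" >&2; return 1; }
    actual=$(file_sha256 "$patch")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $patch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# install_patch_manually ARCHIVE EXPECTED_SHA256 [FIREWALL_ADDRESS]
#   The manual procedure the article describes (copy with scp, unpack, run the
#   included setup script), but only after the checksum has been verified.
#   FIREWALL_ADDRESS defaults to a constructed green-side address; the remote
#   /tmp directory and the tar.gz format of the archive are assumptions.
install_patch_manually() {
    patch="$1"; expected="$2"; firewall="${3:-192.168.1.254}"
    verify_patch_checksum "$patch" "$expected" || return 1
    name=$(basename "$patch")
    scp "$patch" "root@$firewall:/tmp/$name" || return 1
    ssh "root@$firewall" \
        "cd /tmp && mkdir -p patch && cd patch && tar xzf ../$name && ./setup"
}
```

A mismatch prints both values and aborts before anything is copied to the firewall, which is the behaviour the web frontend lacks. The same check is worth running before uploading a patch through the browser, too.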

T-DSL

Another important aspect is the support for T-DSL (a DSL product of Deutsche Telekom). Smoothwall natively supports DSL connections and can be used with T-DSL in nearly all cases. Only building the username is a bit complicated with T-DSL.

As a T-Online customer you receive your personal data in this form:

  • Anschlusskennung (line identifier) - 000920367867
  • Zugehörige T-Online-Nummer (associated T-Online number) - 530014442280
  • Mitbenutzernummer/Suffix (co-user number/suffix) - 0001
  • Persönliches Kennwort (personal password) - 03387223
The username to be used is a simple concatenation of (in this order) Anschlusskennung, T-Online-Nummer and Mitbenutzernummer, followed by @t-online.de. In our example this would be:
  Username : 000920367867530014442280001@t-online.de
  
The personal password (persönliches Kennwort) is used as the password without any changes:
  Password : 03387223
  
"Service name" and "concentrator name" may be left blank.

Connecting to T-DSL may fail in some situations. If you are one of the very first DSL customers the connection attempt may fail. In /var/log/messages you will find a message like

  T-DSL :"Timeout waiting for PADO socket"
  
What happened? The answer is a bit detailed but worth reading: to establish the DSL connection the network interface sends a query to the other side as a broadcast message and waits for the answer. If no answer arrives this is retried several times before giving up.
The network traffic can be inspected with a tool like tcpdump. A successful PPPoE connection setup could look like this:

tcpdump -i ppp0
(1) PPPoE PADI [Service-Name] [Host-Uniq UTF8]
(2) PPPoE PADO [Service-Name] [Host-Uniq UTF8] [AC-Name "DTMC13-nrp5"] [AC-Cookie UTF8]
(3) PPPoE PADR [Service-Name] [AC-Cookie UTF8] [AC-Name "DTMC13-nrp5"] [Host-Uniq UTF8]
(4) PPPoE PADS [ses 0x5340] [Service-Name] [AC-Cookie UTF8] [AC-Name "DTMC13-nrp5"] [Host-Uniq UTF8]
(5) PPPoE [ses 0x5340] LCP ConfReq [...]


Step 1 shows the broadcast message from your network interface looking for an access concentrator to connect to. This access concentrator sends its name [AC-Name] and offers its services in step 2. We answer it in step 3, requesting a specific service (service request). Finally the access concentrator establishes the connection (in our example with the session id 0x5340) in step 4. From step 5 on the communication runs over PPPoE; the connection has been established successfully. (Lots of further information for FreeBSD systems can be found at http://www.ruhr.de/home/nathan/FreeBSD/tdsl-freebsd.html.)

Unfortunately older T-Online access concentrators do not answer a Linux PC's broadcast, so no connection can be established. This could be worked around with a newer PPPoE driver version (e.g. the Roaring Penguin driver, http://www.roaringpenguin.com/pppoe/), but swapping components in "all-in-one" systems like Smoothwall may cause problems: the different components depend on each other too much.
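When a dial-in fails, the tcpdump output above tells you exactly how far the PPPoE discovery got, and the "Timeout waiting for PADO" case is simply a capture in which PADI is repeated and nothing else ever appears. The following script is an added example, not from the article or from Smoothwall: it reads tcpdump's text output and reports the furthest discovery stage reached (PADI, PADO, PADR, PADS, or an established session) together with a one-line diagnosis. The two sample captures are constructed from the article's listing, and the function names and the eth0 interface in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: classify a PPPoE discovery capture by the last stage seen,
# so a stalled dial-in can be explained. Discovery runs PADI -> PADO -> PADR
# -> PADS; after PADS the session carries PPP (LCP) frames.

# Constructed sample: the complete discovery shown in the article.
SUCCESS_LOG='PPPoE PADI [Service-Name] [Host-Uniq UTF8]
PPPoE PADO [Service-Name] [Host-Uniq UTF8] [AC-Name "DTMC13-nrp5"] [AC-Cookie UTF8]
PPPoE PADR [Service-Name] [AC-Cookie UTF8] [AC-Name "DTMC13-nrp5"] [Host-Uniq UTF8]
PPPoE PADS [ses 0x5340] [Service-Name] [AC-Cookie UTF8] [AC-Name "DTMC13-nrp5"] [Host-Uniq UTF8]
PPPoE [ses 0x5340] LCP ConfReq [...]'

# Constructed sample: the "Timeout waiting for PADO" case. The client keeps
# broadcasting PADI and the access concentrator never answers.
STALLED_LOG='PPPoE PADI [Service-Name] [Host-Uniq UTF8]
PPPoE PADI [Service-Name] [Host-Uniq UTF8]
PPPoE PADI [Service-Name] [Host-Uniq UTF8]'

# Reads tcpdump lines on stdin and prints the furthest stage reached:
# none | PADI | PADO | PADR | PADS | SESSION
pppoe_discovery_stage() {
    awk '
        /PPPoE PADI/ { if (stage < 1) stage = 1 }
        /PPPoE PADO/ { if (stage < 2) stage = 2 }
        /PPPoE PADR/ { if (stage < 3) stage = 3 }
        /PPPoE PADS/ { if (stage < 4) stage = 4 }
        /PPPoE \[ses 0x[0-9a-fA-F]+\] LCP/ { if (stage < 5) stage = 5 }
        END {
            split("none PADI PADO PADR PADS SESSION", names, " ")
            print names[stage + 1]
        }'
}

# Turns the stage into a one-line explanation of where discovery stopped.
pppoe_diagnose() {
    case "$(pppoe_discovery_stage)" in
        none)    echo "no PADI seen: the PPPoE client never started discovery" ;;
        PADI)    echo "PADI sent, no PADO: the access concentrator did not answer" ;;
        PADO)    echo "PADO received, no PADR: the client did not request the service" ;;
        PADR)    echo "PADR sent, no PADS: the concentrator did not confirm the session" ;;
        PADS)    echo "PADS received, no PPP traffic yet" ;;
        SESSION) echo "discovery complete, PPP session established" ;;
    esac
}

# Usage on the firewall (eth0 as the red interface is an assumption):
#   tcpdump -i eth0 pppoed | pppoe_diagnose
# or on a saved capture: pppoe_diagnose < pppoe.log
```

Discovery frames travel on the Ethernet interface facing the DSL modem, so the capture has to be taken there; the "PADI sent, no PADO" result is the signature of the old access concentrators the article describes.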

If you are unfortunate enough to be one of those customers you simply can't use Smoothwall. In that case you have to use IPCop (see below), which already includes the necessary update. But more on this later.

More Options

Smoothwall brings along a number of useful tools that can be configured through the web interface.
First of all, of course, the rules defining which ports are forwarded to the DMZ and which are rejected.
Additionally Smoothwall provides a DHCP server and a web proxy (Squid). Different dial-in profiles can be created to switch between different dial-in accounts.
Furthermore an "Intrusion Detection System" (IDS for short), which recognizes and logs a variety of intrusion attempts, can be activated. A more detailed configuration is not possible (at least not through the web interface).

Very useful is the native support for dynamic DNS providers like www.dyndns.org. Those services allow internet users to be reachable under a domain name although their IP address changes with every connect. If you want to provide services to the internet from your DMZ and do not have a static IP address, such services are very useful and mostly free of charge.

Dialing out via ISDN is supported, too, but channel bundling is not yet possible.

Very interesting is the VPN (Virtual Private Network) feature. With it you can connect two different LANs via the internet, and all communication is transferred encrypted. The other end of the VPN does not necessarily have to be a Smoothwall system; any IPsec-capable system will work.

For further questions about installation and administration a mailing list as well as an IRC channel for urgent questions are available. More information can be found at http://www.smoothwall.org/community/interact/

Company philosophy

It seems that Smoothwall is, with some smaller disadvantages, a good package. But Smoothwall has worked hard at regularly getting bad publicity. Not because of a bad product, but because of the politics of Smoothwall Ltd., the company behind Smoothwall.
Smoothwall Ltd. earns its money with security, especially firewalling. So the Smoothwall released under the GPL is the little sister of the professional version.
Unfortunately it seems the Smoothwall GPL version has the lower priority.

The following email, received by Guido Stepken (known to some of you as a security expert and especially for his firewall texts at www.little-idiot.de/firewall/) after he informed "Smoothwall Ltd." about some security holes, shows this rather clearly:

Mail from Smoothwall
  ....
  I have sent this off to the submissions department to be evaluated.  They
  will reply to you to get more specifics.  I am not going to approve it to
  the list until they have had a chance to verify that these things are
  "solved", but some of what you have solved, are the things we have in the
  corporate version, and so putting them in the GPL version prevents us a
  chance to make a living.
  
  So many people tell us they don't want us to ask for money for GPL, this
  will only ensure that we can't make money with the commercial either.
  
  I believe I also said in the first reply that sales@smoothwall.org does send
  a receipt to those who donate, but that is also not handled by this list,
  but by them.
  
  
  
  Rebecca Ward
  Worldwide Online Manager
  Smoothwall Users List Co-Moderator
  


It seems that not only do security updates have lower priority for the GPL version, but some updates are apparently never to be included in the GPL version at all, to raise the interest in buying the "large" version.
But which GPL developer will still inform them about security holes if he gets the impression that he is working for a commercial company and not for the Linux community?

The problem was solved as simply as this: as Smoothwall is released under the GPL license (meaning that the source code must be available), some free developers decided to create their own firewall based on the Smoothwall source code (they "forked" the code). This caused (and still causes) some anger between the IPCop developers and Richard Morrell from Smoothwall.
The GPL version of Smoothwall will, except for security patches, not be developed further. It is to be replaced by something like "Smoothwall Lite", which will then be available under its own license.
One more reason to switch to the GPL fork. This new version is named

IPCop

and can be obtained from ipcop.sourceforge.net. Currently IPCop is completely based on Smoothwall 0.9.9SE, but it already provides security updates which are not available for Smoothwall or were made available for Smoothwall only later. Installation and configuration are exactly the same as for Smoothwall; only the logos have been changed and the installation is English-only.

Accordingly there were the same problems installing IPCop on test system A, whereas it could be installed on test system B without problems.


Installing updates with IPCop

Those having problems with T-DSL access should switch right now, because IPCop already provides the updates that correct this.
To install those updates you need an established internet connection. This connection has to be provided by another gateway PC. At the IPCop console you set this one as the gateway:

  >> route add default gw 192.168.1.1
  
where the IP address is that of your gateway.
Additionally the DNS server has to be configured in /etc/resolv.conf. Without any editor this is quickly done with
  >> echo "nameserver 212.185.253.70" > /etc/resolv.conf
  
Now you can easily install those patches and afterwards use your IPCop to establish the connection itself.

Apart from that both distributions are nearly identical, so all options found in Smoothwall can be found in IPCop, too.


Figure: Configuring dynamic DNS

The IPCop developers are working on a completely restructured version of IPCop which will then no longer be based on Smoothwall.
Until this version is released the current version will still be maintained and updated.

