Forgot your password?
typodupeerror
Security

SmoothWall Firewall Review 495

Posted by michael
from the security-in-a-box dept.
ray-x sent in a pointer to a review by c't of the Smoothwall firewall product. c't's reviewer described several flaws in the firewall. We asked Smoothwall for their comments on the review, which are posted below.

Daniel Goscomb, one of the lead developers of Smoothwall, responds:

In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.

The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need of shadow password files, if you have access to the machine to get the passwd file, you are already in as root anyhow.

Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.

He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.

As to the part about user authentification of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.

I also find it disturbing that the author gave us no room for comment in his article, nor did i see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.

Sincerely,

Daniel Goscomb.

This discussion has been archived. No new comments can be posted.

SmoothWall Firewall Review

Comments Filter:
  • Smoothwall is Great! (Score:5, Interesting)

    by beezly (197427) <beezlyNO@SPAMbeezly.org.uk> on Wednesday January 09, 2002 @07:28PM (#2813364) Homepage
    I've been using Smoothwall for a while now. I'm extremely satisified with it. I've hand crafted firewalls in the past and I decided to give it a try to ease the burden and it has more than filled the shoes of the things I manually configured before.


    It's secure, featurefull and easy to configure - what more could you want?

    • by DaveJay (133437) on Wednesday January 09, 2002 @07:38PM (#2813441)
      I, too, found it extremely easy to configure. I have been using it, and appreciate the availability of it.

      Ultimately, though, this is a very interesting notation by Daniel:

      >"...nor did i see anything to suggest he had even asked us about these so called "problems"."

      In the review, the reviewer actually states:

      >"My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment (sic)."

      The reviewer apparently did attempt to have a dialogue with one of the developers, and was rebuffed (apparently impolitely.) I have had a similar experience with at least one SmoothWall developer behaving somewhat less than tactfully.

      If the reviewer is wrong about the security issues, the development team may feel justified in treating him thusly -- At the same time, I sincerely hope that the development team keeps a reasonably open ear in case a legitimate bug is discovered.
      • If my, and many of my friend's, experiences of Richard Morrell are any indication, the reviewer got off lightly with "That doesn't matter". There's not even an expletive in there. I'm sure many other users here would back me up on this: Richard Morrell is like RMS but without the charm or patience. Smoothwall, however, is very good stuff. It runs excellently on a battered old 486 and is the ideal solution if you are looking to share a DSL/Cable connection, at any level from a simple home LAN to a hosted domain

    • Agreed. I use it at home to share a dialup and loves it much, I tell you what.
  • sharethenet (Score:4, Offtopic)

    by graveyhead (210996) <fletch@fletchtroni c s . n et> on Wednesday January 09, 2002 @07:29PM (#2813372)
    For an affordable, very easy to configure, and speedy (excellent performance on my 386/33 with 8mb ram) firewall/gateway, you just can't beat sharethenet [sharethenet.com]. I had it up and running in 1/2 hour, and there is almost no performance difference when I have my cable modem hooked up directly to my speedy p3 desktop. It "embeds" linux by loading it from a floppy onto a ram disk. If you get hacked, simply restart your machine, and you are back to factory settings. Downside is you need dedicated hardware, but OTOH, that hardware can be very old and still perform.
    • Re:sharethenet (Score:2, Interesting)

      by mrpotato (97715)
      [...] but OTOH, that hardware can be very old and still perform.

      True. I have a 486/33Mhz acting as a router for 5 computers, and at 250 kb/s download using cable-modem the cpu usage is around 15-20% only.

      Using adsl and pppoe though used to get much worse performance, the cpu being used at 95-100% for 100kb/s download.

    • Re:sharethenet (Score:2, Interesting)

      by karnal (22275)
      I've recently been using a similar product (except $free as in beer) called BBIagent... or is it BBIagent.net? not sure...

      You go to BBIagent.net's page, and then proceed to answer a few questions about the machine you'll be using as the gateway (nic cards for WAN,LAN etc). Also, it has a built in proxy DNS and built in DHCP serving, so it can replace any firewall you have.

      The only extra support I'd like to see is a dial-up option (I have a dial-up line I dial into to make sure the links are up etc, and would like to run it on this same box)... But, it has basic QOS, Port Forwarding, and access controls!

      What more can you ask for than free? :)
    • Re:sharethenet (Score:3, Insightful)

      by shani (1674)
      If you get hacked, simply restart your machine, and you are back to factory settings.

      And are hacked again in 15 minutes.

      This is why computer forensics [honeynet.org] are important.
      • Re:sharethenet (Score:2, Interesting)

        by hearingaid (216439)

        It's also why setting up a bootable CDROM is in many cases the way to go.

        Keep your logfiles on the HD. Nothing else really needs to be there.

        Of course, I don't do this. But I'm only protecting a few home computers. If I had an organization... I'd burn a CDR and boot firewalls from it. Just leave it in the drive. Good luck hacking that.

    • Re:sharethenet (Score:2, Informative)

      by Anonymous Coward
      70 Dollars?! Coyote Linux [coyotelinux.com] does this too, and is free.
    • ...is http://www.fli4l.org/ [fli4l.org], a one disk (floppy) router, comes with all kinds of add-ons (firewall, etc.).

      Works very nice for me.

  • Response (Score:4, Informative)

    by wpanderson (67273) on Wednesday January 09, 2002 @07:29PM (#2813374)
    we have an article taking what dang has said along with our comments on the way the article author behaved when collecting his "evidence" ...

    our response [smoothwall.org]
    • Re:Response (Score:2, Interesting)

      by Anonymous Coward
      You say he asked in IRC. Does anyone have the IRC log so we can judge for ourselves on his "rudeness"?

      (not to be rude myself, but it's clear that the technical points the review makes aren't true, and it'd be nice if the social points were also disproved)

  • by snake_dad (311844) on Wednesday January 09, 2002 @07:30PM (#2813376) Homepage Journal
    as c't is (imho ofcourse) a much respected magazine, and normally I would call it a trustworthy source. I would certainly not expect them to publish such a damaging article without giving the authors of Smoothwall a chance to comment on the findings.
    • by 3247 (161794) on Wednesday January 09, 2002 @08:27PM (#2813770) Homepage
      ... c't publishes an article that completly pans a very hyped product. Of course, the author/vendor/manufacturer then loudly complains and quotes several articles from other respectec computer magazines that say his product is OK and c't is wrong.

      In most of these cases, c't is right. I think we can expect an exploit very soon... ;-)

  • Smoothwall & GPL (Score:5, Insightful)

    by johnburton (21870) <johnb@jbmail.com> on Wednesday January 09, 2002 @07:30PM (#2813380) Homepage
    I used smoothwall for a short time to evaluate it and technically it looked like quite a nice product, but then I started reading about the attitude of it's creator to the GPL.

    Now I'm happy for people to write GPL software if they like, and I'm happy for people to write commecial software if they like, but smoothwall seems to want to get the benifits of both.

    They seem to want to get make free use of other peoples work through the GPL, but to feel free to only release parts of their software commercialy. I'm not claiming they are breaking the GPL or anything, but there seems something very unfair about their approach.

    Also if you get the GPL edition, there are all kinds of requests on the web site that you donate money to them "SmoothWall developers have kids and families too, and it's all about giving back to the people who helped you.
    ". And yet I would guess that about 90% of what they are giving out was written by other people and they don't suggest they are going to give 90% of their donations to them.

    Again, nothing wrong with that, I just don't much like it.

    Basically I suggest that people look at their web site, and search the internet for comments about the creators of this software and how unhappy some people are with them before they go and use it.
    • Re:Smoothwall & GPL (Score:5, Interesting)

      by Anonymous Coward on Wednesday January 09, 2002 @08:14PM (#2813683)
      I have also evaluated smoothwall, and while reading up about it noticed the "attitude" to the GPL so looked carefully at the licensing for all parts of the distro as they are very pushy about their rights to do what they like with code they have written (which I fully support).

      However the version I looked at (0.9.9) includes a java ssh terminal (MindTerm [appgate.org]) that is a commerial product that is "Free for non commerial personal use and may be included with other products so long as the different license is drawn attention to" to paraphrase this [appgate.org] license agreement. I saw no sign of this.

      I am posting this anonymously and I haven't rasied this elsewhere as the attitude of the developers to these sorts of questions is well known and I don't really have the time for that.

      How this applies to their commerial support offerings I'm not sure either.
    • Re:Smoothwall & GPL (Score:3, Interesting)

      by rossz (67331)
      Some of you go on about how great and how wonderful the GPL is. You say everyone should support GPL software.

      I went beyond that. I didn't just write GPL code as a hobby. I bet my family's well being on open source when I took a job with Sendmail, Inc. Unfortunately, Sendmail was forced into massive layoffs, and at the worst time economically. It took four months to find another tech job. It doesn't matter that I am good at what I do. There were a hundred other guys interviewing for the same job who were just as good or who wanted a lot less money.

      Your precious GPL doesn't pay my rent or buy clothes for my daughter. If I had a choice between unemployment and Microsoft, then what the hell, "start me up".
    • by King_TJ (85913)
      Almost all of the complaints I've ever seen lodged against Smoothwall were either accusations of the author being rude, a jerk, etc. - or accusations of GPL violations.

      I think it's pretty clear that they haven't openly violated GPL. (They had a previous version where some wording needed a couple small changes to fully comply with GPL, but those changes were made before the latest release.)

      As for the author, so what? The guy invested a lot of his time to give you a product that you can use for free. *That* is the bottom line. Is there a requirement anyplace that says you have to regularly report to Richard Morrell or interact with him directly in any way while you use Smoothwall? Not that I know of!

      I joined the Smoothwall mailing list for quite a while, and what I saw was a flood of beginner questions that could have been answered by the user reading the instructions (or by actually installing the product before asking if it did or didn't have certain features!). If I was the author, I'd get angry with these people after a while too.
  • Old debate...? (Score:5, Insightful)

    by mwalker (66677) on Wednesday January 09, 2002 @07:35PM (#2813406) Homepage
    This debate seems to be over whether Smoothwall was designed to secure against attack from outside your DSL dialup or against attack from the inside. Shadow passwords are meant to provide a safeguard against dictionary attacks from logged-in users on a multiuser system. c't's complaint that there is no shadow password on a single-user system is valid; if you're worried about people in your own house trying to hack into your firewall.

    It is true that internal security against logged in users can help defeat attackers who can only partially penetrate external defenses. If, for instance, you can only use a CGI bug to get ahold of the passwd file, you can leverage this with a dictionary attack if shadowing isn't installed. Provided you can disable the packet filter and attempt to login as root externally once you have the password... or even use an su type exploit from your original CGI bug. Either way, there are a lot of large corporations with bigger security holes than this.

    However to claim that his review "shattered the illusion" of Smoothwall being a complete solution for home users is complete hyperbole. A home user who is trying to secure himself from internal attack from other logged in users in his house is probably pretty savvy in the first place and also has bigger problems. If the purpose of this product is have a CD you can ship to your parents to secure their DSL line against script Kiddiez and Hotmail's Traceroute function, then Smoothwall sounds to me like an outstanding effort.

    c't': Two demerits.
    • Re:Old debate...? (Score:4, Informative)

      by strags (209606) on Wednesday January 09, 2002 @07:49PM (#2813509)
      This debate seems to be over whether Smoothwall was designed to secure against attack from outside your DSL dialup or against attack from the inside. Shadow passwords are meant to provide a safeguard against dictionary attacks from logged-in users on a multiuser system. c't's complaint that there is no shadow password on a single-user system is valid; if you're worried about people in your own house trying to hack into your firewall.

      From what I understand, even a user in your own house wouldn't be able to get at the password file, since only the root account (which one would assume is password protected) has access to a shell. This isn't a multiuser system that people log into.

      (This is my understanding from what I've read - I've never used SmoothWall - please correct me if I'm mistaken).
    • Re:Old debate...? (Score:4, Insightful)

      by RC514 (546181) on Wednesday January 09, 2002 @07:53PM (#2813537) Homepage

      A false sense of security is worse than no security.

      Even if no users other than root should ever be able to log in to the firewall, there is a reason to carefully set file permissions: Just like on a server, the services running should do so under their private username. That is to prevent a security related bug (aka vulnerability) from compromising the whole system. This is obviously less important on a router/firewall where services are only provided to the inside, but the attitude shown by the authors of Smoothwall certainly destroys my confidence in their general ability to provide a secure system.

      Then there is the false discrimination between inside and outside: Especially when you deal with "non-techie" users you have to expect their systems to become infected by the latest worms and viruses. This opens the possibility of attacks from the inside which really are attacks from the outside. Granted, that is a remote possibility and if it happens, you have bigger problems than firewall file permissions, but it is still not understandable how an easy to fix thing like this is completely ignored. The german review makes it quite clear that the attitude of the firewall authors played a big part in the thumbs-down.

      • "Even if no users other than root should ever be able to log in to the firewall, there is a reason to carefully set file permissions:"

        According to the response, the only files with "wrong"/"insecure" permissions are the sym-links. Granted, I'm the n00bs n00b in unix, but if your symlink points to something with different permissions, aren't the permissions of the ACTUAL file the ones used? If so, then the quoted "gripe" is a bit mute with regards to this product, wouldn't you say?
        • Re:Old debate...? (Score:2, Insightful)

          by RC514 (546181)

          From the review: The password for the DSL access was in plain text in an unprotected file.

          The provider password is probably the most valuable information on the firewall, second only to full backdoor access. I have not yet verified that it is actually the secrets file itself which has the wrong permissions, but since c't has a reputation to lose, they wouldn't let an obvious misperception as mistaking a link for the file slip through.

          There are many ways an attacker could gain inside access to the firewall. Most involve security vulnerabilities, others rely on uneducated users. Anyway, if the cgi-bins which are used to configure the firewall are not 100% secure, a buffer overflow in one of them could potentially be used to read any file which is accessible to the cgi-bins user. That's why file permissions do matter. Seeing how many people defend the "only root can log in anyway" statement, do you think they have really taken the necessary steps to avoid such a vulnerability by implementing several layers of security?

          Now aren't you in deep shit already if an attacker can use your inside systems to connect to the firewall? Of course you are. But think about this: Anti-Virus tools will eventually detect backdoors on your user system(s), but not on the firewall. An undetected attacker can easily cause much more damage by actively destroying your data or just abusing your connection for his purposes over a long time. And who would suspect a backdoor on a rock-solid, completely secure firewall? That's why a false sense of security is worse than no security.

          • "That's why a false sense of security is worse than no security."

            I couldn't agree more, and I don't think I was in any way picking on that specific detail.

            I do a little programming myself, and I'm not so dumb that I think, that anything is completely secure. I don't know ANYONE who does. The kind of people, who think that something can be completely secure are probably 10% dumber than a plywood door placed in a hole in the ground, and as such wouldn't know a mouse from an accellerator, and they wouldn't be using a computer in the first place.
      • Re:Old debate...? (Score:3, Insightful)

        by jcostom (14735)
        Finally, someone gets it.

        In this day and age, the majority of network security incidents have some sort of internal connection. Implicitly trusting your internal users is suicidal in terms of network defense.

        I think c't is right on with his assessment regarding things like file permissions, shadowed passwords, etc. In a security device, there is no excuse for not finishing the job - that is, securing your file permissions, using shadowed passwords, etc.

        The SmoothWall people argue against the need for shadowed passwords as the only interactive user on the system is root. How about the CGIs that manage the applications? How about the possibility of exploiting some sort of weakness in one of them, resulting in the display of the encrypted passwords? Or are they so arrogant as to believe there couldn't possibly be any vulnerabilities in their code?

  • by zzzeek (43830) on Wednesday January 09, 2002 @07:36PM (#2813412)
    He says shadow files are irrelvant as the box has only one account, root. Whatever happened to rule # 1 of having your web server and CGI's run as a different user ?
    • He actually stated that the only shell-access account on the box is root. This means that the only way you can get a command prompt is if you're logged in as root. Theoretically, if you can exploit a CGI bug, you could execute /bin/sh and have a shell, but they've probably disallowed that.

      The Dachstein images from the LEAF Project are set up similarly. Root is the only shell access, CGI/Web runs from another user.
    • That does not matter because we don't know how to do it better and still want to sell our product you ignored the fact that the CGI interface is already password protected.
  • by chrysrobyn (106763) on Wednesday January 09, 2002 @07:37PM (#2813427)
    I hope it is on-subject enough to point out that I believe this is an excellent job Slashdot has done, going out and getting the rebuttal for the review. Although it is not quite perfect -- it acts partially to discredit the link source -- it is much closer to what I think Slashdot could be, a first-run news source with original articles -- for [nerds|geeks]. Until then, while the editors post their comments after a link, it's little more than the second-run movie theatres (which have their place, don't get me wrong). Thanks, Slashdot.
  • by hellcore (549684) on Wednesday January 09, 2002 @07:39PM (#2813446) Homepage
    I was in the Smoothwall IRC channel on several occasions when this reporter came in. First of all he didn't conduct himself like any other reporter I have ever met. He was elusive regarding his motives (ie he wouldn't say he was from the press), he was beligerent beyond belief and gave the impression he already knew what he was going to write. Refusing to even listen to the dev team's answers, the sticking the fingers in the ears behaviour he exhibited was most flattering. I just hope c't are more exclusive in future with regards to the staff they employ. This guy was nothing but underhanded and stubborn.
  • Excuses (Score:4, Insightful)

    by Antity (214405) on Wednesday January 09, 2002 @07:44PM (#2813474) Homepage

    Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them."

    Tsstss.. Look at this excerpt from the article that this SmoothWall guy is complaining about:

    The PPP-Daemon complains in the log file, every start, about the permissive reading rights to its password file, hard to imagine that the developers missed this one.

    I also have a strange feeling about other "security" options that they choose. For example: Not using shadowed password files. They say it wouldn't be neccessary since the only user available is root anyway. But what is the _sense_ of not using shadowed password files? (And what is the sense to require the user to be root to configure the system? Even Apache is supposed to be quite secure, but nobody will run it as root because there still might be holes. Impossible in a hacked-together firewall distribution?) The bytes in length on the harddisk they would have saved would be a joke.

    All in all, I believe there are some truth- and insightful bits in the c't review, even if the reviewer did a mistake.

    btw: To complain that the passwords had to be plaintext because PPPd and FreeSWAN required it is complete nonsense for a Firewall! Sources are available, so why not add a patch to have the passwords encrypted if this is supposed to become a Firewall?

    (Sorry, had to emphasize this, since this is not some desktop distribution but supposed to be a Firewall.)

    • btw: To complain that the passwords had to be plaintext because PPPd and FreeSWAN required it is complete nonsense for a Firewall! Sources are available, so why not add a patch to have the passwords encrypted if this is supposed to become a Firewall?

      In all fairness, this is referring to passwords that have to be sent to remote systems, so the cleartext has to be easily computable. Even if you encrypt the passwords, you still have to store an encryption key somewhere, in the end that's really just obscurity, not security. Very few "professional" firewalls even take that step, opting just to store remote passwords weakly masked (ie. Cisco's type 7 password hash, takes about 3 lines of code to recover the cleartext).

      • Agreed. Particularly on an open source product it makes no difference.

        Short of special hardware with BIOS support, or a password that has to be manually typed in to boot the firewall (you'd better have a *good* UPS!); there's no known way to do that securely.
    • Re:Excuses (Score:5, Insightful)

      by hearingaid (216439) <redvision@geocities.com> on Wednesday January 09, 2002 @09:56PM (#2814180) Homepage
      I also have a strange feeling about other "security" options that they choose. For example: Not using shadowed password files. They say it wouldn't be neccessary since the only user available is root anyway.

      Let's go even farther on this theme of bad choices.

      You can logon directly to the root account remotely? You don't have to su first?

      Ouch, but that's a major hole. That's like waving a Big Flag. Kiddies, look at this "firewall." Guess what account you should try?

      Never allow remote logons to uid 0. Always at least force wheels to su.

      There are CGIs available to manage the firewall? Oh, and they use port 81 to access it. How... creative. And it gets better. SSH is on port 222. Have you guys ever heard of port scanners? Custom ports is a way of flagging to intruders which firewall software is being used, except when the custom port pattern is unique.

      I can go on. It has a built-in DHCP server. DHCP servers should never be mounted on external firewalls as their logfiles contain too much valuable information when the firewall's security is compromised.

      Hmm, at least it has an HTTP proxy. Probably Squid. No SOCKS support though. And yes, it uses NAT. Gack.

      Well anyway, maybe this c't review will convince a few people to give up a NAT-based solution. Sadly, they'll probably just go to another one.

  • by mathrawka (549683) on Wednesday January 09, 2002 @07:44PM (#2813475)
    I have noticed that the founder of Smoothwall, Richard Morrell has some issues to deal with. He has a huge ego and does not like users that do not pay for his "open source software." He enjoys complaining about how much money he has spent on making CDs and giving them away for free and how people don't donate to him. I have a few quotes that I have collected that he has said on the mailing lists for smoothwall. "i have contacts with people at the kernel team that none of you have... i know people who can get this fixed and i'm on top of it... so stop complaining because you don't know what you're talking about" "i used to work for microsoft, i know how they work" (he worked in the sales dept selling licenses) "You're also not a paying customer - I'll email DIRECTLY my friend who WROTE the official driver. Friendships help. Thats why I'm richard@linux.com" "this is fuck all to do with SmoothWall its hardware level" Also, Mr. Morrell decided to turn it into closed source "enterprise version" that isn't free with extra features. So he's not allowing open source developers to add new features to the open source project because it will compete with his private closed source project.
    • by Anonymous Coward
      Been there done that..I urge all who plan on downloading Smoothwall to first hang around for a minute in their IRC channel. Dick Morrell has the worst attitude I have ever seen. Their clame to fame is that it will run on older machines, so I tried it. The 540mb hard drive was filled with logs and took the box down after a couple weeks. I asked Mr. Morrell if it cleaned itself every once in a while and his reply was "get a bigger hard drive". He then started going off on how I shouldn't criticize his product because I'm not paying for it.. All I asked is if the logs would clear eventually! That's just my incident that happend within 5 minutes of meeting him online. I've heard much worse about him. Because of that, I will never tell my friends about Smoothwall again. If you would like an excellent firewall, with more options, better security, and an excellent support team, I recommend you check out www.astaro.com ( which is also a linux firewall ).
    • by onya (125844) on Thursday January 10, 2002 @12:34AM (#2814695)
      for this reason, (and others) there has been a fork from smoothwall gpl to create a new project called ip cop. you can download a beta .iso from the website. ipcop.org [ipcop.org]

      for me it was a straightforward switch from smoothwall to ipcop. easiest install of any operating system i've ever seen. ipcop supports ext3 (for no extra cost!) which is great for unplanned reboots.
  • by Lumpy (12016) on Wednesday January 09, 2002 @07:44PM (#2813477) Homepage
    First off reviewing a firewall like that is just whining by a non-techie. you want to review a firewall? crack it... Show me times it took and what kiddie tools took it down or circumvented it because of a flaw in the firewall. bitching about how the scripts are written is clutching at straws and trying to add content to an already empty review.

    Why is it that we all will not listen to a SQL review without stats and figures but a firewall review get's any attention at all if it isnt even tested properly by the reviewer?

    This review was like a review about ram and bitching about the color and shape.
  • Smoothwall (Score:2, Informative)

    by futuresheep (531366)
    After trying several different Firewall products, I found smoothwall to be the easiest to setup and maintain. As far as the reviewers points, most are irrelavant, since the only access to the web interface and to SSH is from INSIDE your network. Unless you go out of your way to activate these things exterally, they're simply not seen to attackers. But then again, if you changed the way the product is shipped, then it's really working like it was intended anyway.
  • by BitMan (15055) on Wednesday January 09, 2002 @07:57PM (#2813567) Homepage

    As your momma always said: 'If you don't have anything good to say about someone, don't say it' or 'if you someone keeps "bothering" you, just stay away from them.' It's as simple as that.

    So if you don't like Richard Morrell, head of the SmoothWall project, consider:

    • ignoring him
    • the fact that SmoothWall is free software and freely supported (regardless of the "requests" for monetary support made)
    • disregarding SmoothWall altogether, if it really "bothers" you that much (see below)

    Personally, I'm sick of the "one-sided" reporting on Mr. Morrell. I've seen way too many people "complain" about him, but never comment on various personal details that are partially the cause of this -- let alone the daily on-slaught of Windows users who've barely heard of Linux, who don't bother reading the FAQ, let alone demand that SmoothWall automagically support every little, crappy-designed Windows application and their proprietary protocols that don't work well with firewalls anyway. After a week of being on the SmoothWall lists, I'd kill some very rude and ungrateful users well before Morrell. If you feel Morrell is "really bad for the project," then that's his problem, not yours!

    Now if you still want something like SmoothWall without the SmoothWall(TM), take notice that others have forked the project into a new one called IPCop [ipcop.org]. Version 0.1.0 features SmoothWall 0.9.9, all the major post-0.9.9 patches and various enhancements. A final 0.1.1 release is to follow shortly before the team starts to work on version 0.2.0, an Linux 2.4/Netfilter implementation.

    For all I care, you can think of IPCop as "SmoothWall without Morrell." Just don't say it outloud since many of us are all sick of hearing it!

    • You might be interested in what Mr Morrell has to say about IPcop...


      *dickmorrell* I'm actually having them shut down

      *dickmorrell* right now
      *dickmorrell* their Sourceforge listing
      *dickmorrell* for breach of GPL
      *dickmorrell* breach of copyright
      *dickmorrell* theft of documentation
      *dickmorrell* and oh
      *dickmorrell* see their lists ?
      *dickmorrell* I PAID FOR IPCOP f***o
      *dickmorrell* we sacked the crap developers involved
      *dickmorrell* they havnet the first f***ing clue
      *dickmorrell* lol
      *dickmorrell* we have 890,000 installs
      *dickmorrell* they have 82
      *dickmorrell* ipcop will need big pockets to get anywhere
      *dickmorrell* BIG pockets
      *dickmorrell* and BIG name friends
  • by OeLeWaPpErKe (412765) on Wednesday January 09, 2002 @07:58PM (#2813581) Homepage
    Daniel Goscomb, one of the lead developers of Smoothwall, responds:

    In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.

    sjah ... reading on

    The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need of shadow password files, if you have access to the machine to get the passwd file, you are already in as root anyhow.

    so you only have one layer of security ? The inability of any attacker to get a shell ? That's it ? I must admit I have not checked if you do that or not but ...

    In my opinion you should at least take a number of these precautions ...

    -> no shell access for nobody but root (of course this is enforced by putting a check in the main loop of bash, which mails "murder" if anybody tries differently)
    -> all binaries --x--x--x, on a single partition which is the only one mounted without the "noexec" and with "ro" flag
    -> *all* daemons chrooted, none have anything in their /bin or /sbin directory that even remotely resembles a shell or mount program (ie do not use perl, use mod_perl, do not use php, use mod_php, etc)
    -> *all* programs compiled from source
    -> there is no such thing as an irrelevant permission

    Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.

    plain text ? wrong permissions ? why would you take a chance ?

    He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.

    again ... why take the chance ?

    As to the part about user authentification of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.

    user authentication is only irrelevant until a hacker gets by the first layer of security (which apparently on your system is the *only* layer of security)

    I also find it disturbing that the author gave us no room for comment in his article, nor did i see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.

    to quote the other article :
    When a group of developers- more than ever one active in the spirit of GPL-want to successfully distribute a good product, they are usually interested in feedback, in order to improve their product. My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment. Trust in the developer's competence and integrity is a basic pre-requisite for the usage of security relevant software. Morell has thoroughly destroyed mine."

    this suggests he has contacted you ... wether or not he did I cannot verify, but if he quotes answers from you ("That doesn't matter"), he probably did contact you, and you certainly confirmed that comment with the above reply, I politely wonder about the next part of that sentence ( ... was about the politest of all comments comment.)
  • by Jacco de Leeuw (4646) on Wednesday January 09, 2002 @08:00PM (#2813600) Homepage
    Astaro [astaro.com] seems like an interesting product. It too is based on Linux (GPL) and sports a firewall, IPSEC, PPTP etc. I have downloaded the ISO but haven't installed it yet since it insists on whiping the harddisk. Seems reasonable but I'll have to find a test machine first ;-).

    There's also a support community [astaro.org].

    Some companies such as Pyramid [pyramid.de] are reselling [astaro.com] Astaro with hardware and support.

  • by mikael (484)
    I don't want to buy a product made for stopping criminals that is called "SmoothWall". This is like calling a Rottweiler "Sugar". Gimme a better name, like "Brickwall", "Barbed wire" or "Minefield.

    Mikael
  • Another alternative (Score:3, Informative)

    by SonicBurst (546373) on Wednesday January 09, 2002 @08:25PM (#2813750) Homepage
    I've used Coyote Linux (http://www.coyotelinux.com) for about a year now, and it works great. It's a single floppy distro that runs on a dedicated 486 with 8 or meg of memory. It supports PPPoE and dial-on-demand (among other things), and is remotely manageable with ssh, if so desired. Just my $.02.
  • OpenBSD is a good solution for anyone with a 486 and 8MB RAM. It is fairly simple and easy to use. (If you are familiar with Unix).
    You can find all kinds of examples of how to set one up like here. [onlamp.com]
    Older distro's used IPF, but as of 3.0 they use pf. You can read about pf here. [openbsd.org]

    OpenBSD has gone 4 years without a remote hole in the default install. Pretty impressive.

    But hey, only use it if you are SERIOUS about security AND don't want to pay anything.
    Although you should consider helping fund the project out of the kindness of you ./ heart...;-)
    • It is fairly simple and easy to use. (If you are familiar with Unix).

      Is it just me or does that qualifying statement completely negate the previous statement?

      Of course it's "simple" and "easy to use" if you already know what you're doing.

      • Please consider this:
        • When I had my first experience with Unix, it was Solaris 7 / x86. I didn't learn
        • squat from it because of that damn CDE shell -- I didn't know where to look for anything, and (with my windows-addled brain) I didn't understand where the equivalent of the 'control panel' was.

          Fast forward (slightly) to 1998. I now had a cable modem, and wanted to share it between several computers. I had learned about the differences between proxies and NAT, and tried several products that would run under Windows. All of those were commercial demos, with rather aggressive pricing. I was not impressed.

          I had seen comments here about OpenBSD, so I looked into it. I took an old P-100, followed the directions, and had a working NAT firewall in a day. I had learned more about UNIX in about a week (this includes reading time) than I had in 4 months with Solaris!

          Today, it's still there. The same hardware, at least -- it just got upgraded to OpenBSD 3.0

        The moral of this story:
        • If you have the patience, it is both simple and easy to use. I found it very straight forward and logical -- follow the directions, it will work.

          (Yes, I know -- that can be a big "if.")


        On a side note, I installed OpenBSD 2.8 on a Thinkpad last year... it found the sound card, the peripherals (3com ethernet & US Robotics PCMCIA modem), and setting up XWindows was a piece of cake -- there were config files readily available. Perhaps not incredible, but it was easier than installing Windows on the same machine, and that is impressive!

    • BSD Based firewalls (Score:3, Interesting)

      by DreamerFi (78710)
      And there's plenty of others based on BSD freely available... see www.dubbele.com

      -John
  • by mwhahaha (172475) <mwhahaha.vt@edu> on Wednesday January 09, 2002 @08:46PM (#2813869)
    Twice this evening I've tried to get questions answered about their gpl'd smoothwall because my boss saw this slashdot article. And both times I've been nothing but insulted by Richard Morrell, the founder. The first time I was childish and incompetent all because I had the nickname 'nameless'. The second time I was k-lined from the server and he insults me because I have a german last name.

    smoothwall.org.txt [widomaker.com] and smoothwall.org2.txt [widomaker.com]

    Makes you wonder how these guys really act to customers.
    • It does beg a question, but not "how (do) these guys really act to customers" -- I believe the better question is "when you financially reward sociopathic behavior, is it likely to stop?"

      Consider: if I donated money or purchased the product outright, project members might begin treating me with respect and patience -- but that respect and patience would have been purchased, rather than genuine. I assume that the boorish behavior would have continued behind my back. Equally possible is the chance that the boorish behavior would have continued to my face.

      Ultimately, it was this thought that led to me voiding a donation check I had written to the project. I voided the check two days after installing SmoothWall, a few hours after writing the check, and half an hour after being insulted by Richard Morrell on the users mailing list.
    • by Anonymous Coward
      I concur with the assessment of Richard Morrell. Morrell doesn't appear to understand that getting angry at people that don't pay for SmoothWall is unlikely to encourage anyone to contribute charitably or think about purchasing a more functional SmoothWall. When people see Morrell cursing someone out on IRC, kicking and banning them from the channel and k-lining them from the server, they come away thinking Morrell has an explosive temper and they want nothing to do with him. If being on IRC helping people is that difficult for Morrell, he should reconsider going on IRC at all.

      Please don't misunderstand me: I understand it requires a lot of time, money and effort to bring SmoothWall into existance; the work is appreciated. SmoothWall is a valuable addition to the free software world. It is frustrating dealing with people who won't read docs. But there is no reason to be belligerant. Morrell does his work and his SmoothWall finances no favors by being rude.
    • point your boss (Score:3, Informative)

      by DreamerFi (78710)
      To the firewall at www.dubbele.com
    • Sometime ago I helped my younger brother with a smoothwall install (I had to bolt on a pnp init script for an NE2000 isa card). I read through the docs and mailing list stuff to see if this has:
      1. Been done before
      2. Being worked on now

      It didn't apper tobe the case so I joined the irc chan and asked about the problem I had had, result: kickban

      I was actually going to offer to write the pnp stuff I had done properly and then submit it to them, not any more thank you :)

  • I wanted to use SmoothWall as my firewall, but I have a USR Sportster 128 ISDN card, and I can't figure out how to get it to work with smoothwall (or redhat, the documentation is sparse and tends to be in german).

    Anyone know if Smoothwall will work with this card without alot of configuration effort?
  • by 3247 (161794) on Wednesday January 09, 2002 @09:02PM (#2813960) Homepage
    The problem with the SmoothWall developers is that they completly fail to understand that security is always only a probability. A complex product can never have 100% security.
    Every part of the system has a (hopefully low) propability to be successfully hacked. The more barriers you have, the securer your system is.

    It's also worth nothing that the only interactive account is root. There are daemons running under different user ids (I assume in favor of the SW team). As with every remote exploit, these daemons are the entry gates. Also note that remote exploits by definition don't relate to any interactive accounts!

    Now, if one service has been hacked, the whole system is already compromised because there are no shadow passwords, files have the wrong permissions, etc.
    You can argue about the passwort files for remote connections. You can't argue about not using shadow passwords, that's just plain stupid.

    It's like leaving your safe unlocked because there is already the locked front door...

    • Yup. The situation is worse if you have multiple machines.

      If I can hack a service on one firewall, and it doesn't have shadow passwords, then I'll eventually figure out the root password.

      This has two serious implications:

      1. I can now log in as root, and erase any previous evidence of a breakin. This'll make detection of a breakin much more difficult.

      2. If any other firewalls/routers/etc. on the site have the same root password, I now have full access to those machines too.

      In an ideal world, every machine and router would have a separate, strong password. And those passwords are changed every 3 months. And none of the admins ever forgets them or writes them down.

      Unfortunately, no one I know does this. It's just too hard and cumbersome. So you end up with one password for each class of machines.

      Kinda makes you wish everyone used Blowfish for encrypting the passwords, doesn't it? Viva OpenBSD!

  • by TellarHK (159748) <[tellarhk] [at] [hotmail.com]> on Wednesday January 09, 2002 @09:04PM (#2813966) Homepage Journal
    Several months ago, I was messing around with Smoothwall as a possible simple solution to my home LAN situation. It was the eve of the 0.9.8 release, and I went on the Smoothwall IRC chat area and joked about getting an early copy of the release. Joked. I know that doesn't happen, and figured that with a technically oriented crowd, that I'd be understood as kidding. At the time, it seemed that I was. However.

    A couple days later, after having installed Smoothwall and found it to be almost-but-not-quite-right, I popped on and asked a pretty simple question. Why wasn't there a copy of any compilation tools present, or any other services that someone on a small, personal network might like?

    The response was pretty terse. "It's a firewall." Repeated inquiries resulted in various forms of the same answer. Now I understand that a firewall has one main purpose, but the -attitude- I got from the developers was really too much. I figured, after being booted from the channel, I'd email Richard and hope that a cooler, more corporate head might reside at the leadership of the Smoothwall project.

    Unfortunately, I could -not- have been further from the truth. The situation escalated with Richard harassing me VIA email for several days, after repeated requests of mine not to email me any longer. He continued, his crude insults became -threats-, and it took three days for the matter to settle.

    I am currently an assistant administrator at a small college using Linux as a gateway/NAS solution that's desperately in need of updating. Smoothwall might have once been a contender for this, but definitely not now.

    I have posted a rather extensive website airing the entire situation with Richard, my own warts and all, at my Smoothwall site [wctc.org] for the perusal of anyone interested. Sure, I might have made a mistake or two, but I don't feel anything I may have said justified what I recieved.

    Anyone else have similar experiences?
    • The response was pretty terse. "It's a firewall."

      And that was the answer.. so why take it any further?

      I was considering setting up smoothwall for a friend, because they aren't Unix savvy and I liked the idea of it's web control panels (seemed a little better than freesco's). However, this person would be doing it with their existing hardware, and they had a winmodem. So I wandered into the IRC channel and asked whether smoothwall had any support for winmodems.

      The answer was one you'd probably consider to be terse: "No." But it told me what I wanted to know.. I mean honestly, what did you want, an essay?

      I really don't understand what you were trying to achieve by "Repeated inquiries." And I suspect the developer's attitude was "we've heard this thousands of times before, he's said it about 40 times so far tonight, we keep giving him the answer and he won't shut up!"

      • My problem really was with wondering if the fact Smoothwall was a firewall somehow automatically -had- to preclude it from providing other features, such as the ability to run secure services for internal use. As Smoothwall was going on a machine with a three-gig hard drive, and would only use a few hundred megs, I was hoping that I could make use of that other space on a machine connected and up at all times. Also, if Smoothwall is so capable of running a web server for configuration on port 81 that's so secure, why couldn't a properly designed or even minimalist web server on port 80 be put in place with an emphasis on security?

        Given that Smoothwall's NAT features are at best, rudimentary (No port forwarding by range, no statically assigned IP addresses as of version 0.9.9) it seemed rather logical to want to be able to add in features myself, at my own rick, that would provide these functions. But without a C compiler, it's just easier to go with someone else.
    • by TellarHK (159748) <[tellarhk] [at] [hotmail.com]> on Wednesday January 09, 2002 @09:19PM (#2814034) Homepage Journal
      I would like to add, as an afternote to this, that when I contacted my ISP in order to be sure that Richard was not going to pull a fast one and get my account yanked, that I was then contacted the following day and asked if I had indeed been hacking Smoothwall's parent site. My reply was no, and I pointed my ISP to the site given in my previous post. After a quick examination of my site, my ISP apologised for the trouble, and said things would be taken care of. Nothing ever came of that, but I hope others would agree that what happened was quite low.
    • I was reading this article's comments with just cursory interest until I came across this post. I headed to your website and read the whole exchange.

      Frankly, I think you are totally in the right here. The IRC exchange was typical, from what I've seen, for IRC. You even provided help to other customers of the company. I was absolutely astounded to read the reply(ies) you received to the email you sent the 'president' of this company. I cannot believe that anyone in charge of a company (or any company public or private) providing a product could be so daft. After reading through the other comments, I can also see this is not an isolated incident.

      Well, one thing is for sure: this could be the most secure firewall ever , but after reading this and other exchanges with the people who make it, I'm not even going to bother trying it.

      Absolutely disgraceful...
    • Funny! True, but funny.

      No question that Rodney or whatever his name is is a bit of a RudeBoy, but there's also no question that you fed the flames as eagerly as he returned them. Granted, he sounds like a bit of a dork, but he has that right, as do we all.
  • by whoppo (218875) on Wednesday January 09, 2002 @09:33PM (#2814084)
    Being a geek *and* the firewall/vpn admin for a large network I was compelled by geekiness to set up a tunnel between the corporate network and my home network. The lack of desire to spend way too much money for an IPSec compliant appliance I opted to try numberous open source solutions, including Smoothwall 0.9.9se. Despite a few shortcomings, I found the "Smoothie" to be quite impressive. A 23 Meg ISO image yielded a bootable CD that installed without a hitch, identified all the hardware and prompted well for install input (reading the install docs is of course advisable). The box was online is just about 10 minutes with internal clients playing quake and surfing for porn. A quick, yet educated review of the default configurations and a nmap scan and I was confortable with the security... onto the VPN config: A straight forward, web based config menu has fields for all the usual Free-S/WAN VPN stuff, like gateway IP's, site network IP's, next-route-hop IPs, preshared secret, but lacked some specific config options that are needed to create a tunnel with a Checkpoint FW-1/VPN-1 gateway (the reason I was trying this product). Manually adding these config options to the ipsec.conf file was easy enough and in just a short while I was enjoying an IKE/3DES/MD5 tunnel into work.. well.. maybe "enjoying" isn't the right word. My next step was to add a few additional work subnets to the tunnel. This is done by creating an additional connection.. like a second tunnel with the same addresses and preshared secret.. piece of cake.. except, adding more info to the VPN configuration overwrites the ipsec.conf file with a newly created one. Doh!. Fortunately, the web interface is well written and it was pretty easy to add some code to make the admin script create the new ipsec.conf file with the Checkpoint specific changes. Total time invested for a fully functional, easily configurable firewall/VPN: just a few hours. Satisfaction level: 90% Summary: It's easy, fast and works as advertised. Pros: Fast install, Works with Static or dynamic IP's, Many other good features (check the website for details)., Easy to customize the code for personal gratification. Cons: it could offer more flexible IP chains config thru the web interface, Could use those additional VPN options for Checkpoint interoperability. I like it and the smoothwall folks can expect documentation of checkpoint compat. fixes along with a PayPal donation very soon.
  • I have installed SmoothWall four times, for friends, on machines running the gambit from P100/12mb ram to P166/96mb ram, and using ethernet cards for DSL/Cable, it's a dream. That is, as long as the distro has drivers for your card (damn Tulips).

    Then, for my parents who live in rural east Texas with a dialup connection, I had to figure out how to get an internal modem working in Linux. After reading the entire internet :-) and buying no fewer than four modems, I found one that should work. After another day or so of frustration, I contacted the helpful people at SmoothWall.org and I actually chatted with Mr. Morrell directly on their irc server. In five minutes, he'd set me straight and it was up and running. It was a CEBCAK (Computer Error Between Chair And Keyboard), naturally.

    For all the people bellyaching about how one guy represents the GPL developers, or doesn't use shadow passwords... whatever. At the end of the day, all that matters is getting the job done. And I recommend it to anyone who has a spare PC lying about, too.
  • by austad (22163) on Wednesday January 09, 2002 @10:54PM (#2814397) Homepage
    Even though the Smoothwall developers argue that shadow passwords are not required, I think they are. I have a box running right here with it. Apache runs as the user "nobody", and therefore can read /etc/passwd. If shadow passwords were enabled, reading /etc/passwd would not matter.

    By default, smoothwall does not allow access to the web interface from the outside, but, very frequently, people open that up to the world so they can get at it from anywhere (which is very easy to do through their menuing system). The box does not ask for a password until you actually get into the configuration screens, but cgi's that give you information are not protected by .htaccess files.

    I wanted to install it on a box that only had SCSI on it awhile back, but they ripped support out of the free version for SCSI. So I joined the irc channel and asked about it. They told me to wait until the commercial version was out and to buy that if I wanted scsi support. So I grabbed their *SDK* as they call it, and it had nothing useful in it at all. I joined back up to the irc channel to ask how to compile everything, they asked why, so I told them I was building in SCSI support so I could run it on the extra box that I had laying around. No one would talk to me after that.

    I found a different machine to run it on, but the only reason I'm still running it is because I haven't had time to get something else. I used to recommend smoothwall to people, but not anymore. The developers I talked to were conceited jackass's. If they had helped me out, I probably would have even donated a few dollars to them.
  • by dr.ka0s (549707) on Thursday January 10, 2002 @01:11AM (#2814830)
    I have visited irc.smoothwall.org only once. I do feel, however, that my experience there alone was almost enough to discourage my use of the product. I joined the #smoothwall channel in hopes that I might find answers from knowledgable users or developers that I had been unable to find in any of the available documentation (all of which I read in its entirety).

    Upon joining the channel, I was bombarded with the omnipresent topic, "Welcome to #smoothwall :: Please do not expect free
    support if you haven't donated. http://redirect.smoothwall.org/donate"

    Ignoring the blatantly anti-open-source sentiment, I proceeded to ask about features and functionality that I feel are paramount to implementation of a device designed to secure my entire network. Before anyone so much as regarded my first question, I was bombarded with "Have you paid yet?" A simple 'not yet' got me my first response: "Can't you read the f**king topc?!"

    Of course, I wasn't looking for support -- simply answers to questions about the products capabilities. Off to a great start.

    In the end, my questions were answered, privately, by MacGyver, whose answers unfortunaely indicated that features I think are critical in a firewall are only available in the commercial version. To suggest a few:

    - No support for multiple IP's on the external interface

    - No ability to write filter rules for outbound traffic

    - No inherent ability to manage IDS policies used by Snort

    - No immediate planned support for a stateful kernel

    etc...

    Granted, I could accomplish all of these tasks through custom modifications to the product -- but that would defeat the purpose of the product in the first place -- to create a secure filtering firewall that can be easily and securely managed through an integrated portable interface without the need for extensive customization.

    To comment on the article posted this evening, I think that despite the article author's process for review or lack thereof, SmoothWall's response was unacceptable. To say that passwords are not shadowed because the box has but the root user would be to say that Bind and Sendmail need not be firewalled because their latest revisions have no vulnerabilities...

    yet.

    To say that the open-source security packages that comprise the firewall _require_ clear-text passwords is to insult the intelligence of everyone here who knows better or has found more secure alternatives to the same problems in the past. The open-source community is not ignorant, nor are we fooled by any comapny's efforts to conceal laziness.

    Security is an unknown. We place our confidence in hybrid hardware and software solutions that provide protection from the exploits we've identified already, but we expect that new vulnerabilities are inevitable. We cannot neglect commonly accepted security practices because our products have not yet been broken. The correlary would be to argue against home alarms because we already have a lock on the door.

    A single layer of security is never enough. ESPECIALLY for a firewall. If this were to be an end-user distribution sitting _behind_ a firewall, the lack of external access would _probably_ be enough. However, as a firewall, such neglect for security practices that have a negligible effect on performance but provide such a significant measure of protection is both arrogant and ignorant at the same time.

    In conclusion, neither the product's lackluster featureset, nor it's father company's poor customer support practices would have individually discouraged my using it.

    Couple those with questionable security practices, though, and I can assure you that SmoothWall will never be enough to protect _my_ network...
  • Some of this post is very on-topic, but I include the rest for context. Moderators, please be kind.

    I and a buddy recently completed a network installation for a small business. They had about 25 PC's in a 100-year-old wood-frame office building with asbetos everywhere and wanted these people to be able to utilize the Internet for such tasks as tracking packages via web sites, etc. They wanted to reduce costs by eliminating some 6 dialup accounts and free up phone lines for voice. They were less than a quarter mile from the local telco POP. So, they tried ADSL on one PC and consistently got about 1.5 Mbps down and about half that up. They loved it.

    They asked me as an independent consultant what they should do to get the access to the other PC's. We looked at wiring the building, but due to the structural nightmare of the building, we decided that for their needs we could go with 802.11b. We dropped several CAT5e lines to three locations in the building: the computer room, where their mission-critical apps run on an AS400, and two access point mounts we set up.

    We set up a SmoothWall box as their NAT since the evil ISP would only give us one static IP. It looked a lot better than FreeSCO. It was painless, absolutely painless to configure. But it had a shortcomming: it did not support PPPoE, which was necessary for the ADSL drop. Schucks! So we double-NATed using a little Linksys NAT/switch thingy to actually negotiate the PPP for us. We thought this would be nice because if someone were trying to hack in, they would have to circumvent 2 NAT's. We also thought it would have no significant impact on throughput. Big mistake (read on). Regardless, the NAT solution could remain in place should they ever want to add a stateful packet inspection firewall or something like that, or switch to better broadband, or even wire the building.

    We spent almost an entire afternoon trying to configure the blasted access points. They were DLink 1000AP's. I followed DLink's instructions to the letter. I have a little beef with DLink about requiring a Windows machine to configure the things, but I can overlook that. I installed the configuration software on my laptop and was ready-to-rumble. The software failed repeatedly to detect the access point using a DLink branded 802.11b client device (USB DWL120). So I tried step two, isolating the AP's on an Ethernet segment. They failed detection again. So I fed the software MAC addresses manually. This failed. I was using only one machine with a known-to-work crossover patch cable. What the *(!@?

    We eventually tried swtiching PC's, and then we noticed that the typeface DLink used to print the MAC addresses on their AP's made 5's look like 6's because the ink ran too much. I was really pissed. Upon getting the conf software to work on a desktop, I went back to my laptop to try again. It flat out wouldn't work with either of my 3Com CC10BT PCMCIA cards in different machines. Don't know why to this day; DLink couldn't help me on that one. But it did work on a desktop wit a 3Com 3c509b.

    So, we got the access points set up and clients on all the PCs. We set up WEP encryption and tried to hack around a little to get in without the keys. We made sure we altered the default network ID and set good hard-to-guess passwords. It was like butta, for just one day.

    Next weekend, we came back and hooked up more PC's. We went up to say 18 from 12. This is where we started having problems.

    We used MAC address control on the APs as we promised the company we would. But after hours and hours of trial and error, we discovered that after adding more than 17 MAC addresses to the control list on one AP, the AP would spontaneously loose all of its configuration data. This worked this way on both AP's. DLink was not helpful. We would later RMA one of these and the replacement would do the same. So, we ended up having to have control lists that were local instead of network-wide. This defeated the roaming feature of 802.11b entirely (although nobody has a laptop there right now, I don't like it one bit). It also causes more difficulty in configuring the damn things. My friend, who is an Apple Campus Rep, haunts me to this day with suggestions of buying their AirPort brand equipment and says it would work better. Anyway, we choose DLink 'cause it was a hell of a lot cheaper than Orinoco.

    We saved the company lotsa money on their dial-up. Next, we moved their web pages in house on a Red Hat box on a DMZ. DMZ wasn't all that in SmoothWall at the time (no hole poking), but it did what we needed it to. We moved their primary DNS to publicdns.org and set up MX records, the whole works. Set up a sendmail box. Set them up with PHPGroupWare. And, we encouraged them to make donations to the various projects which provided them with these fine products and services. I felt all warm and fuzzy. I had turned them into a free-software shop on commodity hardware and it all worked.

    After a while, I started getting phone calls from them saying their web pages were only accessible to some clients. I looked into this. I left myself a way to get in (a port forwarded to a pc with sshd, I had permission to do this), and so I hopped on in and looked around. I became acutely aware that my ssh sessions were being dropped very frequently. I kept getting some sort of error from my ssh client during sessions.

    We went back down to isolate the problem. We kept removing pieces of hardware from the network to figure out what the &*^% was going on, but found nothing. Then we learned SmoothWall had added support for PPPoE. We scrapped the Linksys, and we had no more dropped TCP sessions. It was freaky . I have seen the same problem affect two other people who used port forwarding since then with Linksys boxes (I help folks out on Mandrake Expert). SmoothWall had also added better DMZ support. I just have to say the system works beautifully.

    Other issues we encountered in the project were users compromising security by using AOL clients. AOL clients create VPNs which in theory could allow hackers to circumvent your company's security. Don't let your users do this.

    Oh, I almost forgot, the AS400. Up until we set them up with a network, they were using this shitty twinax serial network to talk to their AS400. It was expensive. It required shitty ISA adapters to be installed in every PC. It almost made me puke.

    At the start of the project in our proposal we told them that they should use encrypt everything, even internally, and that that was just common sense. We told them they could put the AS400 on the LAN and use ssh instead of those card-and-twinax interfaces. I even verified this with my fiancee's dad, an old-AS400-fart himself, before I promised them this. WE WERE WRONG.

    IBM told us they COULD NOT RUN SSHD WITHOUT BUYING A NEW MACHINE. That is such a load of crap, but we, having no experience with AS400's, could do nothing about it. The IBM man convinced them to run telnet. We told them we would take no responsibility for that. End-of-story.

    Hope this has been an informative venting session for all of you. Please note that there was some relevant content in here, and that SmoothWall solved some of my problems, and I think it is a great product.
  • by juct (549812) <ju@heisec.de> on Thursday January 10, 2002 @06:33AM (#2815448) Homepage
    Just a couple of comments to the Smoothwall answer to my review:
    My major concern is not, that somebody other than the administrator might log into the machine. The major issue of a firewall system is, to tighten security, not to remove existing security mechanisms like tight access rigts to sensitive files, shaddow passwords, etc. But that is exactly what Smoothwall does in direct comparism to any standard linux distribution.
    I'm sorry, if the text doesn't make it clear, that I'm not complaining about the format of files but about sensitive files with passwords or secret keys, that are world readable (ie mode 0644). Something like
    -rw-r--r-- /etc/ipsec.secrets
    is a bad thing - period.
    I made every effort, to get "printable" response from the developers. I wrote several E-Mails about the issues to Richard Morrel - who was named as contact person- and I went to the IRC channel of the developers. The only printable comment to the subject I got there is "This doesn't matter".

Organic chemistry is the chemistry of carbon compounds. Biochemistry is the study of carbon compounds that crawl. -- Mike Adams

Working...