SmoothWall Firewall Review 495
Daniel Goscomb, one of the lead developers of Smoothwall, responds:
In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.
The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need of shadow password files, if you have access to the machine to get the passwd file, you are already in as root anyhow.
Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.
He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.
As to the part about user authentication of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.
I also find it disturbing that the author gave us no room for comment in his article, nor did I see anything to suggest he had even asked us about these so-called "problems". We would have been happy to answer any questions he had.
Sincerely,
Daniel Goscomb.
Lack of Testing (Score:1, Informative)
Response (Score:4, Informative)
our response [smoothwall.org]
Smoothwall (Score:2, Informative)
Re:Old debate...? (Score:4, Informative)
From what I understand, even a user in your own house wouldn't be able to get at the password file, since only the root account (which one would assume is password protected) has access to a shell. This isn't a multiuser system that people log into.
(This is my understanding from what I've read - I've never used SmoothWall - please correct me if I'm mistaken).
No more comments on Morrell, please! Try IPCop! (Score:5, Informative)
As your momma always said: 'If you don't have anything good to say about someone, don't say it' or 'if someone keeps "bothering" you, just stay away from them.' It's as simple as that.
So if you don't like Richard Morrell, head of the SmoothWall project, consider:
Personally, I'm sick of the "one-sided" reporting on Mr. Morrell. I've seen way too many people "complain" about him, but never comment on various personal details that are partially the cause of this -- let alone the daily onslaught of Windows users who've barely heard of Linux, who don't bother reading the FAQ, let alone demand that SmoothWall automagically support every little, crappy-designed Windows application and their proprietary protocols that don't work well with firewalls anyway. After a week of being on the SmoothWall lists, I'd kill some very rude and ungrateful users well before Morrell. If you feel Morrell is "really bad for the project," then that's his problem, not yours!
Now if you still want something like SmoothWall without the SmoothWall(TM), take notice that others have forked the project into a new one called IPCop [ipcop.org]. Version 0.1.0 features SmoothWall 0.9.9, all the major post-0.9.9 patches and various enhancements. A final 0.1.1 release is to follow shortly before the team starts to work on version 0.2.0, a Linux 2.4/Netfilter implementation.
For all I care, you can think of IPCop as "SmoothWall without Morrell." Just don't say it out loud since many of us are all sick of hearing it!
Another firewall product: Astaro (Score:3, Informative)
There's also a support community [astaro.org].
Some companies such as Pyramid [pyramid.de] are reselling [astaro.com] Astaro with hardware and support.
Re:Reviewers have to listen... (Score:1, Informative)
Re:Attitude Problems with Smoothwall Developers (Score:3, Informative)
Re:Excuses (Score:1, Informative)
The other option is to require the remote end to authenticate to you. Unfortunately, I doubt there's an ISP out there that would do that.
In other words, the developers are entirely correct.
Another alternative (Score:3, Informative)
Re:Reviewers have to listen... (Score:3, Informative)
The second time he visited #smoothwall, he did not introduce himself as a journalist, nor did he say he was writing an article, and he proceeded to try and grill the channel members on the points he wrote about in the article. This is where some misunderstandings are appearing, as not everyone posting here about their IRC experience was online the first time Jürgen appeared.
Re:Bad Modding -1 offtopic (Score:2, Informative)
Re:No more comments on Morrell, please! Try IPCop! (Score:2, Informative)
Anyway, I do not know the gentleman that posted that little piece. However, I do have a tendency to agree with him.
As for the spam. OK, if you see it that way.
Also, I never claimed that it was anything other than a fork. As a matter of fact it's plastered in every piece I write on my site. http://slydder.homelinux.com
I hate not being clear on matters.
As for having problems from SourceForge, I don't think so. But then again if we did it could only be because a certain person keeps on us to remove all mention of SmoothWall. hehe. What a character.
chuck
Re:The smoothwall team is full of GREAT IDEAs.. (Score:2, Informative)
Smoothwall GPL requires separate hardware interfaces (modem/nic) per ip. The internal NIC can only view the splash page of smoothwall, and the external can't see it at all. By merely spoofing packets you cannot get to the internal ip.
But then you don't actually have an example of this spoofed packet that will fool smoothwall, do you?
Yes, smoothwall doesn't filter email. It's a conventional firewall. It's not a virus-checker. Compromised machines on the internal network can view the splash page of smoothwall. The splash page reveals the smoothwall version number and " 1:19pm up [REMOVED] days, [REMOVED], 0 users, load average: 0.38, 0.54, 0.57".
Anything more and you need http authentication. Show a theoretical exploit or calm down, please.
Comment removed (Score:4, Informative)
Re:sharethenet (Score:2, Informative)
Re: Attitude Problems with Smoothwall Developers (Score:5, Informative)
for me it was a straightforward switch from smoothwall to ipcop. easiest install of any operating system i've ever seen. ipcop supports ext3 (for no extra cost!) which is great for unplanned reboots.
another free alternative... (Re:sharethenet) (Score:3, Informative)
Works very nice for me.
point your boss (Score:3, Informative)
another free Firewall: Gibraltar (Score:1, Informative)
Having read the C't article and also some comments here, I would like to say that there is another free firewall solution. Gibraltar is a CD-ROM based firewall that does not need to be installed on hard disk but runs directly from the bootable CD. You can find more information about it at
http://www.gibraltar.at/
Although I am - as the founder of this project - obviously biased, I think that Gibraltar can offer quite some functionality and is rather easy to use. There will be a commercial version with a web interface (which is currently developed) and installation support, but the free version will always have exactly the same functionality as the commercial one (besides the web interface). The first free version has been released about 1 1/2 years ago and is now used by a lot of people all over the world.
Gibraltar should be listed in a Linux-based firewall survey in the next issue of the German Linux Magazin.
Smoothwall and Gibraltar both have their strengths and I can only recommend to look at both to decide which one suits your needs best.
Rene Mayrhofer,
Gibraltar project manager
rene.mayrhofer@vianova.at