SmoothWall Firewall Review

ray-x sent in a pointer to a review by c't of the Smoothwall firewall product. c't's reviewer described several flaws in the firewall. We asked Smoothwall for their comments on the review, which are posted below.

Daniel Goscomb, one of the lead developers of Smoothwall, responds:

In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.

The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need of shadow password files, if you have access to the machine to get the passwd file, you are already in as root anyhow.

Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.

He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.

As to the part about user authentification of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.

I also find it disturbing that the author gave us no room for comment in his article, nor did i see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.

Sincerely,

Daniel Goscomb.

Lack of Testing

[Renraku]

Chalk it up to lack of testing. A firewall developer should let a team of hackers attack, poke, and prod the firewalls before releasing them to either eliminate or minimize vulnerabilities.

Response

[wpanderson]

we have an article taking what dang has said along with our comments on the way the article author behaved when collecting his "evidence" ...

our response [smoothwall.org]

Smoothwall

[futuresheep]

After trying several different Firewall products, I found smoothwall to be the easiest to setup and maintain. As far as the reviewers points, most are irrelavant, since the only access to the web interface and to SSH is from INSIDE your network. Unless you go out of your way to activate these things exterally, they're simply not seen to attackers. But then again, if you changed the way the product is shipped, then it's really working like it was intended anyway.

Re:Old debate...?

[strags]

This debate seems to be over whether Smoothwall was designed to secure against attack from outside your DSL dialup or against attack from the inside. Shadow passwords are meant to provide a safeguard against dictionary attacks from logged-in users on a multiuser system. c't's complaint that there is no shadow password on a single-user system is valid; if you're worried about people in your own house trying to hack into your firewall.

From what I understand, even a user in your own house wouldn't be able to get at the password file, since only the root account (which one would assume is password protected) has access to a shell. This isn't a multiuser system that people log into.

(This is my understanding from what I've read - I've never used SmoothWall - please correct me if I'm mistaken).

No more comments on Morrell, please! Try IPCop!

[BitMan]

As your momma always said: 'If you don't have anything good to say about someone, don't say it' or 'if you someone keeps "bothering" you, just stay away from them.' It's as simple as that.

So if you don't like Richard Morrell, head of the SmoothWall project, consider:

• ignoring him
• the fact that SmoothWall is free software and freely supported (regardless of the "requests" for monetary support made)
• disregarding SmoothWall altogether, if it really "bothers" you that much (see below)

Personally, I'm sick of the "one-sided" reporting on Mr. Morrell. I've seen way too many people "complain" about him, but never comment on various personal details that are partially the cause of this -- let alone the daily on-slaught of Windows users who've barely heard of Linux, who don't bother reading the FAQ, let alone demand that SmoothWall automagically support every little, crappy-designed Windows application and their proprietary protocols that don't work well with firewalls anyway. After a week of being on the SmoothWall lists, I'd kill some very rude and ungrateful users well before Morrell. If you feel Morrell is "really bad for the project," then that's his problem, not yours!

Now if you still want something like SmoothWall without the SmoothWall(TM), take notice that others have forked the project into a new one called IPCop [ipcop.org]. Version 0.1.0 features SmoothWall 0.9.9, all the major post-0.9.9 patches and various enhancements. A final 0.1.1 release is to follow shortly before the team starts to work on version 0.2.0, an Linux 2.4/Netfilter implementation.

For all I care, you can think of IPCop as "SmoothWall without Morrell." Just don't say it outloud since many of us are all sick of hearing it!

Another firewall product: Astaro

[Jacco de Leeuw]

Astaro [astaro.com] seems like an interesting product. It too is based on Linux (GPL) and sports a firewall, IPSEC, PPTP etc. I have downloaded the ISO but haven't installed it yet since it insists on whiping the harddisk. Seems reasonable but I'll have to find a test machine first ;-).

There's also a support community [astaro.org].

Some companies such as Pyramid [pyramid.de] are reselling [astaro.com] Astaro with hardware and support.

Re:Reveiwers have to listen...

[linzeal]

I can vouch for that logged in as linzeal or koat. I have moved on to Astaro linux firewall though. Smoothwall had a teensy problem with one of my ethernet cards that caused it to operate at half duplex besides that I wish some of the logging features were put into astaro on the web config side. Astaro however "requires" an i586/300mhz and a 10 gig hard drive but actually runs on much less.

Re:Attitude Problems with Smoothwall Developers

[Anonymous Coward]

Been there done that..I urge all who plan on downloading Smoothwall to first hang around for a minute in their IRC channel. Dick Morrell has the worst attitude I have ever seen. Their clame to fame is that it will run on older machines, so I tried it. The 540mb hard drive was filled with logs and took the box down after a couple weeks. I asked Mr. Morrell if it cleaned itself every once in a while and his reply was "get a bigger hard drive". He then started going off on how I shouldn't criticize his product because I'm not paying for it.. All I asked is if the logs would clear eventually! That's just my incident that happend within 5 minutes of meeting him online. I've heard much worse about him. Because of that, I will never tell my friends about Smoothwall again. If you would like an excellent firewall, with more options, better security, and an excellent support team, I recommend you check out www.astaro.com ( which is also a linux firewall ).

Re:Excuses

[parc]

PPP sends the username/password in plain text. If the password is encrypted, how are you supposed to send it plaintext? I suppose you could use a symmetric cipher, but then you'd have to have the key hardcoded someplace. That doesn't seem secure either, does it?
The other option is to require the remote end to authenticate to you. Unfortunately, I doubt there's an ISP out there that would do that.
In other words, the developers are entirely correct.

Another alternative

[SonicBurst]

I've used Coyote Linux (http://www.coyotelinux.com) for about a year now, and it works great. It's a single floppy distro that runs on a dedicated 486 with 8 or meg of memory. It supports PPPoE and dial-on-demand (among other things), and is remotely manageable with ssh, if so desired. Just my $.02.

Re:Reveiwers have to listen...

[wpanderson]

The first time he visited #smoothwall, he fully announced his intention, and the publication he was writing for ... however there was hardly anyone there. He was pointed to Richard's email address by me, as a public IRC channel is hardly the place to conduct a press interview.

The second time he visited #smoothwall, he did not introduce himself as a journalist, nor did he say he was writing an article, and he proceeded to try and grill the channel members on the points he wrote about in the article. This is where some misunderstandings are appearing, as not everyone posting here about their IRC experience was online the first time Jürgen appeared.

Re:Bad Modding -1 offtopic

[wpanderson]

What company? SmoothWall GPL, which is the version reviewed, is released under the GPL by a volunteer team of developers, testers and helpers.

Re:No more comments on Morrell, please! Try IPCop!

[slydder]

Are you speaking of me? Must be.

Anyway, I do not know the gentleman that posted that little piece. However, I do have a tendency to agree with him.

As for the spam. OK, if you see it that way.

Also, I never claimed that it was anything other than a fork. As a matter of fact it's plastered in every piece I write on my site. http://slydder.homelinux.com

I hate not being clear on matters.

As for having problems from SourceForge, I don't think so. But then again if we did it could only be because a certain person keeps on us to remove all mention of SmoothWall. hehe. What a character.

chuck

Re:The smoothwall team is full of GREAT IDEAs..

[Anonymous Coward]

Well you're certainly loud, and vague, but it's all for nought.

Smoothwall GPL requires seperate hardware interfaces (modem/nic) per ip. The internal NIC can only view the splash page of smoothwall, and the external can't see it at all. By merely spoofing packets you cannot get to the internal ip.

But then you don't actually have an example of this spoofed packet that will fool smoothwall, do you?

Yes, smoothwall doesn't filter email. It's a conventional firewall. It's not a virus-checker. Compromised machines on the internal network can view the splash page of smoothwall. The splash page reveals the smoothwall version number and " 1:19pm up [REMOVED] days, [REMOVED], 0 users, load average: 0.38, 0.54, 0.57".

Anything more and you need http authentication. Show a theoretical exploit or calm down, please.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:sharethenet

[Anonymous Coward]

70 Dollars?! Coyote Linux [coyotelinux.com] does this too, and is free.

Re: Attitude Problems with Smoothwall Developers

[onya]

for this reason, (and others) there has been a fork from smoothwall gpl to create a new project called ip cop. you can download a beta .iso from the website. ipcop.org [ipcop.org]

for me it was a straightforward switch from smoothwall to ipcop. easiest install of any operating system i've ever seen. ipcop supports ext3 (for no extra cost!) which is great for unplanned reboots.

another free alternative... (Re:sharethenet)

[osolemirnix]

...is http://www.fli4l.org/ [fli4l.org], a one disk (floppy) router, comes with all kinds of add-ons (firewall, etc.).

Works very nice for me.

point your boss

[DreamerFi]

To the firewall at www.dubbele.com

another free Firewall: Gibraltar

[Anonymous Coward]

Hi all

Having read the C't article and also some comments here, I would like to say that there ia another free firewall solution. Gibraltar is a CD-ROM based firewall that does not need to be installed on harddisk but runs directly from the bootable CD. You can find more information about it at
http://www.gibraltar.at/

Although I am - as the founder of this project - obviously biased, I think that Gibraltar can offer quite some functionaliy and is rather easy to use. There will be a commercial version with a web interface (which is currently developed) and installation suppoer, but the free version will always have exactly the same functionality as the commercial one (besides the web interface). The fist free version has been released about 1 1/2 years ago and is now used by a lot of people all over the world.

Gibraltar should be listed in a Linux-based firewall survey in the next issue of the German Linux Magazin.

Smoothwall and Gibraltar both have it's strengths and I can only recommend to look at both to decide which one suits your needs best.

Rene Mayrhofer,
Gibraltar project manager
rene.mayrhofer@vianova.at