SmoothWall Firewall Review

Posted by michael
from the security-in-a-box dept.
ray-x sent in a pointer to a review by c't of the Smoothwall firewall product. c't's reviewer described several flaws in the firewall. We asked Smoothwall for their comments on the review, which are posted below.

Daniel Goscomb, one of the lead developers of Smoothwall, responds:

In our opinion this article is extremely badly researched and written. Furthermore, it shows a lack of knowledge on the author's part.

The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need for shadow password files: if you have access to the machine to get the passwd file, you are already in as root anyhow.

Secondly, he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the two real files, which do have the proper permissions on them.

He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.

As to the part about user authentication of the CGI scripts: this is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.

I also find it disturbing that the author gave us no room for comment in his article, nor did I see anything to suggest he had even asked us about these so-called "problems". We would have been happy to answer any questions he had.

Sincerely,

Daniel Goscomb.
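Daniel's defence of the pppd and FreeS/WAN secret files rests on the permissions of the symlink targets, not of the symlinks themselves. As an added check written for this page (not Smoothwall's own code), the script below resolves each entry and reports any target that is missing, not owned by root, or readable beyond its owner; the default paths are assumed from the standard pppd and FreeS/WAN locations, and the sandbox it builds is constructed sample data.

```python
import os
import stat
import tempfile

# Assumption: the "two files" Daniel mentions are pppd's usual
# /etc/ppp/pap-secrets and /etc/ppp/chap-secrets, and the FreeS/WAN file is
# /etc/ipsec.secrets.  These are defaults only; run_demo() below uses a
# constructed sandbox instead of the real system files.
DEFAULT_SECRET_FILES = (
    "/etc/ppp/pap-secrets",
    "/etc/ppp/chap-secrets",
    "/etc/ipsec.secrets",
)


def secret_file_status(path):
    """Describe how the secrets behind `path` are really protected.

    The mode of a symlink itself is meaningless (ls shows lrwxrwxrwx); the
    effective protection is the mode and owner of the final target, which
    os.stat() reports because it follows links, while os.lstat() does not.
    """
    link_mode = os.lstat(path).st_mode
    target_stat = os.stat(path)
    perm = stat.S_IMODE(target_stat.st_mode)
    return {
        "is_symlink": stat.S_ISLNK(link_mode),
        "target": os.path.realpath(path),
        "target_mode": perm,
        "owner_uid": target_stat.st_uid,
        "readable_beyond_owner": bool(perm & (stat.S_IRGRP | stat.S_IROTH)),
    }


def check_secret_files(paths=DEFAULT_SECRET_FILES, expected_uid=0):
    """Return (path, problem) pairs for entries whose real target is missing,
    not owned by `expected_uid` (root by default), or readable by group/other.
    An empty list means the "symlink to a properly protected file" claim
    holds for every entry given."""
    problems = []
    for path in paths:
        try:
            info = secret_file_status(path)
        except FileNotFoundError:
            problems.append((path, "missing or dangling symlink"))
            continue
        if info["owner_uid"] != expected_uid:
            problems.append((path, "target %s owned by uid %d, expected %d"
                             % (info["target"], info["owner_uid"], expected_uid)))
        if info["readable_beyond_owner"]:
            problems.append((path, "target %s mode %04o readable by group/other"
                             % (info["target"], info["target_mode"])))
    return problems


def build_demo():
    """Construct a sandbox mimicking the layout under discussion: a symlink
    pointing at a real file locked down to 0600 (Daniel's description) next
    to a real file that is genuinely world-readable (the reviewer's
    complaint).  File contents are constructed pppd-style lines, not secrets."""
    d = tempfile.mkdtemp(prefix="secrets-demo-")
    real = os.path.join(d, "real-pap-secrets")
    with open(real, "w") as f:
        f.write('"user" * "example-password" *\n')
    os.chmod(real, 0o600)
    link = os.path.join(d, "pap-secrets")
    os.symlink(real, link)
    leaky = os.path.join(d, "chap-secrets")
    with open(leaky, "w") as f:
        f.write('"user" * "example-password" *\n')
    os.chmod(leaky, 0o644)
    return link, leaky


def run_demo():
    """Check the sandbox; the files are owned by whoever runs this, so the
    owner check is relaxed to the current user.  Returns the problem list."""
    link, leaky = build_demo()
    return check_secret_files([link, leaky, link + ".missing"],
                              expected_uid=os.geteuid())


if __name__ == "__main__":
    for path, problem in run_demo():
        print("%s -> %s" % (path, problem))
```

Against a real Smoothwall box, calling `check_secret_files()` with no arguments audits the three default files as root.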

  • Smoothwall is Great! (Score:5, Interesting)

    by beezly (197427) <beezlyNO@SPAMbeezly.org.uk> on Wednesday January 09, 2002 @07:28PM (#2813364) Homepage
    I've been using Smoothwall for a while now. I'm extremely satisfied with it. I've hand-crafted firewalls in the past and I decided to give it a try to ease the burden, and it has more than filled the shoes of the things I manually configured before.


    It's secure, featureful and easy to configure - what more could you want?

  • by zzzeek (43830) on Wednesday January 09, 2002 @07:36PM (#2813412)
    He says shadow files are irrelevant as the box has only one account, root. Whatever happened to rule #1 of having your web server and CGIs run as a different user?
  • by chrysrobyn (106763) on Wednesday January 09, 2002 @07:37PM (#2813427)
    I hope it is on-subject enough to point out that I believe this is an excellent job Slashdot has done, going out and getting the rebuttal for the review. Although it is not quite perfect -- it acts partially to discredit the link source -- it is much closer to what I think Slashdot could be, a first-run news source with original articles -- for [nerds|geeks]. Until then, while the editors post their comments after a link, it's little more than the second-run movie theatres (which have their place, don't get me wrong). Thanks, Slashdot.
  • by DaveJay (133437) on Wednesday January 09, 2002 @07:38PM (#2813441)
    I, too, found it extremely easy to configure. I have been using it, and appreciate the availability of it.

    Ultimately, though, this is a very interesting notation by Daniel:

    >"...nor did i see anything to suggest he had even asked us about these so called "problems"."

    In the review, the reviewer actually states:

    >"My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment (sic)."

    The reviewer apparently did attempt to have a dialogue with one of the developers, and was rebuffed (apparently impolitely). I have had a similar experience with at least one SmoothWall developer behaving somewhat less than tactfully.

    If the reviewer is wrong about the security issues, the development team may feel justified in treating him thusly -- At the same time, I sincerely hope that the development team keeps a reasonably open ear in case a legitimate bug is discovered.
  • Re:Smoothwall Sucks. (Score:0, Interesting)

    by Anonymous Coward on Wednesday January 09, 2002 @07:40PM (#2813458)
    the point is that smoothwall is NOT SECURE. it does stupid things because according to the developers the daemons concerned require it to be that way. that's just STUPID. those daemons are GPLed. how long does it take to add a small encryption routine to a piece of GPLed source? it's trivial and the developers deserve to be bitchslapped HARD for this STUPID RESPONSE to a perfectly valid article.
  • Re:sharethenet (Score:2, Interesting)

    by mrpotato (97715) on Wednesday January 09, 2002 @07:41PM (#2813459)
    [...] but OTOH, that hardware can be very old and still perform.

    True. I have a 486/33 MHz acting as a router for 5 computers, and at 250 kb/s download using a cable modem the CPU usage is only around 15-20%.

    Using ADSL and PPPoE, though, used to give much worse performance, with the CPU at 95-100% for a 100 kb/s download.

  • by DaveJay (133437) on Wednesday January 09, 2002 @07:44PM (#2813471)
    Actually, the reviewer seems to have contacted the developer. Daniel said:

    >"...nor did i see anything to suggest he had even asked us about these so called "problems"."

    In the review, the reviewer actually states:

    >"My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment (sic)."

    The reviewer apparently did attempt to have a dialogue with one of the developers, and was rebuffed (apparently impolitely). I have had a similar experience with at least one SmoothWall developer behaving somewhat less than tactfully.
  • by mathrawka (549683) on Wednesday January 09, 2002 @07:44PM (#2813475)
    I have noticed that the founder of Smoothwall, Richard Morrell, has some issues to deal with. He has a huge ego and does not like users that do not pay for his "open source software." He enjoys complaining about how much money he has spent on making CDs and giving them away for free and how people don't donate to him. I have a few quotes that I have collected that he has said on the mailing lists for Smoothwall:

    "i have contacts with people at the kernel team that none of you have... i know people who can get this fixed and i'm on top of it... so stop complaining because you don't know what you're talking about"

    "i used to work for microsoft, i know how they work" (he worked in the sales dept selling licenses)

    "You're also not a paying customer - I'll email DIRECTLY my friend who WROTE the official driver. Friendships help. Thats why I'm richard@linux.com"

    "this is fuck all to do with SmoothWall its hardware level"

    Also, Mr. Morrell decided to turn it into a closed-source "enterprise version" that isn't free, with extra features. So he's not allowing open source developers to add new features to the open source project because it will compete with his private closed-source project.
  • Re:sharethenet (Score:2, Interesting)

    by karnal (22275) on Wednesday January 09, 2002 @07:51PM (#2813522)
    I've recently been using a similar product (except $free as in beer) called BBIagent... or is it BBIagent.net? not sure...

    You go to BBIagent.net's page, and then proceed to answer a few questions about the machine you'll be using as the gateway (NIC cards for WAN, LAN etc). Also, it has a built-in proxy DNS and built-in DHCP serving, so it can replace any firewall you have.

    The only extra support I'd like to see is a dial-up option (I have a dial-up line I dial into to make sure the links are up etc, and would like to run it on this same box)... But it has basic QoS, port forwarding, and access controls!

    What more can you ask for than free? :)
  • by Anonymous Coward on Wednesday January 09, 2002 @08:01PM (#2813605)
    I agree. I had issues getting a smoothwall box up and running (turned out to be a duff network card in the end), so I logged on to the smoothwall IRC server to get some advice. Richard Morrell was in the channel and I asked if anyone could give me some advice; his attitude was "have you paid any money to us?" straight off, not the most warm and welcoming of attitudes. I told him straight that I wanted to get it working before I parted with any of my hard-earned cash. I have got to say that other people on the channel were more helpful, but the guy's attitude put me off using his product to the point where I binned the installation and started using freesco instead...
  • Re:Response (Score:2, Interesting)

    by Anonymous Coward on Wednesday January 09, 2002 @08:06PM (#2813636)
    You say he asked in IRC. Does anyone have the IRC log so we can judge for ourselves on his "rudeness"?

    (not to be rude myself, but it's clear that the technical points the review makes aren't true, and it'd be nice if the social points were also disproved)

  • by TheSHAD0W (258774) on Wednesday January 09, 2002 @08:13PM (#2813675) Homepage
    There's a very good reason not to store passwords in plaintext -- even if the file containing the passwords has restricted permissions.

    Adam decides to change one of the passwords. Adam loads the password file in vi, makes the change, exits, and walks away from his console, happy.

    Bill, a guest-class user who wants higher-level access for nefarious purposes, creates a file in /tmp and blindly allocates disk space. He then closes it and reads what it contains.

    Well, when Adam saved the password file and closed, vi did the following: It created a new file containing the revised information, then deleted the old file, and finally renamed the new file to match the original file. The space allocated by the original file was released to be reused. When Bill allocated space for his temp file, he happened to get the same space the original file used -- and its contents.

    Bill identifies the file fragment as having belonged to a password file. While one password was changed, there may be others which haven't; or the format of the password used may allow Bill to make some educated guesses about Adam's new one.

    While this form of attack isn't always successful, password data can be exploited; and the more passwords on the system that aren't encrypted, the more likely one may be discovered. In other words: Routinely encrypt passwords!
  • by wpanderson (67273) on Wednesday January 09, 2002 @08:13PM (#2813677)
    There's a difference between code released from a single source that has been audited, tested and integrated by the team, and code downloaded from tumtetum.tripod.com/haxx0rme/ and slapped in without thinking about it. I'm not suggesting that ALL homebrew patches are security holes in the making, but this is a security project, not an mp3 player.
  • Re:Smoothwall & GPL (Score:5, Interesting)

    by Anonymous Coward on Wednesday January 09, 2002 @08:14PM (#2813683)
    I have also evaluated smoothwall, and while reading up about it noticed the "attitude" to the GPL so looked carefully at the licensing for all parts of the distro as they are very pushy about their rights to do what they like with code they have written (which I fully support).

    However, the version I looked at (0.9.9) includes a Java SSH terminal (MindTerm [appgate.org]) that is a commercial product that is "Free for non commercial personal use and may be included with other products so long as the different license is drawn attention to", to paraphrase this [appgate.org] license agreement. I saw no sign of this.

    I am posting this anonymously and I haven't raised this elsewhere as the attitude of the developers to these sorts of questions is well known and I don't really have the time for that.

    How this applies to their commercial support offerings I'm not sure either.
  • by Anonymous Coward on Wednesday January 09, 2002 @08:21PM (#2813727)
    no remote access to the machine ? when the machine is running CGI SCRIPTS ?? and a WEBSERVER ??? and is passing PACKETS and running rules on them ?
    HUH ? one buffer overflow and the firewall gets OWNED. REMOTELY.
  • by Anonymous Coward on Wednesday January 09, 2002 @08:24PM (#2813744)

    Both of you are as good/bad as me, the Anonymous Coward:

    hellcore (User #549684 Info)
    HiltonT (User #549696 Info)

    In other words: Two fresh accounts which probably represent the same person and are created just to post at +1. Show some logs.

  • by 3247 (161794) on Wednesday January 09, 2002 @08:27PM (#2813770) Homepage
    ... c't publishes an article that completely pans a very hyped product. Of course, the author/vendor/manufacturer then loudly complains and quotes several articles from other respected computer magazines that say his product is OK and c't is wrong.

    In most of these cases, c't is right. I think we can expect an exploit very soon... ;-)

  • by Anonymous Coward on Wednesday January 09, 2002 @08:30PM (#2813790)
    The web server is only accessible internally (required for web administration). It uses http authentication which doesn't get near the CGI (only the splash page can load with username/password).

    It has no external access to the machine.

  • by mwhahaha (172475) <mwhahaha.vt@edu> on Wednesday January 09, 2002 @08:46PM (#2813869)
    Twice this evening I've tried to get questions answered about their GPL'd smoothwall because my boss saw this slashdot article. And both times I've been nothing but insulted by Richard Morrell, the founder. The first time I was childish and incompetent all because I had the nickname 'nameless'. The second time I was k-lined from the server and he insults me because I have a German last name.

    smoothwall.org.txt [widomaker.com] and smoothwall.org2.txt [widomaker.com]

    Makes you wonder how these guys really act to customers.
  • by TellarHK (159748) <[tellarhk] [at] [hotmail.com]> on Wednesday January 09, 2002 @09:04PM (#2813966) Homepage Journal
    Several months ago, I was messing around with Smoothwall as a possible simple solution to my home LAN situation. It was the eve of the 0.9.8 release, and I went on the Smoothwall IRC chat area and joked about getting an early copy of the release. Joked. I know that doesn't happen, and figured that with a technically oriented crowd, that I'd be understood as kidding. At the time, it seemed that I was. However.

    A couple days later, after having installed Smoothwall and found it to be almost-but-not-quite-right, I popped on and asked a pretty simple question. Why wasn't there a copy of any compilation tools present, or any other services that someone on a small, personal network might like?

    The response was pretty terse. "It's a firewall." Repeated inquiries resulted in various forms of the same answer. Now I understand that a firewall has one main purpose, but the -attitude- I got from the developers was really too much. I figured, after being booted from the channel, I'd email Richard and hope that a cooler, more corporate head might reside at the leadership of the Smoothwall project.

    Unfortunately, I could -not- have been further from the truth. The situation escalated with Richard harassing me VIA email for several days, after repeated requests of mine not to email me any longer. He continued, his crude insults became -threats-, and it took three days for the matter to settle.

    I am currently an assistant administrator at a small college using Linux as a gateway/NAS solution that's desperately in need of updating. Smoothwall might have once been a contender for this, but definitely not now.

    I have posted a rather extensive website airing the entire situation with Richard, my own warts and all, at my Smoothwall site [wctc.org] for the perusal of anyone interested. Sure, I might have made a mistake or two, but I don't feel anything I may have said justified what I received.

    Anyone else have similar experiences?
  • by Anonymous Coward on Wednesday January 09, 2002 @09:05PM (#2813975)
    there is no such thing as an INTERNAL webserver. its on the net with a non routable ip. boo friggin hoo. someone spoofing packets can get into it if they do it properly. or 0wn one internal box on the network. unless smoothwall filters email and other viruses to potential M$ targets behind the firewall.
  • by TellarHK (159748) <[tellarhk] [at] [hotmail.com]> on Wednesday January 09, 2002 @09:19PM (#2814034) Homepage Journal
    I would like to add, as an afternote to this, that when I contacted my ISP in order to be sure that Richard was not going to pull a fast one and get my account yanked, that I was then contacted the following day and asked if I had indeed been hacking Smoothwall's parent site. My reply was no, and I pointed my ISP to the site given in my previous post. After a quick examination of my site, my ISP apologised for the trouble, and said things would be taken care of. Nothing ever came of that, but I hope others would agree that what happened was quite low.
  • Re:Smoothwall & GPL (Score:3, Interesting)

    by rossz (67331) <ogre&geekbiker,net> on Wednesday January 09, 2002 @09:25PM (#2814050) Homepage Journal
    Some of you go on about how great and how wonderful the GPL is. You say everyone should support GPL software.

    I went beyond that. I didn't just write GPL code as a hobby. I bet my family's well being on open source when I took a job with Sendmail, Inc. Unfortunately, Sendmail was forced into massive layoffs, and at the worst time economically. It took four months to find another tech job. It doesn't matter that I am good at what I do. There were a hundred other guys interviewing for the same job who were just as good or who wanted a lot less money.

    Your precious GPL doesn't pay my rent or buy clothes for my daughter. If I had a choice between unemployment and Microsoft, then what the hell, "start me up".
  • Re:sharethenet (Score:2, Interesting)

    by hearingaid (216439) <redvision@geocities.com> on Wednesday January 09, 2002 @09:32PM (#2814079) Homepage

    It's also why setting up a bootable CDROM is in many cases the way to go.

    Keep your logfiles on the HD. Nothing else really needs to be there.

    Of course, I don't do this. But I'm only protecting a few home computers. If I had an organization... I'd burn a CDR and boot firewalls from it. Just leave it in the drive. Good luck hacking that.

  • by whoppo (218875) on Wednesday January 09, 2002 @09:33PM (#2814084)
    Being a geek *and* the firewall/VPN admin for a large network, I was compelled by geekiness to set up a tunnel between the corporate network and my home network. Lacking the desire to spend way too much money for an IPSec-compliant appliance, I opted to try numerous open source solutions, including Smoothwall 0.9.9se. Despite a few shortcomings, I found the "Smoothie" to be quite impressive. A 23 MB ISO image yielded a bootable CD that installed without a hitch, identified all the hardware and prompted well for install input (reading the install docs is of course advisable). The box was online in just about 10 minutes with internal clients playing Quake and surfing for porn. A quick, yet educated, review of the default configurations and an nmap scan and I was comfortable with the security.

    On to the VPN config: a straightforward, web-based config menu has fields for all the usual FreeS/WAN VPN stuff, like gateway IPs, site network IPs, next-route-hop IPs and preshared secret, but lacked some specific config options that are needed to create a tunnel with a Checkpoint FW-1/VPN-1 gateway (the reason I was trying this product). Manually adding these config options to the ipsec.conf file was easy enough and in just a short while I was enjoying an IKE/3DES/MD5 tunnel into work... well... maybe "enjoying" isn't the right word. My next step was to add a few additional work subnets to the tunnel. This is done by creating an additional connection, like a second tunnel with the same addresses and preshared secret... piece of cake... except that adding more info to the VPN configuration overwrites the ipsec.conf file with a newly created one. Doh! Fortunately, the web interface is well written and it was pretty easy to add some code to make the admin script create the new ipsec.conf file with the Checkpoint-specific changes. Total time invested for a fully functional, easily configurable firewall/VPN: just a few hours.

    Satisfaction level: 90%

    Summary: It's easy, fast and works as advertised.

    Pros: Fast install; works with static or dynamic IPs; many other good features (check the website for details); easy to customize the code for personal gratification.

    Cons: It could offer more flexible IP chains config through the web interface; could use those additional VPN options for Checkpoint interoperability.

    I like it and the smoothwall folks can expect documentation of Checkpoint compatibility fixes along with a PayPal donation very soon.
  • by BenBenBen (249969) on Wednesday January 09, 2002 @09:43PM (#2814121)

    If my, and many of my friends', experiences of Richard Morrell are any indication, the reviewer got off lightly with "That doesn't matter". There's not even an expletive in there. I'm sure many other users here would back me up on this: Richard Morrell is like RMS but without the charm or patience. Smoothwall, however, is very good stuff. It runs excellently on a battered old 486 and is the ideal solution if you are looking to share a DSL/Cable connection, at any level from a simple home LAN to a hosted domain.

  • by DaveJay (133437) on Wednesday January 09, 2002 @10:05PM (#2814210)
    It does beg a question, but not "how (do) these guys really act to customers" -- I believe the better question is "when you financially reward sociopathic behavior, is it likely to stop?"

    Consider: if I donated money or purchased the product outright, project members might begin treating me with respect and patience -- but that respect and patience would have been purchased, rather than genuine. I assume that the boorish behavior would have continued behind my back. Equally possible is the chance that the boorish behavior would have continued to my face.

    Ultimately, it was this thought that led to me voiding a donation check I had written to the project. I voided the check two days after installing SmoothWall, a few hours after writing the check, and half an hour after being insulted by Richard Morrell on the users mailing list.
  • by BenBenBen (249969) on Wednesday January 09, 2002 @10:23PM (#2814297)

    You might be interested in what Mr Morrell has to say about IPcop...

    *dickmorrell* I'm actually having them shut down
    *dickmorrell* right now
    *dickmorrell* their Sourceforge listing
    *dickmorrell* for breach of GPL
    *dickmorrell* breach of copyright
    *dickmorrell* theft of documentation
    *dickmorrell* and oh
    *dickmorrell* see their lists ?
    *dickmorrell* I PAID FOR IPCOP f***o
    *dickmorrell* we sacked the crap developers involved
    *dickmorrell* they havnet the first f***ing clue
    *dickmorrell* lol
    *dickmorrell* we have 890,000 installs
    *dickmorrell* they have 82
    *dickmorrell* ipcop will need big pockets to get anywhere
    *dickmorrell* BIG pockets
    *dickmorrell* and BIG name friends
  • by cvn65 (201649) on Wednesday January 09, 2002 @11:48PM (#2814563)
    I read it, too. And I find Richard's responses to be entirely unlike your childish simplicity.

    I find him to be arrogant, overbearing, thoughtless, anal, and childish.

    Okay, -almost- entirely unlike you. But then, you are not making threats and false accusations of illegal acts against a person who has offered you neither insult nor any offense whatsoever. You aren't trying to abuse the law and the trust of a corporation to attack an innocent man. And you aren't posting pointless, silly, ad hominem slander.

    Oh, wait. You are posting pointless, silly, ad hominem slander.

    I guess you're not that different after all.
  • by milath (547963) on Thursday January 10, 2002 @01:18AM (#2814851) Journal

    I was reading this article's comments with just cursory interest until I came across this post. I headed to your website and read the whole exchange.

    Frankly, I think you are totally in the right here. The IRC exchange was typical, from what I've seen, for IRC. You even provided help to other customers of the company. I was absolutely astounded to read the reply(ies) you received to the email you sent the 'president' of this company. I cannot believe that anyone in charge of a company (or any company public or private) providing a product could be so daft. After reading through the other comments, I can also see this is not an isolated incident.

    Well, one thing is for sure: this could be the most secure firewall ever, but after reading this and other exchanges with the people who make it, I'm not even going to bother trying it.

    Absolutely disgraceful...
  • Re:Excuses (Score:4, Interesting)

    by hearingaid (216439) <redvision@geocities.com> on Thursday January 10, 2002 @02:38AM (#2815034) Homepage

    Mainly, NAT can be persuaded to become bidirectional with relative ease. That is, you can trick it into giving access to machines behind the firewall. This is especially easy if there are servers behind the firewall.

    The explanation of how is technical in the extreme, and while I mostly understand it, I don't trust myself to explain it correctly; I'll recommend the Zwicky book again [amazon.com], perhaps I should put it in my sigfile. :) If you're broke, go find your local university's library. Any decent uni library and many crappy ones will have at least the first edition of Zwicky.

    The simple answer, though: SOCKS4/5 is a server, and NAT is a router solution. Routers route packets around the 'net. They are designed to pass them back and forth. Servers, on the other hand, just receive packets, process them, and decide what to do with them.

    I talked about this a bit more in a BSD thread just earlier today: go here [slashdot.org] to see my other comment.

    Now, don't get me wrong; NAT is much better than just having an open connection. But it will usually pass ICMP packets, and that's an enormous security hole. Dumb network admins usually deal with it by blocking all ICMP packets, which of course breaks a whole pile of things. The better solution is to just not ever route packets from the 'net past the firewall. They should all be caught at the firewall and fed through some kind of proxy before they ever touch the inside. That can only be done if you give up NAT.

  • Some of this post is very on-topic, but I include the rest for context. Moderators, please be kind.

    I and a buddy recently completed a network installation for a small business. They had about 25 PCs in a 100-year-old wood-frame office building with asbestos everywhere and wanted these people to be able to utilize the Internet for such tasks as tracking packages via web sites, etc. They wanted to reduce costs by eliminating some 6 dialup accounts and free up phone lines for voice. They were less than a quarter mile from the local telco POP. So, they tried ADSL on one PC and consistently got about 1.5 Mbps down and about half that up. They loved it.

    They asked me as an independent consultant what they should do to get the access to the other PCs. We looked at wiring the building, but due to the structural nightmare of the building, we decided that for their needs we could go with 802.11b. We dropped several CAT5e lines to three locations in the building: the computer room, where their mission-critical apps run on an AS400, and two access point mounts we set up.

    We set up a SmoothWall box as their NAT since the evil ISP would only give us one static IP. It looked a lot better than FreeSCO. It was painless, absolutely painless to configure. But it had a shortcoming: it did not support PPPoE, which was necessary for the ADSL drop. Shucks! So we double-NATed using a little Linksys NAT/switch thingy to actually negotiate the PPP for us. We thought this would be nice because if someone were trying to hack in, they would have to circumvent 2 NATs. We also thought it would have no significant impact on throughput. Big mistake (read on). Regardless, the NAT solution could remain in place should they ever want to add a stateful packet inspection firewall or something like that, or switch to better broadband, or even wire the building.

    We spent almost an entire afternoon trying to configure the blasted access points. They were DLink 1000APs. I followed DLink's instructions to the letter. I have a little beef with DLink about requiring a Windows machine to configure the things, but I can overlook that. I installed the configuration software on my laptop and was ready to rumble. The software failed repeatedly to detect the access point using a DLink-branded 802.11b client device (USB DWL120). So I tried step two, isolating the APs on an Ethernet segment. They failed detection again. So I fed the software MAC addresses manually. This failed. I was using only one machine with a known-to-work crossover patch cable. What the *(!@?

    We eventually tried switching PCs, and then we noticed that the typeface DLink used to print the MAC addresses on their APs made 5's look like 6's because the ink ran too much. I was really pissed. Upon getting the conf software to work on a desktop, I went back to my laptop to try again. It flat out wouldn't work with either of my 3Com CC10BT PCMCIA cards in different machines. Don't know why to this day; DLink couldn't help me on that one. But it did work on a desktop with a 3Com 3c509b.

    So, we got the access points set up and clients on all the PCs. We set up WEP encryption and tried to hack around a little to get in without the keys. We made sure we altered the default network ID and set good hard-to-guess passwords. It was like butta, for just one day.

    Next weekend, we came back and hooked up more PCs. We went up to, say, 18 from 12. This is where we started having problems.

    We used MAC address control on the APs as we promised the company we would. But after hours and hours of trial and error, we discovered that after adding more than 17 MAC addresses to the control list on one AP, the AP would spontaneously lose all of its configuration data. It worked this way on both APs. DLink was not helpful. We would later RMA one of these and the replacement would do the same. So, we ended up having to have control lists that were local instead of network-wide. This defeated the roaming feature of 802.11b entirely (although nobody has a laptop there right now, I don't like it one bit). It also causes more difficulty in configuring the damn things. My friend, who is an Apple Campus Rep, haunts me to this day with suggestions of buying their AirPort brand equipment and says it would work better. Anyway, we chose DLink 'cause it was a hell of a lot cheaper than Orinoco.

    We saved the company lotsa money on their dial-up. Next, we moved their web pages in house on a Red Hat box on a DMZ. DMZ wasn't all that in SmoothWall at the time (no hole poking), but it did what we needed it to. We moved their primary DNS to publicdns.org and set up MX records, the whole works. Set up a sendmail box. Set them up with PHPGroupWare. And, we encouraged them to make donations to the various projects which provided them with these fine products and services. I felt all warm and fuzzy. I had turned them into a free-software shop on commodity hardware and it all worked.

    After a while, I started getting phone calls from them saying their web pages were only accessible to some clients. I looked into this. I left myself a way to get in (a port forwarded to a pc with sshd, I had permission to do this), and so I hopped on in and looked around. I became acutely aware that my ssh sessions were being dropped very frequently. I kept getting some sort of error from my ssh client during sessions.

    We went back down to isolate the problem. We kept removing pieces of hardware from the network to figure out what the &*^% was going on, but found nothing. Then we learned SmoothWall had added support for PPPoE. We scrapped the Linksys, and we had no more dropped TCP sessions. It was freaky. I have seen the same problem affect two other people who used port forwarding since then with Linksys boxes (I help folks out on Mandrake Expert). SmoothWall had also added better DMZ support. I just have to say the system works beautifully.

    Other issues we encountered in the project were users compromising security by using AOL clients. AOL clients create VPNs which in theory could allow hackers to circumvent your company's security. Don't let your users do this.

    Oh, I almost forgot, the AS400. Up until we set them up with a network, they were using this shitty twinax serial network to talk to their AS400. It was expensive. It required shitty ISA adapters to be installed in every PC. It almost made me puke.

    At the start of the project in our proposal we told them that they should encrypt everything, even internally, and that that was just common sense. We told them they could put the AS400 on the LAN and use ssh instead of those card-and-twinax interfaces. I even verified this with my fiancee's dad, an old-AS400-fart himself, before I promised them this. WE WERE WRONG.

    IBM told us they COULD NOT RUN SSHD WITHOUT BUYING A NEW MACHINE. That is such a load of crap, but we, having no experience with AS400's, could do nothing about it. The IBM man convinced them to run telnet. We told them we would take no responsibility for that. End-of-story.

    Hope this has been an informative venting session for all of you. Please note that there was some relevant content in here, and that SmoothWall solved some of my problems, and I think it is a great product.
  • by Anonymous Coward on Thursday January 10, 2002 @03:48AM (#2815165)
    Why doesn't slashdot go to both sides more often for both sides of a story? Why did this guy get 'special treatment'? It seems like the slashdot articles have a decent rate of being incorrect or half-informed. I'd like to see more of this fair reporting, and I hope this one time wasn't just a fluke.

    If you agree, vote with upward moderation.
  • BSD Based firewalls (Score:3, Interesting)

    by DreamerFi (78710) <john AT sinteur DOT com> on Thursday January 10, 2002 @06:22AM (#2815419) Homepage
    And there's plenty of others based on BSD freely available... see www.dubbele.com

    -John
  • by keithdowsett (260998) on Thursday January 10, 2002 @06:52AM (#2815487) Homepage
    I considered using smoothwall for my home network, but the lack of SCSI support was a problem. Instead I downloaded the Mandrake SNF firewall as an iso image. It's based on Mandrake 7.2 so it's not the latest and greatest. However it does include a facility to update its components if you don't feel like downloading the RPMs yourself.

    IIRC this does implement shadow passwords as well as the SCSI support I needed and a web interface. There is also a Java encrypted terminal connection, which allows you to login securely from a browser. This is really handy for tweaking the config files without needing a screen and keyboard connected to the host.

    There were two areas which needed a little manual tweaking - dhcpd.conf and lilo.conf. Once these had been fixed everything worked a treat, it even handled the VPN connection to my office seamlessly. So, nine out of ten for Mandrake SNF from me.

    Keith.
  • Re:Smoothwall & GPL (Score:1, Interesting)

    by Anonymous Coward on Thursday January 10, 2002 @07:01AM (#2815505)
    Just a quick update, I have tried to post this to the smoothwall users list but the mail was rejected by the moderator. Take from that what you will.
  • Re:sharethenet (Score:2, Interesting)

    by shani (1674) <shane@time-travellers.org> on Thursday January 10, 2002 @07:57AM (#2815602) Homepage
    It's also why setting up a bootable CDROM is in many cases the way to go.

    This isn't the point. The problem is that whatever exploit the script-kiddie used to root your box is going to still be there, no matter how many times you hit the big red button and reboot.

    You need to know what happened, so you can patch the hole.
  • Re:Smoothwall & GPL (Score:2, Interesting)

    by Anonymous Coward on Thursday January 10, 2002 @08:36AM (#2815680)
    You mean like their IRC channel?

    Welcome to #smoothwall :: Please do not expect
    free support if you haven't donated.
    http://redirect.smoothwall.org/donate


    I guess it's not free support if you donate then so it's basically an unsupported GPL'd product. That's fine but too bad the author is a fucking putz. He reminds me of DJB or Theo from OpenBSD. They're all pompous arrogant primadonnas.
  • by fatrat (324232) on Thursday January 10, 2002 @12:53PM (#2817066) Homepage

    Also, as was pointed out on uk.comp.os.linux,
    anyone who thinks that

    /^\d+\.\d+\.\d+\.\d+$/

    is a correct way to match an IP address in a cgi-bin script shouldn't be let near a firewall.

    No shadow passwords? /etc/passwd is a+r on all
    systems I've ever seen (is Smoothwall different?
    I doubt it). That's why you need shadow passwords.

    Remember the old /cgi-bin/phf?cat%20/etc/passwd
    trick? Having seen the quality of the cgi scripts
    in smoothwall, do you want to promise that there's
    nothing similar in there?
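    The point fatrat makes about the quoted pattern can be seen by running it against a few inputs. The following is an added example, not code from Smoothwall or from the comment's author; it uses Python's re module, where the pattern has the same meaning as in the Perl syntax quoted above, and compares it with a stricter dotted-quad check. The sample inputs are constructed for the demonstration.

```python
import re

# The pattern quoted in the comment above (Perl syntax on the page; the
# semantics are the same in Python's re module). Constructed example.
NAIVE_IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def naive_match(text: str) -> bool:
    """What the quoted regex accepts: four runs of digits, any length, any value."""
    return NAIVE_IPV4.search(text) is not None


def strict_ipv4(text: str) -> bool:
    """Accept only a dotted quad with four octets in 0..255 and nothing else.

    Checks the naive pattern skips:
    - each octet is 1-3 digits and numerically <= 255 (so 999.1.1.1 is rejected)
    - no leading zeros (some resolvers and libc parsers read 010 as octal)
    - fullmatch(), so a trailing newline is rejected; '$' in both Perl and
      Python also matches just before a final newline, so the naive pattern
      lets "1.2.3.4\\n" through
    """
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", text)
    if m is None:
        return False
    for octet in m.groups():
        if len(octet) > 1 and octet[0] == "0":
            return False
        if int(octet) > 255:
            return False
    return True


# Constructed sample inputs of the kind a CGI form field might carry.
SAMPLES = [
    "192.168.1.1",        # valid address
    "999.999.999.999",    # digits only, but not an address
    "010.0.0.1",          # leading zero
    "1.2.3.4\n",          # trailing newline: '$' still matches
    "1.2.3",              # too few octets
]


def compare(samples=SAMPLES):
    """Return {input: (naive_result, strict_result)} for each sample."""
    return {s: (naive_match(s), strict_ipv4(s)) for s in samples}


if __name__ == "__main__":
    for s, (naive, strict) in compare().items():
        print(f"{s!r:22} naive={naive!s:5} strict={strict}")
```

    Of the five samples only the first passes the strict check, while the naive pattern accepts four of them; the trailing-newline case is the one that matters most in a CGI script, because a value that "matched" still reaches whatever shell or config file the script writes it into with the extra character attached.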
  • by Genus Marmota (59217) on Thursday January 10, 2002 @02:06PM (#2817678)
    The response seems to support the criticism of devs being clueless and arrogant. Daniel seems to miss at least one point completely.

    From the review:

    The CGI scripts used to Administrate do not verify user data satisfactorily.
    From Daniel Goscomb's reply:
    As to the part about user authentification of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.
