[Sussex] Smoothwall

Jon Fautley jon at geekpeople.net
Fri Mar 28 11:08:01 UTC 2003


On Fri, 2003-03-28 at 10:36, Mark Olliver wrote:
> Hi
> 
> I thought I'd ask some opinions on smoothwall. I am looking at using it to
> replace our firewalls, but so far I have found several holes. Does anyone
> have any ideas?

I'll give it a go...

<Puts on ex-Smoothwall support engineer cap>

> General smoothie setup allows for one red, orange and one green network.

Correct.

> 
> My networks are slightly larger and have, one red, one orange and
> multiple green networks, of which only certain things are allowed to
> talk across, i.e. mail is allowed across all networks but printing and
> http should be blocked.
>
> Under smoothie I can see no method for setting up this kind of
> configuration.

Hmm... AFAIK, this isn't possible in the GPL versions of smoothwall. I
believe we managed to bodge it in one of the corporate server builds
semi-successfully, but I don't believe it was released for public
consumption. It shouldn't be that hard to implement if you know Perl and
a bit about network routing (sounds like you do).

> Also, I like to run an internal DNS server chrooted on the firewall.
> 
> Any Ideas?

SmoothWall has a DNS proxy built in, not a fully fledged DNS server. If
you ask any of the SmoothWall team they'll tell you that you shouldn't
be running any other services on the firewall itself and it should be on
a separate box. IMO, a DNS server (providing it's not running THAT many
domains) is ok to be run on a firewall.

IIRC, nothing is chrooted on the Smoothies, which probably means that
you'd need to copy the correct binaries over to the machine itself -
smoothwall is based on RedHat Linux 6.2 (originally) so any binary
compiled on/for a redhat 6 system should work.

> Another thing that would be useful would be the ability to have multiple
> smoothies so if one breaks or falls down the redundant one takes over
> using standard heartbeat systems. Has anyone tried this?

Again, something we played with for the corporate side of things, and I
believe it's going to be a feature of Corp Server 3 when it's released
later this year. I don't think anyone's bothered with the GPL version.

From what you're saying, smoothwall isn't really what you need. It would
probably be quicker to install a minimal <distro of choice> [*** USE
DEBIAN ***] system and customise that to your requirements.

Jon




