Experiences with the Smoothwall Installation: How to Implement a Linux Firewall (part 1)
Some people are still on dialup, or have been sold a cheap broadband modem by their ISP. In either case they may find themselves without a firewall. This is a very bad position to be in: sooner or later a worm will infect a Windows PC connected to the internet like this, even with XP SP2 (with its updated s/w firewall) and all the auto updates turned on. Of course there are other risks, and if you use your machine for filesharing (legitimate or otherwise) you expose yourself to considerably greater risk.
Software firewalls running on your main machine are inherently vulnerable to trojans and things that slip in via email. You should try and run your firewall on a device that is not used for anything else. A dedicated device, be it custom hardware or a PC dedicated to firewalling, is always going to be more secure.
One solution is to purchase a hardware firewall/router, or perhaps a modem/firewall/router that the ISP should probably have recommended in the first place. Pure firewall/router devices are hard to find in the main consumer outlets, but can certainly be obtained by mail order. Around A$70 is the bottom of the price range for firewall/router devices. A complete all-in-one solution such as an ADSL modem with firewall, router, four port switch and wireless access is far from cheap (at around A$150), but probably the best way to go if you don't have any existing kit. However, if you have old PC hardware lying around that you want to make useful again, or just want configurability and choice, an old machine running Linux could be the answer.
Linux has been a viable option for a firewall solution for several years. The creators of distributions have recognised this and make efforts to make setting up a Linux firewall a fairly painless procedure. Red Hat offers a firewall install option that I've used in the past, and there are several Linux distributions that are intended for nothing else. Some install from a single floppy, and others from a CD.
You could try to run Windows on an old PC and run something like ZoneAlarm, but old versions of Windows are vulnerable to attack, and new ones require expensive hardware to run well. On top of that Windows licenses and good firewall applications are far from free. When you throw in the fact that Windows PCs are the main target of attack you have to conclude that Windows is not a good tool for this job and that Linux is by far the better choice for a dedicated firewall.
One popular firewall solution is the smoothwall Linux distribution. This falls into the category of 'security focused' distributions: it ships with secure default settings and is generally 'hardened' against attack. By reducing the number of components in the distribution, the number of possible vulnerabilities is reduced and the specification of hardware required is made as low as possible. Add to which, hardly anyone attacks Linux vulnerabilities right now anyway.
Another possible alternative, which was originally a smoothwall derivative, is IP Cop, but I will write about that at a later date. It is in the process of losing its last vestiges of smoothwall code, and seems headed off in a different direction. I chose not to use it for my first foray into the area of specialised distributions because smoothwall seemed to have a better community forum.
Smoothwall's community seems one of its best strengths. Almost every question you could think of is already answered on the forums, and the greatest problem is the vast body of material already there. There are many 'mods' for smoothwall, and most of the features you could wish added have already been considered.
The distribution can be downloaded with or without the documentation, but I can see no real reason not to download the documented version, as it's not that much larger.
Choosing and Configuring Hardware
Smoothwall seems to run on some pretty low end machines. I'm running it on a 500MHz Pentium II with 1Gb of RAM and 8Gb of drive space, but it will run happily on much less. With the configuration above I see CPU utilisation of below two percent, even with large numbers of active connections and my cable modem running flat out.
After installing and allocating a large buffer area for the web proxy, I had over 6Gb free of the 8Gb drive (which didn't provide a full 8Gb anyway). If you have an old 2Gb SCSI drive (or IDE for that matter) hanging around, it should provide plenty of space.
Clearly, 500MHz is overkill, and if memory is sufficient I believe even a P60 or 486 DX66 would suffice for most tasks. A friend of mine has reported issues with a 166 being slightly strained by heavy loads with large numbers of connections, but I suspect it's more likely due to limited memory than CPU given the usage figures I've been seeing.
I have observed that left to its own devices, smoothwall makes use of my entire 1Gb of RAM, so it's a good bet that the more RAM you have the better. You can adequately run with 128Mb. I suspect more RAM aids performance significantly when you have large numbers of connections to your machine, but makes little difference if you don't.
Ethernet Cards
You will usually need at least two ethernet sockets free on your firewall machine: one for the broadband modem and one for the rest of the network. A switch or hub doesn't help you with the basic requirement for at least two ports because you need to pass everything through the firewall. If you do have a switch or hub, it should go on the protected side of the firewall so that your other network machines pass their traffic through the switch, then through the firewall machine, and then, if necessary, through the wall itself to the modem. If that sounds confusing, as long as you plug the modem directly into the firewall machine, all should be well. Put another way, do not plug your modem straight into your switch or hub :)
If you want to use the DMZ facility of smoothwall, you will need a third available ethernet socket on your firewall PC, which might be a bit of a stretch for some people. The DMZ facility is a (stupid slang) 'de-militarized zone', which is to say it has thin firewall protection. The DMZ is for running applications that have problems running through a firewall. Most hardware firewalls offer a DMZ, but not like the smoothwall one. Keep reading and you'll see the difference.
Unfortunately, one thing that ancient PCs rarely seem to have in them is a sufficient number of network interfaces. I was lucky in that I had three spare Intel chipset, PCI ethernet cards lying around. Most people probably don't, and most old PCs had zero ethernet sockets, which is two short of what you need.
Cheap 10/100 Network Interface Cards (NICs), as the jargon-aware like to call their ethernet cards, retail for around A$10, but that's a mail order or computer market price. Expect to pay a lot more at popular retail outlets - if you can find anything that isn't an overpriced gigabit card. In any event, $30 isn't too much to spend, but it's a long way from the 'totally free' setup that most people are probably hoping for. The upside to using a modern PC is that it is more likely to have two or more NICs installed as standard, though this is still hardly a given.
Perhaps the best source of cheap NICs, apart from the second-hand bin at computer markets, is the junk heap of workplace IT departments. In many cases businesses are paying people money to take away old 'useless' PCs, usually 486 or early Pentium machines that have tiny amounts of memory and equally tiny monitors like little goldfish bowls. These machines often contain old 10/100 PCI NICs because they were networked. Often they contain Intel cards, which used to be by far the best. The IT staff may let you take away as many of these machines as you like (use one as the basis for your firewall), or may take the NICs out for you. Whether it's your workplace or a friend's, you can often get this 'scrap' for free. If you aren't lucky enough to get something for nothing, the computer markets often have people who deal in this old hardware selling parts and entire machines for very low prices. There will always be junk from corporate upgrade programs.
However, there are some other hardware issues you need to think about before you proceed. If you only have a USB modem, you will need a machine with USB sockets. While many old machines have these, they are typically USB1, which is pretty slow. It's OK if you are on dialup, but chances are you aren't. USB broadband modems are generally a bad thing all around, so if you have one, think about getting something better when an opportunity to upgrade appears. For dialup, USB1 should be quite sufficient. On the up side, if you have a USB modem you will need one less ethernet device.
Once you have sufficient NICs, USB sockets, COM ports or whatever you need installed in your machine to support the setup that you want to use, you are ready to address the software installation.
Installing the Smoothwall
Installation is straightforward. Most of the install documentation is devoted to 'tricky' installs, such as when you don't have a bootable CD drive. It's possible to boot from a floppy and install from CD or from a network device. All the tools to create a boot floppy are included as part of the distribution.
Assuming you have a bootable CD, you simply write the downloaded .iso file to a CD, put it in your target firewall, and boot. You are faced with a set of menus that ask simple questions and in most cases the options are explained to you.
I would suggest that for a home network you use addresses 192.168.1.X and a mask of 255.255.255.0, as so many devices default to values like this. Also, you can add another network on 192.168.2.X if you need to for some reason (something I'll talk about in a later part in this series).
Things can seem a little complicated when you are asked to choose the base configuration, simply because of the jargon used. Smoothwall has a concept of interface 'colours' which are used to refer to interfaces connected to the LAN (GREEN interface), the outside world or WAN (RED interface), and to a DMZ machine or network (ORANGE interface). Unlike IP Cop there is no BLUE interface as yet (which is used specifically for isolating wireless), though there is a mod for it.
You can configure with just a GREEN interface if your internet connection is on a USB port and doesn't come through an ethernet NIC. If you have an ADSL modem or cable modem with an ethernet connection, you need to configure at least GREEN + RED. You can switch ORANGE in and out depending on whether you want a DMZ machine or network. Most people probably don't.
A DMZ machine is a machine that isn't fully firewalled and is used to run services accessible to the outside world. On most hardware firewalls the DMZ machine is left wide open and unprotected. On a few (Billion for example) the DMZ machine is still potentially firewalled and you can control how it's accessed.
The smoothwall approach is more like the Billion approach, where the DMZ is still partially firewalled. However, smoothwall firewalls both sides of the ORANGE interface, so its communications with GREEN are filtered too. The smoothwall ethos favours using a DMZ for anything that communicates with the outside world. Your ORANGE network is considerably isolated from both the RED and GREEN interfaces, so even when it is compromised, attackers can be contained there.
To reiterate: the smoothwall authors suggest you never let outsiders connect to any service on your GREEN network, because if that server is compromised, attackers can access your entire GREEN network with no additional effort. This is why the ORANGE net exists: machines in ORANGE are isolated from the GREEN network, so if they are compromised by a worm or other exploit, your entire GREEN network remains safe.
For many home users, the idea of a server machine in a DMZ is a step too far: they don't want their machine to offer any services at all anyway. Such considerations are particularly moot for people who only have one decent computer and just want to firewall it - but for people with a genuine home network it's worth thinking about.
For example, you could have a home network with three or four computers, plus a firewall machine and a DMZ 'server'. The main network is on the GREEN interface, the outside world (via your ADSL modem) on the RED interface and your DMZ server on the ORANGE. You can then explicitly open pinholes in the firewall so that people can connect from GREEN to ORANGE in a controlled way. People on GREEN can still use web browsers and such directly through the firewall, as it allows most outgoing connections.
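As an added illustration of the colour model just described (this is not smoothwall's own rule set, which you manage through its web interface), here is a minimal iptables ruleset that enforces the same policy: GREEN may go out to RED, GREEN reaches ORANGE only through an explicit pinhole, ORANGE can never open a connection into GREEN, and RED only reaches the one published DMZ service. The interface names eth0/eth1/eth2, the DMZ host 192.168.2.10 and the TCP port 80 pinhole are assumptions for the example.

```shell
#!/bin/sh
# Added example of the smoothwall colour model as iptables rules.
# Not smoothwall's own configuration: interface names, the DMZ host
# address and the pinhole port are assumptions for illustration.
GREEN=eth0        # LAN, 192.168.1.0/24
RED=eth1          # modem / internet
ORANGE=eth2       # DMZ, 192.168.2.0/24
DMZ_HOST=192.168.2.10
DMZ_PORT=80

# Emit the ruleset in iptables-restore format instead of applying it, so it
# can be reviewed first:  gen_rules > rules.v4 && iptables-restore < rules.v4
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections that were already allowed are fine in any direction.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Only GREEN may talk to the firewall itself (web admin on 441, DHCP, DNS).
-A INPUT -i $GREEN -p tcp --dport 441 -j ACCEPT
-A INPUT -i $GREEN -p udp --dport 67 -j ACCEPT
-A INPUT -i $GREEN -p udp --dport 53 -j ACCEPT
# GREEN may open connections to RED (most outgoing traffic) and reaches
# ORANGE only through an explicit pinhole to one host and port.
-A FORWARD -i $GREEN -o $RED -j ACCEPT
-A FORWARD -i $GREEN -o $ORANGE -d $DMZ_HOST -p tcp --dport $DMZ_PORT -j ACCEPT
# ORANGE may talk outwards but is cut off from GREEN: a compromised DMZ
# host cannot open connections into the LAN.
-A FORWARD -i $ORANGE -o $RED -j ACCEPT
-A FORWARD -i $ORANGE -o $GREEN -j DROP
# RED may only reach the DMZ service that was deliberately published.
-A FORWARD -i $RED -o $ORANGE -d $DMZ_HOST -p tcp --dport $DMZ_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $RED -o $GREEN -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ service on RED; hide GREEN and ORANGE behind RED's address.
-A PREROUTING -i $RED -p tcp --dport $DMZ_PORT -j DNAT --to-destination $DMZ_HOST:$DMZ_PORT
-A POSTROUTING -o $RED -j MASQUERADE
COMMIT
EOF
}

gen_rules
```

The FORWARD chain's DROP policy already blocks ORANGE and RED from reaching GREEN; the explicit DROP lines are there so the isolation is visible when the ruleset is reviewed.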
Some of the options you deal with at installation can easily be changed later through the web interface, while others cannot. Overall, the base configuration (GREEN, RED+GREEN or RED+GREEN+ORANGE) is the only thing you need to think about before installing. Even then, if you get it wrong you can change it by logging into the firewall machine as 'setup', which automatically runs the config program.
Most ISPs assign a dynamic IP to the connecting machine. Telstra and Netspace do, while Demon in the UK provide fixed IP addresses. If your ISP didn't give you a fixed IP (and they will most certainly have notified you if they have given you one) then you should configure smoothwall to obtain your IP address via DHCP, and possibly your DNS addresses as well. Smoothwall asks about this pretty clearly and tries to explain it, so you shouldn't have too much trouble.
If you know the addresses of your ISP's DNS (Domain Name Server) you should enter them during the install. Some ISPs recommend that you use DNS IPs returned by DHCP, in which case you should probably try configuring smoothwall to do so. It might not work, in which case you will have to find out the addresses and enter them into the smoothwall setup manually. I've noticed that some ISPs do not handle DHCP DNS assignment as reliably as they should, though Telstra seem fine in that regard.
For ease of use you should probably set your GREEN interface to provide DHCP to your LAN. You will be asked about this, and there are sensible defaults. Just make sure it's turned on. This saves a lot of bother when configuring machines on your network to connect to the smoothwall.
You will be asked about how you connect to the internet, and possibly offered a way to configure your modem. If it's an ordinary dialup modem, or an ISDN modem, then this might be useful. If it's an ADSL modem it may not be, as these are sometimes either pre-configured by the ISP, or through their own web interface. If you have a Telstra cable modem you can ignore it as you have to connect to Telstra in a special way: don't tell me you are surprised?
Install Complete: How to use the Smoothwall
Once you've completed the main install on your smoothwall machine you can probably remove the keyboard and monitor. Everything you need for day-to-day admin of the firewall is accessible via remote web interface, just like most hardware products.
Connect your main machine to the smoothwall's GREEN interface, either directly via a cross-over cable, or via a hub or switch. It may not be obvious which of your NICs ended up configured as GREEN. Just configure your main PC's TCP/IP for the NIC it's using, plug into one of the ports on the firewall, and try to connect to the web interface. If you fail, move to the next port and so on until you can connect; it won't do any harm. You can't accidentally connect through RED or ORANGE :)
If you set your GREEN interface on 192.168.1.1, then that's what you need to connect to from your web browser. However, it won't work unless your machine has its TCP/IP network settings set up to match. If you enabled DHCP, then all you need to do is open the connection for the correct NIC on your main machine and bring up the properties. Once there you should see a list of networking components, most likely including Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, QoS Packet Scheduler, and Internet Protocol (TCP/IP). The last one is the important one: select it and then its properties. If you configured DHCP on the smoothwall all you need to do is set Obtain an IP address automatically and Obtain DNS server address automatically. These are the defaults, so you may not have to do much.
Unlike most hardware products, you can connect to the web interface via a secure connection (using HTTPS and SSL certificates). Type https://192.168.1.1:441 into the address bar of your browser. I think the smoothwall docs suggest you use the name of the smoothwall machine, but that is somewhat fallible; if you use the numeric address there's no chance of a DNS problem.
When you connect, the smoothwall provides an SSL certificate. Your main machine won't recognise this certificate because no authority has signed it, so you will probably want to tell the browser to add the certificate to those your computer recognises for future convenience. Even then, the browser will probably grumble about mismatches in the certificate name. No need to worry about that yet, just click OK and move on.
Once you are connected to the web interface you will see the welcome screen. The menu along the top allows you to access the smoothwall configuration facilities. When you click on one you will see a login popup. Enter a user name of 'admin' and the password you set during installation for smoothwall administration (not the password for your root or setup users).
You should be now properly logged in to the smoothwall web interface and can manage your firewall. In the second part of this series I'll talk a bit more about getting your smoothwall to actually connect to the internet through your modem or other device. (And will probably come back and update this article after I realise all the stuff I missed out).