Is Smooth Firewall good?

Discussion in 'other firewalls' started by tonyseeking, Nov 27, 2008.

Thread Status:
Not open for further replies.
  1. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Anyone know much about SMOOTH FIREWALL?

    Thanks
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Are you referring to Smoothwall, a firewall/OS package that converts a PC into a hardware firewall? Smoothwall makes an old PC into a good hardware firewall. It is not a firewall that installs on Windows. I've used it for about 2 years and am quite happy with it.
     
  3. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Yeah that's it :thumb:

    So I install it on an old PC and it becomes a hardware firewall?
     
  4. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I used Smoothwall many years ago; it's easy to use and works well. I resurrected an old Pentium II 266MHz with 64MB RAM and 2GB hard drive and installed Smoothwall on it.
     
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Yeah, works nicely... There are also alternatives like m0n0wall or IPCop.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's almost that simple. The PC you use will need at least 2 network cards, 3 if you need a DMZ, aka demilitarized zone, defined here. Chances are you don't need that 3rd card. Smoothwall comes as an ISO, which is burned to CD and makes the CD a bootable installer.

    You'll also need a crossover cable. A crossover cable looks just like a normal ethernet cable but is wired differently. Quite often they're red. This is needed whenever 2 network cards are connected together, such as the one on your PC to the one on Smoothwall. I wasn't aware of this at first and couldn't figure out what was wrong.

    Install the network cards, then install Smoothwall. There's some configuring to do but it's not that bad. Mainly card assignments and basic network setup. When the initial install and setup are done, Smoothwall can be configured via the browser. Once it's all done, the Smoothwall PC doesn't need a monitor, mouse or keyboard.

    I haven't tried Smoothwall 3, been using version 2 for about 2 years. I installed it on a P5-133 with 32MB RAM. It's fast enough for 864/160 DSL. Since Smoothwall runs on a small Linux system, it's not like Windows and its needing regular restarting. Even on my low power hardware, mine has run for 6 months and longer with no problems.
     
  7. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    And how is that better than a software firewall, such as COMODO or ZoneAlarm?
     
  8. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Thanks for the time you invested into telling me this. Great tip about the crossover cable. :thumb: I will keep that in mind.
     
  9. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Does anyone know how I can get Content Filter on Smoothwall? What are my FREE options?
     
    Last edited: Nov 27, 2008
  10. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I feel it's better due to the fact that it's a separate standalone unit. If your computer is somehow compromised, Smoothwall will still continue protecting you. A software firewall may not. Plus it allows you the option of not running a software firewall, which helps free up system resources and eliminate potential conflicts.
     
  11. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Good points, thanks. :thumb:

    Any ideas how to get a free content filter installed on Smoothwall?
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    FYI, I believe the crossover cable is only necessary if you patch directly from the Smoothwall PC to your personal PC. If you have a router between Smoothwall and your PC then you would use regular ethernet cables. I'm pretty sure this is how I had it set up when I used Smoothwall for a while, but perhaps someone will chime in and confirm...?
     
  13. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    If "newer" NICs are used I do not think a crossover cable is needed at all. NICs for the most part are auto-negotiating.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The network card I bought earlier this year still required the use of a crossover cable. It was an EtherFast, made by Linksys.
    That is basically correct. Then again, if you use a 4 port ethernet card, Smoothwall could also serve as the router. I don't know which ones would be compatible. Their forums would be the place to ask that. Another company makes a PCI ADSL modem that can replace the standard DSL modem most ISPs supply. At least one of these is compatible with Smoothwall. With the right cards, Smoothwall could replace much of the network hardware. In some cases, all of it.
    Hardware and software firewalls are not entirely comparable. Each has their strengths. A hardware firewall is more resistant to malware because it's separate from the PC and isn't affected by exploits of Windows and other user software. This is often used to claim that hardware firewalls are stronger than software firewalls. In reality, both are software firewalls. Hardware firewalls just have their own operating system. What makes software (installed on Windows) firewalls weaker in comparison are the weaknesses and vulnerabilities of the operating system they're installed on, plus all the vulnerabilities in all the other installed software.

    Hardware firewalls do not control traffic on an application level. They're not "aware" of individual applications, just whole PCs. Whatever they pass or block applies to everything on the PC. Only a software firewall can control internet access for individual applications. A hardware firewall can control traffic to and from specific ports, which will give some control over certain applications.

    Hardware firewalls don't come with HIPS like many other firewalls, but some like Smoothwall do come with IDS (Intrusion Detection System). It's more useful for businesses with large networks but the logs can be handy, especially if you want to keep up with what's trying to connect to you.

    A hardware firewall is best viewed as a shield in front of your PC. Their primary role is blocking inbound traffic. Routers also do this but hardware firewalls are more versatile. Myself, I use both Smoothwall and a software firewall (Kerio 2.1.5). Smoothwall provides the strength against unwanted inbound traffic and Kerio provides the control over internet access for individual applications. Unlike using 2 software firewalls, Smoothwall won't conflict with a software firewall or an installed security app. It's up to you if you also want a software firewall or if strong inbound protection from Smoothwall is enough.

    I just checked all the network cards I have. All required the crossover cable to connect to another card.
     
  15. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Main difference is that the desktop firewall is more about application control than packet control.
     
  16. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Try a more "UTM" distro.....than a plain old NAT router distro...
    UTM = Unified Threat Management...brings antivirus/antispam/intrusion detection features to the table.

    Some UTM distros.....
    The "Copfilter" add-on for IPCop
    http://www.copfilter.org/
    Endian
    http://www.endian.com/en/
    Astaro
    http://www.astaro.com/

    and..my favorite that I've been using for more and more of my business client networks...Untangle.
    http://www.untangle.com/

    Untangle has quite a few features the others don't have....such as an AntiSpyware component.

    All your network's internet traffic passes through these...so it's a great added layer of protection.

    Untangle is a layer 7 platform..so it CAN control traffic on the application level. You CAN control what traffic is allowed to/from the workstation.

    And yeah, crossover cables have pretty much become extinct...gone the way of the floppy drive. With PCs coming with gigabit NICs for quite a few years now...part of the standard for gigabit is auto MDI-X..so the NIC figures it out for you. Plus most switches for quite a while now, even if 10/100, are also auto MDI-X.

    Since implementing UT at some of my clients, the number of times I've had to go clean a PC that got hit with a Virtumonde/Smitfraud/ZLob trojan has plummeted. IMO, this added layer of protection for the network is worth it. And..it's an added layer of protection that doesn't slow down your PC like installing another application would. You get the benefit of scanning from other products, without having to install those other products.

    Even for home use, I've not run a plain old off the shelf NAT router for a long time, I run these distros on an old laptop, which is great for the home user. You get a small footprint, low energy consumption, low noise and heat output...and it has its own built in battery backup! :D

    All the above have "free" versions you can download/install. They are really very easy to install, set up, and manage...if you've been able to set up your own Linksys/Netgear/DLink router...you can do one of these. You do not need to know Linux at all.
     
  17. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi YeOldeStonecat,

    Do you know if those programs mentioned by you, use an AV etc or can use, and if yes, which one(s)?

    Thank you in advance !
     
  18. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hey Fanj,

    Untangle uses ClamAV as part of the standard set of applications.
    For $10 a month you can add Kaspersky as a second engine.

    The spyware blocker can filter spyware by URL, subnet, cookie & ActiveX,
    or you can block all ActiveX controls.
     
  19. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    very intriguing. but would this be overkill for a home system with but one box on it? i was considering a Trendnet Firewall/Router for around $120-150, to use with Defensewalls outbound protection, whenever that comes about. but you say Untangle can control outbound as well as inbound at layer 7?

    i like the laptop as the gateway too. what are the specs on it? how many boxes are run through it? how did you cram three nics into it?

    thanks in advance to any of this you may choose to answer.

    oh, and what about SPI or DPI? is the firewall stateful? and does the IDS use DPI?


    Mike
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    The firewall uses standard linux iptables, which of course is stateful. The IDS uses a customized Snort (pretty much an overkill for home use).
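
Added example, not part of the original thread or of any of the products discussed: a toy Python model of the stateful behaviour described above, next to a port-only (stateless) rule, showing which packets each lets in from the internet side. The "green"/"red" zone names, the addresses and all function names are constructed for illustration, and the model ignores NAT, TCP flags and timeouts that real connection tracking handles.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    in_zone: str   # interface it arrived on: "green" (LAN) or "red" (internet)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def stateless_filter(p: Packet) -> str:
    """Port-only rule set: trust anything that claims to be a web reply."""
    if p.in_zone == "green":
        return "ACCEPT"
    return "ACCEPT" if p.sport in (80, 443) else "DROP"

class StatefulGateway:
    """Accept LAN-initiated flows, then only packets belonging to those flows."""
    def __init__(self) -> None:
        self.conntrack = set()   # flows that were opened from the green side

    def filter(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Comparable to: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        if forward in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"
        # Comparable to: -i <green interface> -m conntrack --ctstate NEW -j ACCEPT
        if p.in_zone == "green":
            self.conntrack.add(forward)
            return "ACCEPT"
        return "DROP"   # default for anything unsolicited arriving on red

def run_demo() -> dict:
    # Constructed packets; addresses come from private/documentation ranges.
    out = Packet("green", "tcp", "192.168.1.10", 51000, "203.0.113.5", 80)
    reply = Packet("red", "tcp", "203.0.113.5", 80, "192.168.1.10", 51000)
    stray = Packet("red", "tcp", "198.51.100.7", 80, "192.168.1.10", 51000)
    gw = StatefulGateway()
    return {
        "stateful": [gw.filter(p) for p in (out, reply, stray)],
        "stateless": [stateless_filter(p) for p in (out, reply, stray)],
    }

if __name__ == "__main__":
    print(run_demo())
```

The third packet only claims to come from port 80 and matches no flow the LAN opened, so the stateful gateway drops it while the port-only rule lets it through.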
     
  21. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi lodore,

    Oops, sorry for not replying earlier :oops:

    Thanks for your info :)

    Keep the info coming, thanks !
     
  22. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    With 1 box...perhaps overkill. I constantly try different *nix distros...across several laptops.

    I frequently keep turning back to a distro called PFSense, because its QoS/Traffic shaping are tops. I can prioritize my online gaming, deprioritize the kids' P2P traffic...and with 3x other PCs in the house...wife's aggressive online shopping 'n stuff..my online gaming is prioritized so they don't impact me.

    However, back towards the subject of UTM distros....yes in my opinion Untangle is overkill for the single user, it's more for SMB networks. Since I deploy it frequently for my SMB clients, I need to keep familiar with it, so I have a couple of boxes running it at home now 'n then...an IBM Thinkpad T41 laptop with a Pentium M 1.6 a 1 gig, and an IBM @Server X335 with dual Xeons which is currently running UT 6.0 which I fire up now 'n then.

    I run PFSense on an old IBM Thinkpad T23 which has a Pentium 3 1.0, 256 megs, onboard Intel and a PCMCIA NIC. I don't need a 3rd NIC/orange zone.

    Another good UTM distro is Endian, which runs on older mid-range hardware such as the T23 above. It also has antivirus scanning, SPI 'n Intrusion, content filtering, etc. May be a good fit for you, it's a great distro. I used to use that at quite a few clients...have replaced most of them with Untangle due to better malware scanning with UT. But Endian is still heads 'n heels above the others IMO.

     
  23. illicit

    illicit Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    91
    Untangle seems like a pretty slick app. Must give it a try.
     
  24. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    yes, it's easy to see why Untangle would be overkill in my situation. are you suggesting to me the hardware Endian? i attempted to find pricing for the entry model to no avail...guess i will need to connect with a rep.

    i actually like the software UTM PFSENSE over all of them. i like the logging and rules creation seems to be very comprehensive, but pretty straightforward.

    thanks for your further input.


    Mike
     
  25. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Endian has a community software distro you can download for free...and install on your own software. I've used it at some clients...it's very stable, a great little distro.

    Even though it's not a UTM distro, I run PFSense at home mostly...because of its superior QoS/packet shaping features. I deprioritize P2P traffic, and prioritize VoIP and gaming traffic. So the kids downloading stuff doesn't impact my online gaming. Also has good IPSec VPN compatibility...I have it doing a full time tunnel to the Cisco at the office.

     