SOHO Firewall Roundup
For several years now I have used SmoothWall Express as a personal firewall on my cable modem connection. I have been very pleased with it and have never had any successful breaches that I have been aware of. Having kids, I knew I would soon need some form of nanny filtering. Early on I investigated Dansguardian and found great support in the Homebrew forums of the SmoothWall community. Reason being... creator Daniel Barron also works for SmoothWall Limited. In my early testing of this custom addon I found it slowing my browsing experience dramatically, to frustrating levels. This was largely due to running it on an old PII 200MHz box with about 64MB RAM. The CPU was continually getting pegged! I found no reason for the torture as the kids were still too young to get into trouble... so needless to say I turned it off. Since then various other addons and updates have prevented the Dansguardian addon from even functioning.
I mentioned in a previous blog that I got some appliance hardware to boost my firewalling abilities. I was easily able to just plop my existing SmoothWall hard drive into this mini-ITX box and run the setup to scan for the NICs, and away it went. However, I would need to reinstall Dansguardian, but I was tempted by other forks of SmoothWall; IPCop to be precise. I even did a presentation of IPCop at the last BillingsLUG meeting after only using it for about a week. I was fairly impressed with its out of the box features over SmoothWall; however, Dansguardian was not included. Adding the Cop+ (Dansguardian) addon was rather easy once I understood their GUI way of doing this. They did an awesome job of doing this for non-commandline people. The biggest problem I was facing was that some addons in IPCop were dead, with the worst part being that Cop+ didn't work with the IPCop version I had installed. The Cop+ addon was last tested and confirmed working with 1.4.4 through 1.4.13, and I had installed 1.4.15. Doesn't seem to be that big of a difference, but this latest Cop+ was done back in July of 2005 and 1.4.15 was just released in March 2007. So I thought I'd look for yet another firewall distro.
I didn't give m0n0wall any light of day, but did read into its addon package abilities, which include Dansguardian. Most prided themselves on the lack of features in m0n0wall. After all, it is just a firewall and not a jukebox, eh? Installing Dansguardian is not out of the question with m0n0wall, but you would just not have any integration with the main control panel; this would have been true if I had installed it this way with IPCop too. So no, I didn't even download the iso BUT... one great tip in their list archive pointed me to Endian Firewall (EFW).
At first glance Endian looked like some commercial product with everything I was looking for and more. Truth is, it is a commercial product out of Italy, but there is also an EFW Community version which is provided without their support, naturally, but there is a small community following via an email list.
My first attempt at installing the EFW Community version on my firewall appliance was plagued with problems, and I thought this just would have to happen to me. It booted very slowly, but I didn't think much of it. Then I noticed it trying to boot with an SMP kernel, which soon failed in an endless loop trying to find the USB-connected source DVD drive I was using. (Yes, Scott, I was plagued again by yet another USB problem.) A few days later I decided to try again by moving the target drive into my desktop machine. The bootup zipped by with flying colours! The install was a total success and I plopped it back into the mini-ITX box.
The rest of the installation has to be done remotely, which is sort of a pain as it also needs to be the local DHCP server. It was a little inconvenient to set my IP and route manually to be able to remote in, and sshd is disabled by default. The remainder of the setup was a snap and I also discovered tons more features, including some interesting ones available in neither SmoothWall nor IPCop:

- Web based network setup for Red, Blue, Orange connections (IPCop has this... very similar to iftop)
- SMTP Mail Statistics (not using)
- Mail Queue (not using)
- ClamAV antivirus (nice out of the box feature)
- Traffic Shaping (IPCop has this but I'm not using it)
- Traffic Monitoring (this is ntop... very sweet!)
- Outgoing firewall (on by default but I quickly disabled it. I find this to be very IT Notzie like.)
- Content filter (Dansguardian out of the box! USING)
- Proxy (POP3, SIP, FTP, SMTP, and DNS. All very interesting but not using, except testing the FTP proxy)
- OpenVPN Server (not out of the ordinary, but just thought to mention which VPN it was)
- Firewall Logs (not that the others don't have them... just wanted to point out this has settings to report on different features:
  - Log packets with BAD constellation of TCP Flags
  - Log NEW connections without SYN Flag
  - Log accepted outgoing connections
  - Log portscans (I'm logging this)
  - Log refused packets (was logging this for troubleshooting))
So far the only thing that I have found that the EFW Community version does not seem to have, that SmoothWall and IPCop have out of the box, is a web-based (one-click) updating procedure. Endian profits from their enterprise appliances pre-installed with Endian and from their maintenance subscriptions. Updates are applied to these automatically under their various paid contracts. Some in the community knock Endian, saying you have to download the iso and re-install from scratch in order to upgrade. Then they restore their backup settings, crossing their fingers. Community based updates are totally manual and not available until the packages are created and rolled up. Endian does provide these as tarred RPMs. You just need to extract it to your firewall and, since this is an RPM based distribution, you just run your 'rpm -Uvh' on the extracted updates. I am a fan of RPMs anyway, so this is a plus in my book.
Endian uses the 2.6 kernel, whereas both SmoothWall and IPCop are 2.4 based, with the 2.6 kernel currently in beta releases only. SmoothWall is not using RPM but is a Red Hat 7 cousin. I'm not sure if IPCop is using RPM, but it is a fork from SmoothWall and soon to be driven by Shorewall code, losing the remainder of the SmoothWall code.
Depending on how my love of EFW Community goes, I may go back to SmoothWall Express. The development from this community seems to be picking up again after what seems to have been years of little progress.