Matt Fiddles

Smoothwall

There is both an open source version and a commercial version. This page covers the open source version; the commercial version is described at the bottom.

What works

Smoothwall does the following

  • Link and Load Balancing
    • Bandwidth Management (QoS)
    • Prioritize different types of network traffic
  • Real-time Content Analysis
    • Mobile Filtering clients for Windows, OSX and iOS
    • Anonymous Proxy Blocking
    • Search Term Filtering and Forced Safe-search
  • HTTPS Filtering (it intercepts TLS, so clients get an untrusted-certificate warning unless they trust the filter's own CA certificate)

What I've found:

  • Works well
  • Records traffic
  • Has a web proxy (cache) at the click of a button
  • Good web interface
  • Blocks all traffic except selected traffic
  • QoS
  • But…
    • Logging is per day
    • No filtering service
  • Blocks BitTorrent, even when changing port (yes, I know… terrible).
  • Web cache works, but needs refresh_patterns to really do anything.

Access the Smoothwall web interface with a browser pointed at https://smoothwall:441 (you may have to add the name to your system's hosts file).

Modifications

You can SSH to the Smoothwall host once SSH is enabled under Remote Access in the web interface. It listens on port 222, not 22:

ssh -p 222 root@smoothwall

smoothiemods

Download these to /tmp (using wget) and extract each one over the root filesystem as root:

tar zxvf <name.tar.gz> -C /

Then run /tmp/install.sh if the archive contained one. Since this unpacks whatever paths the tarball carries straight onto / with root privileges, list the archive first (tar tzvf <name.tar.gz>) and make sure it only touches the Smoothwall directories you expect.
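The same procedure as a script, added here as an example rather than taken from the page or from the smoothiemods project. It lists the archive and refuses it if any member is a symlink, an absolute path or contains a ".." component, then does the extract-and-install.sh steps above. The optional second argument (a scratch root instead of /) and the rehearse function are assumptions made so the checks can be tried without touching the firewall.

```sh
#!/bin/sh
# Added example (not from the page, Smoothwall or the smoothiemods project).
# Inspect a smoothiemods tarball before unpacking it over / as root. The
# scratch-root argument and rehearse() are assumptions for this example.

# check_mod ARCHIVE: print the listing; return 0 only if every member is sane.
check_mod() {
    archive="$1"
    listing=$(tar tzvf "$archive") || return 1
    printf '%s\n' "$listing"
    printf '%s\n' "$listing" | awk '
        # tar -tv prints "mode owner size date name"; symlinks end "name -> target"
        $1 ~ /^l/ { print "refusing symlink: " $0 > "/dev/stderr"; bad = 1; next }
        {
            name = $NF
            if (name ~ /^\//)              { print "refusing absolute path: " name > "/dev/stderr"; bad = 1 }
            if (name ~ /(^|\/)\.\.(\/|$)/) { print "refusing traversal: " name > "/dev/stderr"; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# install_mod ARCHIVE [ROOT]: "tar zxvf <name.tar.gz> -C /" plus the
# install.sh step, gated on check_mod. ROOT defaults to / and exists only so
# the procedure can be rehearsed in a scratch directory.
install_mod() {
    archive="$1"
    root="${2:-/}"
    check_mod "$archive" >/dev/null || return 1
    tar xzvf "$archive" -C "$root" || return 1
    if [ -f "$root/tmp/install.sh" ]; then
        sh "$root/tmp/install.sh"
    fi
}

# rehearse: build a constructed archive in a temporary directory, install it
# into a scratch root, then confirm an archive carrying a symlink is refused.
rehearse() {
    t=$(mktemp -d)
    mkdir -p "$t/src/tmp" "$t/src/var/smoothwall/mods" "$t/root"
    echo 'constructed sample file' > "$t/src/var/smoothwall/mods/example.txt"
    printf '#!/bin/sh\ntouch "$(dirname "$0")/installed"\n' > "$t/src/tmp/install.sh"
    (cd "$t/src" && tar czf "$t/good.tgz" tmp var)
    install_mod "$t/good.tgz" "$t/root" >/dev/null || return 1
    [ -f "$t/root/var/smoothwall/mods/example.txt" ] && [ -f "$t/root/tmp/installed" ] || return 1
    ln -s /etc/passwd "$t/src/link"
    (cd "$t/src" && tar czf "$t/bad.tgz" link)
    if check_mod "$t/bad.tgz" >/dev/null 2>&1; then return 1; fi
    rm -rf "$t"
    echo "rehearsal ok"
}
```

On the firewall, run install_mod /tmp/name.tar.gz as root; rehearse only proves, in a temporary directory, that a clean archive installs and a symlink-carrying one is refused.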

Mods from http://sourceforge.net/projects/smoothiemods

  • Captive-Portal-1.0.tgz does not work. Or may require another module.
  • net_scanner-V1.1.tgz ???
  • sw3-proxy-v2.0.tgz works, but not needed?
  • Guardian GAR-3.0a-SWE3.tgz installs, but snort-2.8.4-update.tgz and sw3-updatesnortrules3.tgz do not work, so Guardian does not do anything
    • This is a smoothwall 3.0 problem. Version 3.1 ids works.
  • SW3_Enhanced_FW_Logs-V1.4.3.tgz works beautifully. Gives much more info about logs and blocks
  • sw3-activeblock-V1.0.tgz ???

Squid

See Squid Web Cache and Proxy for more squid tips

Put extra Squid settings in /var/smoothwall/proxy/cache rather than in squid.conf; Smoothwall merges that file into the configuration it regenerates whenever you change something on the web proxy page.

[root@smoothwall]# vi /var/smoothwall/proxy/cache

Apply changes by disabling and then re-enabling the web proxy in the web interface, which rewrites squid.conf from the web settings plus this file. Do not edit squid.conf directly: the next change made through the web interface overwrites it.

Some notable ones to add:

# increase RAM size
cache_mem 256 MB
maximum_object_size_in_memory 512 KB

Don't add any options that are used in the web interface, such as object size or cache size.

By default there is no refresh_pattern, so the cache misses a lot of objects (watch tail -f /var/log/squid/access.log: a TCP_MISS on nearly every request is the symptom). The patterns below increase the amount of cached traffic. Note that override-expire, ignore-no-cache, ignore-no-store and ignore-private tell Squid to disregard what the origin said about cacheability; ignore-private in particular can cache a response meant for one user and hand it to another client behind the same proxy, so keep these options on patterns for static files only and drop them if the proxy fronts sites that deliver personalised content under those extensions. Newer Squid releases have removed some of these options, so check the squid.conf documentation for the Squid version Smoothwall ships before pasting.

# Patterns are tried in order and the first match wins. Times are in minutes.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Static images: min 7 days, max 30 days, overriding the origin's cache headers
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
# Large media: min 30 days, max 300 days
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
# Downloads and documents: min 7 days, max 30 days
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
# Index pages change often: always revalidate
refresh_pattern -i /index\.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
# Everything else
refresh_pattern . 0 40% 40320
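To see whether the patterns above do anything, summarise access.log by file extension and count how many requests were answered from the cache. The functions below are an added example, not code from the page, Smoothwall or Squid; cache_report assumes Squid's default native log layout (time, elapsed, client, code/status, bytes, method, URL, ...), and the lines emitted by sample_log are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the page, Smoothwall or Squid): per-extension hit
# ratio from Squid's native access.log. Field layout assumed:
#   time elapsed client code/status bytes method URL ident peer type
# Usage: cache_report /var/log/squid/access.log   (or feed the log on stdin)
cache_report() {
    awk '
    {
        split($4, st, "/"); code = st[1]            # TCP_MISS, TCP_HIT, ...
        url = $7; sub(/[?#].*$/, "", url)           # drop query string / fragment
        n = split(url, part, "/"); file = part[n]   # last path component
        if (match(file, /\.[^.]+$/))
            ext = tolower(substr(file, RSTART + 1))
        else
            ext = "(none)"
        total[ext]++
        # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, TCP_REFRESH_HIT and friends were
        # answered from the cache without a full fetch from the origin.
        if (code ~ /HIT|REFRESH_UNMODIFIED/) hit[ext]++
    }
    END {
        for (e in total)
            printf "%s %d %d %d%%\n", e, total[e], hit[e] + 0,
                   int(100 * (hit[e] + 0) / total[e])
    }' "$@" | sort
}

# sample_log: constructed log lines (not captured from a real Smoothwall) in
# the native format, so the report can be tried without a proxy: the same
# image fetched three times (two hits) and an index page fetched twice (no hits).
sample_log() {
    cat <<'EOF'
1386230400.101    120 192.168.0.10 TCP_MISS/200 4523 GET http://example.com/img/logo.png - DIRECT/93.184.216.34 image/png
1386230401.202      2 192.168.0.11 TCP_HIT/200 4523 GET http://example.com/img/logo.png - NONE/- image/png
1386230402.303      1 192.168.0.12 TCP_MEM_HIT/200 4523 GET http://example.com/img/logo.png?v=2 - NONE/- image/png
1386230403.404    250 192.168.0.10 TCP_MISS/200 8120 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1386230404.505    240 192.168.0.11 TCP_MISS/200 8120 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
EOF
}
```

Each output line is "extension requests hits hit-percent"; run sample_log | cache_report to see the shape, then cache_report /var/log/squid/access.log on the Smoothwall. An extension that stays at 0% after the patterns are in place is one the patterns are not matching.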

References

Commercial Version

Smoothwall also builds a system for the hospitality sector. It focuses on wireless usability and giving each user a good experience.

Additional modules:

  • Gateway Anti-Malware
computers/firewalls/smoothwall.txt · Last modified: Dec 5, 2013 by Matt Bagley