Matt Fiddles

Smoothwall

There are both an open source version and a commercial version. This page refers to the open source version; the commercial version is covered at the bottom.

What works

Smoothwall does the following:

  • Link and Load Balancing
    • Bandwidth Management (QoS)
    • Prioritize different types of network traffic
  • Real-time Content Analysis
    • Mobile Filtering clients for Windows, OSX and iOS
    • Anonymous Proxy Blocking
    • Search Term Filtering and Forced Safe-search
  • HTTPS Filtering (using a bad certificate)

What I've found:

  • Works well
  • Records traffic
  • Has a web proxy (cache) at the click of a button
  • Good web interface
  • Blocks all traffic except selected traffic
  • QoS
  • But…
    • Logging is per day
    • No filtering service
  • Blocks BitTorrent, even when changing port (yes, I know… terrible).
  • Web cache works, but needs refresh_patterns to really do anything.

Access the Smoothwall web interface with a browser pointed at https://smoothwall:441 (you may have to add an entry for the name smoothwall to your system's hosts file).

Modifications

You can SSH to the Smoothwall host. Make sure SSH is enabled under Remote Access in the web interface first; the SSH daemon listens on port 222, not 22.

ssh -p 222 root@smoothwall

smoothiemods

Download the mod tarballs to /tmp (for example with wget) and extract each one onto the root filesystem:

tar zxvf <name.tar.gz> -C /

Then run /tmp/install.sh, if the archive contained one.
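Because each mod is unpacked over / as root, every member path in the archive lands directly on the running firewall. The script below is an added example, not code from the page or from the smoothiemods project: it lists an archive's members and refuses to extract it when any member is an absolute path or contains a `..` component, and it shows which existing files the mod would replace before anything is written. The function names (`check_members`, `list_overwrites`, `check_mod_tarball`, `install_mod`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page or the smoothiemods project.
# Vets a mod tarball before it is extracted over / as root, the way the
# install steps above do with `tar zxvf <name.tar.gz> -C /`.

# check_members: reads tar member names on stdin; returns 1 if any member
# is an absolute path or contains a '..' path component, 0 otherwise.
check_members() {
    # ERE: path starts with '/', or has a '..' component at start/middle/end
    bad=$(grep -E '(^/|(^|/)\.\.(/|$))' || true)
    if [ -n "$bad" ]; then
        printf 'refusing: unsafe member path(s):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# list_overwrites: reads member names on stdin and prints those that already
# exist as regular files under /, i.e. what the mod would replace.
list_overwrites() {
    while IFS= read -r member; do
        if [ -f "/$member" ]; then
            printf '%s\n' "$member"
        fi
    done
}

# check_mod_tarball: vet an archive on disk; 0 means safe to use with -C /.
check_mod_tarball() {
    archive="$1"
    members=$(tar tzf "$archive") || return 1
    printf '%s\n' "$members" | check_members
}

# install_mod (this example's own wrapper): vet, show overwrites, extract,
# then run /tmp/install.sh if the archive shipped one, as the page describes.
install_mod() {
    archive="$1"
    check_mod_tarball "$archive" || return 1
    echo "Existing files that would be replaced by $archive:"
    tar tzf "$archive" | list_overwrites
    tar zxvf "$archive" -C / || return 1
    if [ -f /tmp/install.sh ]; then
        sh /tmp/install.sh
    fi
}

# Usage: sh vet_mod.sh /tmp/name.tar.gz            (vet only)
#        sh vet_mod.sh /tmp/name.tar.gz --install  (vet, then extract as root)
if [ "$#" -gt 0 ]; then
    case "${2:-}" in
        --install) install_mod "$1" ;;
        *) check_mod_tarball "$1" && echo "ok: $1 contains no unsafe paths" ;;
    esac
fi
```

Run the vet step as an unprivileged user first; only the `--install` path needs root, since it is the one that writes under / and executes the bundled install.sh.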

Mods from http://sourceforge.net/projects/smoothiemods

  • Captive-Portal-1.0.tgz does not work. Or may require another module.
  • net_scanner-V1.1.tgz ???
  • sw3-proxy-v2.0.tgz works, but not needed?
  • Guardian GAR-3.0a-SWE3.tgz installs, but snort-2.8.4-update.tgz and sw3-updatesnortrules3.tgz do not work, so Guardian does not do anything.
    • This is a Smoothwall 3.0 problem; the IDS in version 3.1 works.
  • SW3_Enhanced_FW_Logs-V1.4.3.tgz works beautifully. Gives much more info about logs and blocks.
  • sw3-activeblock-V1.0.tgz ???

Squid

See Squid Web Cache and Proxy for more Squid tips.

Put custom settings in /var/smoothwall/proxy/cache; Smoothwall picks that file up whenever you apply changes on the web proxy page.

[root@smoothwall]# vi /var/smoothwall/proxy/cache

Apply changes by disabling and then re-enabling the web proxy in the web interface. That regenerates squid.conf with the settings from the cache file included. Do not edit squid.conf directly: the web interface rewrites it on every change, so manual edits there are lost.

Some notable ones to add:

# increase RAM size
cache_mem 256 MB
maximum_object_size_in_memory 512 KB

Don't add any options that are used in the web interface, such as object size or cache size.

By default there is no refresh_pattern, so the web cache misses a lot of files (watch the TCP_MISS entries in tail -f /var/log/squid/access.log). Here are a few patterns that can be added to increase the amount of cached traffic.

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320
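Squid tries refresh_pattern rules in file order and uses the first regex that matches the URL, so it is easy to misjudge which rule a given request gets. The script below is an added example, not code from the page or from the Smoothwall or Squid projects: it parses the lines above into Python objects, reports which rule a URL would hit, and lists the rules whose ignore-private and ignore-no-store options make Squid cache responses the origin marked as user-specific. That last point is the caveat on a shared proxy: content cached under those options for one client can be served to another, so keep them confined to the static media patterns shown here. The sample URLs are constructed for the demonstration.

```python
"""Added example (not from the original page or Smoothwall): parse Squid
refresh_pattern lines and show which rule a URL would get.

Squid syntax: refresh_pattern [-i] regex min percent max [options...]
Rules are tried in file order; the first regex that matches the URL wins.
"""
import re
from dataclasses import dataclass

# The refresh_pattern lines given on the page, kept verbatim.
SMOOTHWALL_PATTERNS = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320
"""

# Options that make Squid cache responses the origin said not to share.
PRIVACY_OVERRIDES = frozenset({"ignore-private", "ignore-no-store"})


@dataclass(frozen=True)
class RefreshPattern:
    regex: str
    case_insensitive: bool
    min_minutes: int
    percent: int
    max_minutes: int
    options: tuple

    def matches(self, url: str) -> bool:
        flags = re.IGNORECASE if self.case_insensitive else 0
        # Squid runs the regex unanchored over the whole URL, so search(),
        # not match(); the pattern supplies its own ^ or $ where it wants one.
        return re.search(self.regex, url, flags) is not None


def parse_refresh_patterns(text: str) -> list:
    """Parse refresh_pattern lines; other lines and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] != "refresh_pattern":
            continue
        fields = fields[1:]
        case_insensitive = False
        if fields[0] == "-i":
            case_insensitive = True
            fields = fields[1:]
        regex, min_m, pct, max_m = fields[:4]
        rules.append(RefreshPattern(
            regex=regex,
            case_insensitive=case_insensitive,
            min_minutes=int(min_m),
            percent=int(pct.rstrip("%")),
            max_minutes=int(max_m),
            options=tuple(fields[4:]),   # e.g. override-expire, ignore-private
        ))
    return rules


def rule_for_url(rules, url):
    """Return the first rule whose regex matches url (Squid order), or None."""
    for rule in rules:
        if rule.matches(url):
            return rule
    return None


def privacy_overriding_rules(rules):
    """Rules that will cache Cache-Control: private / no-store responses."""
    return [r for r in rules if PRIVACY_OVERRIDES & set(r.options)]


if __name__ == "__main__":
    rules = parse_refresh_patterns(SMOOTHWALL_PATTERNS)
    # Constructed sample URLs for the demonstration.
    for url in ("http://example.com/logo.png",
                "http://example.com/index.html",
                "http://example.com/x.index.html",
                "ftp://mirror.example/file.iso",
                "http://example.com/api?x=1"):
        hit = rule_for_url(rules, url)
        print(f"{url:36} -> {hit.regex}  "
              f"({hit.min_minutes} {hit.percent}% {hit.max_minutes})")
    print("rules overriding private/no-store:",
          [r.regex for r in privacy_overriding_rules(rules)])
```

Running it shows one quirk worth knowing: http://example.com/index.html does not hit the `\.index.(html|htm)$` rule, because that regex requires a literal dot immediately before `index`; it falls through to the generic `\.(html|htm|css|js)$` rule and gets that rule's 1440/40%/40320 lifetime instead of 0/40%/10080.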

Commercial Version

Smoothwall also sells a commercial build aimed at the hospitality sector. It focuses on wireless usability and giving each user a good experience.

Additional modules:

  • Gateway Anti-Malware
computers/firewalls/smoothwall.txt · Last modified: Dec 5, 2013 by Matt Bagley