Smoothwall or Firewall?
Deviant
12-11-2002, 07:26 AM
What are the benefits of having a smoothwall over a firewall?
Why should you need a second computer for it? It's just software isn't it?
from my understanding,
a hardware firewall is a device which can do many things more and give you better security than software can.
a smoothwall is just a cheap way of doing it, same like a printer server, you can use an old 100MHz PC or buy a little 10x15x3cm printer server.
The thing with say using a smoothwall is that your computer IP address is not accessible, whereas with say running software firewall on your computer you can still pick up your IP address if you were on the outside.
also, you save a % of your CPU processing cause another computer does it for you.
"The main difference is a hardware firewall is a separate hardware unit that blocks attempts before they enter the system/network and a software firewall sits in the back of a system and reacts when an attempt has been made. A software firewall is no match for a hardware appliance's performance. "
whetu
12-11-2002, 09:22 AM
Originally posted by Deviant
What are the benefits of having a smoothwall over a firewall?
Why should you need a second computer for it? It's just software isn't it?
1) silly question, smoothwall IS a firewall, it's like asking "what's better? smoothwall or smoothwall?" or "what's better? firewall or firewall?" ;) Sorry to be just a little pedantic.
2) one of the intentions of smoothwall was to provide a cheap, if not free, alternative to Cisco hardware firewalls. The idea was, a network admin could dig up some old company hardware, install smoothwall, and save the company 4 or 5 digits... not such a silly idea now is it :D
3) it's not just software, it's a stripped down Linux distribution that has been tailored specifically for use as an "internet firewall appliance". So basically it is an OS in its own right.
a hardware firewall is a device which can do many things more and give you better security than software can.
yup, basically host-based firewalls only give a limited level of protection... a system admin worth his teeth could secure a fresh OS install better than say blackice could. Another goal of the smoothwall team was to make smoothwall as easy to use as possible, and they really hit the nail on the head here. It's basically set and forget, I can't say the same for the pack of lesser software firewalls.
"The main difference is a hardware firewall is a separate hardware unit that blocks attempts before they enter the system/network and a software firewall sits in the back of a system and reacts when an attempt has been made. A software firewall is no match for a hardware appliance's performance."
couldn't have said it better myself.
Also, smoothwall is by far a superior option if you are running servers etc as it provides a demilitarized zone. Basically put, smoothwall has up to 3 networks running on it.
The red network is the untrusted/insecure network eg the Internet.
The green network is the trusted network, eg your internal lan, and is the network to be protected.
The optional orange network is for servers that are to be accessed by outside sources, such as a webserver or internet games server. The orange and green networks cannot intercommunicate, protecting the green network.
And the reason I went to smoothwall in the first place... it doesn't interfere with lan traffic at all. not a bit. I don't have to shut down a cute software firewall every time I go to a lan, I don't have to create rules to allow others on a permanent lan to access my shares etc. That was my major beef with NIS way back when.. it blocked network traffic and prevented ICS from working properly... NIS2k3 is significantly improved in these areas, but it's too late.
The set and forget smoothwall box wins.
Geek4Life
12-11-2002, 07:56 PM
Originally posted by whetu
Also, smoothwall is by far a superior option if you are running servers etc as it provides a demilitarized zone. Basically put, smoothwall has up to 3 networks running on it.
The red network is the untrusted/insecure network eg the Internet.
The green network is the trusted network, eg your internal lan, and is the network to be protected.
The optional orange network is for servers that are to be accessed by outside sources, such as a webserver or internet games server. The orange and green networks cannot intercommunicate, protecting the green network.
So from what you're saying whetu the orange and green networks can not intercommunicate. So this would mean that I can't be sitting at my normal computer and update the website on the webserver. So what is the point in having a webserver if you can change the stuff on it?
KingJackal
12-11-2002, 08:02 PM
Being a UC COSC student ( the UC COSC department is basically one big Linux-nazi convention ;) ), I've been lectured several times over the EVILS OF SMOOTHWALL.
Yes Whetu, I said the:
EVILS OF SMOOTHWALL
Apparently many of the controlling programmers are rather anti-GPL, which of course puts them in a bad light with many. The alternative is a similar distribution ( which apparently isn't anti-GPL.... ) called IP-COP (http://www.ipcop.org/).
*shrugs*
Of course, I don't use either ATM, soo......
:D
whetu
12-11-2002, 09:21 PM
hehe misinformed kj ;)
smoothwall started out GPL.
smoothwall branched into a semi-closed source corporate version (www.smoothwall.co.uk), and its free taster version (current name "smoothwall lite") which I dont know the GPL status of as its still in development... The present stable release (0.9.9se) of the freebie version IS GPL (www.smoothwall.org), hell its even called "Smoothwall GPL".
IPcop is commonly referred to as a fork of smoothwall, its a bunch of non-core junior smoothwall devs who had a bit of a disagreement with the boss (who is an arsehole when he doesnt get his way, or disagrees with you) and they went off, took the smoothwall source that was open and free for everyone to grab under the GPL from the smoothwall ftp. They changed a couple of images (namely replacing smoothie the polar bear with a faggy version of tux hiding behind a cop's badge), they slapped their names on it and released it! No mention anywhere to the original authors.. none.. at all... zilch. http://www.smoothwall.org/home/articles/dickmorrell/20020322.time.html So its not really a fork, its a GPL-defying RIPOFF.
So where exactly is smoothwall evil in gpl terms? They've always been pro-open source... just that the whole ipcop debacle has proven to them that the GPL doesn't really mean jack in all instances... In reality it's Ipcop that should be the evil one in regards to the gpl...
Apparently many of the controlling programmers are rather anti-GPL, which of course puts them in a bad light with many.
http://www.smoothwall.org/team/ take a lookie through there.. there's a whole lot of nix/alternative-OS guys at the core of it all.. whether or not they like or dislike the GPL itself is irrelevant... and given that they've been producing and supporting a GPL'd product for so long... really... nuff said...
tell your comrades to get some stories straight ;)
hehe.. you just gotta laff at this smoothwall dev tho
http://www.smoothwall.org/download/images/team/williamanderson.thumb.jpg
what a picture! :D http://www.smoothwall.org/team/core/williamanderson.html :)
KingJackal
12-11-2002, 09:31 PM
True, the lack of acknowledgement of the original smoothwall dev's is pretty d@mn scabby. ( and I didn't realise that, thanks for the headsup )
But doesn't that story show Smoothwall to be anti-GPL?
After all, they're making a closed-source commercial version. Are we to believe that they re-typed every last line of that OS's code, so that they can use it outside the GPL? Are we to believe that they'll continue to update the GPL version as frequently now that they can spend their time on a version that actually makes them money?
:confused:
whetu
12-11-2002, 09:39 PM
Originally posted by KingJackal
But doesn't that story show Smoothwall to be anti-GPL?
Not particularly anti-gpl... perhaps... "experienced in the failure of GPL working, so slightly cynical" might be a bit more accurate... you could try emailing the boss richard@linux.com (yeah.. he's "richard@linux.com", that's how long he's been in the linux community) but as I said.. he can get a bit psycho so prepare to have your head bitten off ;)
After all, they're making a closed-source commercial version. Are we to believe that they re-typed every last line of that OS's code, so that they can use it outside the GPL? Are we to believe that they'll continue to update the GPL version as frequently now that they can spend their time on a version that actually makes them money?
:confused:
Semi-closed source.. what they wrote they keep (or release some of it.. modules etc), stuff they borrowed will have kudos placed appropriately and left open source in compliance with the gpl.. they'll continue to update and support the free/lite/possibly-still-gpl-in-the-future version as it's a free taster.. just not at such a fast rate as they used to... they are a security firm... they have issues sorted almost next day.. corporate or gpl version...
KingJackal
12-11-2002, 09:45 PM
But you seem to see the code they wrote as 'their code'.
That's not the case under GPL.
That's in fact kind-of the whole POINT of the GPL - code becomes 'assimilated' as it were into a collective ownership over which no individual can assert control. That's the only reason it works. If you allow code to be controlled by individuals - you wind up with closed software such as is produced by corporates like Microsoft.
And IPCop WAS initially a direct copy of Smoothwall. But they're not standing still - that was just the ( legally fine, as it's GPL ) starting point. They've since made several releases, fixed bugs etc etc.
Smoothwall isn't exactly an age-old trusted dev group that made an OS. They're a 2-year old group of guys that made a whole lot of firewall extensions to a Linux kernel. The vast majority of Smoothwall code was probably never touched by any of the Smoothwall team.
Now it is scummy that IP-Cop don't admit they're an evolved Smoothwall distro. But then, do you see all the Linux kernel devs in this list:
http://www.smoothwall.org/team/
....I don't.....
whetu
12-11-2002, 09:47 PM
this is a topic i've seen argued elsewhere... the response that stopped the arguing was "look at the source"
kudos to linus etc were sitting right there in the source of the kernel, and so forth on each of the modules and so forth and so on. (I have not looked at the source - no need to, so I cannot actually confirm this.. but there was at the time..)
I'm not a big open-source nut, I'm more experienced with NT than nix, so I really dont care either way
At the end of the day I see it as this:
Corporate Product:
Parts they wrote themselves for their corporate product, they decide whether those parts will be open-source released under the gpl, or closed source.
Parts that are borrowed (say, drivers from the manufacturers, the kernel etc) will remain open source, and have their authors given kudos to in compliance with gpl
Lite Product:
Current Stable release: GPL
Future releases: who knows?
whetu
12-11-2002, 09:58 PM
also, I dont consider myself an authority on the matter to be honest.. I'm just going by what I've read on smoothie/ipcop forums, what's been said on the smoothwall mailing list etc...
KingJackal
12-11-2002, 10:01 PM
Meh! I don't really care either way either....
....I was just wondering, as that sort of information generally allows you to tell ( via knowing how committed the devs are ) how good the software is.
I'd be keen to see an IP-Cop vs Smoothwall review. There are several out there - but most are a little older, and were taken when the two distros were virtually identical in functionality. They've ( at least they should have ) diversified by now in terms of their code-base, so I'd be keen to see a slightly-down-the-track comparison.
After all, if I do ever bother setting up a firewall box, I wouldn't want to be stuck with the less-secure option, now would I? ;)
whetu
12-11-2002, 10:05 PM
they are still pretty neck and neck... which is good cos you can read how-to's for hacking extra functionality into one and apply the same hack to the other...
the major difference that I know of is Ipcop has improved transfer speeds with usb dsl modems... only an issue if you plan to use say an Alcatel Stingray on full blooded jetstream... if you are on jetstream starter there will be no diff either way...
maybe one of the smoothie minions (ragnor, sydog, city idiot etc) knows another difference...
KingJackal
12-11-2002, 10:15 PM
The other alternative I see getting a lot of p1mp1ng is Astaro:
http://www.astaro.com/
Mandrakesoft also apparently make a firewall, though it appears to include webserving etc. It also seems a little bloated - requiring a Pentium and 32MB of RAM....
http://www.mandrakesoft.com/products/snf
There's also Gibraltar:
http://www.gibraltar.at/
....though I haven't seen a single person recommend it, so chances are it's the loser OS :p :D
whetu
12-11-2002, 10:28 PM
i looked at the mandrake solution.. bloated and quite a hefty download going into the hundreds of megs.. smoothie and ipcop weigh in at about 23megs an iso...
the other one i've seen pimped is freesco (www.freesco.org)... i gave it 5 minutes of attention and gave up
hehe they are all too easy these days... I remember hacking together my own custom build of LRP (http://www.linuxrouter.org/)
mmm lrp... thems was the days...
Gremlin
12-11-2002, 10:38 PM
psycho so prepare to have your head bitten off
Psycho ? Hell the guy is seriously mentally unstable !
Mandrake SNF has been outdated by MNF for quite a few months now, its been in cooker for a while and is included in Mandrake 9
haytona
13-11-2002, 10:23 AM
heres an analogy stolen from i forget where:
You have some jewellery/cash to protect.
Software Firewall:
Put a lock on the jewellery box.
Hardware Firewall:
Put a locked fence around your house.
With software firewall the intruder already has access to your computer (house). I use zonealarm mainly because it stops spyware/ie phoning home. I also don't get netsend spam and netbios attacks.
whetu
13-11-2002, 11:39 AM
Originally posted by Geek4Life
So from what you're saying whetu the orange and green networks can not intercommunicate. So this would mean that I can't be sitting at my normal computer and update the website on the webserver. So what is the point in having a webserver if you can change the stuff on it?
whoops... made a little booboo there... the orange network cannot access the green network, but the green network CAN access the orange network... the orange network is a demilitarised zone... so yeah
just straightening that up :)
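The corrected zone policy from the post above (green may open connections to orange, orange may not open connections to green), shown as an added example that is not part of the thread and is not Smoothwall's own code. It is a toy stateful filter in Python; the addresses, ports and the single port forward are constructed sample values.

```python
# Added illustration (not Smoothwall code): a toy stateful three-zone filter.
# Zone names follow the thread; addresses and ports are constructed samples.
from dataclasses import dataclass

# Which zone may OPEN a new connection to which other zone.
# green -> orange is allowed, orange -> green is not.
ALLOW_NEW = {
    ("green", "red"),     # LAN machines browsing the Internet
    ("green", "orange"),  # LAN admin updating the DMZ web server
    ("orange", "red"),    # DMZ server reaching the Internet
}
# Assumption: Internet hosts reach orange only through published services.
# Constructed sample: one web server in orange.
PORT_FORWARDS = {("192.168.2.10", 80)}

@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str
    sport: int
    dst_zone: str
    dst: str
    dport: int
    syn: bool = False  # True only for the packet that opens a connection

class ZoneFirewall:
    def __init__(self):
        self.established = set()  # connection-tracking table

    def filter(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # Packets of a tracked connection pass in both directions.
        if flow in self.established or reverse in self.established:
            return "ACCEPT"
        if not p.syn:
            return "DROP"  # no state and not a connection attempt
        allowed = (p.src_zone, p.dst_zone) in ALLOW_NEW
        if p.src_zone == "red" and p.dst_zone == "orange":
            allowed = (p.dst, p.dport) in PORT_FORWARDS
        if allowed:
            self.established.add(flow)
            return "ACCEPT"
        return "DROP"

def demo():
    fw = ZoneFirewall()
    admin, web = "192.168.1.5", "192.168.2.10"
    return [
        fw.filter(Packet("green", admin, 40000, "orange", web, 22, syn=True)),
        fw.filter(Packet("orange", web, 22, "green", admin, 40000)),  # reply
        fw.filter(Packet("orange", web, 41000, "green", admin, 445, syn=True)),
        fw.filter(Packet("red", "203.0.113.7", 50000, "orange", web, 80, syn=True)),
        fw.filter(Packet("red", "203.0.113.7", 50001, "green", admin, 445, syn=True)),
    ]

if __name__ == "__main__":
    print(demo())
```

The second packet is accepted only because the green host opened that connection first; the same web server opening its own connection towards green (third packet) is dropped, which is what keeps a compromised DMZ host away from the LAN.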
KingJackal
13-11-2002, 12:19 PM
Originally posted by haytona
heres an analogy stolen from i forget where:
You have some jewellery/cash to protect.
Software Firewall:
Put a lock on the jewellery box.
Hardware Firewall:
Put a locked fence around your house.
With software firewall the intruder already has access to your computer (house). I use zonealarm mainly because it stops spyware/ie phoning home. I also don't get netsend spam and netbios attacks.
Kind of - but software firewalls do have several advantages over hardware firewalls. They're generally more upgradable and more flexible. Hardware firewall products will generally have good support in the way of firmware patches etc - but it's difficult or impossible to add completely new features, like IPv6, or multicast, or whatever.
varkk
13-11-2002, 12:35 PM
I have both, kind of. Smoothwall doing the firewall/router/NAT thing, and on my personal PC I have Norton personal firewall. And I'm sure I'm not the only one with similar setup...
whetu
14-11-2002, 10:46 AM
yeah.. i'm using NIS for its adblocking/popup blocking.. i have the firewall side of NIS disabled tho
Kind of - but software firewalls do have several advantages over hardware firewalls. They're generally more upgradable and more flexible. Hardware firewall products will generally have good support in the way of firmware patches etc - but it's difficult or impossible to add completely new features, like IPv6, or multicast, or whatever.
and cheapy lunix-based solutions like smoothie, ipcop, freesco etc strike the happy medium in between :)
extremerigman
16-11-2002, 11:57 PM
firewall is the only defence for a network. Ipcop is great. I'm gettin a 486 system to run Ipcop for my up and coming LAN.
If you are a single PC user software is the most logical unless you want to run a network.
topazz
02-03-2003, 10:35 PM
Originally posted by haytona
heres an analogy stolen from i forget where:
You have some jewellery/cash to protect.
Software Firewall:
Put a lock on the jewellery box.
Hardware Firewall:
Put a locked fence around your house.
With software firewall the intruder already has access to your computer (house). I use zonealarm mainly because it stops spyware/ie phoning home. I also don't get netsend spam and netbios attacks.
I have been considering giving my old 486 a new life as a SmoothWall firewall but would like to get some facts right before I dive in.
One thing that I am not sure about is whether SmoothWall can block internet traffic going out like Kerio does. I read somewhere that to prevent and/or intercept programs going out one needs to have a software firewall as well. Is this true?
If it is not true, can SmoothWall be set up to provide alerts on programs wanting to go out, like Kerio does?
extremerigman
02-03-2003, 10:41 PM
A smoothwall can block ports which programs use, smoothwall is not able to know what kind of programs are installed. It basically acts like a wall where you can give or disallow access to certain ports. or sumthing like that :rolleyes:
Ragnor
03-03-2003, 02:03 AM
Originally posted by topazz
I have been considering giving my old 486 a new life as a SmoothWall firewall but would like to get some facts right before I dive in.
One thing that I am not sure about is whether SmoothWall can block internet traffic going out like Kerio does. I read somewhere that to prevent and/or intercept programs going out one needs to have a software firewall as well. Is this true?
If it is not true, can SmoothWall be set up to provide alerts on programs wanting to go out, like Kerio does?
Smoothwall is designed to be like a hardware router.. it does NAT, port forwarding, web proxy.. it does filtering and intrusion detection but on the incoming side.. stopping port scans and DOS attacks etc
You do need to have a software firewall installed as well if you specifically want to control each application's internet access on your client machine
ie: does smoothwall detect windows application X trying to access the internet and popup a warning on your PC.. No it doesn't because that's not what it's designed to do..
I know a few people who run software firewalls on their machines and connect to the internet through a smoothwall box.. I personally think that's overkill.. I'm careful about what I install and I always configure applications to suit myself.. Just using NAT blocks most TCP connections itself
topazz
03-03-2003, 09:39 PM
Thanks for those clarifications, things are a lot more clear now. :)