Koozali.org: home of the SME Server

SMEServer and Smoothwall Comparison

itkiwi

SMEServer and Smoothwall Comparison
« on: April 17, 2005, 06:31:52 PM »
I have been using Smoothwall successfully for about a month, only as a RED and GREEN firewall and proxy server (without webserver or email).  It was only when looking for some server software that I discovered SMEServer, and that it can also act as firewall, webserver, etc.

What are the pros and cons of using a separate box for firewall/web proxy duty, compared with using a single box and having SMEServer do everything for me?

I will use my server mainly as a file server, for backup, family photos, etc. 4 home users. Will also have Apache, PHP and MySQL for web development only.

Thanks for all valued opinions.

arthurhanlon

SMEServer and Smoothwall Comparison
« Reply #1 on: April 17, 2005, 07:56:43 PM »
Hi there,

I can only comment on my experience, but I started off using Smoothwall as a means of Internet sharing on a small home network and let me tell you, for what it is it's a great piece of software. But, and there is always a but, I wanted to run servers also, and the Smoothwall community were screaming that it's a severe security breach to try to convert Smoothwall into any kind of server, although there are how-tos that show you how it's done. This is of course a very valid point, so I looked into getting a dedicated router and placing the Smoothwall machine on the DMZ with SME Server installed; works a treat.

Smoothwall and SME Server are both excellent pieces of work but they are designed for totally different purposes, Smoothwall as a dedicated firewall and SME as an all round home networking solution.

As far as I know, the firewalling capabilities, while being very good on SME, are quite limited (someone correct me if I'm wrong). Therefore, if it's a server solution that you are looking for, then SME + dedicated router as I have done will do the job very, very well; otherwise, keep Smoothwall on that baby and you will have a very secure network indeed.

I'm sure others will be only too happy to contribute and tell you their opinions, but I suppose in the end it all boils down to what tasks you are needing to perform with the little box.

Hope this helps,

Arthur

itkiwi

SMEServer and Smoothwall Comparison
« Reply #2 on: April 17, 2005, 09:38:45 PM »
Thanks Arthur,

I posted this question here expecting to get the "pro SME" side of the story. Let's see what other ideas come up. ;-)

raem
Re: SMEServer and Smoothwall Comparison
« Reply #3 on: April 17, 2005, 10:14:34 PM »
itkiwi

> I will use my server mainly as a file server, for back up, family photos, etc. 4 home users. Will also have Apache, PHP and MySQL for web development only.

SME Server is designed for your type of usage and is also very capable on much larger systems. It already has Apache, PHP & MySQL installed & functional.

SME Server is designed to be easy to use, and non-technical administrators can manage it on a daily basis. Within the GUI interface there is still quite a lot of scope for changing the firewall, both automatically by selecting required services etc., and manually by using port forwarding & other contribs etc. The hard work is done for you by using the GUI options.

Behind the scenes though, using the command line, you have extensive customisation options either by using other contribs or by creating your own code, and changes can be easily undone or reinstated using the templating system.

Opinions will vary of course, i.e. "how secure is secure" and "another product or method is more secure".
I can only say that in 5 years of usage 24/7 the "built in" firewall has never been breached.
The most likely weakness will be the (PHP) application code that you will undoubtedly install on your server, and no server, whether behind dedicated firewalls, a DMZ or whatever, is immune from attack via crappy PHP code exposed to the web.

Put your attention re security towards the real problem, i.e. your web applications.
...

arne
SMEServer and Smoothwall Comparison
« Reply #4 on: April 18, 2005, 03:11:37 AM »
I think it is a question of the type "which are the best, apples or bananas".

I have used the SME server for years in server-only mode, not because I wanted it but because I got an ADSL router modem, with firewall, that I can not avoid.

For a period I experimented with 3 different firewalls: the ADSL router/firewall, then the first gateway firewall, a Smoothwall, the SME server, the chock firewall, Smoothwall number 2 in front of the LAN computers. It gave some kind of an emotional feeling of living in a computer store or a netcafe, with first of all the sound of fans day and night. I think there was even a LAN SME server inside the second Smoothwall for a period. So the days of triple NAT went pretty well until I realized there might be more silent heaters for my apartment.

My next planned project is to try to do nasty things with my adsl modem router, so it will bypass all firewall functions and work in a bridge mode, delivering the external ip direct into my lan.

Should I need a Smoothwall or should it be an SME gate keeper?

Well, the last thing I would think about is that the SME server is not safe enough.

So I think the more correct question would be: should I like to join the user community of the SME server only, or should I like to join the user community of Smoothwall as well?

Since "the days of triple NAT" I have married, so for many other reasons, and for safety reasons, the best choice would be only that single SME gateway server.

If I still had a lot of time and interest in how firewalls really work, well then the Smoothwall user community has a really good community that goes really deep into the firewalls. You can download different customized kernels for firewalling purposes and you can do a lot of things.

The user community around the SME server is really a very strong one, and I will call it "application and usage oriented", concerned with how a server can be used as a whole, and not only one certain detail like the firewalling. The SME server is also in some ways quite different from many other Linux distributions, because it is designed to do a real job, right from the start. In this way the SME server and Smoothwall have something in common, even though they are quite different products.

It is true that "computer security" does not really have so much to do with the firewall itself. The more dangerous things are related to the traffic firewalls are designed to pass through, typically related to web servers, PHP, mail servers, SSH servers, etc. One thing that makes the SME server "safe", as I see it, is that it is quite easy to back up and quite easy to reinstall and restore.

Concerning apples and bananas, it depends much on your appetite, how much computer stuff you want. If you are hungry enough you take them both.

If it is only a question of doing the job, I'm quite sure that the SME server can do that.

By the way, there is also a very nice one, floppyfw or floppyfirewall. You can boot it from a CD, a floppy or a USB stick, and its user society is very strong on Linux kernel firewalling.
http://www.zelow.no/floppyfw/
If it was not for all the other firewalls I would certainly use it, and actually I do, but not every day. At the floppyfw user community, one does not discuss such a "far away thing" like a web proxy. You discuss the kernel. It's not apples, it's not bananas, it's more like an exclusive kind of grapes.

The SME server can for sure do the job, but there is a lot of interesting stuff out there.

Arne.
......

itkiwi

SMEServer and Smoothwall Comparison
« Reply #5 on: April 21, 2005, 01:39:45 PM »
Thanks Arne and Ray. From your replies, you are obviously both quite happy with SMEServer on its own. Like you Arne, I'm also concerned with having 2 PCs running 24/7, the noise, and the power consumption. I'll probably give SMEServer a crack on its own, but I'll also ask the Smoothwall community for their opinions. There is already a chat thread (which has gone off topic). I'll try and steer that back on topic.

Thanks again.  :-)

arne
SMEServer and Smoothwall Comparison
« Reply #6 on: April 21, 2005, 05:19:52 PM »
By the way..., I think for an "ordinary home" a two-PC solution with Smoothwall and SME is a bit of "overkill" when it comes to noise, use of space and power consumption.

On the other hand, I think it is a good solution to use a small and cheap firewall router, like the kind you can buy for 50-100 US dollars, and then locate the SME on the LAN together with the workstations.

This is the solution I use today. Of course the small firewall box could have been a Smoothwall, but for a private home, I think the small box can do an equally good enough job.

This works very well, I think, and there are generally no configuration issues or other problems involved with running the SME as a "server only" on the LAN.

There is actually one thing with that SME server gateway solution, when I remember and think it over...

There are always, sooner or later, some bugs with the server, or something that does not work, possibly because you yourself would like to check out some new software...

Then it is not very practical that all data connections for your whole home will be lost because of that server error.

So if you use a small hardware firewall box that can be reset by just pulling out the power cable, then the errors that appear on the server will only "belong" to the server alone and not all the other PCs in your house.

I think there are many strong and good arguments why a home could need an SME server, like web server, file server, printer server, mail server and so on, but there are not really many good arguments for replacing a small hardware firewall with a PC-based firewall.
......

hordeusr
SMEServer and Smoothwall Comparison
« Reply #7 on: April 21, 2005, 05:52:39 PM »
I have a small home network like you are talking about. I started out with Smoothwall. Then installed SME (I use it at work). I ended up with a wireless-G router and the SME, because I wanted to do wireless with my laptop. I could have gotten an access point, but the cost was nearly the same. The added benefit is that I can play around/reboot the SME server whenever I want to and the internet keeps working. I'll vote for a little router. D-Link, Netgear, SMC, Linksys... take your pick. Mine is a WRT54GS (I think that's the model) running 'aftermarket' firmware... the box runs Linux. Less than 20 bucks for a Linksys BEFSR41 on eBay. Just a simple router with a 4-port switch.

itkiwi

SMEServer and Smoothwall Comparison
« Reply #8 on: April 21, 2005, 09:31:48 PM »
Some good ideas; thanks.

Apart from the number of users, why is my home network any different from a small office network? I have two teenagers downloading who knows what from who knows where, and a Windoze wife who doesn't know one end of a virus from another!

hordeusr
SMEServer and Smoothwall Comparison
« Reply #9 on: April 22, 2005, 08:03:37 PM »
No different from a small office network, except maybe the OS on the workstations. Or at least it doesn't have to be different. I use that same router in our main office and some branch offices. They run non-stop without fail.

Quail_Linux

SMEServer and Smoothwall Comparison
« Reply #10 on: April 22, 2005, 08:16:21 PM »
Hi All,

I have used Smoothwall and it was OK for what it did, but my biggest problem with it was that in the out-of-the-box install, for some reason, the UDP ports were not stealthed. So I changed to IPCop and now I have not looked back, and the UDP ports are stealthed in IPCop.


And this is the way I have my SME Server set up with IPCop:

IPCop has 3 NICs in it (RED, ORANGE and GREEN).
SME Server has 2 NICs: one to the ORANGE NIC on IPCop, and the 2nd NIC is plugged into my switch on the local network.

And there are some good mods for Smoothwall and IPCop that can help protect your children from the horrors of the web; look for DansGuardian.


PS Last-minute edit: IPCop can take a 4th NIC that is called a BLUE zone for wireless networking :-)

HTH

dickmorrell (http://www.dickmorrell.com)
As the founder and creator of SmoothWall...
« Reply #11 on: April 23, 2005, 10:06:47 PM »
As the co-founder and inventor of SmoothWall (born upstairs in my back bedroom) and also as an SME user going back too many years, you need to not confuse the two types of legacy development trees and aims of the projects.

SmoothWall (and IPCop, which until recently was SW just with a skin, until the very nice Mr Alan Hourihane, aided by some talented and intelligent developers, released the 1.4.x tree) are bastion hosts pure and simple, with the ability, unlike almost any other firewall, of supporting a lot of hardware SME can just not support out of the box without pain (ISDN cards, ADSL PCI and USB devices from multiple providers, connection methods from the likes of Telstra Bigpond etc. etc. etc.). However, it's fair to say that SW has long since had its day - it was a time and a place and it was enjoyable, but it's a shadow of where we were, purely down to the evolution of broadband and also cost-effective wireless routers and broadband routers.

When I came up with SmoothWall it was because I couldn't afford to buy a PIX, boxes that I was deploying on the SourceForge architecture that we were building at VA. Its roots were actually in ideas I'd discussed with Dave Sifry pre Linuxcare's conception in 1998/9 with a secure VPN application he was building. The concept was always one where it would be a hardened Linux OS with no Samba, no NFS, no LPD support, support only for Perl libraries, Apache, originally ipchains and netmasq, and the ability to serve DHCP for dial-up and ISDN modems only (we'd never seen cable or Ethernet, and ADSL wasn't something even available). Around the same time I'd worked with Dan York at Linuxcare, who ended up with the SME team at Mitel. Dan had 4.1.2, which was the first SME we'd ever seen.

Both projects shared common ground, and SME even influenced ideas in the 0.9.x tree of SmoothWall (blade updates shaping how Dan Goscomb conceived the webupdate that is standard in SmoothWall and IPCop). Both projects had the dual-NIC approach, except I wanted the ability for multiple interfaces that were more secure and easier to understand (e.g. multiple colours red, orange and green) and Lawrence and a talented young Belgian programmer working with Dan Cuthbert (the guy currently on trial for the supposed DEC hack in the UK that never happened..). I'd have loved for SME to have taken this idea of having multiple NIC support (e.g. pointing DMZ to a unique Ethernet presence rather than simple portfw rules).

Every time anyone requested SW support CUPS or LPD or have more than Squid (which should never ever sit on a firewall, but you have to as a maintainer allow people to influence and do so securely) I'd cringe. The source is there... Just like SME you won't find gcc - if you want it, go forth and multiply and do it yourself with our blessing etc. etc...

Lawrence and I deliberately, from day one, wanted to distance SW to lead the market - which it has. Even Mandrake, who met with us then copied SmoothWall for Linux Mandrake Firewall, screwed up - IPCop are doing a much better job now.

Personally I don't use either product. Both are too vulnerable on the internal interface, both share common security flaws and both have limited lifespans now.

If - when I'd started SW - I could have gone out and bought a hardware firewall/router for $30, would I have invented a concept or seen a gap in the market for a box that costs me $90 a year in electricity to run? Even a Soekris embedded box costs more per year to run than a dedicated box.

For me, I've never ever ever used SW as a proxy server. I have always - even when we started putting Squid on SW - used SME on the inside on port 3128.

Now I use dedicated hardware routers, or when the requirement arises I use m0n0wall, which I also sponsor in the form of bursaries and which is a far more efficient, secure and intelligent web-managed firewall than either SW or IPCop - you can find details of it at http://www.m0n0.ch/wall/

However... if you have sense - whatever firewall you use (and for hardware router firewalls check out the dudes at Edimax, who I use predominantly and who exceed every single pen test and soak hack test I throw at them) - stick with SME on the inside and, if you require, a separate hardware firewall on the outside. With the likes of Charlie Brady around you don't need to be that concerned about your security. I've got good vibes about the future of SME, and combining that with a decent external gateway is my way of keeping my LANs happy.

So for web-based firewalls, move on - m0n0wall or use a hardware device. Far cheaper and more sensible (just less logging).

Richard
...

p-jones
SMEServer and Smoothwall Comparison
« Reply #12 on: April 24, 2005, 11:02:58 AM »
If you are going to adopt a purist approach then your firewall should only be a firewall and it should be a standalone, dedicated appliance. The rationale is simple really. If "intruders" break your firewall they break access to your network at the perimeter only.

Whether that border appliance is Smoothwall, IPCop (my own preference), a smart ADSL router or whatever depends on a lot of factors such as required outcome, budget etc. etc. etc.

Having said that, SMEs (and I guess the SME means Small-Medium Enterprise) cannot always justify the cost of appliances and skills. Maybe the overall value of the server and data is just not that great. There are many valid reasons. Here the SME Server-Gateway fills that gap.

I have successfully deployed several SME Servers in the server gateway configuration. The firewall works very, very well, but yes, as far as I know, there is no one regularly maintaining and updating the firewall rules. There is no DMZ, nor is there a "blue" interface like IPCop has for wireless.

In contrast, IPCop does have firewall rules updated, maybe not as often as they could be but more often than SME. I don't know about Smoothwall - I think they are only available for the paid version or the ultimate nerd who has the skills to hack around with Snort. I might be wrong on this point too. I really didn't stay around with Smoothwall for long because most extra things seemed to require a commercial licence. In contrast, I was able to get HEAPS of help from a large and friendly IPCop list.

I have also deployed several SME Server only - IPCop configurations.

Each has its place. I have a lot of evidence to prove that the SME firewall does provide a very high level of immunity.

Guess at the end of the day, do you want (and have the resources) to adopt the purist approach or a practical approach?

And one last question - are you really a kiwi!!

Rgds
Peter
...

berdie
SMEServer and Smoothwall Comparison
« Reply #13 on: April 24, 2005, 01:08:47 PM »
This is a very interesting thread, I think.
Following the discussion, I have the idea to bring the two worlds together, but on one physical machine.
Wouldn't it be nice to have IPCop as a virtual machine within a User Mode Linux on the SME Server?
This could be the solution when the power consumption and the noise problems are also very important aspects.
What do you think about this?

Rgds.
Dietmar

p-jones
SMEServer and Smoothwall Comparison
« Reply #14 on: April 24, 2005, 01:29:34 PM »
It would always be my preference to dedicate my firewall. If you want to add IPCop as a virtual machine, why not just develop the existing firewall a bit more?? Already there are good instructions on how to add SNORT Guardian to SME, and it's not too hard to update the rules to include other threats.

I assume you are thinking along the lines of VMware. To my mind, it just adds an unnecessary level of complexity to the system.

Given IPCop will run on a PI-100MHz, 32MB and 1GB (or less) and very happily support maybe six users for basic surfing, I prefer to keep my perimeter security separate and have a hot swap on hand. Machines like this can be acquired for a dime a dozen, and wherever possible I believe it should be the first choice.

I guess I am trying to politely say I don't like that idea, and justify that comment with sound technical argument.

I wonder how long it will take for the lions to pounce on me.

Peter
...