
SmoothWall Firewall Review

michael posted more than 12 years ago | from the security-in-a-box dept.

Security 495

ray-x sent in a pointer to a review by c't of the Smoothwall firewall product. c't's reviewer described several flaws in the firewall. We asked Smoothwall for their comments on the review, which are posted below.

Daniel Goscomb, one of the lead developers of Smoothwall, responds:

In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.

The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need for shadow password files; if you have access to the machine to get the passwd file, you are already in as root anyhow.

Secondly, he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he had looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.

He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.

As to the part about user authentication of the CGI scripts: this is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.

I also find it disturbing that the author gave us no room for comment in his article, nor did I see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.

Sincerely,

Daniel Goscomb.
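The symlink point in the response above is easy to settle without taking either side's word for it: a plain `ls -l` reports the mode of the link, while the file pppd or FreeSWAN actually opens is the link's target, so the target is what needs auditing. The following shell script is an added example, not SmoothWall's own code. It assumes GNU coreutils `stat` (`-L` follows symlinks, `-c` selects fields) and builds a constructed fixture directory under `mktemp` instead of touching any real `/etc/ppp` file; the file names `pap-secrets`, `chap-secrets` and `real-secrets` inside that fixture are illustrative only.

```shell
#!/bin/sh
# Added example, not SmoothWall's code. Assumes GNU coreutils stat.

# Mode of the path itself. For a symlink this is always 777 on Linux,
# which is what "ls -l" shows and what a reviewer can misread as a hole.
link_mode() {
    stat -c '%a' "$1"
}

# Mode of whatever the path resolves to: the file a daemon really reads.
target_mode() {
    stat -L -c '%a' "$1"
}

# audit_secret PATH [UID]: succeed only if the resolved file is owned by
# UID (default 0, root) and has no group or other permission bits at all.
audit_secret() {
    path=$1
    want_uid=${2:-0}
    mode=$(stat -L -c '%a' "$path") || return 2
    uid=$(stat -L -c '%u' "$path") || return 2
    # last two octal digits are the group and other bits
    go=${mode#"${mode%??}"}
    if [ "$uid" = "$want_uid" ] && [ "$go" = "00" ]; then
        echo "ok   $path (resolved mode $mode, uid $uid)"
        return 0
    fi
    echo "WEAK $path (resolved mode $mode, uid $uid)"
    return 1
}

# make_fixture: constructed layout mirroring the response: a tightly
# permissioned real file, a symlink to it, and a file that really is
# world-readable. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    printf '# constructed sample, not a real credential\n' > "$dir/real-secrets"
    chmod 600 "$dir/real-secrets"
    ln -s "$dir/real-secrets" "$dir/pap-secrets"
    printf '# constructed sample, not a real credential\n' > "$dir/chap-secrets"
    chmod 644 "$dir/chap-secrets"
    echo "$dir"
}

# Stand-alone run over the fixture, audited as the current user. On a
# real firewall you would pass uid 0 and paths such as /etc/ppp/pap-secrets.
demo() {
    d=$(make_fixture)
    me=$(id -u)
    echo "pap-secrets: link mode $(link_mode "$d/pap-secrets"), target mode $(target_mode "$d/pap-secrets")"
    audit_secret "$d/pap-secrets" "$me"
    audit_secret "$d/chap-secrets" "$me" || :
    rm -rf "$d"
}

demo
```

The symlink shows 777 and the target 600, so the audit passes for `pap-secrets` and fails only for the genuinely world-readable `chap-secrets`. Running the same function against the real paths as root is the check a reviewer or an operator should make before calling the permissions wrong.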


Firewalls (-1)

I.T.R.A.R.K. (533627) | more than 12 years ago | (#2813309)

Software-based firewalls are for pussies and Mac users.

Re:Firewalls (-1)

cyborg_monkey (150790) | more than 12 years ago | (#2813324)

You are the man! Great fp! As a reward, I have added you to my Friends list.

W00H00! (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2813319)

Posta da firsta

Lack of Testing (1, Informative)

Renraku (518261) | more than 12 years ago | (#2813328)

Chalk it up to lack of testing. A firewall developer should let a team of hackers attack, poke, and prod the firewalls before releasing them to either eliminate or minimize vulnerabilities.

Bad Modding (0, Offtopic)

Renraku (518261) | more than 12 years ago | (#2813572)

This is the 3rd time I've been modded down this week for stupid reasons. Being called a troll because I said I had a 56k modem, being modded 3 times as over-rated when no one has modded it before..and being modded as redundant when my post was near the first. This has got to stop.

Re:Bad Modding -1 offtopic (0)

Anonymous Coward | more than 12 years ago | (#2813635)

stop posting obvious and redundant shit.

Can you imagine... (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2813333)

... a Beowulf cluster of these?

Thank you.

--Patrick Bateman, Esq.

Heh (0, Redundant)

CoCo Buckets (184480) | more than 12 years ago | (#2813337)

I think a reviewer just got an electron slap..:)

Daniel Goscomb seems far too complaintent (0, Troll)

byolinux (535260) | more than 12 years ago | (#2813340)

That doesn't seem to be little more than excuse talk to me.

Re:Daniel Goscomb seems far too complaintent ?? (0, Offtopic)

Knightmare (12112) | more than 12 years ago | (#2813403)

I am assuming you meant complacent, if not then this response will make no sense :) To me it would seem kind of hard to be any other way when you are acting as the glue to pre-existing components. Unless you are planning on re-writing/modifying all of them.
How else do you expect him to respond? Well I don't like the way you comply with this 3rd party product that requires your files to be like this!

Re:Daniel Goscomb seems far too complaintent (1, Offtopic)

Supa Mentat (415750) | more than 12 years ago | (#2813422)

I think you mean "That seems to be little more than excuse talk to me." Which is still a weak sentence but at least it gets the proper meaning across.

Re:Daniel Goscomb seems far too complaintent (0)

Anonymous Coward | more than 12 years ago | (#2813428)

"That seems to be little more than excuse talk," is a phrase which means that "that" is mainly excuses, and not much else. What you said was "That doesn't seem to be little more than excuse talk.." which would mean the opposite. Your title ".. seems far to complaintent [sic]" gives the impression that you meant he was just making excuses. If you're going to write one-liners, try to make them clear.

Re:Daniel Goscomb seems far too complacent (2, Insightful)

byolinux (535260) | more than 12 years ago | (#2813517)

Okay, maybe I was a little hasty, but if someone gives you a bad review, and this was a bad review, you should just suck it up.. Imagine Microsoft sending out a press release every time someone at /. gave them a bad review - they'd have to pay Taco to incorporate random-ms.pl

Re:Daniel Goscomb seems far too complacent (1)

wpanderson (67273) | more than 12 years ago | (#2813543)

well it's the only "bad" review we've had out of a raft of them, so go figure ...

Re:Daniel Goscomb seems far too complacent (1)

byolinux (535260) | more than 12 years ago | (#2813576)

I agreed that it was a bad review... but at the same time, I think he was being overly complacent.

ouch (-1, Redundant)

global_diffusion (540737) | more than 12 years ago | (#2813349)

looks like someone got told.

Smoothwall Firewall (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2813356)

Guys,
Should I put one of these firewalls in to protect my Linux beowulf cluster?

I don't want anybody who is not authorized to play with my cluster.

Smoothwall is Great! (5, Interesting)

beezly (197427) | more than 12 years ago | (#2813364)

I've been using Smoothwall for a while now. I'm extremely satisfied with it. I've hand crafted firewalls in the past and I decided to give it a try to ease the burden, and it has more than filled the shoes of the things I manually configured before.

It's secure, featureful and easy to configure - what more could you want?

Re:Smoothwall is Great! (0, Flamebait)

Anonymous Coward | more than 12 years ago | (#2813396)

"I've hand crafted firewalls in the past [...]"

Let me guess: you carved the fucking chassis out of the finest walnut, right?

Re:Smoothwall is Great! (2, Funny)

beezly (197427) | more than 12 years ago | (#2813461)

Walnut? Don't be daft; what use would a walnut firewall be?

Re:Smoothwall is Great! (0)

Anonymous Coward | more than 12 years ago | (#2813484)

It would look great in my personal library.

Re:Smoothwall is Great! (4, Interesting)

DaveJay (133437) | more than 12 years ago | (#2813441)

I, too, found it extremely easy to configure. I have been using it, and appreciate the availability of it.

Ultimately, though, this is a very interesting notation by Daniel:

>"...nor did i see anything to suggest he had even asked us about these so called "problems"."

In the review, the reviewer actually states:

>"My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment (sic)."

The reviewer apparently did attempt to have a dialogue with one of the developers, and was rebuffed (apparently impolitely). I have had a similar experience with at least one SmoothWall developer behaving somewhat less than tactfully.

If the reviewer is wrong about the security issues, the development team may feel justified in treating him thusly -- At the same time, I sincerely hope that the development team keeps a reasonably open ear in case a legitimate bug is discovered.

Re:Smoothwall Sucks. (0, Interesting)

Anonymous Coward | more than 12 years ago | (#2813458)

the point is that smoothwall is NOT SECURE. it does stupid things because according to the developers the daemons concerned require it to be that way. that's just STUPID. those daemons are GPLed. how long does it take to add a small encryption routine to a piece of GPLed source? it's trivial and the developers deserve to be bitchslapped HARD for this STUPID RESPONSE to a perfectly valid article.

Re:Smoothwall is GREAT (1)

A.MacGyver (549688) | more than 12 years ago | (#2813604)

Understand that developers REFUSE to let other people's code into the product for security purposes, without it being reviewed and thoroughly tested.

The developers WRITE the code..

MacGyver

The review is full of crap.. (0, Redundant)

ReD-MaN (27321) | more than 12 years ago | (#2813366)

Any moron who doesn't do research before doing a review needs a kick in the a**. Any faults pointed out by the reviewer are not the smoothwall team's fault.

Any real Linux user would know the facts. All it does is make this guy out to be a moron.

Re:The review is full of crap.. (0)

Anonymous Coward | more than 12 years ago | (#2813462)

Yes, i think that was established in the response by the company. Way to go Captain Obvious!

Re:The review is full of crap.. (0, Troll)

Anonymous Coward | more than 12 years ago | (#2813473)

What, chicken to post in anything but anonymous mode? Loser.

Re:The smoothwall team is full of crap.. (0)

Anonymous Coward | more than 12 years ago | (#2813469)

those faults ARE the fault of the smoothwall team. they could easily modify the daemons concerned to be more secure instead of whining about the default configuration and leaving passwords in cleartext.

research (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2813367)

The author has to do his homework before posting such a review.

Re:research (0, Offtopic)

global_diffusion (540737) | more than 12 years ago | (#2813385)

Here here! (or is it 'hear hear'?)

sharethenet (4, Offtopic)

graveyhead (210996) | more than 12 years ago | (#2813372)

For an affordable, very easy to configure, and speedy (excellent performance on my 386/33 with 8mb ram) firewall/gateway, you just can't beat sharethenet [sharethenet.com] . I had it up and running in 1/2 hour, and there is almost no performance difference when I have my cable modem hooked up directly to my speedy p3 desktop. It "embeds" linux by loading it from a floppy onto a ram disk. If you get hacked, simply restart your machine, and you are back to factory settings. Downside is you need dedicated hardware, but OTOH, that hardware can be very old and still perform.

G.O.A.T.S.E. (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2813433)

Ladies and gentleman, put our hands together for the largest ass on the Internet [goatse.cx]

G to the izz-O, A to the izz-T, S to the izz-E

Welcome ladies and gentlemen to the 8th wonder of the world
The ass of the century, oh it's timeless, GOATSE! [goatse.cx]
Thanks for clicking that link
You coulda been anywhere on the web
But you're here with me
I appreciate that...

G to the izz-O, A to the izz-T, S to the izz-E

Reading drivel on that press release 'bout VA (Linux)
Was wondern' why they changed their names
Dumped that dirt cheap stock, through with them
If I worked there, I'd quit, no way I'd work for them
Wasn't born a coder, I just make fun of em'

G to the izz-O, A to the izz-T, S to the izz-E

Porno for freezy keeps my hard drive so sleasy
Can't leave Everquest alone, the game needs me
Hex editing my name into VB progs, it ain't easy
Slashdot wanna IP block me, I get a proxy
And somehow, I beat the lameness filter like Rocky

G to the izz-O, A to the izz-T, S to the izz-E

Not guilty, he who mods me down is not real to me
Therefore he doesn't exist
So poof... vamoose son of a bitch

[Chorus]
G to the izz-O, A to the izz-T, S to the izz-E
Reading drivel on that press release 'bout VA (Linux)
G to the izz-O, A to the izz-T, S to the izz-E
That's the anthem get'cha damn hands up
G to the izz-O, A to the izz-T, S to the izz-E
Not guilty ya'll got-ta feel me
G to the izz-O, A to the izz-T, S to the izz-E
That's the anthem get'cha damn hands UP!

Holla at me...
I do this for the posters
To let 'em know what enlarged ass look like... when they shoulda looked at that link closer
Show 'em how to avoid a room full 'o taco snot coaxers
Get some good trolls in before the story's over
Posts with redirect goatse links [yahoo.com] even get modded up
I'm dissin JonKatz for those 15-year-old boys he seems to have a crush
Pay for premium Slashdot? You gotta be kidding us
If /. ain't profitable, pimp your boy whores for mo' bucks

[Chorus]
Yeah...
GOATSE [goatse.cx] is back, trollin' parody of rap
Go on, click that link, view the crater in that crack
Like I told you sell boys, no
JonKatz does that so hopefully you won't have to go through that
I was raised on Windows, point and click
If you don't like that, you can suck my dick
Got an X10 [x10.com] camera, focused on my ass
Wanna see the picture? PayPal [paypal.com] me some cash
Threshold under 0, why I got it so low?
Save good trolls on my disk, watchin' all the time for more
So you know I seen it all before
I seen redundant on karma whores when their link post was too late
Crapfloods and mod downs, the two things I hate
A good troll modded up, the two things is great

G to the izz-O, A to the izz-T, S to the izz-E

What else can I say about Slashdot [journ.com] , it'll turn a man gay

[Chorus]
G to the izz-O, A to the izz-T, S to the izz-E
(4x to fade out)

The above has been brought to you by the fine folks of Frost Pist Brewery [geocities.com] . Frost Pist Beer - Always ICE BREWED for a THICK head.

Re:sharethenet (2, Interesting)

mrpotato (97715) | more than 12 years ago | (#2813459)

[...] but OTOH, that hardware can be very old and still perform.

True. I have a 486/33MHz acting as a router for 5 computers, and at 250 kb/s download using cable-modem the cpu usage is around 15-20% only.

Using ADSL and PPPoE, though, I used to get much worse performance, the cpu being used at 95-100% for 100kb/s download.

Re:sharethenet (2, Interesting)

karnal (22275) | more than 12 years ago | (#2813522)

I've recently been using a similar product (except $free as in beer) called BBIagent... or is it BBIagent.net? not sure...

You go to BBIagent.net's page, and then proceed to answer a few questions about the machine you'll be using as the gateway (NICs for WAN, LAN etc). Also, it has a built in proxy DNS and built in DHCP serving, so it can replace any firewall you have.

The only extra support I'd like to see is a dial-up option (I have a dial-up line I dial into to make sure the links are up etc, and would like to run it on this same box)... But, it has basic QoS, Port Forwarding, and access controls!

What more can you ask for than free? :)

Re:sharethenet (3, Insightful)

shani (1674) | more than 12 years ago | (#2813609)

If you get hacked, simply restart your machine, and you are back to factory settings.

And are hacked again in 15 minutes.

This is why computer forensics [honeynet.org] are important.

Typical Developer Reaction (1, Troll)

tthomas48 (180798) | more than 12 years ago | (#2813373)

Do they teach this response when pursuing a Computer Science degree? "Obviously you can't do it, because I can't think of how to do it." Sheesh.

Response (4, Informative)

wpanderson (67273) | more than 12 years ago | (#2813374)

we have an article taking what dang has said along with our comments on the way the article author behaved when collecting his "evidence" ...

our response [smoothwall.org]

Keep Trollin' Baby (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2813532)

Keep Trollin' Baby

[Hmm, yeah. This just one of them days when yo' ass just wanna chill out and troll and them motherfucking moderators be all in yo' ear and shit, yknowhatI'msayin? Or that naggin bitch, that just like to hear herself talk blowin all yo' troll away. Now that's some fucked up shit, heh but it happens, yknowhatI'msayin?]

Note: to the beat of Limp Bizkit's [limpbizkit.com] "Rollin'" [limpsite.com] .

Chocolate Starfish and the Hot Dog Flavored Water

Trollin' (Crapflood Vehicle)

Alright partner
Keep on trollin' baby
You know what time it is

Throw your hands up
Ladies and gentlement
Chocolate Starfish
Keep on trolling baby

Move in, now move out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now
Breath in, now breath out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now

Keep trollin' trollin' trollin' trollin'
What?
Keep trollin' trollin' trollin' trollin'
Come on!
Keep trollin' trollin' trollin' trollin'
Yeah

Now I know y'all be lovin' this post right here
Anonymous Coward is right here
People in the house put them hands in the air
Cuz if you don't care, then we don't care
1 2 3 times two to the six
Jolts in for your fix with the Goatse [goatse.cx] mix
So where the fuck you at?
Punk, shut the fuck up
And back the fuck up
While we fuck this website up

Throw your hands up

Move in, now move out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now
Breath in, now breath out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now

Keep trollin' trollin' trollin' trollin'
What?
Keep trollin' trollin' trollin' trollin'
Come on
Keep trollin' trollin' trollin' trollin'
Yeah

You wanna mess with Anonymous Coward? (Yeah)
You cant mess with Anonymous Coward (why?)
Because we get it on (when?)
Troll Tuesday, [donthavelinkyet.com] all day and night (oh)
See this troll thing right here? (uh huh)
Well we're doing it all the time (what?)
So you'd better get some better moderators
And uh, get some better filters (d'oh!)
We got the proxy set
So don't complain yet
24/7 never begging for a raincheck
Old school trollers passing out the crapflood
That annoying shit
And bounce in the timeout pit

Throw your hands up

Move in, now move out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now
Breath in, now breath out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now

Keep trollin' trollin' trollin' trollin'
Come on
Keep trollin' trollin' trollin' trollin'
What?
Keep trollin' trollin' trollin' trollin'
Yeah

Hey trolls
Hey flamebaiters
And the people that don't give a fuck
All the WIPOs
All the CmdrTacos
And all the people that call themselves players
Ass reamers
Taco-snotters
And the people rolling up in caddies
Hey crapflooders
Hip offtopicers
And trolls all around the world

Move in, now move out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now
Breath in, now breath out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now

Keep trollin' trollin' trollin' trollin'
Yeah
Keep trollin' trollin' trollin' trollin'
What?
Keep trollin' trollin' trollin' trollin'
Come on

Move in, now move out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now
Breath in, now breath out
Hands up, now hands down
Back up, back up
Tell me what you're gonna do now

Keep trollin' trollin' trollin' trollin'
What?
Keep trollin' trollin' trollin' trollin'
Come on
Keep trollin' trollin' trollin' trollin'
Yeah

this really surprises me... (3, Insightful)

snake_dad (311844) | more than 12 years ago | (#2813376)

as c't is (imho of course) a much respected magazine, and normally I would call it a trustworthy source. I would certainly not expect them to publish such a damaging article without giving the authors of Smoothwall a chance to comment on the findings.

Smoothwall & GPL (5, Insightful)

johnburton (21870) | more than 12 years ago | (#2813380)

I used smoothwall for a short time to evaluate it and technically it looked like quite a nice product, but then I started reading about the attitude of its creator to the GPL.

Now I'm happy for people to write GPL software if they like, and I'm happy for people to write commercial software if they like, but smoothwall seems to want to get the benefits of both.

They seem to want to make free use of other people's work through the GPL, but to feel free to only release parts of their software commercially. I'm not claiming they are breaking the GPL or anything, but there seems something very unfair about their approach.

Also if you get the GPL edition, there are all kinds of requests on the web site that you donate money to them: "SmoothWall developers have kids and families too, and it's all about giving back to the people who helped you." And yet I would guess that about 90% of what they are giving out was written by other people, and they don't suggest they are going to give 90% of their donations to them.

Again, nothing wrong with that, I just don't much like it.

Basically I suggest that people look at their web site, and search the internet for comments about the creators of this software and how unhappy some people are with them before they go and use it.

Re:Smoothwall & GPL (1)

ReD-MaN (27321) | more than 12 years ago | (#2813408)

Well how would you feel if you spent all your money to fund a project? And then, when you lost your normal full-time job, and decided to make a business out of what had been your hobby, how would you go about doing it?

I see nothing wrong with the way they play their cards, and I do not blame Richard Morrell for his anger at times.

Re:Smoothwall & GPL (2)

johnburton (21870) | more than 12 years ago | (#2813451)

Yeah well I didn't say he'd done anything *wrong*, I just wanted to warn people that he's attracted an awful lot of negative publicity in the past for his comments on the gpl, the ownership of his software and on people changing it as they like (as the GPL allows - as he was relying on to allow him to make some money this way).

Re:Smoothwall & GPL (0, Flamebait)

hellcore (549684) | more than 12 years ago | (#2813501)

Most of the opinions of Richard get twisted somewhat; he has no problem with the enthusiast tinkering with Smoothwall. He does have a problem when people come in waving the GPL flag demanding support to fix the box THEY broke. They are not customers, they are not entitled to anything and they should have at least the decency to read the available documentation. If you have experienced first hand the rudeness of certain users then you might understand his frustrations.

Re:Smoothwall & GPL (2)

johnburton (21870) | more than 12 years ago | (#2813556)

Yeah I understand that.

And in case my comments came over as too negative earlier, this *is* a good piece of software which is certainly worthy of consideration if you have an old PC to use as a firewall.

Re:Smoothwall & GPL (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2813492)

i would feel like an IDIOT if i did that. if you make a business out of it you should be SHOT. you're a disgrace to the friggin gene pool.

Re:Smoothwall & GPL (0)

luckykaa (134517) | more than 12 years ago | (#2813614)

To be fair, it's only Richard Morrell who is the pain. The other people involved are just obliged to stick up for their friend. Some of the team have been very helpful and diplomatic on uk.comp.os.linux, even after some quite nasty hostility towards them.

Sexist behaviour @ SmoothWall (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2813381)

This photo [smoothwall.info] of a woman's chest is highly inappropriate for a commercial firm.

Re:Sexist behaviour @ SmoothWall (-1, Offtopic)

wpanderson (67273) | more than 12 years ago | (#2813388)

LOL ;)

Old debate...? (5, Insightful)

mwalker (66677) | more than 12 years ago | (#2813406)

This debate seems to be over whether Smoothwall was designed to secure against attack from outside your DSL dialup or against attack from the inside. Shadow passwords are meant to provide a safeguard against dictionary attacks from logged-in users on a multiuser system. c't's complaint that there is no shadow password on a single-user system is valid, if you're worried about people in your own house trying to hack into your firewall.

It is true that internal security against logged in users can help defeat attackers who can only partially penetrate external defenses. If, for instance, you can only use a CGI bug to get ahold of the passwd file, you can leverage this with a dictionary attack if shadowing isn't installed. Provided you can disable the packet filter and attempt to login as root externally once you have the password... or even use an su type exploit from your original CGI bug. Either way, there are a lot of large corporations with bigger security holes than this.

However, to claim that his review "shattered the illusion" of Smoothwall being a complete solution for home users is complete hyperbole. A home user who is trying to secure himself from internal attack from other logged in users in his house is probably pretty savvy in the first place and also has bigger problems. If the purpose of this product is to have a CD you can ship to your parents to secure their DSL line against script Kiddiez and Hotmail's Traceroute function, then Smoothwall sounds to me like an outstanding effort.

c't: Two demerits.
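Whatever one thinks of the threat model argued in this post, the underlying fact (whether password hashes sit in the world-readable passwd file or are deferred to a shadow file) can be checked in seconds. The script below is an added example, not from the page, from c't or from SmoothWall; it runs under POSIX sh and constructs its own sample passwd-format file with an obviously fake hash rather than reading a real `/etc/passwd`. It goes slightly beyond the post by also flagging entries with an empty password field, which no shadow file would help with.

```shell
#!/bin/sh
# Added example, not SmoothWall's code: report accounts in a passwd-format
# file whose hash is kept in the file itself instead of a shadow file, plus
# accounts whose password field is empty.

# unshadowed_accounts FILE: prints one "user:problem" line per offending
# entry; returns 0 when the file is clean, 1 otherwise.
unshadowed_accounts() {
    found=0
    while IFS=: read -r user pw rest; do
        # skip blank lines and comments
        case "$user" in ''|'#'*) continue ;; esac
        case "$pw" in
            x|'*'|'!'|'!!') ;;                         # shadowed or locked
            '') echo "$user:empty-password"; found=1 ;;
            *)  echo "$user:hash-in-passwd";  found=1 ;;
        esac
    done < "$1"
    return "$found"
}

# make_passwd_fixture: constructed sample file (the hash is not real).
# Prints the file path.
make_passwd_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
legacy:$1$constructed$NOTAREALHASHNOTAREALHASH:500:500:Legacy:/home/legacy:/bin/sh
guest::501:501:Guest:/home/guest:/bin/sh
EOF
    echo "$f"
}

# Stand-alone run over the fixture. On a real system you would point
# unshadowed_accounts at /etc/passwd and, if it reports anything, move the
# hashes into /etc/shadow (pwconv on most Linux distributions).
demo() {
    f=$(make_passwd_fixture)
    echo "Auditing constructed sample $f:"
    if unshadowed_accounts "$f"; then
        echo "clean: every account is shadowed or locked"
    else
        echo "-> hashes or empty passwords exposed; move them to a shadow file"
    fi
    rm -f "$f"
}

demo
```

On the sample the audit reports `legacy:hash-in-passwd` and `guest:empty-password` and nothing for `root` or `nobody`. Whether a reader sides with the reviewer or with the developers, the check separates the factual question (are hashes exposed?) from the argument about who could read the file.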

Re:Old debate...? (1)

sirsnork (530512) | more than 12 years ago | (#2813499)

To address your first point. It seems to me that there is only 1 user defined in /etc/passwd and that user is root. So the comment was correct. Assuming the only 2 ways to get into this box are by hacking one of the services or logging in as root. In either case the hacker will have root access and so either has the password (if they logged in), or have no need for it (if for example they added a /bin/bash line to inetd.conf)

Re:Old debate...? (4, Informative)

strags (209606) | more than 12 years ago | (#2813509)

This debate seems to be over whether Smoothwall was designed to secure against attack from outside your DSL dialup or against attack from the inside. Shadow passwords are meant to provide a safeguard against dictionary attacks from logged-in users on a multiuser system. c't's complaint that there is no shadow password on a single-user system is valid, if you're worried about people in your own house trying to hack into your firewall.

From what I understand, even a user in your own house wouldn't be able to get at the password file, since only the root account (which one would assume is password protected) has access to a shell. This isn't a multiuser system that people log into.

(This is my understanding from what I've read - I've never used SmoothWall - please correct me if I'm mistaken).

Re:Old debate...? (0)

Anonymous Coward | more than 12 years ago | (#2813523)

NO. a firewall should BE AS SECURE AS POSSIBLE. it doesn't matter if it's a multiuser system or it has only 1 account -- DESIGN SECURITY INTO EVERY LEVEL OF THE SYSTEM.
just because corporates might have less security than this is not an excuse. acting like an idiot in front of other bigger idiots doesn't make you smart.
you have to secure every component of a system in order to have a secure system.

Re:Old debate...? (1)

jonestor (443666) | more than 12 years ago | (#2813535)

> If the purpose of this product is have a CD you can ship to your parents to secure their DSL line against script Kiddiez and Hotmail's Traceroute function, then Smoothwall sounds to me like an outstanding effort.

Excuse my dumbassity, but what's "Hotmail's Traceroute function"?

Re:Old debate...? (4, Insightful)

RC514 (546181) | more than 12 years ago | (#2813537)

A false sense of security is worse than no security.

Even if no users other than root should ever be able to log in to the firewall, there is a reason to carefully set file permissions: Just like on a server, the services running should do so under their private username. That is to prevent a security related bug (aka vulnerability) from compromising the whole system. This is obviously less important on a router/firewall where services are only provided to the inside, but the attitude shown by the authors of Smoothwall certainly destroys my confidence in their general ability to provide a secure system.

Then there is the false discrimination between inside and outside: Especially when you deal with "non-techie" users you have to expect their systems to become infected by the latest worms and viruses. This opens the possibility of attacks from the inside which really are attacks from the outside. Granted, that is a remote possibility and if it happens, you have bigger problems than firewall file permissions, but it is still not understandable how an easy to fix thing like this is completely ignored. The German review makes it quite clear that the attitude of the firewall authors played a big part in the thumbs-down.

Re:Old debate...? (0)

Anonymous Coward | more than 12 years ago | (#2813558)

If there is only one user, root, what does it matter if there are shadow passwords or not? If you can leverage the passwd file, you can leverage the shadow file, and run a dictionary against it.

running CGI's as root ? great idea huh (3, Interesting)

zzzeek (43830) | more than 12 years ago | (#2813412)

He says shadow files are irrelevant as the box has only one account, root. Whatever happened to rule #1 of having your web server and CGIs run as a different user?

Re:running CGI's as root ? great idea huh (0)

Anonymous Coward | more than 12 years ago | (#2813440)

They run as user nobody... it says 1 user with access to the shell.

Re:running CGI's as root ? great idea huh (2, Insightful)

zzzeek (43830) | more than 12 years ago | (#2813478)

if a cgi script running as "nobody" is compromised, then it is possible that the user "nobody" can gain shell access as well. A shell is simply another executable, just like the CGI script itself.

Re:running CGI's as root ? great idea huh (1)

Caradoc (15903) | more than 12 years ago | (#2813448)

I don't recall that the smoothwall runs any web services, does it?

Your rule #1 of having the webserver and CGIs run as a non-root user should be backed up with a rule #0 of not running a firewall *on* the webserver...

Re:running CGI's as root ? great idea huh (1)

zzzeek (43830) | more than 12 years ago | (#2813457)

it has cgi-based configuration scripts which would imply a webserver as well.

Re:running CGI's as root ? great idea huh (2)

Wolfstar (131012) | more than 12 years ago | (#2813518)

He actually stated that the only shell-access account on the box is root. This means that the only way you can get a command prompt is if you're logged in as root. Theoretically, if you can exploit a CGI bug, you could execute /bin/sh and have a shell, but they've probably disallowed that.

The Dachstein images from the LEAF Project are set up similarly. Root is the only shell access, CGI/Web runs from another user.

Re:running CGI's as root ? great idea huh (0)

Anonymous Coward | more than 12 years ago | (#2813583)

You can disallow buffer overflows so they can't run a shell? How?

Re:running CGI's as root ? great idea huh (1)

zzzeek (43830) | more than 12 years ago | (#2813622)

to repeat my other post, a shell is an executable, just like a CGI. If "nobody" can execute a CGI, it can also execute a shell, or even more simply "echo 'Content-type: text/plain'; echo; cat /etc/passwd; cat /etc/ppp/pap-secrets", since the files are admittedly world readable anyway.

This is like super-basic security, folks.

Re:running CGI's as root ? great idea huh (0)

Anonymous Coward | more than 12 years ago | (#2813534)

As long as you use a strong root password things should still be secure. Although it is a pretty dumb move to not use shadow passwords. C'mon... how much room/cpu do they really take up?

Re:running CGI's as root ? great idea huh (0)

Anonymous Coward | more than 12 years ago | (#2813566)

I'm assuming that apache is run as nobody. I can't see how anyone would be dumb enough to run it as root.

What? (0)

Anonymous Coward | more than 12 years ago | (#2813426)

So the firewall doesn't have security holes? I think they'll have to add some if they want to make a version for Windows XP...

Journalistic integrity? (5, Interesting)

chrysrobyn (106763) | more than 12 years ago | (#2813427)

I hope it is on-subject enough to point out that I believe this is an excellent job Slashdot has done, going out and getting the rebuttal for the review. Although it is not quite perfect -- it acts partially to discredit the link source -- it is much closer to what I think Slashdot could be, a first-run news source with original articles -- for [nerds|geeks]. Until then, while the editors post their comments after a link, it's little more than the second-run movie theatres (which have their place, don't get me wrong). Thanks, Slashdot.

No room for comments? (1)

I_am_Rambi (536614) | more than 12 years ago | (#2813429)

I also find it disturbing that the author gave us no room for comment in his article, nor did I see anything to suggest he had even asked us about these so called "problems".

Ok, so he didn't quote you in his article. Big deal. He saw the program and wrote what he thought. Does he have to say that he asked you personally about a problem? Maybe he asked someone else. Is there a lack of communication in your business?

Passwords should be shadowed even if you are the only user. Anyone can look over a shoulder, or even view the security tapes.

Re:No room for comments? (2, Interesting)

DaveJay (133437) | more than 12 years ago | (#2813471)

Actually, the reviewer seems to have contacted the developer. Daniel said:

>"...nor did i see anything to suggest he had even asked us about these so called "problems"."

In the review, the reviewer actually states:

>"My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment (sic)."

The reviewer apparently did attempt to have a dialogue with one of the developers, and was rebuffed (apparently impolitely.) I have had a similar experience with at least one SmoothWall developer behaving somewhat less than tactfully.

Re:No room for comments? (3, Funny)

snake_dad (311844) | more than 12 years ago | (#2813494)

And how exactly would shadowing help against over-the-shoulder-lookers? Oh wait, I get it, you create a shadow over the keyboard so it can't be seen.... Better pray that there is no IR filter on that security camera.

I know... I know, don't feed... oh well.

Re:No room for comments? (1)

viper66 (412839) | more than 12 years ago | (#2813585)

>Passwords should be shadowed even if you are the only user. Anyone can look over a shoulder, or even view the security tapes.

Shadowing has nothing to do with passwords showing up on the screen; it means the passwords are encoded before being stored in the /etc/passwd file.

Reviewers have to listen... (4, Insightful)

hellcore (549684) | more than 12 years ago | (#2813446)

I was in the Smoothwall IRC channel on several occasions when this reporter came in. First of all he didn't conduct himself like any other reporter I have ever met. He was elusive regarding his motives (i.e. he wouldn't say he was from the press), he was belligerent beyond belief and gave the impression he already knew what he was going to write. Refusing to even listen to the dev team's answers, the fingers-in-the-ears behaviour he exhibited was most flattering. I just hope c't are more exclusive in future with regards to the staff they employ. This guy was nothing but underhanded and stubborn.

Re:Reviewers have to listen... (0)

Anonymous Coward | more than 12 years ago | (#2813510)

Do you have a log file of the conversation?

IOW, I think you're full of shit.

Re:Reviewers have to listen... (1, Troll)

HiltonT (549696) | more than 12 years ago | (#2813630)

Hi, I was in #smoothwall at that time too. I agree with Hellcore's comments - the "reviewer" came on and refused to admit he was writing an article, had an obvious agenda, and failed to listen to anything that anyone said. The fact that SmoothWall is designed to protect your LAN **from** the Internet was ignored. SmoothWall was not designed to protect your LAN **from** internal users. Regardless of this, there is only a single account that has a shell - "root" - and shadowing passwords and hiding passwords from this user is next to useless. If someone manages to gain shell access to the SmoothWall machine, they already have root access. Your box is gone. Just remember that this has not happened. There have been no known successful hacks on an un-modified SmoothWall. Secure? Yes, it is. Regards, HiltonT

Poorly written reviews are bad for everyone. (1)

dperkins (63220) | more than 12 years ago | (#2813460)

Whenever I go to purchase any kind of consumer electronic whatever, I scope it out on Shopper.cnet.com [cnet.com]. I get pretty dang good information from them, and usually decent feedback from the users also.
However, if a vendor is aware that a review is going to be done of their product, it is obviously in their best interest to make sure that the reviewer has all the information they need.
When that is offered, and the reviewer doesn't take advantage, what recourse does the vendor have?

Another firewall distro... (1)

hereward_Cooper (520836) | more than 12 years ago | (#2813463)

I'm running gibraltar [gibraltar.at] -- does anyone else? What do you think? It's CD based and creates a ram disk for all the config, saving them to floppy on shutdown. I got it running in 1/2 an hour, no trouble.

Smoothwall is Great (0)

Anonymous Coward | more than 12 years ago | (#2813464)

Any firewall, in fact any system you care to mention, to which a hacker has shell or command-line access with Admin rights is history.

There is a single user on SmoothWall.

This is by necessity root.

The fact you HAVE to be on as root to get to these files in the first place makes the reviewer's comments irrelevant.

Product reviewers should take note to do some research before submitting such rubbish.

MacGyver

Re:Smoothwall is Shit (0)

Anonymous Coward | more than 12 years ago | (#2813575)

If you are running CGIs you can exploit a bug and log in as nobody. Since nobody can run /bin/sh as well as root there are TWO users on the system, nobody and root. In other words you're full of shit just like smoothwall.

Excuses (4, Insightful)

Antity (214405) | more than 12 years ago | (#2813474)

"Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them."

Tsstss.. Look at this excerpt from the article that this SmoothWall guy is complaining about:

The PPP-Daemon complains in the log file, every start, about the permissive reading rights to its password file, hard to imagine that the developers missed this one.

I also have a strange feeling about other "security" options that they chose. For example: Not using shadowed password files. They say it wouldn't be necessary since the only user available is root anyway. But what is the _sense_ of not using shadowed password files? (And what is the sense of requiring the user to be root to configure the system? Even Apache is supposed to be quite secure, but nobody will run it as root because there still might be holes. Impossible in a hacked-together firewall distribution?) The bytes of hard disk space they would have saved would be a joke.

All in all, I believe there are some truthful and insightful bits in the c't review, even if the reviewer made a mistake.

btw: To complain that the passwords had to be plaintext because PPPd and FreeSWAN required it is complete nonsense for a Firewall! Sources are available, so why not add a patch to have the passwords encrypted if this is supposed to become a Firewall?

(Sorry, had to emphasize this, since this is not some desktop distribution but supposed to be a Firewall.)
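The permission argument above hinges on two things a reviewer can actually measure: the mode of the file that /etc/ppp/pap-secrets (or /etc/ipsec.secrets) ultimately resolves to, and whether password hashes sit in the world-readable passwd file. The audit script below is an added example, not SmoothWall's code and not taken from any release of it; the pppd and FreeS/WAN paths are only the usual defaults, and the fixture it builds (file names, modes and the contents of the constructed passwd file) is invented test data. The detail worth noticing is `ls -lLd`: `-L` makes ls report the symlink target's mode, which is the mode pppd sees and warns about, while a plain `ls -l` on the link shows `lrwxrwxrwx` and tells you nothing about the real file.

```shell
#!/bin/sh
# Added audit example (not SmoothWall code). Checks two things the thread argues
# about: whether secret files are readable by non-root processes, and whether
# password hashes live in the world-readable passwd file.

# Report the mode of the file a path resolves to. "ls -lLd" stats the symlink
# target; without -L a symlink's own mode (lrwxrwxrwx) would be printed and a
# correctly protected 0600 target behind a link could not be told apart from a
# world-readable one.
check_secret_file() {
    f=$1
    if [ ! -e "$f" ]; then           # -e follows symlinks, so a dangling link is "missing" too
        echo "$f: missing"
        return 0
    fi
    mode=$(ls -lLd "$f" | cut -c1-10) # e.g. -rw-r--r--
    case "$mode" in
        ????r*|???????r*) echo "$f: group/world readable ($mode)" ;;  # group-read or other-read bit set
        *)                echo "$f: ok ($mode)" ;;
    esac
    return 0
}

# List accounts whose second passwd field is a real hash (or empty) instead of
# the "x", "*" or "!" placeholder a shadowed system uses. Anything that can read
# passwd, including a CGI running as nobody, can feed these hashes to a cracker.
unshadowed_accounts() {
    while IFS=: read -r user pw rest; do
        case "$pw" in
            x|'*'|'!'*) ;;                                   # shadowed or locked
            '')        echo "$user: empty password field" ;; # no password at all
            *)         echo "$user: hash stored in passwd" ;;
        esac
    done < "$1"
    return 0
}

# Build a throwaway fixture. Everything in it is constructed test data: a 0600
# secrets file reached through a symlink (the layout the developers describe),
# a world-readable ipsec.secrets, and a passwd file carrying a root hash.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/ppp"
    printf 'isp-user * s3cret *\n' > "$d/ppp/pap-secrets.real"
    chmod 600 "$d/ppp/pap-secrets.real"
    ln -s "$d/ppp/pap-secrets.real" "$d/ppp/pap-secrets"
    printf '%%any %%any : PSK "vpnkey"\n' > "$d/ipsec.secrets"
    chmod 644 "$d/ipsec.secrets"
    printf 'root:$1$xyz$abcdef:0:0:root:/root:/bin/sh\n' > "$d/passwd"
    printf 'nobody:x:99:99:nobody:/:/bin/false\n' >> "$d/passwd"
    echo "$d"
}

# With no arguments, run against the fixture; with arguments, audit the given
# secret files on the live system together with the real /etc/passwd.
if [ $# -eq 0 ]; then
    d=$(make_fixture)
    check_secret_file "$d/ppp/pap-secrets"
    check_secret_file "$d/ipsec.secrets"
    unshadowed_accounts "$d/passwd"
    rm -rf "$d"
else
    for f in "$@"; do check_secret_file "$f"; done
    unshadowed_accounts /etc/passwd
fi
```

On a real box you would run it as `sh audit.sh /etc/ppp/pap-secrets /etc/ppp/chap-secrets /etc/ipsec.secrets`; a symlink to a properly protected file reports `ok`, so the developers' claim and the reviewer's pppd warning cannot both be true for the same file, and this is the check that settles it.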

Re:Excuses (0)

Anonymous Coward | more than 12 years ago | (#2813617)

Exactly. The smoothwall team is full of shite. Firewalls should be set up to be as SECURE AS POSSIBLE. There is no excuse for any security problems on firewalls.

Attitude Problems with Smoothwall Developers (5, Interesting)

mathrawka (549683) | more than 12 years ago | (#2813475)

I have noticed that the founder of Smoothwall, Richard Morrell has some issues to deal with. He has a huge ego and does not like users that do not pay for his "open source software." He enjoys complaining about how much money he has spent on making CDs and giving them away for free and how people don't donate to him. I have a few quotes that I have collected that he has said on the mailing lists for smoothwall. "i have contacts with people at the kernel team that none of you have... i know people who can get this fixed and i'm on top of it... so stop complaining because you don't know what you're talking about" "i used to work for microsoft, i know how they work" (he worked in the sales dept selling licenses) "You're also not a paying customer - I'll email DIRECTLY my friend who WROTE the official driver. Friendships help. Thats why I'm richard@linux.com" "this is fuck all to do with SmoothWall its hardware level" Also, Mr. Morrell decided to turn it into a closed-source "enterprise version" that isn't free with extra features. So he's not allowing open source developers to add new features to the open source project because it will compete with his private closed source project.

Re:Attitude Problems with Smoothwall Developers (1, Interesting)

Anonymous Coward | more than 12 years ago | (#2813605)

I agree, I had issues getting a smoothwall box up and running (turned out to be a duff network card in the end), so I logged on to the smoothwall irc server to get some advice. Richard Morrell was in the channel and I asked if anyone could give me some advice; his attitude was "have you paid any money to us?" straight off, not the most warm and welcoming of attitudes. I told him straight that I wanted to get it working before I parted with any of my hard earned cash. I have got to say that other people on the channel were more helpful, but the guy's attitude put me off using his product to the point where I binned the installation and started using freesco instead...

Not a real firewall review (4, Insightful)

Lumpy (12016) | more than 12 years ago | (#2813477)

First off, reviewing a firewall like that is just whining by a non-techie. You want to review a firewall? Crack it... Show me times it took and what kiddie tools took it down or circumvented it because of a flaw in the firewall. Bitching about how the scripts are written is clutching at straws and trying to add content to an already empty review.

Why is it that we all will not listen to a SQL review without stats and figures but a firewall review gets any attention at all if it isn't even tested properly by the reviewer?

This review was like a review about ram and bitching about the color and shape.

Re:Not a real firewall review (1)

Antity (214405) | more than 12 years ago | (#2813592)

you want to review a firewall? crack it... Show me times it took and what kiddie tools took it down or circumvented it because of a flaw in the firewall. bitching about how the scripts are written is clutching at straws and trying to add content to an already empty review.

Sometimes even on BugTraq it doesn't need an actual exploit to be published to show people that there might be serious security risks in a product, just by showing flaws in the actual implementation of that product.

Remember: Some companies even claim that it's better not to publish an actual exploit..

Re:Not a real firewall review (0)

Anonymous Coward | more than 12 years ago | (#2813599)

Oh yeah? I cracked smoothwall in 10 minutes with a CGI buffer overflow, grab of the passwords when I was logged in as nobody and logged in as root 0wning the firewall. Does that help?

Re:Not a real firewall review (0)

Anonymous Coward | more than 12 years ago | (#2813613)

where's the proof you goatse.cx'oring troll?

Re:Not a real firewall review (0)

Anonymous Coward | more than 12 years ago | (#2813620)

Yes it does... post the logs. And proof that you did this...

Oh wait, you can't because it was in your dreams and made up.....

If not... gimme proof.

korbensux (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2813481)

korbensux

Smoothwall (2, Informative)

futuresheep (531366) | more than 12 years ago | (#2813489)

After trying several different Firewall products, I found smoothwall to be the easiest to set up and maintain. As far as the reviewer's points, most are irrelevant, since the only access to the web interface and to SSH is from INSIDE your network. Unless you go out of your way to activate these things externally, they're simply not seen by attackers. But then again, if you changed the way the product is shipped, then it's really working like it was intended anyway.

you assume complete security from the inside (1)

zzzeek (43830) | more than 12 years ago | (#2813580)

A very common configuration of a firewall is to let some incoming ports translate themselves to other boxes inside the network via NAT - this is to allow things like email services, web services, etc. be accessed. Even with all ports turned off to the outside world, Windows boxes receive email/word/AOL/etc viruses and trojans all the time. Therefore, the boxes *inside* a firewall are also never 100% safe from attack, meaning that a good firewall's security on the internal network interface is nearly, or in a large organization equally, important as that of the external interface.

Re:you assume complete security from the inside (0)

Anonymous Coward | more than 12 years ago | (#2813603)

Hence smoothwall supports a separate DMZ for servers with no access to the firewall ports or the green (safe) network.

Their business model (1, Offtopic)

RainbowSix (105550) | more than 12 years ago | (#2813497)

A paypal link on the front page, and a brief explanation as to why you should donate next to the download link.

For paypal users, helping the company has a nearly zero transaction cost. I think it is a good idea that more freeware projects should embrace.

It's great for my network at home (1)

twos (83031) | more than 12 years ago | (#2813504)

But I wouldn't use it for my business network.

SmoothWall is nice and easy way to isolate my home network from the Internet. It took me about 20 minutes to install and configure it. It does exactly what I need it to do.

Important Question: Read this right now (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2813551)

What is the address of the "Troll Tuesday 2001" website? It includes a picture of CmdrTaco and one of the other editors involved in anal sex.

Thank you

No more comments on Morrell, please! Try IPCop! (5, Informative)

BitMan (15055) | more than 12 years ago | (#2813567)

As your momma always said: 'If you don't have anything good to say about someone, don't say it' or 'if someone keeps "bothering" you, just stay away from them.' It's as simple as that.

So if you don't like Richard Morrell, head of the SmoothWall project, consider:

  • ignoring him
  • the fact that SmoothWall is free software and freely supported (regardless of the "requests" for monetary support made)
  • disregarding SmoothWall altogether, if it really "bothers" you that much (see below)

Personally, I'm sick of the "one-sided" reporting on Mr. Morrell. I've seen way too many people "complain" about him, but never comment on various personal details that are partially the cause of this -- let alone the daily onslaught of Windows users who've barely heard of Linux, who don't bother reading the FAQ, let alone demand that SmoothWall automagically support every little, crappily-designed Windows application and their proprietary protocols that don't work well with firewalls anyway. After a week of being on the SmoothWall lists, I'd kill some very rude and ungrateful users well before Morrell. If you feel Morrell is "really bad for the project," then that's his problem, not yours!

Now if you still want something like SmoothWall without the SmoothWall(TM), take notice that others have forked the project into a new one called IPCop [ipcop.org]. Version 0.1.0 features SmoothWall 0.9.9, all the major post-0.9.9 patches and various enhancements. A final 0.1.1 release is to follow shortly before the team starts to work on version 0.2.0, a Linux 2.4/Netfilter implementation.

For all I care, you can think of IPCop as "SmoothWall without Morrell." Just don't say it out loud since many of us are all sick of hearing it!

Replying to the reply (4, Insightful)

OeLeWaPpErKe (412765) | more than 12 years ago | (#2813581)

Daniel Goscomb, one of the lead developers of Smoothwall, responds:

In our opinion this article is extremely badly researched and written. Furthermore it shows a lack of knowledge on the author's part.

sjah ... reading on

The main concern he has is that of people being able to log in to the firewall and read configuration files. This point is irrelevant as there is only a single user that can access the shell, root. This also removes the need of shadow password files, if you have access to the machine to get the passwd file, you are already in as root anyhow.

so you only have one layer of security ? The inability of any attacker to get a shell ? That's it ? I must admit I have not checked if you do that or not but ...

In my opinion you should at least take a number of these precautions ...

-> no shell access for nobody but root (of course this is enforced by putting a check in the main loop of bash, which mails "murder" if anybody tries differently)
-> all binaries --x--x--x, on a single partition which is the only one mounted without the "noexec" and with "ro" flag
-> *all* daemons chrooted, none have anything in their /bin or /sbin directory that even remotely resembles a shell or mount program (i.e. do not use perl, use mod_perl, do not use php, use mod_php, etc)
-> *all* programs compiled from source
-> there is no such thing as an irrelevant permission

Secondly he complains of plain text passwords for the ppp passwords. This is not our doing. The passwords are stored in this format as pppd requires them to be in plain text in the two files. He also mentions that the permissions of these files are wrong. If he looked a little more closely he would have seen that they are in fact symlinks to the 2 real files, which do have the proper permissions on them.

plain text ? wrong permissions ? why would you take a chance ?

He also mentions the same "problem" with the shared keys system in FreeSWAN. Again, they are stored like this as FreeSWAN requires them in this format to read them.

again ... why take the chance ?

As to the part about user authentification of the CGI scripts. This is completely irrelevant. There is no authentication in the CGI scripts. The authentication is done via .htaccess files, and has no interaction with the CGI at all, other than when you change the passwords.

user authentication is only irrelevant until a hacker gets by the first layer of security (which apparently on your system is the *only* layer of security)

I also find it disturbing that the author gave us no room for comment in his article, nor did I see anything to suggest he had even asked us about these so called "problems". We would have been happy to answer any questions he had.

to quote the other article :
"When a group of developers- more than ever one active in the spirit of GPL-want to successfully distribute a good product, they are usually interested in feedback, in order to improve their product. My concrete indications of security problems within SmoothWall found sheer disinterest with Richard Morrell, developer and project initiator. "That doesn't matter" was about the politest of all comments comment. Trust in the developer's competence and integrity is a basic pre-requisite for the usage of security relevant software. Morell has thoroughly destroyed mine."

This suggests he has contacted you... whether or not he did I cannot verify, but if he quotes answers from you ("That doesn't matter"), he probably did contact you, and you certainly confirmed that comment with the above reply. I politely wonder about the next part of that sentence (... was about the politest of all comments comment.)
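Two of the precautions in the list above can be checked mechanically rather than argued about: which filesystems still let an unprivileged process write a file and execute it (the "noexec"/"ro" point), and which accounts actually end up with a login shell (the "root is the only shell user" point). The script below is an added example for this thread, not SmoothWall's code and not tied to any SmoothWall release; it reads files in the /proc/mounts and /etc/passwd layouts, so it can be run on a constructed fixture (the device names, users and shells in it are invented) or pointed at the real files. One caveat it encodes in a comment: noexec blocks `./x`, not `sh x` or `perl x`, which is exactly why the list also wants interpreters out of the daemons' chroots.

```shell
#!/bin/sh
# Added example (not SmoothWall code) for two of the hardening points above:
# which filesystems let an unprivileged process drop and run a binary, and
# which accounts actually get a login shell. Input files use the /proc/mounts
# and /etc/passwd layouts so the checks can be run on a fixture or on the box.

# True if the comma-separated option list $1 contains the exact token $2
# ("rw,noexec" contains "noexec"; "rw" does not contain "ro").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Print mount points that are neither read-only nor noexec: anywhere a process
# running as "nobody" can write to and execute from. Pseudo filesystems that
# cannot hold a binary are skipped. Caveat: noexec stops "./x" but not
# "sh x" or "perl x" while an interpreter is reachable on an exec mount.
exec_writable_mounts() {
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in proc|sysfs|devpts) continue ;; esac
        if ! has_opt "$opts" ro && ! has_opt "$opts" noexec; then
            echo "$mnt"
        fi
    done < "$1"
    return 0
}

# Print accounts that can get an interactive shell. An empty shell field is
# flagged too: login(1) falls back to /bin/sh for it, so it is not "no shell".
# On a box that claims root is the only shell user, this should print one line.
shell_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in
            /bin/false|/sbin/nologin|/usr/sbin/nologin|/bin/sync|/sbin/halt|/sbin/shutdown) ;;
            '') echo "$user: empty shell field (defaults to /bin/sh)" ;;
            *)  echo "$user: $shell" ;;
        esac
    done < "$1"
    return 0
}

# Constructed fixture: a /proc/mounts snapshot and a passwd file. Device names,
# users and shells are invented for the example.
make_fixture() {
    d=$(mktemp -d)
    {
        echo '/dev/hda1 / ext2 rw 0 0'
        echo '/dev/hda2 /usr ext2 ro 0 0'
        echo 'none /tmp tmpfs rw,noexec,nosuid 0 0'
        echo 'proc /proc proc rw 0 0'
    } > "$d/mounts"
    {
        echo 'root:x:0:0:root:/root:/bin/sh'
        echo 'nobody:x:99:99:nobody:/:/bin/false'
        echo 'svc:x:1000:1000::/home/svc:'
    } > "$d/passwd"
    echo "$d"
}

# With no arguments, run against the fixture; with any argument, read the
# live /proc/mounts and /etc/passwd instead.
if [ $# -eq 0 ]; then
    d=$(make_fixture)
    echo "writable+exec mounts:"; exec_writable_mounts "$d/mounts"
    echo "accounts with a shell:"; shell_accounts "$d/passwd"
    rm -rf "$d"
else
    echo "writable+exec mounts:"; exec_writable_mounts /proc/mounts
    echo "accounts with a shell:"; shell_accounts /etc/passwd
fi
```

On the fixture the first check reports only `/` (/usr is read-only, /tmp is noexec, /proc cannot hold a binary) and the second reports root plus the invented "svc" account whose empty shell field would silently give it /bin/sh; that second line is the kind of thing a "there is only one shell user" claim needs to have ruled out.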

Anyone recommend a good iptables-based fw? (1)

prisoner-of-enigma (535770) | more than 12 years ago | (#2813594)

My company has used Checkpoint FW-1 in practically everything we've deployed up to this point, but I'm itching to experiment with a much cheaper iptables-based approach. Of course, it has to be SECURE first and easy to use second -- a leaky firewall is worse than none at all as it gives a false sense of security.

I've hand crafted a few firewalls myself and run them on custom-built Linux kernels and stripped down distros. Still, I'm not quite certain I trust myself on this, and I'd like to hear from anyone who's had experience with a good, free, iptables-based fw script in a production environment. My goal is something that can displace a Nokia IP330. It has to do NAT, port forwarding, and allow logging of suspicious packets. Floppy-based stuff is highly preferred if possible to lower hardware requirements.

Recommendations, anyone?

Another firewall product: Astaro (3, Informative)

Jacco de Leeuw (4646) | more than 12 years ago | (#2813600)

Astaro [astaro.com] seems like an interesting product. It too is based on Linux (GPL) and sports a firewall, IPSEC, PPTP etc. I have downloaded the ISO but haven't installed it yet since it insists on wiping the hard disk. Seems reasonable but I'll have to find a test machine first ;-).

There's also a support community [astaro.org].

Some companies such as Pyramid [pyramid.de] are reselling [astaro.com] Astaro with hardware and support.

Its bad, really it is... (1)

boris_the_hacker (125310) | more than 12 years ago | (#2813607)

I mean where do open-source developers get off writing a secure firewall distribution that's easy to install, has a good configuration front end and can be up and running in less than 20 minutes?

I mean seriously, come on? Where is the l33tness? How can I possibly claim to be cool when I use this product, it's just too easy to use. Damn them and damn their software ethics. Even my friends using Windows have started mocking me because I use something with a clear and concise configuration system.

I demand hard configuration, bad and broken installation, no updates for at least 6 months, I mean, with this software I have no excuse but to work. Damn them.

OT - Test from christd (0, Offtopic)

jpmkm (160526) | more than 12 years ago | (#2813608)

I'm sorry this is extremely o/t. I just opened up slashdot and saw a story called Test from Christd. I was going to another website just as I noticed it and by the time I opened slashdot again it was gone. Anybody know what this was?