Professional Documents
Culture Documents
SmoothWall
Technical Training
Version 1.0
Table of Contents
Welcome to the SmoothWall V2008 Course...............................................................................................................7
Figure 1: Smoothwall GPL v0.99.................................................................................................................7
What is new in version 2008.............................................................................................................................8
About this book.................................................................................................................................................8
Glossary:................................................................................................................................................................9
Chapter 1: Network Basics...................................................................................................................................11
MAC Addresses – Media Access Control........................................................................................................11
Figure 2: Example MAC address...............................................................................................................11
Figure 3: Replacing network cards.............................................................................................................11
DNS – Domain Name Server..........................................................................................................................12
Figure 4: WINS and DNS name resolution................................................................................................12
WINS – Windows Internet Name Server.........................................................................................................13
DHCP – Dynamic Host Configuration Protocol...............................................................................................13
Figure 5: Client resolving hostnames.........................................................................................................13
Default Gateway and Routing.........................................................................................................................13
Figure 6: Default gateway illustration.........................................................................................................14
Figure 7: Routing from A to B.....................................................................................................................14
Chapter 2: Hardware.................................................................................................................................................15
Linux and Drivers............................................................................................................................................15
Choosing the Hardware..................................................................................................................................15
SmoothGuard 1000-UTM appliance...............................................................................................................15
Hardware RAID vs Fake Raid vs Software RAID............................................................................................16
Serial Attached SCSI (SAS)............................................................................................................................16
SmoothWall Service Pack CD.........................................................................................................................16
Other Hardware Specific Issues...........................................................................................................................16
Chipsets..........................................................................................................................................................16
64 bit Capable CPUs......................................................................................................................................16
PCI Network Cards.........................................................................................................................................17
Multi NIC cards...............................................................................................................................................17
USB Network adapters ..................................................................................................................................17
Wireless Network Cards ................................................................................................................................17
Figure 8: Wireless access point attached to the SmoothWall....................................................................17
VMWare Drivers..............................................................................................................................................17
USB Devices...................................................................................................................................................17
ADSL Modems................................................................................................................................................18
Figure 9: SmoothWall Firewall/NAT setup examples.................................................................................18
Multiple External Connections........................................................................................................................19
Chapter 3: Installation..........................................................................................................................................20
Figure 10: The SmoothWall install boot screen..........................................................................................20
Activating advanced install options.................................................................................................................21
Figure 11: Swap and RAM disk options.....................................................................................................21
Multiple Ways of Installing...............................................................................................................................21
Installing modules...........................................................................................................................................21
Manuals..........................................................................................................................................................21
Chapter 4: Setup Options...............................................................................................................................23
Figure 12: The setup menu........................................................................................................................23
Restore Configuration.....................................................................................................................................23
Figure 13: Removing the active switch file.................................................................................................24
Keyboard Mapping..........................................................................................................................................24
Hostname.......................................................................................................................................................24
Networking......................................................................................................................................................24
Figure 14: Disconnecting the external connection from the command line................................................24
Network Cards................................................................................................................................................24
Address Settings.............................................................................................................................................25
DNS and Default Gateway .............................................................................................................................25
The project immediately became popular and it was easy to see that the software filled a gap that was not
being adequately filled by existing products like the Internet Connection Sharing in Windows products.
Another “hit” for the SmoothWall style was the interface. SmoothWall tried hard to make the interface as
smooth as possible and SmoothWall also stayed with the TCPIP conventions as much as possible. While
other gateway products from varying companies have a tendency to reinvent all networking terms in order
to be different from their competitors, SmoothWall stays with the TCPIP conventions and terms as much
as possible. A port forward is called a port forward on SmoothWall products – not “One to One NAT”,
“Internet service” or “Preferred Ports” - we try to stay close to the correct terms in order to avoid
confusion and allow anyone with TCPIP knowledge to understand what is going on when configuring the
SmoothWall.
As the versions have passed us by the SmoothWall products have evolved quite a bit. End user and
Glossary:
Version 3 Products: Corporate Server 3, Corporate Guardian 3 and School Guardian 3 and all modules
that can be installed on Version 3 platforms.
Version 4 Products: Corporate Firewall 4, Advanced Firewall, Corporate Guardian 4, School Guardian 4,
Corporate Guardian 5 and all modules that can be installed on Version 4 platforms.
Version 5 Products: Corporate Firewall 5, Advanced Firewall 2, Corporate Guardian 6, School Guardian
5 and all modules that can be installed on Version 5 platforms.
Version 2008 Products: Network Guardian 2008, Advanced Firewall 2008, Corporate Firewall 2008 and
School Guardian 2008 as well as all modules available for the V2008 platform.
SmoothGuard UTM-1000: The SmoothWall appliance. A 7 interfaces, Core 2 Duo based platform with
1 GB RAM.
Primary connection: Primary connections are defined on the SmoothWall as any connection using a
connectivity profile.
Secondary connection: Secondary connections are defined as external connections NOT using a
connectivity profile. Secondary connections are static IP, network card based connections only.
Connection failover: The process of switching between connectivity profiles in case a profile fails.
Hardware failover: The process of switching to another hardware box in case the hardware fails.
Road Warrior: A term used in conjunction with VPN. The term covers any connection profile where the
peer IP address is unknown.
Zone Bridging: A term used to cover setting up access between internal and/or VPN networks or clients.
Internal interface: Any interface configured in the setup program or in the interfaces page in the
networking – interfaces section.
External interface: Any interface configured in the connectivity or secondary connections section.
Default interface: The default interface is the interface all access rules are applied to. This is the only
interface that can be used to access the SmoothWall web interface initially.
Tip: When replacing network cards in existing computers or moving IP addresses to new
network cards, it's always a good idea to power cycle or reset any routers or switches the
As illustrated above, WINS have no domain part, where DNS does. Often Windows network clients will
only use the hostname of a server when it needs to connect to a share, not the full domain name. The
reason this works is because clients will have a default domain set and the name resolver will append the
default domain when searching for hosts without domain part in the name.
DNS is a distributed database system. This means, in theory, that it does not matter what DNS server the
client asks, since all DNS servers, in theory, has access to the same information or know what servers that
do.
Important: However, with the introduction of NAT, internal DNS resolution became a necessity
in many networks, creating a separate DNS zone, as it were, for the internal networks. Internal
DNS servers can be set to override any answer the public DNS system has on record and can also
forward any requests it cannot answer to the public DNS servers. This way, the internal DNS
server can screen all DNS requests and can control internal network resolution without interfering with
the public DNS server systems.
Some facts about the DNS client are less known and they play a big role in setting up the SmoothWall
firewalls and Web filters.
When multiple DNS servers are configured on a client, the following applies:
• A client will randomly select which DNS server to query.
• If a client gets a reply of “host not found” the client will not ask any other DNS server. For this
reason it is unwise to use both internal and external DNS server settings on the same client.
Client with assigned do m ain name m ydo main.lo cal asks fo r “fileserver.mydo main.lo cal”
Note: The DHCP server on the SmoothWall firewall products were meant for small networks
and have been designed as such. Only the most common options are supported so if the full
range of DHCP options needs to be used another DHCP server may be more useful.
Lo cal fileserver respo nds. No packets are reaching the default gateway
The reason for the above figure is to illustrate when the default gateway is NOT in use. As the
SmoothWall system will often be the default gateway in a network, it becomes important to know when
traffic is actually reaching the gateway for troubleshooting purposes.
Note: The default gateway has to be on the same subnet as the client.
Routing is another area with lots of pitfalls. We have always found the following rule, simple as it seems,
good to have in mind when dealing with routing. This works best if said with a Yoda like voice:
“When with routing dealing you are, always remember: It not enough is that A the route to B knows, B
also needs to know the route to A! Remember this, young Padovar!”
Default gateway
Ro uter
Client A kno ws that B is accessed via the ro uter. Client B has no kno wledge o f the client A netwo rk.
Reply go es to the default gateway.
Tip: When troubleshooting network issues always take it step by step and verify where the traffic
is going. Using tcpdump and/or Windump is a good way to verify where the traffic is going so
routes and gateways can be verified and confirmed.
Tip: A new diagnostic tool is available on SmoothWall systems called traffic analysis. Find it in
the system – diagnostics section. With this tool one can listen in on traffic on a network interface
for a set amount of time. This can be useful in many instances when a more detailed
understanding on what packets are reaching the SmoothWall system is required.
Chapter 2: Hardware
Linux and Drivers
The operating system of all current SmoothWall products is Linux. Version 2008 marks the move to the
2.6 series kernel which has been a long awaited change. Using the 2.6 kernel will lessen driver issues for
anything from network cards to harddisk controllers.
As everyone is aware by now, the Linux operating system Open Source and can be distributed freely – all
device drivers are included with the kernel source code so the drivers can be created when the kernel is
compiled again.
The Linux driver model requires drivers to be compiled specifically for a target kernel Version. However,
distributing a driver in the kernel source requires the driver source code to be Open Source as well. Some
vendors do not release official driver code to the Open Source community so the community has to write
them if there is no Linux driver or the official closed source driver will have to be used.
This often requires a specific kernel Version to be run on the target machine. For this reason, SmoothWall
products cannot use vendor released driver disks. They are compiled against the popular Linux
distribution kernels, like SuSE or RedHat Linux and will not work on a SmoothWall product.
Chipsets
When trying to find out if a specific hardware device is supported it's often helpful to find the chipset the
hardware is based on. SCSI cards, network cards and motherboards are all built around a chipset from a
specific manufacturer. The Linux drivers are often marked as drivers for a specific chipset family so
knowing the chipset used on the hardware in question is a good idea, when searching for driver and
support information. Please also include chipset Version to any requests made to support about hardware
compatibility.
Tip: If a network card has been found and configured but no traffic seems to pass, try to disable
APIC in the hardware options in the setup program.
Memory
Guardian is the biggest memory hog of the SmoothWall product line. Both the SmoothGuardian module
and the Network Guardian stand alone web content filter solution can use large amounts of system
memory. When building a Guardian system, always have a look at our hardware calculator on the
www.smoothwall.net and be generous with memory allocation. As a rough guide it can be said that a
Guardian system needs one CPU core and 1 GB of memory for each 1000 users.
VMWare Drivers
VMWare drivers are now included in the SmoothWall product line. They will enable improved
performance and better network speeds when running SmoothWall products on a VMWare based
platform. Furthermore, VMWare server scripts are installed to handle shutdown and reboot commands
issued from the VMWare server console.
USB Devices
USB keyboards and CD-ROM drives are supported if the BIOS on the motherboard supports them.
ADSL Modems
ADSL modems come in many forms and shapes and have varied functionality. There are three classes of
ADSL modems:
• ADSL USB modems:
SmoothWall firewalls support a long list of USB ADSL modems. The support depends on drivers
and firmware being available to the open source community. Again the chipset used on the device
is essential in order to determine support. Supported chipsets can change if drivers and firmware
becomes available.
• ADSL Ethernet modems:
Any ADSL modem that present the internet IP address given by the provider, directly to an
ethernet interface is supported. Sometimes ethernet modems can be set up in bridging mode and a
PPPoE profile can be configured on the SmoothWall to handle the connection. This can be done
with several Linksys and Netgear modems.
• ADSL Firewall/Router modems:
All of these devices are supported.
Subnet 1 Subnet 2
Internet
Lo cal Netwo rk Smo o thWall
Subnet 1
Note: When the SmoothWall is used as a VPN gateway, please avoid any NAT devices in front of
the SmoothWall. NAT and VPN does not always mix and match so to avoid any VPN problems,
please do not NAT a SmoothWall that is to be used as a VPN gateway server.
Note: When setting up a SmoothWall and an ADSL line, please always contact the ISP and ask
for their recommended solution to having the real IP on the SmoothWall. The ISP should have
knowledge about setting up the modem/router hardware to pass the real IP to the SmoothWall
firewall.
Tip: The Advanced Firewall is also capable of load balancing both incoming and outgoing
traffic across multiple external interfaces.
Chapter 3: Installation
SmoothWall product installation is quick and painless if the hardware is supported. A typical installation
from CD only takes about 5 minutes – the real time is spent applying updates and configuring/verifying
settings. The time it takes to apply updates can be reduced by either having the updates prepared locally
or by using the latest installation CD images, as they will have the previously released updates already
applied to them.
The installation procedure only asks a few questions, probes for a network card and asks for an IP address
for the discovered network card. The discovered network card is also set as the “default” interface. That is
all that is required initially. After a reboot, the SmoothWall web interface can be accessed on the default
interface and the rest of the configuration should now be made on the web interface.
If drivers needs to be loaded or any of the default setup choices needs to be modified, the advanced
installation mode should be used. Once the initial blue screen is displayed the space bar can be pressed to
activate the advanced installation mode.
Right before the installation program starts the process of partitioning and formatting the hard disk(s) a
couple of options, that relate to partition and swap size, are shown.
NEW: In version 2008 it is now possible to perform an in place upgrade. The installer will
archive settings to ramdisk from the previous installation and implement them once the new
version has been installed. It is no longer needed to create a backup archive and upload it to the
newly installed system – although that is still possible. All the migrated settings will also be saved in an
archive and listed in the archives section of the web interface of the new version.
Installing modules
Since version 5 modules can be installed directly on the system – modules page. The module has to be
valid on the serial number used when installing the SmoothWall system. Once a module has been
activated just refresh the module list and an install button will become available.
Manuals
Amazingly we often get the question where the manuals are located. They are on the install CD in the
docs directory – the module manuals will be on the installation CD for the module.
Restore Configuration
Restore configuration allows the restoration of settings from a previous system. When restoring from a
Version 3 SmoothWall system, the “Version 3 floppy disk” or “Migration floppy disk” option must used –
The remaining options: “Floppy Disk”, “CD-ROM” or “USB disk” are for Version 4 and 5 archives.
In Version 3, the backup settings were written directly to a floppy disk or a floppy disk image. From
Version 4 onwards, the backup function creates a standard tar.gz file, containing all system settings.
Remember that version 2008 can now perform an in-place upgrade.
TIP: When restoring setting to a new system, with new network cards, do NOT restore Ethernet
settings. The Ethernet settings are the settings detailing the type and drivers needed for
installation of the network cards and are irrelevant if a new system is replacing the old one. If
ethernet settings are restored, reboot the machine immediately. This will start a process where the
TIP: If the Ethernet settings from an old system has been restored to a new system and the
system not rebooted immediately thereafter the SmoothWall system can lock up access to the
setup program network settings, because the SmoothWall thinks the external interface is active. If
that happens, have a look at figure 13 and run the command displayed:
[root@CorporateFirewall root]# rm /modules/firewall/settings/red/active
rm: remove regular empty file `/modules/firewall/settings/red/active'? y
Keyboard Mapping
Sets up the keyboard map used by the system.
Hostname
This sets the hostname on the system. The hostname can be important, depending on the network setup.
The HTTPS server on the SmoothWall uses the hostname configured in this option. To prevent the web
browser from complaining about certificate errors, related to the hostname of the system, the hostname
can be set to a FQDN in the network and the SmoothWall HTTPS interface can be accessed using the
configured hostname.
Networking
Entering the network section of the setup program can only be done if no external connection is currently
active. To disconnect the external connection currently in use, go to the web interface and press
disconnect in the “Main” section.
NOTE: If the web interface is unavailable, the external connection can be closed from the setup
program or directly on the command line using this command:
Figure 14: Disconnecting the external connection from the command line
[root@CorporateFirewall4 root]# smoothcom disconnectexternal
issuing command disconnectexternal [SUCCESS]
Network Cards
The networking setup program probes for all network cards on the system and loads the drivers needed by
the network cards. If a card has been removed and replaced by a new card, the network card probe should
find the new card and discover that the old card has been removed and offer the option to use the new
card to replace the removed one.
NOTE: It is vital that the internal networks attached to the SmoothWall system are private IP
networks. With so many network features and VPN connection possibilities, it has become
necessary to assume that all internal networks are configured using private IP ranges. Using
public IP ranges is not recommended for NATTED networks.
The DNS and Default gateway settings can be used to give the SmoothWall system access to the internet,
so installation of modules and updates can be done without a configured external connection. This way, a
system can be installed and prepared, even when no external connectivity profile has been configured on
the SmoothWall system.
Internal interface
co nfigured. No link to
“Co nnect External”:
External interface
selected and named :
Default interface
The default interface is the interface where full access to the administration services on the SmoothWall
will be set up. Use this option if a new default interface is desired.
VLAN
Used to set up any VLAN interfaces and tag them with the appropriate VLAN tag.
Diagnostics
The diagnostics page can be used to verify that the network cards are up and running. Some network card
TIP: The diagnostics page uses the command “mii-tool” to get diagnostics information. Another
tool is called “ethtool”. If any cards are not showing proper diagnostics information, try leaving
the setup program and run “ethtool eth[X]” where [X] is the interface designation.
Hardware Options
The hardware options menu allows the user to configure various hardware specific options. These
include enabling the SMP kernel for multiple CPU based systems and disabling APIC.
APIC is an acronym for “Advanced Programmable Interrupt Controller” and is a technology used mainly
on multi socketed SMP systems. Some drivers have problems with APIC, so it may be necessary to
disable APIC on the SmoothWall system if network cards or storage controllers are behaving strangely.
If there are problems during installation and the SmoothWall installation program cannot find storage
controllers, it may be a good idea to try to disable APIC during install as well. This can be done by
entering “linux noapic” at the installation boot prompt.
Boot: linux noapic
Serial Console
Enable serial console access.
Web Proxy
If the SmoothWall system is behind a proxy server, it may be needed to enter the proxy server details here
to allow the SmoothWall to register itself. This setting has nothing to do with the proxy server that can be
run on the SmoothWall. This can also be changed from the web interface in the administration –
preferences section on the upstream proxy tab.
ADSL Configuration
This section is used when a USB ADSL modem or a BeWAN PCI ADSL card is installed on the
SmoothWall system. Enter the menu and select the proper modem, VCI and VPI options for the ISP in use
and enable ADSL. After enabling ADSL, the modem will sync and the ADSL modem option will be
available on the “connectivity” tab of the firewall section.
ISDN Configuration
This section is used when an ISDN PCI card or ISDN USB connection is present on the SmoothWall
system. Enter the appropriate values and enable ISDN. After enabling ISDN, an ISDN option should
show up as a connection option in the “connectivity” tab of the firewall section.
TIP: If the admin password has been lost, log on as setup or root and reset
the password. If the root or setup password has been lost, the system needs
to be booted in single user mode.
SmoothWall-up SmoothWall-smp
Single CP U
Boot: SmoothWall-up single
Single user mode starts the system up normally and after the boot process and start-up is done, it does not
ask you for a username and password. Once the system has booted the setup program can be run and the
passwords for the system users can be changed.
Preliminaries
Create backup archive with relevant settings and download it to a safe location. Upgrading to version
2008 can be done without having a backup archive handy as the installer will save settings and re-
implement them once the installation has completed but always have a backup archive ready in case of
unforeseen issues.
Guardian filtering settings are not migrated from a version 5 to version 2008 as the new filter
configuration in Guardian prevents that. Proxy settings are migrated. Before upgrading, make sure any
custom lists of domains have been saved to an available text file.
TIP: When migrating the same hardware to a new software version, it may be prudent to replace
the disk drives so the original drives can be reinserted if there are problems migrating settings.
TIP: Always use the latest release of the software being installed. Often SmoothWall will release
and updated ISO image for all products with the currently released updates pre installed.
NOTE: Remember to leave out ethernet settings if installing the system on new hardware. If
ethernet settings was restored to the new hardware, reboot immediately after restoring settings.
That should cause the startup procedure to replace the old network card information with the
present network cards.
After restoring settings in the setup program the passwords will be cleared and new passwords will need
to be entered. Once settings have been restored, check that the settings have been restored correctly and
reboot the system.
Final Touches
After the reboot, go through the system one last time and confirm that everything is working as it should.
Then go live.
TIP: If new hardware is used but the IP addresses are going to be the same as the previous
system had, it's often a good idea to reset switches and routers connected to the new system. This
will clear the ARP cache on the connected devices, allowing the new systems network cards to be
associated with the IP addresses the old system had.
NOTE: The password for the authentication lookup user needs to be reentered after a restore.
The password is not saved in the backup archive.
Chapter 6: Networking
The networking sections contains all settings relevant to packet handling. Network card setup, internal
access rules and the firewall functionality as well. The networking section has been revamped a bit in
order to accommodate the traffic module and the new port groups function. There is now a settings
section where advanced TCPIP functions can be configured and a port groups section where a list of ports
can be defined for later use in port forward rules. More on that later.
Filtering Section:
Zone Bridging:
Access between internal networks and VPN connections is configured here. All internal interfaces will be
listed in the source and destination drop down lists, along with the VPN interfaces L2TP, OpenVPN and
IPSEC. For any traffic coming through an IPSEC, OpenVPN or L2TP tunnel, access needs to be
configured in the Zone Bridging section, for the traffic to be allowed into the internal networks.
The bidirectional tickbox creates a two way access rule. It is the same as creating two rules, the second
rule with source and destination interfaces reversed. If a rule is not bidirectional, traffic can go to the
destination network, but only replies to that traffic can make it back to the source. Traffic is not NATTED
between internal zones – it is routed.
NOTE: A non bidirectional rule will allow traffic to pass and replies to return – this is the same
principle for the external interfaces. Traffic can leave and replies can return.
Group Bridging:
NOTE: OpenVPN users are authenticted by the auth subsystem so they will be logged into the
firewall as soon as they connect.
IP Block:
This section allows configuration of IP's to block or destination IP's to deny access to. There is also an
exception option that can be used to unblock access to single IP addresses within a range that has been
blocked.
Routing Section:
Subnets:
If there are any routers on the internal network, the SmoothWall can be made aware of the subnets that are
connected to those routers here. It is a simple route add command that allows the configuration of custom
routes on the SmoothWall.
TIP: After adding a subnet, it may be needed to restart the Guardian or the proxy module to
allow the newly configured subnet to access the Guardian proxy and web filter.
NOTE: Routes to any VPN connected network are added automatically by the VPN subsystem.
Do not add routes to remotely connected VPN networks in the subnets section.
NOTE: These routes will be brought up BEFORE the external interfaces so this is ONLY for
internally reachable routers.
RIP:
Routing information protocol. If needed, activate it.
Sources:
Here traffic can be directed out through any external interface based on the source IP address. This tab is
not available on the Corporate Firewall and School Guardian products, as they are not capable of having
multiple external interfaces active.
NOTE: If traffic is to be sent out through the primary connection profile, do NOT select the
interface name here, just select the Exception option. Any excepted traffic will be sent out
through the primary connection. The reason all interfaces are shown is that interfaces can be used
both for secondary and primary connections.
NOTE: If traffic is to be sent out through the primary connection, do NOT select the interface
name here, just select the Exception option. Any excepted traffic will be sent out through the
primary connection. The reason all interfaces are shown is that interfaces can be used both for
secondary and primary connections.
NOTE: Once SmoothGuardian is installed there is an option in Guardian to block direct web
access. This option blocks all access to port 80 and 443 with no possibility of exceptions. Often
it is better to use the outgoing rules to manage which IP addresses should be allowed direct web
access rather than enabling the “Block direct web access” option in the Guardian – web proxy
section.
Smo o thWall
DMZ
Outgo ing po rt 338 9 (RDP) redirected traffic.
Specific IP redirected by so urces traffic.
Subnet 2 Web filter traffic by Lo ad Balancing Web
Pro xy traffic.
Interfaces Section:
This section contains all the connectivity and IP address assignment options. Most of the configuration
options available in the setup program is duplicated in the interfaces tab in the interfaces section.
Interfaces:
The interfaces tab in the Interfaces section is used to configure internal interfaces, set DNS and default
gateway settings and adding VLAN interfaces. The only pitfall here is the “settings” section, where
default interface, heartbeat interface (Advanced Firewall only), DNS servers and default gateway can be
set. Here is a quick overview of when those settings should be configured and when they should be left at
the default settings:
Subnet 1
DNS Pro xy
Setting fro m External
co nnectivity pro file
Default Gateway:
Only set this if no external connectivity profile is present or the external connectivity profile cannot be
connected. This setting is meant to be used when installing the SmoothWall product in a situation where
external connectivity cannot be established to register the product and download modules and updates.
The interfaces section lists all available interfaces on the SmoothWall system and allows them to be
configured as internal interfaces or reserved for external connectivity. The default interface is the only
interface that does not have an “internal” tickbox next to it, as the default interface should always be an
internal interface.
If the SmoothWall installation sets the default interface to one that is to be used for an external
connectivity profile, please change the default interface to be an internal interface.
Advanced:
The advanced tab allows customisation of some TCPIP features on the SmoothWall system. In general,
these settings should be left at the default. However, increasing the Connection tracking table size should
be done on firewall systems with more than 1000 users behind it. Also, the SYN backlog queue size
should be increased to 4096 on Guardian systems with more then 500 users behind it. This does consume
a small amount of memory.
Traffic Auditing:
The auditing settings are for logging ALL traffic going to, through or leaving the SmoothWall system.
Internal client Traffic sent thro ugh the Smo o thWall will be allo wed Internet
SmoothWall
External Aliases:
This page will only show up on Corporate Firewall and SchoolGuardian if the SmoothHost module is
installed. SmoothHost is included in Advanced Firewall and the SmoothGuard UTM-1000. Here it's
possible to configure multiple aliases for any external connection, primary or secondary. It is also possible
to set an alias and tie it to a specific connection profile.
Alias 1: 1.2.3.5
Alias 2: 1.2.3.6
Alias 3: 1.2.3.7
External aliases are naturally often used in conjunction with a DMZ setup. A DMZ is a network zone,
where servers that has a direct port forward are placed. A port forward to any server is a potential security
hole so it is prudent to place the accessible servers in an isolated zone.
The following guidelines should be looked at in order to ensure proper usage of a DMZ network:
• Always isolate the DMZ from the local network.
• Always use as few of the SmoothWall services on the DMZ network.
• If any pinholes need to be created, lock them down to IP addresses and ports in order to be as
specific as possible.
Often we see a DMZ with full bidirectional access to the local network and we even get customers
wanting to VPN to the DMZ network. Both conditions completely invalidate the DMZ idea and turns the
DMZ and the LAN into an insecure local area network. If any access is needed to the servers, open access
normally, using a port forward. It's better to use the front door, rather than opening back doors into the
local network. Remember that the servers in the DMZ are not the ones protected by the DMZ – the local
area network is the zone that is protected by the presence of a DMZ because the internet accessible
servers are now on a separate network.
Internal Aliases:
Here aliases can be configured on the internal interfaces. No services normally available on the parent
interface will be running on the internal aliases though.
Connectivity:
Here external connectivity profiles are created for the primary connections. Connectivity profiles are used
by the primary connection. Multiple profiles can be configured and each profile can be set to failover to
another profile in case connection is lost.
In order for failover to be configured, failover IP addresses needs to be entered. These addresses could be
the ISP Mailserver, DNS server or other IP addresses that are known to be reachable and stable. Entering
2 IP addresses decreases the likelihood of a “false” failover.
The “Auto Connect on Boot option” in the connectivity profile allows the connection profile to connect
after a reboot. It does not specify which connection will be brought up after a reboot, so all profiles can
have the option enabled. The connection that will be brought up after a reboot is the profile last selected
on the main page.
On Advanced Firewall and SmoothGuard UTM-1000 there will be an additional 2 tickboxes available for
a connectivity profile as well as for the secondaries configuration. Then enable the Outgoing Load
Balancing and Load Balance Web Proxy Traffic features.
Primary
Internet
Mail server is excluded by Seco ndary 1
IP. No traffic is LB fro m the
excluded IP addresses. Seco ndary 2
Seco ndary 3
The Load Balance Web Proxy Traffic is only a valid option if the proxy is running on the SmoothWall
system. It has no effect otherwise. Also pay attention to the weighting metric set on the interface. The
metric is a way distributing traffic across load balance interfaces – if 2 interfaces had set a weighting of 1
and 3 that means that of 4 outgoing connection, 1 will go out via the interface with a metric of 1 and 3
will go out of the interface with a metric of three.
NOTE: Even if an interface is used for a secondary connection, a primary profile can still be
created using that interface. If the primary connection profile is then activated, the secondary
connection using the same basic configuration, will be deactivated.
PPP Settings:
Fairly self explanatory page where PPP profiles are created for dial-up purposes. Do not enable “Dial on
demand” options AND “persistent connection” at the same time. Also increase the default value of 10 in
the “Maximum retries” field to 100 or more as 10 retries can sometimes finish before the ISP allows
reconnects again.
Secondary Connections:
On SmoothWall Advanced Firewall and SmoothGuard UTM-1000 it is possible to have multiple external
connections. One primary connection and multiple secondary connections. The reason they are divided
into primary and secondary connections is because the secondary connections have some restrictions to
both setup and functionality, as compared to the primary connection.
Restrictions on secondary external connections:
• Secondary connections can only be NIC based with static IP address.
• L2TP connections can not be made to a secondary connection.
The main function of the secondary interfaces is to offload traffic from the primary connection.
SmoothWall
Web Request 2 Seco ndary 1 - Web request 1
In Figure 26 we have 3 external connections. 1 is the primary and 2 are secondary connections. One of the
secondary connection details has also been entered as a failover profile for the primary connection.
To offload web browsing traffic from the primary interface, we are load balancing proxy traffic on the 2
secondary connections. All web traffic will now go trough the 2 secondary connections, relieving the
primary connection from handling web traffic.
Primary – Do wn
Web Request 1
Seco ndary 1 - New Primary
All po rt fo rwards and VPN o n Internet
Smo o thWall
new primary.
Web Request 2
FTP Request 1
In Figure 27, the primary connection has failed and the failover profile for the primary connection has
been activated. Since the failover profile is based on one of the secondary connections, the secondary
connection has been brought down and then activated again as a primary profile.
All web proxy traffic is now handled by the single secondary connection. Since one of the secondaries has
now been removed and reinstated as a primary, the only interface left to load balance proxy traffic is the
remaining secondary connection.
All port forwards that were in place on the primary connection are still active on the failover profile so all
hosted services will still be available albeit on a new IP address. In the case of mail servers, a MX record
can be added for both primary and failover IP addresses, with a low value for the primary connection and
a high value for the failover connection. Mail will then always be delivered to the customer, even if the
primary connection has failed over.
NOTE: Web proxy traffic can be sent out via one interface by simply enabling the load balance
proxy traffic on that interface alone.
Firewall Section:
SmoothWall firewall products are designed to be NAT firewalls. NAT stands for Network Address
Translation and the technology allows multiple computers to access the internet only using one IP
address. The firewall keeps track of outgoing requests, rewrites the source IP and port and returns any
replies to the IP address that originated the request. Traffic between internal interfaces can also be
restricted, making the SmoothWall behave a like a transparent firewall for the internal networks. All
traffic to external networks will be NATTED.
The alternative to a NAT firewall is a transparent firewall. A transparent firewall works like a router and
only allows ports through, as configured by the network administrator.
The main firewall functions can be found in the networking and firewall sections. The firewall section
deals with external connectivity and port forwards, whereas the network section deals with internal access
rule and internal routing.
Internet
Port Forwarding:
Here is where port forwards are configured and where the incoming load balancing is set up. To set up
incoming load balancing, simply forward the same port to 2 or more different internal IP addresses
running the service. The incoming load balancer will then divide incoming requests between the
configured port forwards on a simple round-robin basis.
A new feature in version 2008 is the inclusion of port rules. Look at the list of ports and you can see the
ports list is now divided into sections or groups. One can select a single port from the list or the entire
group. Additional groups and lists can be configured in the networking - advanced – port groups section.
NOTE: Always remember to check that the correct protocol is being forwarded. DNS traffic is
UDP for example, whereas HTTP is TCP.
TIP: All port forward rules can be logged. Enable this on the configured rule and go to the
firewall log section. Select “Port Forwards” in the section drop down list and press update. You
should see all incoming packets that match the port forward rules, that have logging enabled.
TIP: Incoming load balancing can also be done over multiple external interfaces.
TIP: If the port forward uses the same destination port as the source port (i.e. 80 -> 80) it is not
neccesary to enter the destination port. The destination port will default to the same port as
specified in the source port option.
Source Mapping:
NOTE: Replies to incoming requests on an alias, will always be answered with the source
address being the same as the address the request was received on so only services that initiate
internet traffic needs to be source mapped.
Advanced:
This section allows the user to enable some helper application modules, which can assist certain protocols
in traversing NAT. Most of these helpers are obsolete except for the FTP helper.
TIP: We recommend using SCP instead of FTP – a nice SCP GUI for the Windows platform is
WinSCP. SCP only requires one port and traffic is encrypted, so it is a much easier protocol to
handle than FTP. For remote and home workers that need to be able to access or upload files it is
by far the easiest and most secure solution to manage. WinSCP is a freeware application too.
Outgoing section:
This section was previously the SmoothRule module. Here outgoing traffic can be managed by creating
outgoing firewall rules. The section works by creating rule sets and then applying the rule sets to IP
addresses, ranges or networks or applying the rule sets to authenticated groups.
Apart from blocking ports, the outgoing section module will also assist in blocking Peer to Peer data
transfers, This is done by deep packet inspection and by blocking key frames that are used by the various
Peer to Peer applications.
The external services tab is used to allow access to services only on specified servers. Enter the server IP
addresses and the service that the server hosts and that is the only server accessible for that service. For
example if all SMTP traffic should go via an external relay host, the relay host IP and port 25 can be
added to the external service list and no one will then be able to reach port 25 on any other servers than
the one specified in the external services tab.
Co nfigured so urce
rules:
19 2.16 8 .1.10 0 will no t be able to access SSH o r POP3. Peer to Peer traffic will no t be
blo cked.
Traffic Section:
Please refer to the SmoothTraffic chapter later in this book.
Authentication Section:
Please refer to the Authentication chapter later in this book.
Proxies Section:
SIP:
The SIP proxy service. Used for SIP clients – we have not tested this with VoIP PBX servers.
Web Proxy:
The Web Proxy service comes with all SmoothWall firewall products. This section is removed if
SmoothGuardian is installed as that will then have the proxy controls in the Guardian GUI.
IM Proxy:
The new addition to the long list of features in SmoothWall products. The IM proxy works by
transparently intercepting IM messages from IM applications like MSN , ICQ/AIM, Yahoo, and Gadu-
gudu – The IM proxy is limited in functionality and does not support all IM applications yet. Some, like
GoogleTalk, are using SSL traffic which of course prevents logging of conversations. MSN Live
Messenger will use proxy settings set in Internet Explorer so will not be going via the IM proxy. An
update to the IM proxy in FP1 will allow Guardian to distinguish between IM and normal web traffic and
redirect the IM traffic through the IM proxy. Until then, other clients like Pidgin can be used. They will
not automatically use the configured proxy settings and Pidgin is even add free and simple to use!
SNMP Section:
SNMP:
Fairly simple page. Just enable and enter the community string.
DNS Section:
Static DNS:
The static DNS section is basically an interface that allows the user to manipulate the host file on the
SmoothWall system. On the SmoothWall system, the hostfile will be queried first, before asking the DNS
servers for hostnames. This is useful if there are hosted services on the LAN and clients on the same LAN
need to resolve the hostname to an internal IP address.
TIP: The SmoothWall is not a DNS server. If there are more advanced requirements than just a
hostname lookup, MX Records for example, please use a proper internal DNS server.
Dynamic DNS:
Dynamic DNS providers are also supported in the SmoothWall firewall products. Some providers require
a Windows client to be installed. If that is needed, just install the client on a box behind the SmoothWall.
The Update will still be done for the source IP address and that will be the external IP of the SmoothWall
system.
IDS Section:
SmoothWall firewalls also have an intrusion detection system. We were going to offer SmoothWall
packaged rules for the IDS system, but unfortunately our talks with SNORT were put on hold as SNORT
were negotiating to be bought by a competing company. The sale has now been put on hold and
SmoothWall is renegotiating the rights to distribute SNORT IDS rules as a SmoothWall package but no
resolution is in view at the time of writing. Currently, the latest rules will have to be retrieved from the
SNORT website using the Oink code system.
Some customers were under the impression that the IDS actually blocked packets that were recognised by
the IDS system. That is not so. The IDS system does not block any traffic – it analyses and logs.
The latest IDS rules can be downloaded from www.snort.org. A paid subscription allows access to the
latest rules. Registered users can also download the same rules, but with a weeks delay. The SmoothWall
firewalls use snort version 2.6 so make sure the IDS rules are for that particular snort version.
DHCP Section:
The well known DHCP service. Read the help :) The DHCP service has only the most basic options
available for configuration via the web interface. FP1 has a scheduled addition to the DHCP server
settings that allows the user to add any of the many DHCP config options manually.
Chapter 8: Main
The main section only displays two tabs – main and about.
Main Section:
The main page is used to connect and disconnect the primary external connection. That is the only
function that can be accessed from the main page, selecting and connecting the primary external
connection. If there are multiple connection profiles, please remember to select the appropriate profile in
the connection profile drop down list. Also remember that the select button has to be pressed after
choosing an entry in the drop down list.
The rest of the main page is used to display reports and system information – the sections displayed here
can be customised using the settings page in information, which we will be looking at shortly.
Dashboard
The dashboard is a new feature in version 2008 – the dashboard show real time information rather than
the static displays earlier seen. The various sections in the dashboard or the dashboard itself can be
enabled or disabled in information - settings – settings.
NOTE: The various dashboard reports can take a while to generate so do not be alarmed if the
reports are not filled in when the main page Is accessed initially. The reports will show when the
system has finished generating them.
About Section:
This page holds licensing and ownership information. The ownership information is the same that was
entered when first connecting to the system. If this needs to be reset or the serial number needs changing,
connect to the command line and run the following command:
# echo>>/settings/main/ownership
Once that command has been run, connect to the web interface again and the registration screen will pop
up to allow the user to enter new serial number and ownership information.
Chapter 9: Information
The information section is where system information, reports, logs and other information can be gathered.
Alerts and email reports are also configured here.
Reports Section:
Summary:
This page is customisable by creating a report template in the information - reports section and then
setting the system summary page to display that template in information – settings – settings section. The
main page can also be customised using the same process.
Remember that a huge amount of reports will taek a long time to generate so including them on the main
page is probably not a good idea as that is the first page that is accessed when logging in. The system
summary page is a better place for custom reports.
System lo ad graph
Wo rry if co nsistently abo ve
10 . Multiply by number o f
CPU.
TIP: System load average can be seen on the graph pictured. The current value can also be seen
at the bottom of the main page as well as be monitored realtime running the top command.
A value of 1 means everything is handled in a timely fashion. On a dual cpu system, the value would be 2
as there are 2 CPUs. Spikes are normal and should be expected. As a very general rule, if the value
consistently is above 10 (or 20 for a duel CPU system, 40 for a quad CPU system, etc) the system cannot
cope adequately
TIP: The Traffic Statistics report is the more precise of the traffic reports. The graphs can
sometimes give misleading peak reading – the averages should be fairly accurate though.
Customize:
The customize section allows the user to generate a custom report or report templates consisting of the
reports wanted for a specific occasion.
Templates:
Once a template has been created in the Customize section, the template is listed here.
Scheduled:
The scheduled reports allows the configuration of a collection of reports to be generated and mailed to
configured users.
Alerts Section:
Alerts:
Same principle as the scheduled reports section. Select the configured group and then add the alerts to the
configured group. The “Instantaneous alerts” option can require some processing power and is constantly
monitoring the log files. For that reason, it is often not a good idea to enable instantaneous alerts on very
busy systems.
The traffic graphs section is a bit of a loner in this area – a nice experiment in web coding that will show
you the traffic rates as they pass through the various interfaces on the SmoothWall. We are currently
TIP: Traffic graphs can also be seen on the command line using the “iftop” command. The
realtime graphs only show total traffic per interface but if traffic per IP address is needed, then
“iftop” is the tool to use.
Logs Section:
One of the strengths of SmoothWall products is the excellent logging facilities it offers. Everything can be
logged on the SmoothWall. The auditing function, which is enabled in the “network – interfaces –
advanced” section, can be set to record all traffic going to or through the SmoothWall. Logs can be
backed up to an internal or external server using the automatic backup functions in the system section or
SmoothWall can be configured to send logs to a syslog or even send them weekly to an SSH
verver.server.
All logs are saved on the /var/log partition on the SmoothWall. If there is ever the need to look at the raw
logs, they can be found in here or exported from the log viewer web GUI.
System:
The system logs tab shows all system messages. The section drop down list allows the user to select a
specific subsystem to investigate. The messages here are for the various subsystems running on the
SmoothWall – not necessarily logs about what the subsystem does when it runs. For example, the logs
from the Web Filter engine can be seen here, but to see what the web filter itself is logging, you need to
go to the web filter log page.
Ipsec:
The logs showing what the running tunnels are talking about. Later we will have a quick tour of the
IPSEC log messages and what they mean. When using the drop down list to narrow the log display down
to a single tunnel, please bear in mind that sometimes, depending on configuration options and identity
information, the initial first 2-4 messages can be listed under a different tunnel name. This is because the
identity information is not exchanged immediately but a little while into the conversation between the
involved gateways.
Firewall:
All traffic logs are accessed on the “firewall” tab. As on the “system logs” tab, the “firewall” page has a
section drop-down list, where the different types of logs can be accessed. Selecting main in the section
drop down list will display all the traffic that has been blocked by the SmoothWall. Selecting port
forwards in the section drop-down list will display any logs of port forwards. Remember that logging on a
port forward rule needs to be specifically enabled on port forward rules in order for the traffic to show up
in the port forward log. Only the port forwarded traffic will show up in the log, not any replies to a port
forwarded request.
Email:
The processed mails are listed in the maillog viewer.
TIP: When diagnosing SmoothZap issues it may be a good idea to have a quick look at the
/var/log/maillog-[year]-[month]-[day] file, as there is no web interface access to the complete
IDS:
Here all IDS logs are displayed. As stated before, only enable relevant rules in the IDS system or the logs
will become large and subsequently time consuming to look through.
Settings section:
Settings:
Here the reports shown on the main page and the information pages are configured. Just tick and save.
The main page is the initial page shown – if the more complicated reports are selected to be shown on the
main page, the main page will take some time to load. The more extensive reports should probably only
be shown on the system summary page in the information section.
Logging Options:
The logging options tab accesses the log settings. On this page, the log system can be set to watch out for
disk space, set retention of the different logs and a syslog server can be configured. One of the options in
the log retention drop down lists are postfixed with the designation “Large” - this option should be used
on busy systems that generate large log files. The option will rotate logs each day, still keeping them for
whatever period is set in the retention options. That should prevent any log from growing to over 2GB in
size as that is the limit where the log subsystem has problems with parsing the log files. Smaller files are
easier for the log viewer pages to display too, so if any slowness is experienced when viewing logs,
setting one of the “Large” options for those logs would also be a good idea.
NOTE: It is a good idea to set the logging options to one of the “Large” options so they rotate
daily, both for Guardian and Zap, in almost all circumstances. It will probably be the default
setting in upcoming versions.
Groups:
This section will allow you to configure the recipients of reports and alert email and SMS messages. To
be able to send SMS messages, access to an SMS gateway provider is needed.
Alert settings:
The alert settings set the values for when the alerts should be generated.
Output settings:
The output settings allows the configuration of smtp servers and sms gateways.
Maintenance Section:
Most pages in the maintenance section are self explanatory and will not be elaborated on in this course. If
there is any doubt as to functionality, please refer to the help page for the section.
Updates:
The updates page is for downloading and installing released updates. This procedures for installing
updates has changed in version 2008. Basically the system will download all available updates and install
them in the correct sequence. No longer do you need to install each update separately as the SmoothWall
will take care of all pending updates in one go and in the correct sequence.
Modules:
The modules page is for installing and removing modules. Version 2008 will install any and all modules
that were installed on the previous version, if an in place upgrade is performed.
Licenses:
The licenses page is for refreshing the system licenses. This page needs to be updated when new licenses
for the system has been purchased.
NOTE: If new Guardian licenses have been added, the Guardian module will need to be
restarted, for the new licenses to take effect.
Archives:
This section allows the configuration of various types of archive profiles. Archives can be created that are
meant for replication, configuration backups or log archiving.
When restoring an archive a list of settings contained in the archive is displayed so areas can be
deselected before the restore occurs. Try to mark an archive and press the restore button.
NOTE: When uploading a backup archive to the archives page, remember to enter a name in the
“archive name” field, before uploading it.
NOTE: When restoring settings to new hardware, especially a system with new network cards,
do not restore the ethernet settings section.
Scheduler:
TIP: The SSH server receiving the backup files does not need to be on the internal networks.
SmoothWall can send these files to an external server if need be. A reseller of ours is backing up
his customers SmoothWall configuration each week to their own SmoothWall system.
NOTE: When replicating settings or archiving logs, do not enter a target IP that is behind a VPN
where the SmoothWall system is an endpoint. When archiving to external systems, the external
IP address needs to be the target IP.
TIP: When creating archives for remote backup or replication do not include the blocklist or the
download cache options. Blocklists are downloaded automatically daily by Guardian itself and
the download cache is not needed. Omitting these two sections keeps the archive size under 1
MB, which is good for speedy transfers to slave systems or remote archival destinations.
Replication:
The replication page allows the configuration of a SmoothWall system as a master or a slave. A master
replicates settings to the configured slave systems. This is NOT the same as hardware failover setup.
Replication is meant to be used when some settings can be shared between two independent systems, like
web filter settings.
Shutdown Page:
Shell:
When this section is opened, a java ssh client applet is run. This allows the user to connect to the
command line of the SmoothWall system. Java needs to be installed an enabled in the browser for this to
function correctly. Once the java applet has loaded, a login box will be displayed. Log in as root or setup
to access the command line.
NOTE: The setup user does not have a password initially and it is not asked for at installation
time anymore. Log on as root and run the setup program by issuing the command “setup” and
then configure a password for the setup user.
Preferences Section
Fairly small section with a couple of important areas.
User interface:
Various options for the web interface. The description field sets the name shown in the browser title bar –
it does NOT change the hostname of the system. The hostname needs to be changed on the hostname tab
in the same section or in the setup program.
Time:
The SmoothWall can also get time from internet time servers and can function as a time server for the
internal networks. A time proxy if you will. The time service is NTP and it runs on port 123. Remember to
enable all the interfaces you want the time service to be running on.
Also remember to enable the “Save time to RTC” feature if the time needs to be saved to the hardware
clock.
NOTE: When setting the hardware clock in the BIOS, please set the time to GMT time. Once
that is done, the OS will adjust the system time and can also adjust the hardware clock if need be.
TIP: Windows servers can be set to use a NTP time server using the setsntp command.
Remember to restart the time service after issuing the setsntp command.
Upstream proxy:
This setting has nothing to do with the proxy or web filtering services that can run on the SmoothWall
system. This settings is used by the SmoothWall itself when the system tries to register with our
registration servers.
Hostname:
This tab allows the user to change the hostname of the system. A reboot is required for the system to
generate a new SSL certificate used by the HTTPS connections.
External access:
The term can be a bit misleading as access on the internal interfaces is configured here as well. The list of
ports that can be opened are:
All available interfaces will be listed in the interface drop down list as well as the L2TP and the IPSEC
interfaces. If access to any of the services in the above list is accessed from a VPN connection, the
appropriate rules will have to be created.
TIP: Contrary to previous versions of SmoothWall software, rule configurations are NOT deleted
when they are edited.
Passwords:
The passwords section allows the setup of multiple users and permissions. The admin user is the default
user and cannot be removed. If other usernames are wanted, enter them and check the areas the user
should be given access to.
NOTE: If two people are logging in using the same username, user 2 will logout user 1 when he
logs in. Use separate usernames for different administrators, This also has the benefit of being
able to see who was logged in when.
Hardware Section:
The hardware section deals with UPS settings, hardware failover (on Advanced Firewall ), modem
settings and firmware upload to the Thomson Speedtouch ADSL modems.
UPS:
Only APC UPS devices are supported by the UPS software on the SmoothWall systems.
Failover:
This allows two Advanced Firewalls to be setup in Active/Passive failover mode. The failover mechanism
is fairly simple – an interface is configured on both systems to connect the two systems. This interface is
named the heartbeat interface. Configuration information and “are you still well?” questions are
transferred over the heartbeat connection.
Once the connection between the heartbeat interfaces is broken, the slave system will go live and send out
ARP broadcasts to the connected networks to make routers and clients forget about the MAC addresses
associated with the IP addresses configured on the SmoothWall.
To setup two systems in a failover mode, the setup routine needs to be followed to the letter.
Now the master should be up with the heartbeat service running. Prepare a transfer medium and put the
slave archive on it. A CD or a USB pendrive is probably the best options as the slave archive probably
will not fit on a floppy disk.
Master
Internal NIC External NIC
Internet
Lo cal Netwo rk
Heartbeat interfaces
Slave
After a reboot of the slave, the failover system should be running. Confirm that the slave is accessible by
accessing it using the url: https://master.ip.address:440
Settings will replicate to the slave system every 5 minutes. The time of the last replication will be
displayed on the slave system, however the replicated settings will not be displayed on the slave system
until the slave is brought live.
Updates will be transferred to the slave system and be applied once they have been applied to the master –
however the slave system will not reboot if any of the updates require it – that will need to be initiated by
an administrator.
Once the slave is up and running and accessible on port 440, try putting the master into standby mode.
After about 1-2 seconds, the slave should have taken over. The Slave can then be told to go into standby
made and after 1-2 seconds, the master should have taken over again.
Diagnostics Section:
The Diagnostics section has a couple of tools and diagnostics utilities which could prove helpful in
troubleshooting network issues.
Configuration tests:
A set of standard diagnostics that the system can run to perform a self check. A green button next to the
specific test means the test passed and all is OK. A yellow button means the test failed in an inconclusive
way – possibly because the value tested has not been configured. Red buttons indicate a condition that
needs to be addressed.
Diagnostics:
The diagnostics page can generate a text file with most of the configuration files on the SmoothWall
system. This file will be asked for often by SmoothWall support. The diagnostics file contains ownership
information and the serial number and configured IP addresses and network but no passwords or other
sensitive information is included.
The diagnostics file also contains the last 50 lines of the various system logs which can be a great help in
diagnosing web interface issues.
IP Tools:
The IP tools contains a web interface to the “ping” and “traceroute” command. Both useful tools when
troubleshooting network issues.
NOTE: Clients behind the SmoothWall system will not be able to ping the external IP address of
the SmoothWall. Allowing that opens a possible security hole so it has been disabled.
Whois:
A whois lookup can also be done directly from the firewall log viewer – mark an IP address and press the
lookup button at then bottom of the firewall log viewer page. That will link to the whois IP tools page and
run a whois on the selected IP address.
Traffic analysis:
While the realtime traffic statistics viewer and the traffic statistics table shows the amount of traffic going
through the various interfaces, this traffic analysis tool will display exactly what type of traffic that has
passed through the selected interface during the time period specified. This is a good way to find IP
addresses consuming a lot of bandwidth or just to get an overview of what type of traffic is passing
through an interface.
Once the analysis has run for the specified amount of time, the results will be collated and displayed in a
report.
All SmoothWall products are designed to be managed and configured from the web interface. In order to
successfully manage a SmoothWall firewall, the command line should not be needed. For troubleshooting
purposes however, the command line can prove invaluable. Here we will go through some of the
commands available and the uses the administrator can put those tools to.
Tools for looking at logs and configuration files
grep: Returns lines matching a specified text string from one or more files.
more: Pauses output after one screen has been filled. Press space to advance.
Examples:
#> grep my_word access.log | more
#> grep my_word access.log > newlog.txt
The last example uses the “>” sign to send the output of the command to a text file instead of the monitor.
The “>” sign overwrites the named file with the output of the command.
Using “>>” will append the output to the text file.
Can be used in a real-time mode to watch log entries as they are written. Just like the realtime log viewer
in the web interface.
Examples:
#> head –n50 access.log
Displays the first 50 lines of the access.log file.
Examples:
#> tcpdump -nqi ethB port 80
Displays all traffic reaching ethB on port 80.
#> tcpdump -nqi ethB host 1.1.1.1 and not port 222
Displays all traffic reaching ethB with 1.1.1.1 as either destination or source and does not display any
packets for port 222 – this can be useful when remotely connected using ssh.
Examples:
#> iftop -ni ethB
Displays all traffic going through ethB.
#> TERM=linux
#> trafficmon
Show the SmoothTraffic realtime statistics in color.
Examples:
#> scp -P 222 file.txt root@smoothwall.ip.address:/tmp
TIP: All the above commands have multiple options that can be used. Search on Google for the
commands to learn more, or issue the command “man command-name” on a standard Linux
system.
All the modules are run in a chrooted environment. This means that the process only has access to a
limited filesystem, containing only the libraries and files the module needs to run.
This means that if any subsystem is hacked, then other areas on the firewall are still unaccessible to the
hacker, as the hacked process is unaware and unable to access the rest of the system.
Web Pro xy ro o t:
/mo dules/pro xy/
Advanced Firewall
Directory integration Authentication can connect to a directory server
Group Bridging Internal access rules can be applied based on logged in users.
Outgoing Rules Can apply rule sets based on logged in users.
SmoothGuardian Can set web browsing permissions based on logged in users.
Corporate Firewall
Outgoing Rules Can apply rule sets based on logged in users.
SmoothGuardian Can set web browsing permissions based on logged in users.
School Guardian
Directory integration Authentication can connect to a directory server.
Group Bridging internal access rules can be applied based on logged in users.
Outgoing Rules Can apply rule sets based on logged in users.
SmoothGuardian Can set web browsing permissions based on logged in users.
Network Guardian
Directory integration Authentication can connect to a directory server.
Guardian Can set web browsing permissions based on logged in users.
If The AD DNS structure is co rrectly set up, just enable the auto matic realm disco very o ptio n:
It m ay be needed to narro w the gro up search path, as listing m o re than a co uple o f hundred gro ups in
the web gui will be to o cumberso m e.
Use the fields belo w IF the abo ve o ptio n do es no t give the desired result OR the number o f retrieved
gro ups needs to be limited. Disable the o ptio n abo ve if entering data in the fields belo w.
Additional organisational units and other branches in the directory can be specified in the advanced fields
– all branches has to be part of the same ldap root.
It is recommended to use TLS for authentication as most directories will not authenticate passwords for
users is the requestor has not authenticated himself in some way.
As with the Novell eDirectory, the advanced settings covers the same options and the notes for them are
It m ay be needed to narro w the gro up search path, as listing m o re than a co uple o f hundred
gro ups in the web gui will be to o cumberso me.
Use the fields if the number o f retrieved gro ups needs to be lim ited o r extra
o rganisatio nal units needs to be included.
This affects most customers when they are using Guardian with any form of authentication. NTLM
authentication will just transmit the username (Not the domain) so NTLM cannot be used in multi domain
environments.
NTLM is also a Windows proprietary protocol and will not work with eDirectory or OpenLDAP. NTLM
About NAT
The introduction of NAT introduced some problems to IPSEC as the protocols used for transmitting the
encrypted data have no ports. With no ports to assign, NAT has a hard time keeping track of what packets
belong to where. In order to allow IPSEC to succeed in connecting through a NAT device, a NAT
application helper was concocted, like the FTP helper and the IRC helper. Helper application would
identify and tag the IPSEC traffic, so the IPSEC protocols could pass through the NAT without any errors.
That solution was not sufficient however. NAT was becoming more and more widespread and often the
IPSEC client would have no way of influencing the NAT device if the VPN connection did not work. A
client trying to connect from a hotel room, for example, would not be able to get the hotel IT staff to
troubleshoot their NAT device, in case of connection problems.
NAT-Traversal
A solution that did not rely on the NAT device was needed and a fairly simple solution was found. Instead
of using the standard IPSEC protocol directly they would become embedded in UDP packets, solving the
issue of the IPSEC protocols being portless and allowing NAT to correctly map connections. This solution
was called NAT-Traversal. Both the client and the gateway need to support it, but nothing needs to be
configured on any NAT device the traffic is passing. This is now the preferred method of passing through
NAT devices for all major vendors of IPSEC software and devices.
IPSEC Helpers
However, the old IPSEC/VPN application helpers were not removed from most black box devices – most
manufacturers apparently felt it would be removing a feature and would make their products less
competitive – which is kind of a paradox: “IPSEC Helpers break VPN connections that rely on NAT
Traversal, but we can’t remove it, because our competitors also break VPN connections.”
Fairly typical example of how sales and marketing completely disregards reality sometimes :)
In fairness the NAT Traversal technology took a little time to become universally adopted so keeping the
OpenVPN ports: TCP 443: The HTTPS port can be used by OpenVPN clients.
UDP 1194: Second option for OpenVPN client port.
Other ports: TCP 1701: L2TP port. Encapsulated in ESP or UDP 4500
when using L2TP over IPSEC.
TCP 1723: PPTP port. Not used by IPSEC but can be seen
hitting the firewall when L2TP clients first connect as the
connection will try PPTP first, unless specifically configured
not to.
GRE: Protocol 47 is the data transfer protocol of PPTP.
SmoothWall VPN
The SmoothWall VPN module comes as standard on the Advanced Firewall with 20 configuration
licenses. On Corporate Firewall and SchoolGuardian the tunnel module have 1 connection license as
standard. The tunnel licensing is for the number of configured tunnels – not concurrent users.
The OpenVPN licensing is included – the amount of IP's given out by the OpenVPN subsystem to
connected clients will also be limited by the number of tunnel licenses but here one can have more
configured clients than licenses.
NOTE: The OpenVPN requires a license pack to work. OpenVPN will not be functional using
only the built in single license that comes with Corporate Firewall or SchoolGuardian.
TIP: It will probably be a good idea to have a worksheet where tunnel information can be noted
down. A Tunnel Worksheet for every configured tunnel could be distributed to remote site
administrators and for local storage, in case tunnels need to be restored.
Certificates Examined
Digital certificates are becoming more and more common, but not a lot of people know what they are and
how they work. Hopefully, this section will shed some light on what they are and how they are used.
Certificate Authorities
A Certificate Authority can be loosely compared to a passport issuing authority. A country will issue a
passport to a citizen. To verify that the passport is genuine and that the holder is the same person that is
Certificates
As previously stated, a certificate has ownership information and 2 keys: a public and a private key. Any
information encrypted with the public key can only be decrypted using the private key - it is therefore
important to keep the private key private and inaccessible to others. The public key, on the other hand,
can be published widely.
Apart from the encryption keys, the certificate also has text information about the holder of the certificate.
That information is called the certificate subject and the certificate alternative subject. When creating a
certificate a number of fields need to be filled. The fields will be name, email, country, state, location,
department and so on. All meant to be used as identity information. The certificate subject consists of all
those values concatenated on a single line like this:
Certificate Subject:
C=UK/ST=Hampshire/L=Soton/O=SmoothWall Ltd/OU=Support/
CN=Soton SmoothWall/emailAddress=support@smoothwall.net
Specifying the alternative subject is easier than using the whole certificate subject, especially since the
formatting of the full certificate subject can vary from implementation to implementation.
Using the passport analogy, the certificate subject and certificate alternative subject can be compared to
all the text information in the passport, which serves to identify the holder. The authenticity of the
passport is verified by the physical passport itself and the picture of the holder. The picture can in some
ways be compared to the public and private key. Anyone can see the picture but only the holder looks like
the picture.
NOTE: Sometimes a warning will be seen in the IPSEC logs, stating that “No CRL list found”
or other reference to CRL. CRL stands for Certificate Revocation List. This error is not fatal it
only means that the IPSEC system tries to check validity of the installed certificates, but is
unable to, as the SmoothTunnel is not a certificate server and does not keep revocation lists.
Hopefully this section will have explained a bit about certificates and what they are. Using certificates is
not hard - it just takes time to learn the terminology and the relationships between CA and certificates.
NOTE: In previous versions, Certificate Subject Alternate Name was referred to in the local ID
type drop down list. This has now been changed to “Default local Certificate ID”.
NOTE: The drop down list “Authenticate by” has an option to authenticate by “Any locally
signed certificate” - That phrasing is somewhat confusing as the certificates do not have to be
signed locally for that option to be valid. The phrasing should be “Certificate provided by peer” -
this will get changed in an upcoming update.
Setting up Tunnels
The manual, setup guide, course slide and on-line help have very detailed walkthroughs of setting up
tunnels, so we will not be detailing the procedure here. Instead, we will be looking at common errors and
pitfalls, as well as best practises, when setting up IPSEC tunnel connections. We will also be explaining
the inner workings of the IPSEC protocols briefly.
NOTE: Most IPSEC capable devices does not support certificate authentication, so when
interoperating with those devices, PSK will have to be used.
NOTE: When using L2TP over IPSEC connections, the certificate the client is using has to be
created by the same CA that created the certificate used on the SmoothTunnel. This is the reason
for the “Local Certificate” field on the L2TP configuration screen.
Then examine the connection methods of the involved SmoothTunnels. Are any of the SmoothWall
devices behind a NAT device? NAT and IPSEC do not always coexist peacefully, so it's essential to know
if there is a NAT device in play.
A good look at the subnets that are to be connected is also a priority. This part of the planning stage is not
so much IPSEC related, technology wise. Routing is the issue to be examined here, so during this phase,
try to stay away from IPSEC specific technologies, as they have no impact on routing. When a tunnel is
up, it is transparent to the network and works just like a network cable connecting the two networks.
Adding a tunnel is basically just adding a route so try to isolate routing issues from IPSEC configuration,
as those two often gets mixed up and tend to confuse troubleshooting and planning at times.
Example: Creating a subnet tunnel between two locations that each use the same subnet will not
work. This is fairly evident when the problem is looked at as a routing issue, but not if the
problem is looked at from an IPSEC point of view.
Implementation
When the circumstances surrounding the IPSEC setup has been investigated, it's time to plan
implementing the tunnels. Some situations require special considerations when configuring the tunnel –
we will look at the most common scenarios here:
Dynamic IP addresses
Some obvious measures have to be taken when connecting to a SmoothTunnel that is using a dynamic IP
address. For the most stable solution, at least one of the SmoothTunnels should have a static IP address.
1 dynamic IP address
Set the SmoothTunnel with the dynamic IP address to initiate the tunnel. On the SmoothTunnel with a
static IP address, do not specify remote IP or hostname, just leave that field blank.
2 dynamic IP addresses
When dealing with 2 dynamic IP addresses, dynamic DNS hostnames needs to be used. The snag here is
that the SmoothTunnel only looks up hostnames when the IPSEC subsystem is restarted. This creates an
obvious problem, if one of the SmoothTunnels has been disconnected and then connects again on a new
IP. The reconnected SmoothTunnel will try to contact the peer, but the peer will try to send its response to
the IP address it last found when looking up the hostname.
Peer reco nnects with new IP address, lo o ks up peer IP and initiates co nnectio n
There is no easy solution to this issue currently. One way of handling this is to set up the most stable
connection as the “static” peer and let the remaining SmoothTunnels initiate the connection. When set up
this way, the only step needed to bring up a failed tunnel, would be to restart the VPN on the peer
SmoothTunnels that receive the connection.
NOTE: This applies to IPSEC subnet tunnels but only partially to IPSEC Road Warriors and
L2TP connections. When setting up a SmoothTunnel to accept Road Warrior connections,
NEVER use a NAT device in front of the SmoothWall.
L2TP client 1
As with the IKE phase, the IPSEC phase is concluded successfully with the message of “IPSEC SA
Established”.
L2TP logging
The L2TP connections are actually first using IPSEC and then, once the IPSEC tunnel is established,
L2TP inside the IPSEC tunnel. For this reason, there are 2 places to check logs for the L2TP connections.
The first part will be seen in the IPSEC logs section and the second part can be found in information –
logs – system. Select L2TP PPP in the section drop down list and press update to see the latest L2TP PPP
logs.
Other considerations:
One consideration that often surprises clients is that the Windows Network Neighbourhood is not
populated when using IPSEC or L2TP connections. The Windows Network Neighbourhood relies on
broadcasts, which are not sent over the VPN.
There are various means available, depending on the client software, to resolve this. When using the
L2TP connections, make sure the global settings on the SmoothTunnel specifies internal DNS and/or
WINS servers to use. Third party IPSEC clients will often have a setting to use a different DNS server
when connected – search for these settings when setting up a third party client. If there is no such setting
OpenVPN Setup
As mentioned in the introduction, OpenVPN has been included in the VPN functionality on SmoothWall
firewall products. OpenVPN provides another way of supplying road warrior connectivity to the networks
behind the SmoothWall. The setup differs a bit from both L2TP and IPSEC road warrior setups in that the
OpenVPN clients will connect and get an IP address on a “virtual” network. The network address is set in
the global options page in the VPN section and this network needs to on a different subnet than any other
networks attached to the SmoothWall system.
A zone bridging rule still needs to be configured to allow access to the LAN networks for the connected
OpenVPN users.
The options to “Force clients to use SSL VPN as gateway:” is used to make sure all traffic leaving the
clients local network is passed down the OpenVPN tunnel – this is analogous to the option to “Use
gateway on remote network” that can be found in the advanced tcpip settings on the Windows L2TP
client.
The option “SSL VPN client gateway:” is there to supply the client configuration with a hostname or a
different IP than the external one to connect to.
Client setup
Installing the client on a Windows PC is fairly easy. Just supply the clients with the install archive that
can be generated from the SmoothWall system, ask them to unpack and install the client using the setup
program.
Once installed, an OpenVPN icon will show up in the notification area. Click on that icon to start the
connection.
OpenVPN logging
The OpenVPN logs can be found in the information – logs – system section. Select OpenVPN is the
system drop down list to see the OpenVPN logs.
For example:
● Blacklisting and Whitelisting only works on incoming SMTP.
● POP Mails are NOT counted in the mail reports.
● A Greylisted mail counts as an RBL block in the reports.
● The “Processed by SmoothZap” message cannot be removed via the interface.
To remove the Zap message, clear the text from:
/modules/zap/settings/filter/simpledisclaimer.txt
and
/modules/zap/settings/filter/simpledisclaimer.html
● Without a mailshell license, none of the content filtering spam features are functional.
• Remember to configure a full hostname in the setup program. The hostname configured is the
hostname the MTA will use when sending mails to other mail servers. Often mail servers require a
full hostname from the server delivering the mails or the mails will be rejected. However, do not
configure the SmoothWall with the same hostname used for the mail servers domain in the DNS
servers MX record as that will confuse the SmoothZap system into thinking it should be
forwarding mails to itself.
The receiving mail servers will look up the mx record for the domain and get the IP address the
mail is coming from, so the hostname of the SmoothWall can be different from the MX record
hostname with no issues.
• Avoid using more than 2 RBL servers. Both as a courtesy and because RBL lookups could then
TIP:If a single mail needs to be deleted, run this command on the command line:
#/modules/zap/usr/sbin/postsuper -d emailID
The email ID will be shown in the queue viewer.
SMTP Logging
The SMTP logs can be found in the information section – both in realtime and in logs. The web gui log
viewer is concentrating more on email messages than actual engine messages so for troubleshooting it
may be needed to have a quick look at the entries in the actual maillog file on the SmoothWall system.
The maillog file is found in /var/log and is called mail-year-month-day.
Troubleshooting tips
Mail is also one of the areas we get relatively many support questions regarding. In many cases we are
asked about simple SMTP error messages that has been received or sent by a client or server – as said
earlier, SMTP and other error codes are easily looked up to get a head start on the troubleshooting process
and this should be attempted every time an error code is seen.
One other questions that pops up quite a lot is one of connectivity – is the SmoothWall open to incoming
mail requests for example. One easy way of checking this is to simply telnet on port 25 to the
SmoothWall external IP address – this can actually be done to any mail server and you should see a
connected message and a hello from the mailserver, which will prove that the connection is open and
available.
Telnet can be used like this to check access to other services as well and can be a useful tool for quickly
deciding if a port or service is open.
Chapter 15 – Guardian
Now it is time to sink our teeth into configuring the Guardian part of the SmoothWall system.
Configuring Guardian is quite a task – not so much because it is difficult, more because there are a lot of
things to remember and even more things to be aware of. In the following we are assuming that the
SmoothWall base system is up and running and that networking options have been configured correctly.
Often the initial configuration of Guardian gets a bit messy because an attempt has been made to
configure everything at once. A slow , steady approach is better, at least initially, until the software is
understood better. Separating the various configuration areas and preparing them one at a time will allow
a slow build up and also allow for much better troubleshooting options, as only one area is being worked
on. The sequence should be like this:
Following this sequence should minimise any configuration issues and get the SmoothWall system up and
running in record time. This chapter deals with the initial Guardian related tasks – we will move to new
chapters once we reach the third item in the above list.
Service Section
Proxy port:
The port setting here sets the port the clients should connect to. The port setting is actually the filter port –
the proxy port will be port 801. This becomes important if an IP address needs to be bypassing the filter
but not the proxy. If an IP tries to access the proxy port directly, the IP will get rejected unless the IP has
been added to the “Exception Local IP Addresses” list.
Transparent:
Transparent proxying will redirect any normal HTTP requests to the proxy. This method of proxying
somewhat negates the need to configure proxy settings on the client but has a large number of drawbacks.
In general, SmoothWall does not recommend the use of transparent proxying – we will discuss why later,
when we are investigating how to setup the client browsers.
There is also a couple of excellent articles available on support.smoothwall.net about transparent
proxying and about Guardian in general. Please have a look at the support.smoothwall.net site as there are
a good number of resources available both for firewall and filtering products.
Remote proxy:
When configuring the remote proxy option, use the format:
ip.address.of.proxy:port
This is the proxy the Guardian web filter needs to go through and may be the same setting as the proxy
settings found in system – preferences – upstream proxy.
Cache size:
The default value of 1500 MB for cache should be sufficient enough in most cases. Most web pages are
dynamically create these days and will not be cached anyhow, so the cache is really only useful for
images and other web resources.
If there are daily web downloads of large files, the cache will also be able to help there, provided the
object size is set large enough to allow large files in the cache.
Memory is used by the cache to store the map of the cached object and it goes without saying that a lot of
spacer gifs can be held in a couple of GB of cache, eating up memory for every single reference to a
cached object.
Banned and Exception IP addresses:
These two fields are proxy related. Exception IP addresses will be allowed to access the proxy directly on
the port 801, so they can completely bypass the filtering software. Only IP addresses listed in the
exception IP field will be allowed to access the proxy port directly this way.
The banned IP list is a list of IP addresses that will be rejected when they try to use the proxy – this will
happen even if a previous authentication method allows filter access.
NOTE: When using proxy.pac or wpad.dat files with Internet Explorer please be aware that
Internet Explorer has a setting that caches proxy settings and stops using the proxy if it thinks
the proxy is not working correctly any more. Because Guardian sometimes blocks pages,
Internet Explorer may start thinking that the proxy is not working any more. The symptom is
that Internet Explorer will browse happily until a block page is encountered – after that, Internet Explorer
will throw up the “Page cannot be displayed” error and will keep giving that error until Internet Explorer
decides to try the proxy again. The SmoothWall support site features an article with links to the Microsoft
knowledge base articles that details this issue and also shows what registry key is needed to change this
behaviour.
Also have a look in the information-logs section. The system logs page has a section drop down list.
Select the web proxy option from the section drop down list and press update.
If the proxy is running, try configuring a browser manually to go through the proxy and verify that the
proxy is accepting connections and browsing is possible. If proxy logging has been enabled, have a look
at the web filter log page in the information-logs section. Remember to select web proxy logs in the
dropdown list.
Preparing Guardian
Before we go into creating the filters we need to update the blocklist. Go to the Guardian – blocklist page
and check for blocklist updates. Download and install them if any are available.
The blocklist page hides another major update from previous versions. Blocklists are now updated
incrementally and automatically daily – previous versions required a complete manual download of the
blocklist whenever an update was available.
Understanding filters
Guardian 2008 comes with a set of predefined filters which can be used immediately – the default values
will serve as a good starting point for most organisations. Here however, we are going to delete all the
NOTE: Before we delete any filters, go to the system – maintenance – archives page and create
a backup of the existing Guardian configuration. That way we can reinstate the default filters if
need be.
Filter types
There are three different filter types in Guardian – each have their special meaning and function.
If a catego ry called sweets had been enabled, the fo llo wing wo rds co uld be co unted:
Assuming the phrase list value fo r tho se wo rds is 6 0 , the accumulated value o f the page wo uld be
18 0 (6 0 +6 0 +6 0 ) and assuming the blo ck phrase value was set to 150 , the page wo uld get blo cked.
No w we enable the catego ry “go o dphrases”, in o rder to prevent o verblo cking. The fo llo wing wo rds
then gets picked up by the filter:
Again assuming all the wo rd values are 6 0 and Diabetes is in the “go o dphrases” catego ry, the
accum ulated value wo uld no w be 120 (6 0 +6 0 +6 0 -6 0 ) and the page wo uld be allo wed.
File security
Fairly straightforward filter type of file types. File types can be specified by extension or mime type –
custom extensions and mime types can be added too. Other settings, such as maximum allowed size and
others are available too.
Content Security
This filter type is for web exploits and other tricks. Just like the content filtering system investigates the
text on the web site, the security content filter can examine the HTML code and remove known exploits
found in the code. Example of unwanted code could be address bar spoofing and pop-up windows.
NOTE: Each category has a short description that can be seen when hovering over the category
name with the mouse. Please read the description before enabling any category.
TIP: Do not enable the “Foreign language pornography” categories if the filter is NOT used in a
country that speaks the language. Enabling those categories can result in overblocking as there
are words in say Turkish that are naughty in Turkish but not in English.
All of the above categories can probably be blocked in most organisations. We did not add the
“pornography keywords” category as it contains phrases in non-english languages. In general the
pornography phrase categories should only be enabled in a country that speaks the language to avoid
overblocking. Most pornographic websites will use English words in the meta tags of the page anyway in
order to get as many search hits as possible so just using the English phrases will block most pornograhy
sites regardless of language.
Once the categories have been selected, press add and the filter is done. Note the user defined categories
at the end of the category list – this is where the categories defined in the “user defined categories” are
added.
Just creating a filter has no effect in itself, the filter needs to be applied in a policy for the filter to take
effect.
Next up is a security content filter. Select the “Content security” filter type and press the update button.
Enter a name of “Generic content rules” and add the following categories:
Search engines
"firefoxurl:" cross-browser exploit
Escaped shell code
Firefox cookie stealing
The last three categories can be found in the “Recommended security rules” category. Enable any others
that you may want and press the add button.
Lastly a file security filter is needed. Select “File security” in the filter type drop down list and press
update as usual. Enter a name of “Banned files” and add the following categories:
In-page executables
Bandwith wasting
Video
Whenever a web site has the phrase “Paris Hilton” in the text, it will get replaced with the specified
phrase.
Time rules
Before we move on to creating the policies, just a short note about time rules. Time rules are created by
defining the time period and then applying filters for that period in the policy list. Any and all type of
filters can be applied in a time based rule.
During this process, the test persons should also be given the unblock username and password, so they
can unblock sites without having to disturb the network administrator. The password can of course be
changed after the test run, but it is probably a good idea to give a senior employee the ability to unblock
sites during the first 2-4 months of having the filter in operation. This way, any filter problems can be
addressed in a timely fashion and then followed up later by the network administrators.
Guardian 2008 also has a softblock option that allows users to continue to a page that would otherwise be
blocked. The access is logged of course. This option allows everyone to continue at their own discretion
without having to bother an administrator to unblock the site first.
During this first test run, most of the kinks can be straightened out of the configuration. New URLs will
be blocked or allowed, and any problems can be identified without the entire network being affected.
Authentication Methods
Guardian supports a wide array of authentication methods. Setting up the authentication connection is
described in the authentication chapter so we will only deal with the types of authentication that the
Guardian system can use here.
As a rule, only one method of authentication can be used at any given time. There are exceptions of
course. On the SmoothWall support website the support knowledge base will have an article called “User
Authentication Options for Networks Comprising Mixed Computers and Browsers” - there all possible
combinations, restrictions and other considerations are listed.
Each authentication method has its own advantages and special considerations, which we will try to go
through here.
No User Authentication.
No authentication is required. Using this setting, all users are placed in the Unauthenticated IPs group.
Proxy authentication.
The standard proxy authentication pops up a dialogue when the proxy is accessed. Username and
passwords are entered and can be saved. Cannot be used if the proxy is set to transparent mode.
Proxy authentication (Terminal Services compatibility mode).
Same as above, but allows multiple different users to log in from the same IP address. Cannot be used if
the proxy is set to transparent mode.
NTLM identification.
Windows integrated identification. Outdated identification method that is still popular, even though it's
insecure and even Microsoft does not recommend using it. Main compatibility issues with NTLM are that
it's Windows specific and there is no guarantee that non Microsoft clients and browsers can support it. It
is also not capable of being used in a Windows 2000 multi domain setup, as the protocol was designed for
the flat NT4 server domain structure.
NTLM identification (Terminal Services compatibility mode).
Same as above, but will allow multiple users to log in from the same IP address.
NTLM authentication.
Same as NTLM identification but this method also checks the password – the identification only checks
the username.
NTLM authentication (Terminal Services compatibility mode).
Same as above, but will allow multiple users to log in from the same IP address.
Redirect users to SSL login page.
Selecting this option will redirect the browser to the SmoothWall SSL login page. Once there, the users
enter username and passwords to log in. The login page will need to be kept open for the login to stick –
if the page is closed, the login will time out according to the setting in the “services - authentication -
NOTE: A lot of customer use NTLM rather than the SSL Login page because entering username
and password is seen as a big problem (the same username and password the user just entered
when they logging into their workstation). Remember that credentials can be saved on the SSL
login page so the username and password will only have to be entered once.
Troubleshooting
As easy as it is to configure the filter policies on SmoothWall Guardian the results can sometimes be
different from what is expected. When that happens we need to bring out our troubleshooting tools and
find out why.
Troubleshooting the Guardian filter is mostly an issue when overblocking is occurring. If users are not
placed in the expected group, it's an authentication issue and cannot be solved by reconfiguring filter
settings.
When correcting overblocking it is very important to know why the page or domain was blocked. The
blockpage can be configured to show the reason the page was blocked and this information should always
If the block reason is given as banned domain, the domain will need to be added to the custom allowed
settings.
If the block reason is that the page exceeded the weighted phrase limit, check the web filter logs to see
what the score of the page is before raising the limit or allowing the domain/site.
If the block reason is given as Banned Regular Expression URL then a phrase has been found in the URL
that caused the page to be blocked. The site or domain can be added to the allowed content or the phrase
can be removed or exempted from the URL checks.
In case of errors in the configuration files, try to edit and resave the filter and policy settings for the
relevant group(s) and of course, do a sanity check and see if any categories have been enabled that are
mutually exclusive. The interface should warn you if such configurations are made but validation coding
is not a match for a properly tuned brain and a pair of eyes.
A few tips
Save the policy configuration regularly – while this is a fairly obvious piece of advice, the benefits are
major. Once you have the base configuration of the filtering policies save that as a backup and use it as a
template. In the downloads section of the SmoothWall support site a set of predefined policies can be
found which can be used in a pinch to reset filters and policies and start from a known good
configuration.
All Guardian filter logs will be found in the dansguardian directory and the proxy logs will be in the squid
directory.
Setting up the proxy settings manually is not an option in most cases as that would require setup on every
single PC in the organization. While configuring the browsers is not really a SmoothWall support issue,
we will give a couple of ideas and recommendations here as how to go about propagating the proxy
settings on your network.
Transparent proxy
Initially a lot of first time web filter/proxy users will look at the transparent setting and start to salivate.
With no configuration needed anywhere but a simple tickmark on the proxy page in the Guardian section,
the allure is powerful but watch out. There are a couple of fairly serious limitations to using transparent
proxying.
● No proxy for HTTPS. Transparent proxying works by redirecting any port 80 traffic to the proxy.
If HTTPS traffic is redirected, the connection will fail as a secure connection cannot be redirected
without the browser knowledge, as it were. Proxying HTTPS requires specific proxy setting so the
browser knows it's supposed to be proxied and a tag is attached to the http header to allow this.
● Applications are unaware they are being proxied. This can cause applications using the web ports
to fail. As more and more applications are using the web protocols, the risk of breaking
functionality is fairly big when using transparent proxying.
When telling new users that transparent is not an option they often become quite irate because they
believe they now have to manually configure all workstation at the location – but nothing could be further
from the truth. There are lots of ways to propagate proxy settings.
DHCP: Internet Explorer can get proxy settings from a DHCP server.
Automatic discovery: Most browsers support the automatic proxy discovery feature too.
Security Policies: Proxy settings can be set in an Active Directory security policy.
Those are just three ways. Logon scripts, ini files for Firefox. Customised IE or Firefox packages are
other options.
The articles above details how to resolve this issue using a group policy. On the SmoothWall support site
we have a downloadable .reg file that can be used to set those settings on a single workstation, so the
solution can be tested before applying it globally.
Traffic Schemes
The included schemes should be sufficient in most cases – some schemes have a configuration option
attached to them which needs to be set – please read the on-line help for the schemes to get detailed
information on each of the provided schemes.
New in SmoothTraffic
The new version of SmoothTraffic contains many improvements. While ADSL bandwidth is slowly going
up some management of bandwidth is often still required. Slowing down unidentified traffic is a great and
harmless way of discouraging unsanctioned use of company bandwidth.
This version now supports internal management as well as external. All interface speed values should be
filled in as precisely as possible to give the traffic engine the best conditions to prioritise the bandwidth.
Some ADSL connections vary a great deal in the actual speed available, which makes it hard for
SmoothTraffic – try the lowest reasonable estimate if using SmoothTraffic seems to generate erratic
results.
Another new feature are diffserv marks. Basically, packets can be tagged with a marker, which receiving
SmoothTraffics will recognise. Those packets can then be handled by SmoothTraffic which means that
traffic sent INSIDE the VPN can be prioritised as well as normal external traffic.
Instead o f co nfiguring an address rule to match the tagged traffic, we just apply the rule glo bally,
happily assuming all AF12 tagged traffic is heading fo r the PBX.
Two locations have IP-PBX systems, sending VOIP traffic via VPN.
Location 1 marks outgoing traffic from the PBX IP address with the AF11 tag.
Location 2 marks outgoing traffic from the PBX IP address with the AF12 tag.
Lastly, there is now a peer to peer tab that is capable of handling the most popular peer to peer protocols
by protocol – port numbers are not needed.
smoothadmin
smoothadmin is a built-in traffic rule that prioritises all the management ports and protocols, making sure
the SmoothWall can be accessed even when traffic is high.
webcache
webcache ensures that Proxy traffic has a min 5% of the line for its return traffic.
Localtraffic
This rule excludes local traffic from being restricted.
TIP: Try to run the program trafficmon from the command line. Issue this command first to
get nice colours on the display: TERM=linux. The trafficmon program displays real time traffic
staticstics according to SmoothTraffic Rule and Class definitions on every interface connected to
the SmoothWall. Use SHIFT+PAGEUP and SHIFT+PAGEDN to browse the list.
User portal
A lot of configuration options, reports and other functions could be handled by end users, rather than
network admins. SmoothWall is creating a user portal to allow end users to access various functions on
the SmoothWall system. Generating reports, viewing active users and logs and blocking users from web
access are but a few of the features that will be configurable from the SmoothWall portal.
IMSpector enhancements
The IM proxy has become popular but in it's current state it is a bit unpolished. New features are planned,
including the option to redirect IM traffic that is trying to go through the web proxy to the IM proxy
instead.
Ajax
No, we are not cleaning up in the offices, we are cleaning up the SmoothWall interface. Making the
SmoothWall interface easier and more manageable is an ongoing goal and the new Ajax web coding
standards makes it possible for us to turn the web GUI into a much more responsive GUI than was
previously possible. We already have a few ajax examples in our current product and we will be adding a
lot more in the future.