Smoothwall Question

[ddrueding]

I'm running smoothwall express 2.0 at a client site and need to block all outgoing traffic on port 25 EXCEPT that coming from a specific internal IP (our mail server). Someone somewhere has a virus and I keep ending up on the CBL.

Thanks.

 

[ddrueding]

Wow. So I was told that the Total Firewall Control mod would do what I need. I've downloaded the .tgz file, installed cygwin with ssh and sftp, and even managed to connect to the smoothwall via ssh and sftp. Now all I need to do is transfer the file to the /tmp folder on the smoothie...how do I do this?

I can't figure out where I am on the local machine. lls and lcd are't putting me anywhere I recognise and searching the local machine for the files it's listing comes up blank. typing 'lcd ..' repeatedly puts me in a folder that looks to me like a linux root; but I can't find it in my cygwin folder anywhere.

Help?

 

[time]

You should probably message or email Blakerwry directly. He's pretty switched on with Linux, but doesn't usually frequent the forum until the weekend.

One member who seemed to get into Smoothwall was Tannin, but that was some time ago, and of course I don't know how to contact him - short of a phone call.

One of our old SR cronies, Ian, was a Smoothwall fan ages ago, but I can't remember his nick (he's only ever made a couple of posts here).

I take it that this site is the one with ISDN? I can't think of any other reason why you would want to use Smoothwall over a conventional router.

 

[ddrueding]

I take it that this site is the one with ISDN? I can't think of any other reason why you would want to use Smoothwall over a conventional router.

Kind of. This is a network that includes 5 locations. 3 of them have T-1s one is DSL, one is Cable, and the last has 2 ISDN lines. I'm using the VPN capabilities and they are fantastic. Considering that Fry's is selling new computers with a XP Pro licence for $300, I turn them into smoothwalls and resell XP without issue. $200 can hardly get you a VPN-capable appliance.

 

[blakerwry]

lol, got finals so I probably wont be visiting too much for the next week. You're lucky I was up.


winSCP... awesome windows scp client that will allow you to scp files to the smoothwall.

The rest of the instructions seem like they will go fine. (I assume full cnotrll firewall was what was actually meant?)

4 - HOWTO install Full Firewall Control 1.2.1
	Grab http://sourceforge.net/project/showfiles.php?group_id=114890&package_id=132134 and upload it to your SmoothWall (using sftp
	on SmoothWall's ssh port 222) and place in the /tmp directory. To extract the files, login to your SmoothWall (ssh on
	SmoothWall uses port 222 for those that do not know), change to the /tmp dir and, execute the command:

		tar zxvf ./Full-Firewall-Control-1.2.1.tgz -C /

	Now run the install script by typing the command:

		sh /tmp/install.sh

	*IMPORTANT: The format of the port forwarding file has been changed and the old entries will not work. You need to either
	remove any old port forwards (recommended) or edit/update the rules once this is installed.

On another note, the same thing could probably be done via iptables directly (which is the firewall in use by smoothwall). For example, permit port 25 to the one IP, then deny port 25 to all other IPs.

The default /etc/rc.firewall.up for fixes 6

#!/bin/sh

# Disable ICMP Redirect Acceptance
for FILE in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $FILE
done

# Disable Source Routed Packets
for FILE in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $FILE
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for FILE in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $FILE
done

# Set timeouts.  2.5 hours for TCP.
#/sbin/ipchains -M -S 9000 0 0

/sbin/iptables -F
/sbin/iptables -X

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# IP blocker
/sbin/iptables -N ipblock
/sbin/iptables -A INPUT -i ppp0 -j ipblock
/sbin/iptables -A INPUT -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A INPUT -i $RED_DEV -j ipblock
fi
/sbin/iptables -A FORWARD -i ppp0 -j ipblock
/sbin/iptables -A FORWARD -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A FORWARD -i $RED_DEV -j ipblock
fi


# For IGMP and multicast
/sbin/iptables -N advnet
/sbin/iptables -A INPUT -i ppp0 -j advnet
/sbin/iptables -A INPUT -i ippp0 -j advnet
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A INPUT -i $RED_DEV -j advnet
fi

# Spoof protection for RED (rp_filter does not work with FreeS/WAN)
/sbin/iptables -N spoof
/sbin/iptables -A spoof -s $GREEN_NETADDRESS/$GREEN_NETMASK -j DROP
if [ "$ORANGE_DEV" != "" ]; then
        /sbin/iptables -A spoof -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -j DROP
fi

/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i ippp0 -j spoof
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A INPUT -i $RED_DEV -j spoof
fi


# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

# IPSEC
/sbin/iptables -N secin
/sbin/iptables -A secin -i ipsec0 -j ACCEPT
/sbin/iptables -A INPUT -j secin

/sbin/iptables -N secout
/sbin/iptables -A secout -i ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -j secout

/sbin/iptables -N block

# Let em through.
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -i $GREEN_DEV -j ACCEPT

# External access.  Rule set with setxtaccess setuid
/sbin/iptables -N xtaccess
/sbin/iptables -A block -j xtaccess

# IPSEC
/sbin/iptables -N ipsec
/sbin/iptables -A ipsec -p udp --destination-port 500 -j ACCEPT
/sbin/iptables -A ipsec -p 47 -j ACCEPT
/sbin/iptables -A ipsec -p 50 -j ACCEPT
/sbin/iptables -A block -i ppp0 -j ipsec
/sbin/iptables -A block -i ippp0 -j ipsec
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A block -i $RED_DEV -j ipsec
fi

# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
        /sbin/iptables -A block -p tcp --source-port 67 --destination-port 68 \
                -i $RED_DEV -j ACCEPT
        /sbin/iptables -A block -p tcp --source-port 68 --destination-port 67 \
                -i $RED_DEV -j ACCEPT
        /sbin/iptables -A block -p udp --source-port 67 --destination-port 68 \
                -i $RED_DEV -j ACCEPT
        /sbin/iptables -A block -p udp --source-port 68 --destination-port 67 \
                -i $RED_DEV -j ACCEPT
fi

# All ICMP on ppp too.
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A block -p icmp -i $RED_DEV -d $RED_NETADDRESS/$RED_NETMASK -j ACCEPT
fi

/sbin/iptables -A INPUT -j block

# last rule in INPUT chain is for logging.
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT

# Allow packets that we know about through.
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -o ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o $RED_DEV -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $RED_DEV -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state NEW -o $RED_DEV -j ACCEPT
fi

# Port forwarding
/sbin/iptables -N portfwf
/sbin/iptables -A FORWARD -j portfwf

/sbin/iptables -N dmzholes

# Allow GREEN to talk to ORANGE.
if [ "$ORANGE_DEV" != "" ]; then
        /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -m state \
                --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -A FORWARD -i $GREEN_DEV -o $ORANGE_DEV -m state \
                --state NEW,ESTABLISHED,RELATED -j ACCEPT
        # dmz pinhole chain.  setdmzholes setuid prog adds rules here to allow
        # ORANGE to talk to GREEN.
        /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -j dmzholes
fi

# VPN
/sbin/iptables -A FORWARD -i $GREEN_DEV -o ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec0 -o $GREEN_DEV -j ACCEPT

/sbin/iptables -A FORWARD -j LOG
/sbin/iptables -A FORWARD -j REJECT

# NAT table
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X

# squid
/sbin/iptables -t nat -N squid
/sbin/iptables -t nat -N jmpsquid
/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -j squid
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -j jmpsquid

# Masqurade
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADE
fi

# Port forwarding
/sbin/iptables -t nat -N portfw
/sbin/iptables -t nat -A PREROUTING -j portfw

Adding the following before the port forwarding section:

/sbin/iptables -A INPUT -p tcp -s 192.168.1.10/32 -d 192.168.1.1/32 --dport 25 --syn -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --syn --dport 25 -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --syn --dport 25 -j ACCEPT

This tells the smoothwall to accept connections to port 25 from the smtp server on it's LAN interface (assuming 192.168.1.x ip scheme where server is .10 and smoothy is .1), then denies all other SMTP traffic on the LAN (eth0). I also implicitly state that outside SMTP traffic is allowed... this probably isn't necessary with the way we configured blocking on a per interface level.

 

[blakerwry]

bah, I'm not having much luck with my iptables mods on the smoothy I ahve here ;-)

btw, the file was actually /etc/rc.d/rc.firewall.up

Better go with the mod, easier to maintain and edit later too.

-Blake

 

[time]

$200 can hardly get you a VPN-capable appliance.

This is how it's done on an $80 Vigor 2500:

It can do PPTP, IPSec and L2TP in both LAN-to-LAN and dial-in VPN. The firmware limits it to 2 concurrent VPN channels, but the Australian firmware expands this to 4. The VPN capability works well - I've had one at one end of a permanent VPN for the last eighteen months.

It is true that this tunnel went off the air a few weeks ago and I had to drop it to force a reconnection, something that hasn't been a problem with the more upmarket Vigors I've used. But many VPN users would kill for that kind of reliability.

The 2500 has a built-in DSL modem, as does the more powerful 2600+. The 2100V is a straight router with VOIP ports, but the main one I like is the 2900G, a US$200 router that includes VPN-secured 802.11g (with twin 5dBi antennae), 32 concurrent VPN channels, QOS, etc.

I've worked with several different brands of SOHO router and found DrayTek to be the only one with reliable VPN functionality, including interoperability with other brands. Very highly recommended.

 

[blakerwry]

Those options are so close to iptables I wonder if that thing isn't actually running embeded linux like the Linksys WRT54G series.

 

[time]

Well, it has to run something, but the code is a hell of a lot more efficient than the WRT54G. Mind you, they haven't bloated the firmware with artistic pictures or elegantly formatted help - for that you need the 247 page manual, the 9 page CLI guide, or the numerous online application notes (the UK site has some good tips as well).

 

[ddrueding]

WinSCP - Brilliant. That made it so easy. It's up, running, and so powerfull I can't believe it.

 

[ddrueding]

Yes Time, that looks like it would do it. But I have to admit, I've had nothing but problems with all the appliance routers I've used. They seem to all need a reset every few months or to have their values re-entered to ot have the VPN reset. I'm really sold on the smoothwall way of doing things, they're the most stable and powerfull tools for the job IMHO. On top of that they have features that I haven't seen on the others; the biggest being web caching, that speeds up common tasks tremendously. At one client, there were 50 users on a single ISDN to the net. I installed a smoothwall and enables a 20GB internet cache, then later upgraded to a full T-1. I got more compliments after the cache was in place than after they went T-1!

 

[time]

Proxies - bleh. You can get much the same effect by installing Opera or Mozilla.

I just can't agree that a $300 PC - even running Linux - can ever be as reliable as a good appliance. And you can hardly mount it on the wall to keep it safe and out of the way. :-?

I can understand if you're scarred by your Linksys experiences. Please believe me when I tell you that you shouldn't have to re-enter VPN settings or any other such rubbish.

But you're not alone. Most pros feel SOHO appliances are crap - that's because they are. It hurts when vendors get away with selling broken products and manage to make us look like amateurs.

 

[blakerwry]

I've had nothing but good experiences with either of my soho routers(D-Link 704 and Netgear 814) However, i've never had any problems with Coyote linux firewall (a floppy based distro) or Smoothwall.

I have wished smoothwall had a bit more docs regarding how the thing is setup, but that is not the project's aim so it is not to be expected.

I'm running Smoothwall on a Sony Vaio PII 350 w/ 64MB RAM & 2GB HDD. Someone gave me the machine and the HDD and CD were spares I had on hand. The box works and runs very well. The main advantage to this over the Dlink was the flexibility. Both have been 100% reliable (except for when the cat shutoff my smoothy once)

 

[ddrueding]

"good appliance"

I completely agree thaty if such a thing existed there would be a million reasons why it's superior to a smoothie.

Re: Proxies - proxies work even when not using the browser; product and windows updates as well as software downloads work brilliantly if it's configured correctly.

 

[time]

"good appliance" ... I completely agree thaty if such a thing existed there would be a million reasons why it's superior to a smoothie.

I have been trying to point out that such a thing does exist. :-?

In the case of the Vigor 2900, complete with ICSA Labs certification. As an aside, I found it entertaining to work out how many tries Netgear needed to gain the Small Business compliance.

 

[ddrueding]

Vigor 2900

I believe you when you say that this device works...but I guess I'll never have the pleasure as long as I live in the US.

 

[Buck]

Granted, I've never purchased a Draytek product before, and they seem difficult to find in the U.S., however, I found a company in Colorado that sells their stuff.

 

[time]

Marketing is completely non-existent in the US, but then I guess they're not really in the same space as consumer-oriented brands like Netgear.

Here are the resller links from the US website:

http://www.bestsystemsdirect.com

http://www.guideband.com

http://www.cssa.net

http://www.dsl-warehouse.com

As I said, the entry level 2500 DSL router has a fair percentage of the features, if anyone wants to tentatively try one.