SmoothWall Express 2.0 is a free Linux-based firewall that installs on a dedicated machine. Its interesting features include the ability to set up a DMZ for hosting Web and FTP servers, and an IDS (Intrusion Detection System) to protect your internal network. The firewall is also compatible with ISDN and ADSL; it automatically senses these connections and configures them for you.
To configure SmoothWall Express, all you need is a machine with a CD-drive, a small hard disk (as SmoothWall requires roughly 40 MB) and three network cards if you want to set up a DMZ (otherwise two cards will do). We used the following IP addresses for the three network cards in our firewall machine.
- The internal/private network is on the 192.168.3.x network
- The DMZ is on the 192.168.2.x network
- The external network is on the 172.168.1.x network
You need to assign the IP addresses that are specific to your network. SmoothWall Express tags the three interfaces with color codes: green for internal, red for external and orange for the DMZ network. We assume that you have a pre-configured router for Internet access.
Copy the ISO image of SmoothWall Express from this month’s PCQ Essential CD to a machine with a CD-writer, and use software such as Nero to burn the ISO to a CD. If you’re using Nero, launch it and click on Recorder>Burn Image. Provide the path for the ISO image and burn the image.
Insert this CD into your designated firewall machine and boot from it. Press Enter on the first prompt to proceed. The installer will erase your entire hard disk and create a fresh partition. You will be prompted to enter the IP address for the green interface. Enter this and click on Ok. You’ll then get an ISDN configuration menu. If you’re not using ISDN, click on Disable; otherwise, enter your ISDN connection settings. This takes you to the ADSL configuration menu. If you’ve disabled ISDN and are working with ADSL, provide your ADSL settings here; otherwise, disable it as well. You will now get a ‘Network Configuration Menu’ screen. Here, select the network configuration type and, from the list, select ‘green+orange+red’. Next, select ‘Drivers and Card Assignments’ from the subsequent screen. This will bind the network cards to the settings you’ve made. Since we had assigned settings for the green interface only, it showed these settings next to the green network card and displayed ‘Unknown’ in front of the red and orange interfaces.
To bind the unknown network interfaces, from the ‘Network Configuration Menu’ select ‘Address settings’ and ‘red’, and click on Ok. Again from the ‘Network Configuration Menu’ select ‘Card Assignment’. This will automatically assign the unknown card to the red interface. In the subsequent screen, select Static. We used a static IP address for the red interface, which is connected to the Internet via a pre-configured router. Type in its IP address (172.16.1.20) on the red interface screen. Similarly, configure the orange interface.
Next, define the gateway and DNS IPs on the firewall so that the internal network can resolve Internet names (domains): on the ‘Network Configuration Menu’, select ‘DNS and gateway settings’. For primary and secondary DNS, enter the IP address of your DNS server. Then enter the IP address of your default gateway. Click on Done to finish. After this, you’ll get another screen to set up a DHCP server to assign IPs to machines on your internal network (green interface). You can cancel this if you don’t want to use its DHCP. Now provide passwords for the users, namely root, setup and admin. Finally, reboot to start the firewall.
The default installation of SmoothWall protects the internal network by blocking all incoming traffic. You can configure it from any machine on the network using a Web browser. To access its configuration, type any one of the following URLs: http://192.168.3.1:81 or https://192.168.3.1:445 (for secure SSL-based connection).
Here, replace the IP address with what you’ve assigned for the green interface. Now enter Admin for user name and the corresponding password. You will then see a Web page with links as shown in the screenshot on the previous page. If you want to create a blocking rule, select Networking>IP block and enter the IP address of the public site you want to block. Now set a rule on whether you want to drop or reject the packets from this IP. The ‘Drop Packet’ option will completely ignore packets from this IP, while the Reject option will send back an ‘ICMP Connection Refused’ message to the source IP. Now click on the Add button to save the current rule in the firewall’s database (or use the Remove or Edit buttons to remove or edit a rule).
Accessing DMZ servers from outside
To allow users from the Internet to access servers sitting in your DMZ, you need to set up port forwarding. This maps the requests coming to a machine on a specific port to a port on another machine. We used requests coming to 172.16.1.20 (red) on port 80 and mapped them to 192.168.2.1 (orange) on port 80. For this, click on Networking>IP Forwarding and enter Source Port: 80, Destination IP: 192.168.2.1, Destination Port: 80.
Click on the Add button to add this rule. Install or start a Web server on the machine with IP 192.168.2.1 to access the Web pages from any machine on an external network.
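To confirm the result from a machine on the external side, the following added example (not part of the original article or of SmoothWall) classifies TCP connection attempts as open, rejected or dropped, which is how the Drop and Reject behaviour described above appears to a client, and compares them with an expected policy. The expectation that the admin ports 81 and 445 do not answer on the red address is an assumption based on the default block-all-incoming behaviour; `probe`, `audit` and `EXPECTED` are names chosen here.

```python
import socket

# Expected view from a host on the external (red) side, using the article's
# addresses. Assumptions: port 80 is forwarded to the DMZ Web server, and the
# admin ports 81/445 must not answer from outside ("filtered").
EXPECTED = {
    ("172.16.1.20", 80): "open",
    ("172.16.1.20", 81): "filtered",
    ("172.16.1.20", 445): "filtered",
}

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt as the client sees it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "rejected"      # an active refusal came back (Reject, or closed port)
    except socket.timeout:
        return "dropped"       # silence until timeout, consistent with Drop
    except OSError:
        return "unreachable"   # no route, network down, etc.
    finally:
        s.close()

def audit(expected, probe_fn=probe):
    """Return (host, port, expected, observed) for every policy mismatch."""
    findings = []
    for (host, port), want in sorted(expected.items()):
        got = probe_fn(host, port)
        # "filtered" is satisfied by either firewall behaviour.
        ok = got == want or (want == "filtered" and got in ("rejected", "dropped"))
        if not ok:
            findings.append((host, port, want, got))
    return findings

if __name__ == "__main__":
    # Run from a machine on the external network, against your own firewall.
    for host, port, want, got in audit(EXPECTED):
        print(f"MISMATCH {host}:{port} expected {want}, observed {got}")
```

An empty result means the external view matches the policy; a line such as a mismatch on port 81 means the admin interface is reachable from outside and the rules need review.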
To set up internal clients to access the Internet through this firewall, you need to change their gateway IP to the green IP of the firewall.