Today a post about the setup and configuration process of SmoothWall.
SmoothWall Express is a free firewall based on a Linux distribution. It installs on a dedicated machine and provides an up-and-running firewall for your network. This firewall can be used to protect your internal (private) network from the external network (Internet). SmoothWall also gives you the option to set up a DMZ (DeMilitarized Zone) where you can host your Web and FTP servers so that these machines are reachable from the external network (via the Internet). SmoothWall Express 2.0 also bundles an IDS (Intrusion Detection System), which helps protect your internal network and the firewall machine from possible intrusions or attacks. The firewall can also be configured for ISDN and ADSL connections; it automatically senses these connections and configures them for you.
In this article I will explain how to set up a dedicated firewall using SmoothWall. All you need is a machine with a CD-ROM drive, a small hard disk (it can be less than one GB) and three network cards. In the firewall context, each network interface is designated by a different name, so that the administrator can identify which network interface is connected where. For example, the network interface connected to the internal network is called GREEN, the interface connecting to the external network is called RED, and the third interface, connected to the DMZ, is called ORANGE.
Head over to http://www.smoothwall.org/download/ to download the ISO. You first need to create a bootable CD from this ISO image; for this, open Nero Burner and click on Recorder>Burn Image. It will ask you for the path to the ISO image; give the correct path and burn the CD from it.
Setting up of Network
Physically set up your network interfaces according to your network settings. In our case the network settings were as follows.
The internal/private network is on 192.168.3.x
The DMZ is on 192.168.2.x
The external network is on 172.168.1.x
The machine had three network cards; two of them connected to hubs/switches on the internal and DMZ networks, while the third was connected via a router to the external network. On the DMZ (ORANGE) we hosted a web server running a demo site (http://192.168.2.51).
Now put the SmoothWall CD in your firewall machine's CD-ROM drive and boot from the CD. On booting from the CD, press Enter to proceed; the SmoothWall installation will erase your entire hard disk and create a fresh partition. Next, the installation process will prompt you to enter the IP address for the GREEN interface; type in 192.168.3.1 and press OK. Then you will get an ISDN configuration menu, where you can configure your ISDN connections. In this article we assume that you are connected to the external network via a preconfigured router, so in the ISDN configuration menu you need to disable ISDN: click the ‘Disable’ button if you are not using ISDN or ADSL. Now you will get the ‘Network configuration menu’ screen; select ‘Network configuration type’ and, from the list, select ‘GREEN+ORANGE+RED’. In the subsequent screen, select ‘Drivers and card assignments’ in the Network configuration menu. A screen will now show you that one of the network cards has been assigned to the GREEN interface, while the other network cards are still shown as UNKNOWN. Click OK to change the settings.
You have to bind the UNKNOWN network interfaces to your ORANGE and RED interfaces. For this, from the ‘Network configuration menu’ select ‘Address settings’, select ‘RED’ and click OK. Then from the ‘Network configuration menu’ select ‘Card assignment’; it will automatically probe the UNKNOWN card and assign it to the RED interface. In the subsequent screen, select Static. We used a static IP address for the RED interface, which is connected to the Internet via a pre-configured router. Type in the IP address 172.16.1.20 in the text field on the RED interface screen. To configure the ORANGE interface, proceed in the same way as described above.
After this, you need to define the gateway IP and DNS IP on the firewall, so that machines on the internal network can resolve names. To do this, on the ‘Network configuration menu’ select ‘DNS and Gateway settings’. For the primary and secondary DNS, enter the IP addresses of DNS servers that can resolve names on the external network. If the external network is the Internet, the IP addresses of the DNS servers will be provided by your ISP (Internet Service Provider). For the default gateway, type in the IP address 172.16.1.15 (this is the gateway IP connected to the external network).
Now, finally, click on ‘Done’ in the Network configuration menu. If you want users connected to the internal network to get their IP addresses from this firewall, you can configure SmoothWall to assign IP addresses to the internal client machines. For this, on the subsequent screen, which is for enabling DHCP services, enable DHCP on the DHCP server configuration screen and type in the start and end IP addresses, for example 192.168.3.60 to 192.168.3.254. The next screen will prompt you to assign passwords for the root, setup and admin users. Then you will be prompted for a reboot. After the reboot, your firewall should be up and running.
Configure SmoothWall Express 2.0
The default installation of SmoothWall is meant for protecting the internal network. This firewall uses the iptables and netfilter packages to build the firewall, but of course you can create your own network access rules according to your requirements.
You can also configure this firewall from a client machine using a web browser. To access it, open a web browser and type in one of the URLs given below.
http://192.168.3.1:81 or https://192.168.3.1:445 (for a secure SSL-based connection). It will ask you for a user name and password. Enter admin and the corresponding password that you specified during the installation.
It will open the SmoothWall web page, where you will see links such as Control, About your Smoothie, Services, Networking, VPN, Logs, Tools and Maintenance. It is very simple to use; for example, if you want to create a blocking rule on the firewall, from the firewall web page select Networking>IP block.
On this page you will get a Source IP text box; enter the IP or network address to which all access must be denied. It should be a public IP address on the Internet, not the SmoothWall Express address or a local/DMZ IP address. After setting the source IP, you need to choose whether to drop or reject the packets. If you select the Drop Packet radio button, the packets will be completely ignored. If you select the Reject Packet radio button, an ICMP connection refused message will be sent back to the source IP address, but no connection will be possible through the SmoothWall Express firewall. Now click on the Add button to save the current rule in the firewall database. On the same page you will find Remove and Edit buttons to edit the created rules or delete them from the SmoothWall firewall.
Allow Internet users to access servers in the DMZ
You can configure the DMZ on this firewall so that Internet users can access a server sitting on your separate internal network (the DMZ). This is easy to do from the web interface, by allowing external network access to the servers in the DMZ. Port forwarding is used for this: port forwarding is a setup where a request arriving at a machine on a specific port is mapped to a port on some other machine. In our setup, requests arriving at 172.16.1.20 on port 80 were mapped to 192.168.2.1 on port 80. Open the SmoothWall browser interface and click on Networking>IP forwarding. Fill in the text boxes as follows: Source Port: 80, Destination IP: 192.168.2.1, Destination Port: 80, Remark: Rules for server in DMZ. Click on the Add button to add the created rule to the firewall. Install or start a web server on the 192.168.2.1 machine and you should be able to access the web pages hosted on that server from the external network.
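As an added illustration of the IP block and IP forwarding rules described above (this is not SmoothWall's own code), the following Python model evaluates packets against the article's GREEN/ORANGE/RED addressing; the blocked source addresses and the default-deny policy for traffic that does not originate on GREEN are assumptions.

```python
# Added example, not SmoothWall code: a small model of the netfilter policy the
# article builds, so the effect of IP block (DROP vs REJECT) and IP forwarding
# rules on the GREEN/ORANGE/RED topology can be traced. Blocked sources are constructed.
import ipaddress
from dataclasses import dataclass

# Interface subnets from the article; hosts on no listed subnet are treated as RED.
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.3.0/24"),
    "ORANGE": ipaddress.ip_network("192.168.2.0/24"),
    "RED": ipaddress.ip_network("172.16.1.0/24"),
}
RED_IP = "172.16.1.20"  # the firewall's RED address that port forwarding listens on

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "RED")

class Firewall:
    def __init__(self):
        self.blocks = {}    # Networking > IP block: source network -> "drop" | "reject"
        self.forwards = {}  # Networking > IP forwarding: RED port -> (DMZ ip, DMZ port)

    def block(self, src, action):
        self.blocks[ipaddress.ip_network(src)] = action

    def forward(self, src_port, dst_ip, dst_port):
        self.forwards[src_port] = (dst_ip, dst_port)

    def evaluate(self, pkt):
        """Return (verdict, detail) for one packet that reaches the firewall."""
        src = ipaddress.ip_address(pkt.src)
        # 1. IP block rules come first: DROP stays silent, REJECT answers with an ICMP error.
        for net, action in self.blocks.items():
            if src in net:
                return ("REJECT", "icmp error to source") if action == "reject" else ("DROP", None)
        # 2. Port forwarding (DNAT): a request to RED_IP on a forwarded port goes to the DMZ host.
        if pkt.dst == RED_IP and pkt.dport in self.forwards:
            dst_ip, dst_port = self.forwards[pkt.dport]
            return ("FORWARD", f"{dst_ip}:{dst_port}")
        # 3. Default policy (assumed simplification): only GREEN may initiate connections;
        #    anything else that was not forwarded is dropped.
        if zone_of(pkt.src) == "GREEN":
            return ("ACCEPT", zone_of(pkt.dst))
        return ("DROP", None)
```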
As it is very easy to configure, you can use its other features, such as VPN, in the same way.
To set up the internal clients so that they access the Internet through the same firewall, you need to change the gateway IP of all internal machines: set the gateway to the firewall's internal (GREEN) IP address.