Fog Creek Software
Discussion Board
Smoothwall for web servers

We're going to be colocating a couple of web servers and I was looking at Smoothwall for a firewall. Anyone have any experiences or advice?

We'll buy new hardware - I would go for Checkpoint if budget permitted.

Danny
Monday, August 25, 2003

Why not buy the cheapest (but most reliable) box you can find and install OpenBSD?

dsf
Monday, August 25, 2003

Because then I would have to learn how to use that operating system and thus spend a lot of time which can be used a lot more profitably elsewhere, such as studying Microsoft .NET, C#, etc.

Krave
Monday, August 25, 2003

I do .NET development AND I know how to run an OpenBSD server. I must be worth my weight in gold!

dsf
Monday, August 25, 2003

I used it.  It was good.  Not as good as a carefully configured and optimised router install of your favorite nix, but 98% there and a whole lot easier.  If you have a box for it laying around give it a shot.  It only takes a couple hours to set up. 

D
Monday, August 25, 2003

"It only takes a couple hours to set up."

If it's like Linux (or anything else, for that matter), then that's *if* you know what you're doing and *if* things go right the first time around.

But if you have one oddball NIC or graphics card that reacts just a little funny, or you want to do something that's a 10%ile action, then be prepared to waste a week. :-)

Philo

Philo
Monday, August 25, 2003

A Smoothwall or IPCop box doesn't care about the graphics card, there is no X server installed. After the NICs and modem setup, everything is configured through a web interface. Installation takes around 15 minutes with a PnP NIC and a not-too-exotic modem.
I've had it (more precisely IPCop by now) for around 2 years, with 3 clients on a PII 300MHz, 32MB RAM, 4GB HD (network used around 20h per day). It can run on less without noticeable effect on the network speed; having some space is good if you activate the transparent proxy for caching web content.

If everything goes well (and that should be the case if you invest in new hardware), you don't need any Linux knowledge at all.

Damien Bonvillain
Monday, August 25, 2003

I like Smoothwall alright, but keep in mind the following:

1) The creator of Smoothwall has a pretty strange understanding of "Open Source."  I would go with the fork, http://www.ipcop.org/, which has a much more open development process.

2) Unlike most hardware firewalls, it requires a hard drive.  Hard drives are prone to failure, and the firewall represents a single point of failure in your network.

3) As far as I know setting up an HA solution with Smoothwall/IPcop isn't a simple option.  Maybe that has changed recently.

4) It is difficult to set up rules between the DMZ and trusted networks.  I usually keep my database and application servers in the trusted network, and put in the most restrictive rules possible between the DMZ and trusted networks.  I've been using Watchguard fireboxes for this.  They are quirky but flexible once you get used to them.

5) It used to be that the open source versions of Smoothwall and IPCop didn't support SCSI.  This sucked as I wanted to set it up on a RAID to up my availability.  I'm not sure if this has changed in more recent releases.

christopher baus
Monday, August 25, 2003

Christopher

It seems Richard Morrell has had a change of heart since leaving Smoothwall.

http://www.dickmorrell.com/diary/archives/000305.php

Damian
Monday, August 25, 2003

I would go with OpenBSD. It really does take a short period of time to get comfortable if you are familiar with computers. openbsd.org's FAQ pretty much walks you through everything and PF (the firewall) can adjust bandwidth and now passively filter on operating systems.

Tom Vu
Monday, August 25, 2003

"which can be used a lot more profitably elsewhere" such as learning a single vendor's technologies that will totally be revamped, forcing me to learn a whole new paradigm in 3 years.  Learn computers and programming, not Microsoft.

Think
Monday, August 25, 2003

"A Smoothwall or IPCop box doesn't care of the graphic card, there is no X server installed."

For chrissakes stop it man.  You'll scare all of the Joelites that believe that without a gui there is no computing.

Think
Monday, August 25, 2003

I agree with Tom - Openbsd.  Although:
d a
d b
d c
d e
a a
Might throw them off.

Think
Monday, August 25, 2003

Most web servers should have only 3 application-oriented ports open inbound, protected by a stateful firewall:

HTTP
HTTPS
VPN

Unless it's a hobbyist server as well (in which case you'll be very interested in installing other goodies and leaving other ports open), this is something most firewalls can handle with ease.

Li-fan Chen
Tuesday, August 26, 2003
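The inbound policy Li-fan describes, written as a PF ruleset for the OpenBSD option Tom Vu suggested. This is an added example, not from anyone in this thread; the interface name, the VPN port and the flood-rate thresholds are assumptions.

```pf
# pf.conf for a colocated web server: only HTTP, HTTPS and the VPN port
# are reachable from the outside; every other inbound packet is dropped.
# Interface name and VPN port are assumptions for this example.
ext_if    = "em0"
web_ports = "{ 80, 443 }"
vpn_port  = "1194"                     # assumed OpenVPN over UDP

set skip on lo
set block-policy drop                  # silently drop rather than send RSTs

# Sources that should never appear on the outside interface
table <bogons>  { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }
table <abusers> persist                # filled automatically by the overload rule
block in quick on $ext_if from <bogons>  to any
block in quick on $ext_if from <abusers> to any
antispoof quick for $ext_if

# Default deny in both directions, logged, so the allowed list is explicit
block in  log all
block out log all

# Inbound web traffic: stateful, only new connections (SYN) create state,
# and a single source opening more than 100 connections in 10 s is
# added to <abusers> and its existing states flushed.
pass in on $ext_if proto tcp from any to $ext_if port $web_ports \
    flags S/SA keep state \
    (max-src-conn-rate 100/10, overload <abusers> flush global)

# Inbound VPN for remote administration of the box
pass in on $ext_if proto udp from any to $ext_if port $vpn_port keep state

# Outbound: only what the server itself needs (DNS, NTP, package updates)
pass out on $ext_if proto { tcp, udp } from $ext_if to any port { 53, 123 } keep state
pass out on $ext_if proto tcp from $ext_if to any port { 80, 443 } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t abusers -T show` lists sources the rate limit has blocked.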

The creator of smoothwall has a pretty strange understanding of sanity in my experience.

IPCop is the easiest "I don't really know what I'm doing" install. It is very easy to install and set up out of the box.

It does however automatically wipe and partition the disk so you need to start with a dedicated machine, although a firewall should really be a dedicated machine anyway.

We have used IPCop for the last 2 companies I worked with.

If you understand networking it is possible to set up a typical RedHat box to do exactly the same thing.

Martin Beckett
Tuesday, August 26, 2003

Philo,

Sure.  How about this?

It only took me two hours despite having to replace an unsupported NIC.  I think it's worth two hours of your time to see if it will suit your needs. 

D
Tuesday, August 26, 2003

Thanks for all the replies so far. I was wondering about experiences in the field.

We put smoothwall onto a new box and it installed no problems (definitely less than an hour). As Li-fan said - we only need it to let in HTTP and something to remote control the server. I want to get it load tested for several hundred simultaneous connections (P4/512Mb), although a hard disk failure... I have to think about that. But if you've got a Nokia box (or some other dedicated firewall), you're at the same risk are you not?

Thanks again.

Danny
Tuesday, August 26, 2003

Some of the comments Morrell made while he was at Smoothwall were so moronic, I couldn't care less what he says now.  The truth of the matter is he was hoping to abuse the OpenSource community by trying to get them to develop commercial software for him for free.  He got all bent out of shape when the developers realized this, and LEGALLY forked the code and started their own project. 

christopher baus
Tuesday, August 26, 2003
