First port of call was the PPP configuration. We gave the unit the details for a Tesco.net test account we use, told it to connect and it fired up first time. Visiting the 'software update' page we saw a couple of available patches and figured it was sensible to install them. The firewall doesn't download them; you click a link and it fires up a browser window, which you use to download the file to your hard disk. After that you use the software update page to upload the file to the firewall. It sounds harder than it is. If, like us, your firewall's modem-connected and you have a second, ADSL-based Internet connection that you can use to download stuff quickly, it's a cool feature.
Next came module installations. There are two aspects to module installation: first, the SmoothWall software has to have the add-ons you want to use 'authorised'. Second, you need to obtain the add-ons. The SmoothWall reviewed here came with SmoothHost (allows you to have multiple external IP addresses instead of just one) and SmoothRule (controls access to outside on a per-service basis for internal users) turned on. So, in went the CDs and within less than a minute the components were installed. The other options available are SmoothTunnel (a more comprehensive VPN server, including X.509 certificate support among its features), SmoothNode (like SmoothTunnel but limited to one connection - ideal for branch offices) and SmoothGuardian (a URL-blocking package).
The management interface, incidentally, is very cleverly done: if you click the 'info' link for a module you don't own, it bounces you straight to the page on SmoothWall's website where you can buy and download it.
Configuration rules
Now on to the 'traditional' firewall stuff. Basic configuration of rules for incoming traffic is done via the 'networking' tab. This has the normal port-forwarding rules ('All SMTP traffic from outside destined for my mail server should go to this internal IP address'), DMZ 'pinholes' (rules that let the DMZ, if you have one, access the internal network), IP blocking (dropping all packets from a given address or network), static routing rules (telling the unit about the LAN it lives on) and 'advanced features' (extra VPN dial-in security, multicast traffic blocking and the like). You also do your PPP (dial-up) configuration here.
The 'services' tab looks after the general networking services the firewall provides. The unit can be a DHCP, DNS (both static and dynamic) and Web Proxy server. It can also provide some intrusion detection functionality via the inclusion of the open-source IDS 'Snort'.
VPN connectivity configuration, the next tab along the screen, is one of the more straightforward VPN config systems on the market. This could be seen as a bad thing (if you're not defining nasty, long keys yourself then you don't have control) but for usability it's excellent.
'Remote access' is for those who want to manage the unit from afar. This wasn't needed for the review as an 'internal' network was used, but you have the option of using SSH (secure shell) or defining a list of 'referral URLs' from which remote web connections will be accepted.
Logs come next and the detail is very good. It's split into system information (startup, shutdown, config change), web proxy, firewall (traffic the unit has seen/blocked) and IDS. If you have a central logging server running the Syslog protocol, you can use this section to point SmoothWall to it.
The logs are interactive to a sensible extent, in that you can ask for more information on an IP address that appears in the firewall log and it'll do a WHOIS lookup (you can also add any address that appears in a log to the 'block' list with a single click - neat).
If you've installed any of the optional modules they appear in tab sets of their own. As a result the review system conjured up 'rule' and 'host' menus. It's nice to see that the add-ons aren't just bolt-ons - what you do with the extra bits (e.g. defining additional external IP addresses in SmoothHost) affects the other parts of the system (e.g. by increasing the list of addresses in the basic port forwarding screens).
Boot camp
Are there any criticisms of the package? No big ones. The first 'duh' moment came when we rebooted the server. It gives an 'I'm rebooting, please wait' page, which sits there forever. If you absent-mindedly hit 'Refresh' instead of the 'Home' button next to it in your browser, it reboots the unit all over again. The only other real niggle is that when you define new external IP addresses in SmoothHost, you're asked to give each one an alias - a human-readable description. Yet, instead of using this description in the pull-down menus in the various screens, it uses the more cryptic IP address. A final criticism is that it didn't comprehend the built-in Ethernet port on our test server (in reality an 18-month-old Intel 'Desktop Board' that one would think was pretty standard). But that's not really down to SmoothWall, it's more a Linux kernel driver issue.
All in all, though, SmoothWall is really likeable. It's a very, very good price, has lots of features as standard and the add-ons are worthwhile and inexpensive. It's easy to use and didn't even miss a beat in tests when, for instance, the cheapest, most anonymous modem from PC World was bolted on and it was told to 'dial'.
The main consideration with software-only firewalls like this is hardware support - you have to make sure you have the kit that the package runs with. Check the hardware compatibility guide to find out. The other consideration when buying a firewall is whether to go software-only (like this one or GNATBox's software offering), hardware-only (Cisco PIX, NetScreen, SonicWall) or for an application that sits on an operating system (Check Point, Symantec).