In its basic form, SmoothWall is a Linux-based firewall that costs nothing. It's licensed under the GNU public licence and you can use it without charge. As with many products available in this way, the makers have decided to produce a second, commercial version with extra features; in this guise it becomes SmoothWall Corporate Server 3.0.

Installation of the system is via a bootable CD. You insert the disk, switch on and you're straight into the installer screens (which look just like Red Hat's traditional grey-on-blue user interface, for those familiar with them). The setup application asks for basic information, such as the product serial number and company name. Aside from the fact that it assumes a US keyboard layout (can you remember how to do an '@' symbol?), the initial process is very simple. Once you've given it the basics it copies the files, then reboots from the internal hard disk.

The next step is to log in via the command line and run the setup program. This allows you to define the various administrator passwords, re-map your keyboard and define the interfaces used on the system. Our server had a pair of network adaptors but only one (a NetGear 100Mbit/s card) was recognised. So, we decided instead to stuff a modem on the back and use this for the Internet connection. Unlike some firewall packages, SmoothWall found this perfectly acceptable and in fact has a standard configuration option for it.

Once the passwords are defined, the system is managed via a web browser. There's an HTTP interface on port 81, or a secure HTTP interface on port 441 if you're that way inclined. The web interface is very friendly. As well as navigating around using tabs for sections and sub-sections, there's a pull-down menu in the corner that lets you go straight to any page if you've forgotten which tab it lives under.

Tesco home delivery
First port of call was the PPP configuration. We gave the unit the details for a test account we use, told it to connect and it fired up first time.

Visiting the 'software update' page we saw a couple of available patches and figured it was sensible to install them. The firewall doesn't download them; you click a link and it fires up a browser window, which you use to download the file to your hard disk. After that you use the software update page to upload the file to the firewall. It sounds harder than it is. If, like us, your firewall is modem-connected and you have a second, ADSL-based Internet connection that you can use to download stuff quickly, it's a cool feature.

Next came module installations. There are two aspects to module installation: first, the SmoothWall software has to have the add-ons you want to use 'authorised'. Second, you need to obtain the add-ons. The SmoothWall reviewed here came with SmoothHost (allows you to have multiple external IP addresses instead of just one) and SmoothRule (controls access to outside on a per-service basis for internal users) turned on. So, in went the CDs and within less than a minute the components were installed.

The other options available are SmoothTunnel (a more comprehensive VPN server, including X.509 certificate support among its features), SmoothNode (like SmoothTunnel but limited to one connection - ideal for branch offices) and SmoothGuardian (a URL-blocking package). The management interface, incidentally, is very cleverly done: if you click the 'info' link for a module you don't own, it bounces you straight to the page on SmoothWall's website where you can buy and download it.

Configuration rules
Now on to the 'traditional' firewall stuff. Basic configuration of rules for incoming traffic is done via the 'networking' tab. This has the normal port-forwarding rules ('All SMTP traffic from outside destined for my mail server should go to this internal IP address'), DMZ 'pinholes' (rules that let the DMZ, if you have one, access the internal network), IP blocking (dropping all packets from a given address or network), static routing rules (telling the unit about the LAN it lives on) and 'advanced features' (extra VPN dial-in security, multicast traffic blocking and the like). You also do your PPP (dial-up) configuration here.

The 'services' tab looks after the general networking services the firewall provides. The unit can be a DHCP, DNS (both static and dynamic) and Web Proxy server. It can also provide some intrusion detection functionality via the inclusion of the open source IDS 'Snort'.

VPN connectivity configuration, the next tab along the screen, is one of the more straightforward VPN config systems on the market. This could be seen as a bad thing (if you're not defining nasty, long keys yourself then you don't have control) but for usability it's excellent.

'Remote access' is for those who want to manage the unit from afar. This wasn't needed for the review as an 'internal' network was used, but you have the option of using SSH (secure shell) or defining a list of 'referral URLs' from which remote web connections will be accepted.

Logs come next and the detail is very good. It's split into system information (startup, shutdown, config change), web proxy, firewall (traffic the unit has seen/blocked) and IDS. If you have a central logging server running the Syslog protocol, you can use this section to point SmoothWall to it.
The logs are interactive to a sensible extent, in that you can ask for more information on an IP address that appears in the firewall log and it'll do a WHOIS lookup (you can also add any address that appears in a log to the 'block' list with a single click - neat).

If you've installed any of the optional modules they appear in tab sets of their own. As a result the review system conjured up 'rule' and 'host' menus. It's nice to see that the add-ons aren't just bolt-ons - what you do with the extra bits (e.g. defining additional external IP addresses in SmoothHost) affects the other parts of the system (e.g. by increasing the list of addresses in the basic port forwarding screens).

Boot camp
Are there any criticisms of the package? No big ones. The first 'duh' moment came when we rebooted the server. It gives an 'I'm rebooting, please wait' page, which sits there forever. If you absent-mindedly hit 'Refresh' instead of the 'Home' button next to it in your browser, it reboots the unit all over again.

The only other real niggle is that when you define new external IP addresses in SmoothHost, you're asked to give each one an alias - a human-readable description. Yet, instead of using this description in the pull-down menus in the various screens, it uses the more cryptic IP address.

A final criticism is that it didn't comprehend the built-in Ethernet port on our test server (in reality an 18-month-old Intel 'Desktop Board' that one would think was pretty standard). But that's not really down to SmoothWall; it's more a Linux kernel driver issue.

All in all, though, SmoothWall is really likeable. It's a very, very good price, has lots of features as standard and the add-ons are worthwhile and inexpensive. It's easy to use and didn't even miss a beat in tests when, for instance, the cheapest, most anonymous modem from PC World was bolted on and it was told to 'dial'.


The main consideration with software-only firewalls like this is hardware support - you have to make sure you have the kit that the package runs with. Check the hardware compatibility guide to find out. The other consideration when buying a firewall is whether to go software-only (like this one or GNATBox's software offering), hardware-only (Cisco PIX, NetScreen, SonicWall) or for an application that sits on an operating system (Check Point, Symantec).