3.0 Beta "Degu"

Introduction

Express 3.0 is our latest version of the long-running and successful Smoothwall Express firewall. This is a beta release, code name “Degu”. This means that this build is hopefully feature-complete relative to the released version of 3.0. It does have a couple of known problems (see below). Needless to say, there are probably unknown problems as well.

As the phrase goes …

As we know, there are no known knowns. There are things we know we know. We also know there are known unknowns. That is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.

This page will be updated as and when new betas are released.

Editions

Degu is available in four editions:

  • User edition – 32bit
  • Developer edition – 32bit
  • User edition – 64bit
  • Developer edition – 64bit

The developer editions include the complete Smoothwall Express functionality, but also contain the tools needed for working on Express itself, including complete builds, checkouts and commits. It is therefore possible for interested coders to work on Express from their very own firewall. This marks a turning point for Smoothwall: it is now easier than ever for people to work on the project, make custom modifications and get involved with the Smoothwall team.

Please bear in mind that in order to do full builds of Express, a reasonable spec machine and a fair amount of patience are required. Typical build times are about 5 hours for a 1GHz machine.

Please read the HOWTO for more information on using the devel edition of Degu, including instructions on how to check out and build a Degu ISO from scratch.

64bit support

Degu is the first ever version of Smoothwall to come in multiple architectures: 32bit, for standard x86 compatibles; and 64bit, for Intel Core 2s and 64bit Athlon chips. This change to multiple processor types means that updates are specific to the different architectures. We are especially interested to hear from people running Smoothie on 64bit machines.

Please note that there are some small limitations on hardware support when running on a 64bit machine. The BeWAN driver, used in Smoothie for years, is not available on 64bit machines because it uses a binary blob (compiled code) that is not available for 64bit machines. There may be other little problems as well.

New features relative to the previous Express 3.0 alpha, Koala

  • 64bit support – additional builds for 64bit Intel and AMD chips
  • New realtime traffic graph shows traffic bandwidth usage over time (AJAX)
  • Smoothd fully integrated, increasing the speed of the web interface
  • Outbound filtering completed
  • Portforward and other networking pages now use the new service list controls
  • Installer now supports USB keyboards and CDROMs, making it possible to install Smoothie Express on “legacy-free” hardware.
  • Per-IP address traffic statistics collection in all traffic stats pages – you can now view weekly, monthly, etc. totals for specific internal IPs, or see which local IP is using the most bandwidth, in real-time.
  • The interface page now functions, at least as well as the setup program
  • Now includes a POP3 proxy with support for Anti-Virus using ClamAV
  • Online validation using JavaScript to show input validity before the Add and Save buttons have been pressed
  • Many core components have been version-bumped to the latest versions for improved security and reliability
  • Tables of data are now sortable
  • Can update Snort rules using Sourcefire’s “Oink code” mechanism
  • Comments can be included in portforwards and similar listed items
  • Quality-of-Service (QoS) support for traffic-shaping and management – nice and easy to use but powerful, can traffic shape Peer-to-Peer traffic
  • Can now DROP bad traffic instead of REJECTing it
  • OpenSWAN now working reliably
  • SIP proxy support using siproxd, with transparent mode
  • Protection-level profile selector at install time can be used to pre-configure default settings
  • Timed-access feature for allowing or blocking access to a list of IPs or subnets based on time of day and day of the week

New features relative to the previous Express 3.0 alpha, Grizzly

  • IM proxy with logging and filtering abilities (MSN/AIM/ICQ/Yahoo)
  • SATA/SCSI support
  • Streamlined installer/setup
  • GREEN is probed with the other NICs now so it is possible to replace GREEN
  • Smoothd privileged daemon (although only a few things are utilising it still)
  • Firewall log viewer looks much nicer and has some AJAX coolness
  • Hopefully working BeWAN and openswan
  • Realtime traffic bars
  • New update mechanism which can download and install all pending updates with
    a single click.

Other new features relative to Express 2.0

  • Based upon the latest (at least at the time of building) 2.6 kernel.
  • Brand new even prettier theme. The polar bear is back!
  • Includes many new NIC drivers that are in 2.6.
  • Brand new update system – updates are downloaded directly onto the Smoothie
    itself instead of going via the desktop browser.
  • NTP service for the local network.
  • Local hosts list that can be served through the DNS proxy.
  • Replacement traffic stats page.
  • SIP NAT support (experimental!)
  • Many internal changes to make the code more organised and easier to work
    with.
  • Jazzed up control page.
  • Easier to use log viewers with Google-style pagination.

Known Problems

Unfortunately we have a number of problems, all of them related to 2.6, that need to be addressed. We hope that they will not stop people testing.

  • USB ISDN support is broken
  • PPTP and Quake helpers. PPTP is compiled up but not loaded by default because it is still being tested
  • UPnP support is currently missing

Installing

Testers are better off recreating their settings from scratch, though a direct restore of Express 2.0 settings will probably work for now.

The installer will automatically probe for and load SATA and SCSI drivers if no IDE disk is found. We are interested to hear feedback on this new feature.

The old “media menu” has gone. While only CDROM installs are supported it isn’t needed, and in the future it will not be needed either, because the installer will know what type of install is required.

To speed along the install, the ISDN, ADSL, and DHCP screens are not automatically presented. Instead a menu appears where these features can be configured.

IM proxy

Degu incorporates an IM (Instant Messenger) proxy called IMSpector that is able to log and filter IM conversations in a variety of protocols including MSN, ICQ, AIM, Yahoo and IRC. This proxy also has an optional swear-word filter with a premade list of naughty words. The configuration page is under services; the log viewer is under logs and is noteworthy because it shows conversations as they happen by using AJAX techniques to update the webpage.

Other notes

We’ve made a small change to the call-home process. It will now send back a dump of “lspci”, “lsmod” and the USB device table. This was done so that, in the future, we can hopefully build a compatibility matrix for Smoothie from this data. Such a chart might even be useful to the Linux community as a whole.

To enhance the security of the web interface, a password is now required to view the home page, whereas previously this page was publicly viewable from the internal network. Any valid username (admin, dial, etc.) will be able to view the home page.

The traffic graphs page shows traffic stats for each interface, with current hour, current day, etc. totals, as well as “real time” reports of traffic load on each interface. Note that this code was written for the commercial series of Smoothwall products, GPLd, and included in Express. We’d love to see this particular piece of software used in other projects as well.

A new page, bandwidth bars, shows a continually updated representation of the bandwidth usage for each interface, refreshed once a second through the use of AJAX and JavaScript.

The time server is enabled on the “time” screen under Preferences. The time server (based on openntpd) has been tested against Linux (ntpd etc.) and Windows and works well. The time server will service requests on the GREEN side only.

The update mechanism has been reworked. In addition to the older “refresh updates list”, download, upload and install mechanism, Express 3.0 has a semi-automated installer. This will perform the actions of downloading and installing updates (in sequence) by use of a single update button. This should allow for much easier maintenance.

Feedback

Please report all feedback, especially any problems encountered, to the Community forum “Express 3.0 development”.