3.0 "Polar"

Introduction

Express 3.0 is our latest version of the long running and successful Smoothwall Express firewall.

Editions

Polar is available in four editions:

  • User edition – 32bit
  • Developer edition – 32bit
  • User edition – 64bit
  • Developer edition – 64bit

The developer editions include the complete Smoothwall Express functionality, but also contain the tools needed for working on Express itself, including complete builds, checkouts and commits. It is therefore possible for interested coders to work on Express from their very own firewall. This marks a turning point for Smoothwall: it is now easier than ever for people to work on the project, make custom modifications and get involved with the Smoothwall team.

Please bear in mind that in order to do full builds of Express, a reasonably specified machine and a fair amount of patience are required. Typical build times are about 5 hours on a 1GHz machine.

Please read the build notes for more information on using the Developer Edition of Polar, including instructions on how to check out and build a Polar ISO from scratch.

64bit support

Degu (the version before Sammy, our Release Candidate) was the first ever version of Smoothwall to come in multiple architectures: 32bit, for standard x86 compatibles; and 64bit, for Intel Core 2 (and other Intel chips with 64bit support) and 64bit Athlon chips. Because there are now multiple processor types, updates are specific to each architecture. We are especially interested to hear from people running Smoothie on 64bit machines.

Please note that there are some small limitations on hardware support when running on a 64bit machine. The BeWAN driver, used in Smoothie for years, is not available on 64bit machines because it relies on a binary blob (pre-compiled code) for which no 64bit build exists. Also, the Conexant driver does not work on 64bit machines.

Headline new features relative to 2.0

  • Supports a 4th NIC for Wireless Access Points.
  • 64bit support – additional builds for 64bit Intel and AMD chips.
  • Based upon linux 2.6 kernel.
  • New realtime traffic graph shows traffic bandwidth usage over time (AJAX).
  • Per-IP address traffic statistics collection in all traffic stats pages – you can now view weekly, monthly, etc totals for specific internal IPs, or see which local IP is using the most bandwidth, in real-time.
  • IM proxy with logging and filtering abilities (MSN/AIM/ICQ/Yahoo).
  • SATA/SCSI support.
  • Support for many new gigabit NICs.
  • Streamlined installer/setup.
  • Quality-of-Service (QoS) support for traffic-shaping and management – nice and easy to use but powerful, can traffic shape Peer-to-Peer traffic.
  • SIP proxy support using siproxd, with transparent mode.
  • Protection-level profile selector at install time can be used to pre-configure default settings.
  • Timed-access feature for allowing or blocking access to a list of IPs or subnets based on time of day and day of the week.
  • Outbound filtering.
  • Portforward and other networking pages now use the new service list controls.
  • New update mechanism which can download and install all pending updates with a single click.
  • Brand new even prettier theme. The polar bear is back!
  • Devel editions for people interested in hacking on smoothie.

Detailed list of new features and improvements

  • Added support for empty hostnames in Dynamic DNS pages.
  • Runtime kernel now has DMA support for all supported IDE chipsets. Added bridging module (but no tools) for people who want to work with bridging.
  • Added ISC DHCP integration option to dnsmasq, but no UI.
  • Added support for setting the NTP servers that the DHCP server will supply to clients. DHCP server now marks itself as “authoritative”.
  • Hostname can now only contain valid characters, preventing the situation where you could set a hostname that was incompatible with Squid.
  • Minor fixes to the networking probe setup code.
  • Added support for the VT8237A VIA SATA chip.
  • Updated autorun HTML page so it looks supercool.
  • Swap sized according to the amount of RAM.
  • Widened setup password entry from 20 to 25 chars.
  • Added support for more gigabit NICs.
  • Added Conexant ADSL PCI support.
  • UPnP support using miniupnpd.
  • Online help now has a glossary.
  • The “Other” system log viewer has been renamed “System” logs.
  • Slashes now allowed in PPP usernames and passwords to fix problems with some ISPs.
  • Cleanups of install and setup code. Also changed probing so it will not re-probe from the top of the list after adding a NIC.
  • Added EHCI USB, and TUN/TAP modules, but neither are ever loaded at present.
  • Smoothd privileged daemon replacing setuid helpers, increasing the speed of the web interface.
  • Installer now supports USB keyboards and CDROMs, making it possible to install Smoothwall Express on “legacy-free” hardware.
  • Now includes a POP3 proxy with support for Anti-Virus using ClamAV.
  • Online validation using JavaScript shows input validity before the Add and Save buttons have been pressed.
  • Many core components have been version-bumped to the latest versions for improved security and reliability.
  • Tables of data are now sortable.
  • Can update Snort rules using Sourcefire’s “Oink code” mechanism.
  • Comments can be included in portforwards and similar listed items.
  • Can now DROP bad traffic instead of REJECTing it.
  • GREEN is probed with the other NICs now so it is possible to replace GREEN.
  • Firewall log viewer looks much nicer and has some AJAX coolness.
  • Includes many new NIC drivers that are in 2.6.
  • NTP service for the local network.
  • Local hosts list that can be served through the DNS proxy.
  • Replacement traffic stats page.
  • Many internal changes to make the code more organised and easier to work with.
  • Jazzed up control page.
  • Easier to use log viewers with Google-style pagination.

Installing

The installer will automatically probe for and load SATA and SCSI drivers if no IDE disk is found.

The old “media menu” has gone. It isn’t needed while only CDROM installs are supported, and in the future it still won’t be needed because the installer will work out what type of install is required.

To speed along the install, the ISDN, ADSL, and DHCP screens are not automatically presented. Instead a menu appears where these features can be configured.

IM proxy

3.0 incorporates an IM (Instant Messenger) proxy called IMSpector that is able to log and filter IM conversations in a variety of protocols including MSN, ICQ, AIM, Yahoo and IRC. This proxy also has an optional swear-word filter with a pre-made list of naughty words. The configuration page is under Services; the log viewer is under Logs and is noteworthy because it shows conversations as they happen, using AJAX techniques to update the web page.

Other notes

We’ve made a small change to the call-home process. It will now send back a dump of “lspci”, “lsmod” and the USB device table. This was done so that we can hopefully build a compatibility matrix for Smoothie from this data in the future. Such a chart might even be useful to the Linux community as a whole.

To enhance the security of the web interface, a password is now required to view the home page, whereas previously this page was publicly viewable from the internal network. Any valid username (admin, dial, etc.) will be able to view the home page.

The traffic graphs page shows traffic stats for each interface, with current hour, current day, etc. totals, as well as “real time” reports of traffic load on each interface. Note that this code was written for the commercial series of Smoothwall products, GPL’d, and included in Express. We’d love to see this particular piece of software used in other projects as well.

A new page, bandwidth bars, shows a continually updated representation of the bandwidth usage for each interface, refreshed once a second through the use of AJAX and JavaScript.

The time server is enabled on the “time” screen under Preferences. The time server (based on OpenNTPD) has been tested against Linux (ntpd etc.) and Windows and works well. The time server will service requests on the GREEN side only.

The update mechanism has been reworked. In addition to the older “refresh updates list”, download, upload and install mechanism, Express 3.0 has a semi-automated installer. This performs the actions of downloading and installing updates (in sequence) with a single update button. This should allow for much easier maintenance.

Feedback

Please report all feedback, especially any problems encountered, to the Community forum “Express 3.0 development”.