Release Notes

Introduction

Express 3.0 is our latest version of the long running and successful Smoothwall Express firewall.

Editions

Polar is available in four editions:

• User edition – 32bit
• Developer edition – 32bit
• User edition – 64bit
• Developer edition – 64bit

The developer editions includes the complete Smoothwall Express functionality, but also contains the needed tools for working on Express itself, including complete builds, check outs and commits. It is therefore possible for interested coders to work on Express from their very own firewall. This marks a turning point for Smoothwall: it is now easier then ever for people to work on the project, make custom modifications and get involved with the Smoothwall team.

Please bear in mind that in order to do full builds of Express, a reasonable spec machine and a fair of amount of patience is required. Typical build times are about 5 hours for a 1Ghz machine.

Please read the build notes for more information on using the Developer Edition edition of Polar, including instructions on how to checkout and build a Polar ISO from scratch.

64bit support

Degu (the version before Sammy, our Release Candidate) was the first ever version of Smoothwall to come in multiple architectures: 32bit, for standard x86 compatibles; and 64bit, for Intel Core 2s (and other Intels with 64bit support) and 64bit Athlon chips. This change to multiple processor types means that updates are specific to the different architectures. We are especially interested to hear from people running Smoothie on 64bit machines.

Please note that there are some small limitations on hardware support when running on a 64bit machine. The BeWAN driver, used in Smoothie for years, is not available on 64bit machines because it uses a binary blob (compiled code) that is not available for 64bit machines. Also, the Connexant driver does not work on 64bit machines.

Headline new features relative to 2.0.

• Supports a 4th NIC for Wireless Access Points.
• 64bit support – additional builds for 64bit Intel and AMD chips.
• Based upon linux 2.6 kernel.
• New realtime traffic graph shows traffic bandwidth usage over time (AJAX).
• Per-IP address traffic statistics collection in all traffic stats pages – you can now view weekly, monthly, etc totals for specific internal IPs, or see which local IP is using the most bandwidth, in real-time.
• IM proxy with logging and filtering abilities (MSN/AIM/ICQ/Yahoo).
• SATA/SCSI support.
• Support for many new gigabit NICs.
• Streamlined installer/setup.
• Quality-of-Service (QoS) support for traffic-shaping and management – nice and easy to use but powerful, can traffic shape Peer-to-Peer traffic.
• SIP proxy support using siproxd, with transparent mode.
• Protection-level profile selector at install time can be used to pre-configure default settings.
• Timed-access feature for allowing or blocking access to a list of IPs or subnets based on time of day and day of the week.
• Outbound filtering.
• Portforward and other networking pages now use the new service list controls.
• New update mechanism which can download and install all pending updates with a single click.
• Brand new even prettier theme. The polar bear is back!
• Devel editions for people interested in hacking on smoothie.

Detailed list of new features and improvements

• Added support for empty hostnames in Dynamic DNS pages.
• Runtime kernel now has DMA support for all supported IDE chipsets. Added bridging module (but no tools) for people who want to work with bridging.
• Added ISC DHCP integration option to dnsmasq, but no UI.
• Added support for setting the NTP servers that the DHCP server will supply to clients. DHCP server now marks itself as “authorative”.
• Hostname can now only contain valid chars to stop the situation where you could set a hostname that would be incompatible to squid.
• Minor fixes to the networking probe setup code.
• Added support for the VT8237A VIA SATA chip.
• Updated autorun HTML page so it looks supercool.
• Swap sized according to the amount of RAM.
• Widened setup password entry from 20 to 25 chars.
• Added support for more gigabit NICs.
• Added Conexant ADSL PCI support.
• UPnP support using miniunpd.
• Online help now has a glossary.
• The “Other” system log viewer has been renamed “System” logs.
• Slashes now allowed in PPP usernames and passwords to fix problems with some ISPs.
• Cleanups of install and setup code. Also changed probing so it will not re-probe from the top of the list after adding a NIC.
• Added EHCI USB, and TUN/TAP modules, but neither are ever loaded at present.
• Smoothd privileged deamon replacing setuid helpers, increasing the speed of the web interface.
• Installer now supports USB keyboards and CDROMS, making it possible to install Smoothie Express on “legacy-free” hardware.
• Now includes a POP3 proxy with support for Anti-Virus using ClamAV.
• Online validation using javascript to show input validity before the Add and Save buttons have been pressed.
• Many core components have been version-bumped to the latest versions for improved security and reliability.
• Tables of data are now sortable.
• Can update snort rules using sourcefire’s “Oink code” mechanism.
• Comments can be included in portforwards and similar listed items.
• Can now DROP bad traffic instead of REJECTing it.
• GREEN is probed with the other NICs now so it is possible to replace GREEN.
• Firewall log viewer looks much nicer and has some AJAX coolness.
• Includes many new NIC drivers that are in 2.6.
• NTP service for the local network.
• Local hosts list that can be served through the DNS proxy.
• Replacement traffic stats page.
• Many internal changes to make the code more organised and easier to work with.
• Jazzed up control page.
• Easier to use log viewers with Google-style pagination.

Installing

The installer will automatically probe for and load SATA and SCSI drivers if no IDE disk is found.

The old “media menu” has gone. While only CDROM installs are supported, it isn’t needed anyway, but in the future it will not be needed anyway because the installer will know what type of install is required.

To speed along the install, the ISDN, ADSL, and DHCP screens are not automatically presented. Instead a menu appears where these features can be configured.

IM proxy

3.0 incorporates an IM (Instant Messenger) proxy called IMSpector that is able to log and filter IM conversations in a variety of protocols including MSN, ICQ, AIM, Yahoo and IRC. This proxy also has an optional swear-word filter with a pre made list of naughty words. The configuration page is under services; log viewer is under logs and is noteworthy because it shows conversations as they happen by using AJAX techniques to update the webpage.

Other notes

We’ve made a small change to the call-home process. It will now send back a dump of “lspci”, “lsmod” and the USB device table. This was done so we could hopefully in the future build a compatibility matrix for smoothie from this data. Such a chart might even be useful to the Linux community as a whole as well.

To enhance the security of the web interface, a password is now required to view the home page whereas previously this page was publicly viewable from the internal network. Any valid username (admin, dial, etc) will be able to view the home page.

The traffic graphs page shows traffic stats for each interface, with current hour, current, day etc totals, as well as “real time” reports of traffic load on each interface. Note that this code was written for the commercial series of Smoothwall products, GPLd, and included in Express. We’d love to see this particular piece of software used in other projects as well.

A new page, bandwidth bars, shows a continually updated representation of the bandwidth usage for each interface which is updated once a second through the use of AJAX and Javascript.

The time server is enabled on the “time” screen under Preferences. The timeserver (based on openntpd) has been tested against linux (ntpd etc) and Windows and works well. The time server will service requests on the GREEN side only.

The update mechanism has been reworked. In addition to the older “refresh updates list”, download, upload and install mechanism, Express 3.0 has a semi automated installer. This will perform the actions of downloading and installing updates (in sequence) by use of a single update button. This should allow for much easier maintenance.

Feedback

Please report all feedback, especially any problems encountered, to the Community forum “Express 3.0 development”.

Introduction

Express 3.0 is our latest version of the long running and successful Smoothwall Express firewall. This is a beta release, code name “Degu”. This means that this build his hopefully feature-complete relative to the released version of 3.0. It does have a couple of known problems (see below). Needless to say, there are probably unknown problems as well.

As the phrase goes …

As we know, there are no known knowns. There are things we know we know. We also know there are known unknowns. That is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.

This page will be updated as and when new betas are released.

Editions

Degu is available in four editions:

• User edition – 32bit
• Developer edition – 32bit
• User edition – 64bit
• Developer edition – 64bit

The developer editions includes the complete Smoothwall Express functionality, but also contains the needed tools for working on Express itself, including complete builds, check outs and commits. It is therefore possible for interested coders to work on Express from their very own firewall. This marks a turning point for Smoothwall: it is now easier then ever for people to work on the project, make custom modifications and get involved with the Smoothwall team.

Please bear in mind that in order to do full builds of Express, a reasonable spec machine and a fair of amount of patience is required. Typical build times are about 5 hours for a 1Ghz machine.

Please read the HOWTO for more information on using the devel edition of Degu, including instructions on how to checkout and build a Degu ISO from scratch.

64bit support

Degu is the first ever version of Smoothwall to come in multiple architectures: 32bit, for standard x86 compatibles; and 64bit, for Intel Core 2s and 64bit Athlon chips. This change to multiple processor types means that updates are specific to the different architectures. We are especially interested to hear from people running Smoothie on 64bit machines.

Please note that there are some small limitations on hardware support when running on a 64bit machine. The BeWAN driver, used in Smoothie for years, is not available on 64bit machines because it uses a binary blob (compiled code) that is not available for 64bit machines. There may be other little problems as well.

New features relative to the previous Express 3.0 alpha, Koala

• 64bit support – additional builds for 64bit Intel and AMD chips
• New realtime traffic graph shows traffic bandwidth usage over time (AJAX)
• Smoothd fully integrated, increasing the speed of the web interface
• Outbound filtering completed
• Portforward and other networking pages now use the new service list controls
• Installer now supports USB keyboards and CDROMS, making it possible to install Smoothie Express on “legacy-free” hardware.
• Per-IP address traffic statistics collection in all traffic stats pages – you can now view weekly, monthly, etc totals for specific internal IPs, or see which local IP is using the most bandwidth, in real-time.
• The interface page now functions, at least as well as the setup program
• Now includes a POP3 proxy with support for Anti-Virus using ClamAV
• Online validation using javascript to show input validity before the Add and Save buttons have been pressed
• Many core components have been version-bumped to the latest versions for improved security and reliability
• Tables of data are now sortable
• Can update snort rules using sourcefire’s “Oink code” mechanism
• Comments can be included in portforwards and similar listed items
• Quality-of-Service (QoS) support for traffic-shaping and management – nice and easy to use but powerful, can traffic shape Peer-to-Peer traffic
• Can now DROP bad traffic instead of REJECTing it
• OpenSWAN now working reliably
• SIP proxy support using siproxd, with transparent mode
• Protection-level profile selector at install time can be used to pre-configure default settings
• Timed-access feature for allowing or blocking access to a list of IPs or subnets based on time of day and day of the week

New features relative to the previous Express 3.0 alpha, Grizzly

• IM proxy with logging and filtering abilities (MSN/AIM/ICQ/Yahoo)
• SATA/SCSI support
• Streamlined installer/setup
• GREEN is probed with the other NICs now so it is possible to replace GREEN
• Smoothd privileged deamon (although only a few things are utilising it still)
• Firewall log viewer looks much nicer and has some AJAX coolness
• Hopefully working BeWAN and openswan
• Realtime traffic bars
• New update mechanism which can download and install all pending updates with
  a single click.

Other new features relative to Express 2.0

• Based upon the latest (at least at the time of building) 2.6 kernel.
• Brand new even prettier theme. The polar bear is back!
• Includes many new NIC drivers that are in 2.6.
• Brand new update system – updates are downloaded directly onto the smoothie
  itself instead of going via the desktop browser.
• NTP service for the local network.
• Local hosts list that can be served through the DNS proxy.
• Replacement traffic stats page.
• SIP NAT support (experimental!)
• Many internal changes to make the code more organised and easier to work
  with.
• Jazzed up control page.
• Easier to use log viewers with Google-style pagination.

Known Problems

Unfortunately we have a number of problems, all of them related to 2.6, that need to be addressed. We hope that they will not stop people testing.

• USB ISDN support is broken
• PPTP and Quake helpers. PPTP is compiled up but not loaded by default because it is still being tested
• UPnP support is currently missing

Installing

Testers are better off recreating their settings from scratch, though a direct restore of Express 2.0 settings will probably work for now.

The installer will automatically probe for and load SATA and SCSI drivers if no IDE disk is found. We are interested to hear about feedback on this new feature.

The old “media menu” has gone. While only CDROM installs are supported, it isn’t needed anyway, but in the future it will not be needed anyway because the installer will know what type of install is required.

To speed along the install, the ISDN, ADSL, and DHCP screens are not automatically presented. Instead a menu appears where these features can be configured.

IM proxy

Degu incorporates an IM (Instant Messenger) proxy called IMSpector that is able to log and filter IM conversations in a variety of protocols including MSN, ICQ, AIM, Yahoo and IRC. This proxy also has an optional swear-word filter with a premade list of naughty words. The configuration page is under services; log viewer is under logs and is noteworthy because it shows conversations as they happen by using AJAX techniques to update the webpage.

Other notes

We’ve made a small change to the call-home process. It will now send back a dump of “lspci”, “lsmod” and the USB device table. This was done so we could hopefully in the future build a compatibility matrix for smoothie from this data. Such a chart might even be useful to the Linux community as a whole as well.

To enhance the security of the web interface, a password is now required to view the home page whereas previously this page was publicly viewable from the internal network. Any valid username (admin, dial, etc) will be able to view the home page.

The traffic graphs page shows traffic stats for each interface, with current hour, current, day etc totals, as well as “real time” reports of traffic load on each interface. Note that this code was written for the commercial series of Smoothwall products, GPLd, and included in Express. We’d love to see this particular piece of software used in other projects as well.

A new page, bandwidth bars, shows a continually updated representation of the bandwidth usage for each interface which is updated once a second through the use of AJAX and Javascript.

The time server is enabled on the “time” screen under Preferences. The timeserver (based on openntpd) has been tested against linux (ntpd etc) and Windows and works well. The time server will service requests on the GREEN side only.

The update mechanism has been reworked. In addition to the older “refresh updates list”, download, upload and install mechanism, Express 3.0 has a semi automated installer. This will perform the actions of downloading and installing updates (in sequence) by use of a single update button. This should allow for much easier maintenance.

Feedback

Please report all feedback, especially any problems encountered, to the Community forum “Express 3.0 development”.

No release notes available

Introduction

Express 3.0 is our latest version of the long running and successful Smoothwall Express firewall. This is an alpha release, code name “koala”. This means that although this build is working and useable, it is not feature-complete. It also has a couple of known problems (see below). Needless to say, there are probably unknown problems as well.

As the phrase goes …

As we know, there are no known knowns. There are things we know we know. We also know there are known unknowns. That is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.

The main reason for releasing a feature-incomplete alpha smoothie is because we are very interested in how 2.6 performs and to make sure we have a stable base before adding a few more features.

This page will be updated as and when alphas and betas are released.

Devel edition

Koala is available in two versions:

• User edition
• Developer edition

The developer edition includes the complete Smoothwall Express functionality, but also contains the needed tools for working on Express itself, including complete builds, check outs and commits. It is therefore possible for interested coders to work on Express from their very own firewall. This marks a turning point for Smoothwall: it is now easier then ever for people to work on the project, make custom modifications and get involved with the Smoothwall team.

Please bare in mind that in order to do full builds of Express, a reasonable spec machine and a fair of amount of patience is required. Typical build times are about 5 hours for a 1Ghz machine.

Please read the HOWTO for more information on using the devel edition of Koala, including instructions on how to checkout and build a koala ISO from scratch.

New features relative to the previous Express 3.0 alpha, Grizzly

• IM proxy with logging and filtering abilities (MSN/AIM/ICQ/Yahoo)
• SATA/SCSI support
• Streamlined installer/setup
• GREEN is probed with the other NICs now so it is possible to replace GREEN
• Smoothd privileged deamon (although only a few things are utilising it still)
• Firewall log viewer looks much nicer and has some AJAX coolness
• Hopefully working BeWAN and openswan
• Realtime traffic bars
• New update mechanism which can download and install all pending updates with
  a single click.

Other new features relative to Express 2.0

• Based upon the latest (at least at the time of building) 2.6 kernel.
• Brand new even prettier theme. The polar bear is back!
• Includes many new NIC drivers that are in 2.6.
• Brand new update system – updates are downloaded directly onto the smoothie
  itself instead of going via the desktop browser.
• NTP service for the local network.
• Extension “home-brew” system.
• Local hosts list that can be served through the DNS proxy.
• Replacement traffic stats page.
• SIP NAT support (experimental!)
• Many internal changes to make the code more organised and easier to work
  with.
• Jazzed up control page.
• Easier to use log viewers with “Smooooth” pagination.

Planned New Features

Post alpha, we plan to add the following features, at a minimum:

• Settings upgrade from Express 2.0.
• Other things that come along!
• Egress blocking

Known Problems

Unfortunately we have a number of problems, all of them related to 2.6, that need to be addressed. We hope that they will not stop people testing.

• USB ISDN support is broken.
• PPTP and Quake helpers. We hoped to introduce PPTP pass through support, but this is currently broken due to kernel incompatibly.
• UPnP support is currently missing.
• The Interface page, for configuration the NICs from the web GUI is incomplete.

Installing

Testers are better off recreating their settings from scratch, though a direct restore of Express 2.0 settings will probably work for now.

The installer will automatically probe for and load SATA and SCSI drivers if no IDE disk is found. We are interested to hear about feedback on this new feature. At a point in the future we hope to add USB keyboard and CDROM support, for installing on IDE CDROM-less machines.

The old “media menu” has gone. While only CDROM installs are supported, it isn’t needed anyway, but in the future it will not be needed anyway because the installer will know what type of install is required.

To speed along the install, the ISDN, ADSL, and DHCP screens are not automatically presented. Instead a menu appears where these features can be configured.

IM proxy

Koala incorporates an IM (Instant Messenger) proxy called IMSpector that is able to log and filter IM conversations in a variety of protocols including MSN, ICQ, AIM, Yahoo and IRC. This proxy also has an optional swear-word filter with a pre made list of naughty words. The configuration page is under services; log viewer is under logs and is noteworthy because it shows conversations as they happen by using AJAX techniques to update the webpage.

Other notes

We’ve made a small change to the call-home process. It will now send back a dump of “lspci”, “lsmod” and the USB device table. This was done so we could hopefully in the future build a compatibility matrix for smoothie from this data. Such a chart might even be useful to the Linux community as a whole as well.

To enhance the security of the web interface, a password is now required to view the home page whereas previously this page was publicly viewable from the internal network. Any valid username (admin, dial, etc) will be able to view the home page.

The traffic graphs page shows traffic stats for each interface, with current hour, current, day etc totals, as well as “real time” reports of traffic load on each interface. Note that this code was written for the commercial series of Smoothwall products, GPLd, and included in Express. We’d love to see this particular piece of software used in other projects as well.

A new page, bandwidth bars, shows a continually updated representation of the bandwidth usage for each interface which is updated once a second through the use of AJAX and Javascript.

The time server is enabled on the “time” screen under Preferences. The timeserver (based on openntpd) has been tested against linux (ntpd etc) and Windows and works well. The time server will service requests on the GREEN side only.

The update mechanism has been reworked. In addition to the older “refresh updates list”, download, upload and install mechanism, Express 3.0 has a semi automated installer. This will perform the actions of downloading and installing updates (in sequence) by use of a single update button. This should allow for much easier maintenance.

The new “extensions” system is partially in place. This will allow some of the “homebrew” mods to be installed via the web interface. This is not a replacement for the homebrew system, more a supplement to it. Various aspects of the underlying design (menus etc) have been reworked so that they can be added to without fear of future updates overwriting any “extensions”. Currently there is only one extension available, which neither installs nor does it do anything particularly useful.

Feedback

Please report all feedback, especially any problems encountered, to the Community forum “Express 3.0 development”.

smoothwall

http://www.smoothwall.org/

** Please see http://smoothwall.org/ for the latest release
** information, downloads and updates!

———————————————————————
Smoothwall Express 2.0 Release Notes
———————————————————————

** Please note that the https web access port has moved from
** TCP/445 to TCP/441! Use https://x.x.x.x:441/ from now on!

Changes from Smoothwall GPL 1.0:

• Smoothwall GPL is now Smoothwall Express! http://community.smoothwall.org/topic/1086
• Stateful packet inspection using Linux 2.4 kernel with iptables and netfilter.
• Improved installer:
  • Network card skip.
  • Displays MAC address of detected cards.
  • Prefilled IP addresses.
  • Configure upstream web proxy for fetching update list.
  • when a direct connection cannot be made or is not allowed.
• Improved web user interface; more user friendly, better error reporting, more orange
• Improved connectivity device support:
  • More USB ADSL modems; ECI chipset, USR SureConnect. http://smoothwall.org/beta/eci.html
  • BeWAN PCI ADSL.
  • BT Home Highway USB TA.
• Universal Plug-n-Play support for Microsoft Windows XP users.
• Improved network usage graphs with RRDtool.
• Improved proxy performance through diskd and other squid tweaks.
• Static assignments in DHCP server options based on MAC address.
• Smoothwall time sync with internal or external NTP server. Can sync from a built-in list of servers. (Does not provide ntpd service to Green or Orange network however)
• Configuration backup to floppy disk for quick install on another machine, or re-install on same machine (compatible with backup floppies from Express 2.0 RC1, timesync server list bug when using backup floppy from Express 2.0 beta7 “pendolino” – see http://community.smoothwall.org/topic/2180 for more info)
• Simpler port forwarding; no need to open ports with external access page, the port (or ports – port ranges are allowed now) is opened and forwarded on one page.
• IP Blocking feature; block any given external IP address or subnet from accessing your Smoothwall or any port forwarded hosts. Additionally, blocking rules can be added from the firewall log interface.
• Advanced networking features; block ICMP ping, block multicast traffic and enable SYN cookies.
• Improved VPN; no need for “next hop” setting, optionally enable compression on the tunnel, still possible to connect to a Smoothwall GPL 1.0 VPN.
• Perform network diagnostic (ping, traceroute) from web interface.
• New Java SSH client (replaced due to licence conflict).
• Added clear cache option to web proxy.
• Updates list location changed http://updates.smoothwall.org/express/2.0

Thanks to those on the team and the forums for their hard work on mods and patches

———————————————————————
Rebooting
———————————————————————

During the reboot, notice the nice boot screens.

You will notice differences if you use either the ECI or the USR SureConnect USB ADSL modems.

For all USR ADSL modems, have the unit plugged in prior to booting. If you are using an ECI-chipset driver (generic of FDX310), you will see your screen fill with diagnostics as the firmware is uploaded and the line synced. Occasionally this can appear to hang part way through, but it should not stall for more then 30 seconds at a time. The line should be synced when this process is complete.

The USR SureConnect will behave in a similar fashion, but with less diagnostics.

———————————————————————
In Use
———————————————————————

After rebooting, point your browser at the Smoothwall IP and either 441 (for https) or 81 (for http). When designing the new interface, we have tried to make things easier to find and more “friendly”. The online help has been moved into a popup window for easier use. The most often used page, for PPP profiles, has been moved into a new “networking” section, which also has the port forwarding and external access pages within. Other pages have been collected into a new maintenance section, which has the all-important update page.

The webproxy page has been improved to allow you to specify a username and password for the upstream proxy. The DHCP server has been enhanced by allowing you to create static entries based on the MAC address of the client. Note that to activate the changes, you have to press the Save button after adding each one. Dynamic DNS has been improved by adding support for a couple more providers of this service.

Because of the change from ipchains to iptables, the way the external access and port forward page operates has changed slightly. The external service page now only operates on connections directly to the Smoothwall external IP address which *won’t* be forwarded on. This means that the port forward page has an additional control for setting what external address is allowed to use this port forward, combining the functionality of the external service page and the port forward page from 0.9.9. This means that in 2.0, the external service access page is limited to being used for opening up local ports, such as 222 (ssh) and 441 (https).

VPN functionality has been enhanced by removing the requirement to enter the “next hop” information, and also by making compression of VPN traffic an option. Note that the value of the compression flag must match at both ends of the tunnel. For verification, you must now enter the shared secret twice.

The IP whois resolver has been improved so it should be possible to lookup any IP address, not just European ones. You can also use this page as a generic whois interface, and lookup domain names as well as IP addresses.

———————————————————————
Feedback
———————————————————————
Please send feedback, both positive and negative, to submissions@smoothwall.org or more preferably, use the Known Issues thread at http://community.smoothwall.org/topic/2636 on the community forum site.

We are especially keen to hear from people who have success (or failure) in using the BeWAN PCI ADSL modems, or the USR SureConnect, or one of the ECI-based USB ADSL modems.