Clear as mud? Here's a diagram of the final lashup:
I know you're all waiting in BREATHLESS anticipation to hear how you too can have a killer linux based intrusion detection system/ firewall/ router out of that old otherwise ready-to-toss computer. The wait is now over! Welcome The Mighty Smoothwall box!
I asked Nigel for his recommendation for home firewall systems as I'm becoming increasingly paranoid about computer security (a perfectly natural outgrowth of working at an ISP), and Smoothwall was his emphatic recommendation. So I did some poking around on their website and discovered it was a slick little number. Smoothwall is it's own operating system built on a stripped-down version of linux, and in addition to firewall functions it's bundled with routing capabilities and some implementation of the open source intrusion detection system Snort. Nigel also showed me some logs from his "Smoothie" as well as it's basic setup. And I DO mean basic- it's a remarkably simple beast to install, maintain, and use. The system requirements are ridiculously low, ideal for some old crappy box collecting dust in the closet.
So Smoothwall is powerful, it's simple, and best of all: it's FREE to download. And I had an ancient Compaq that a friend rehomed with me when he moved with a 3.2G hard drive and 128Mb of RAM. All that remained was ordering a couple network cards, a small switch, and a few spare network cables and I was ready to get started!
Step 1: downloading the ISO and burning it on a CD. This is obviously pretty straightforward on a high speed connection. However, XP's CD burning routine doesn't do ISOs so you may have to find software that will handle it properly. I dug up some free CD burning software from download.com that I can't remember the name of right now. Sourceforge.net would be another good place to look.
Step 2: probing your current network settings. I'm going to assume you already know some dirt-basic stuff about networking if you lust for a 'killer firewall'. :) You'll want to see what your current network and DNS settings are from your DSL modem or whatever connects you to the innernets. The easiest way to see all this on a windoze box is to go to a DOS prompt (XP: Start/Run/"CMD" *enter*) and type IPCONFIG /ALL.
Step 3: installing the network cards on the Smoothwall box. You must have 2 network cards on the Smoothie, one for hooking up to the unsafe outside world (what Smoothwall calls the "red" interface) and one for hooking up to the safely firewalled inside network (the "green" interface). Nigel knocked in both cards while I was at lunch, but it's a simple enough procedure.
Step 4: installing the Smoothwall software. Just stick the CD in the box and fire it up. Instant install right there! Note that ALL stuff on the hard drive will be completely overwritten, so obviously don't plan on using it to back up all those pictures of your glamorous honeymoon in the Bronx.
There is a pdf outlining the installation on the Smoothwall website. Beyond the usual "yes" and "next", there are a few install things to note:
- Smoothwall has some ISDN/ADSL options that for us normal folks should be turned off and/or ignored.
- Allow it to probe for your network interfaces. As long as they're standard vanilla cards, it will just find both and just work.
- I used the "red + green" setup. This is all most of us mere mortals would need.
- Keep track of those passwords. You'll need them.
- If you really screw up the install, just re-do it. The process is short and painless.
- Once you're done with the installation the Smoothie doesn't need a keyboard, mouse, or monitor hooked to it any more. All further configuration can be handled through the web interface from the inside (green) network as we will see next.
Step 5: post-install stuff You'll now have to hook up the green interface on the Smoothie to your 'puter's network card, bring up a browser window, and go to your gateway IP address plus :81 at the end. Example: 192.168.1.1:81.This will open up the web interface for your brand-spanking-new firewall... IF you're plugged into the right network card on the Smoothie of course. :) Once Nigel figured which was red and which was green, I labeled the appropriate outside plate of the card with a red R so I wouldn't have to go hunting later. Note that you may also have to reboot the Smoothie (listen for the 3 beeps when it's fully booted) and then possibly your windoze box to get the routing et al fired up and working correctly.
From there you can set up the date/time, turn on Snort, etc. I turned on SSH so I can log into the linux command line and poke around if I need to, but this certainly isn't required. For the most part you should be ready to roll.
Step 6: getting all the networking doo-dads hooked up correctly. In our case I set up my Smoothie to dish out IP addresses with DHCP on my inside (green) network. But since I'm likely to have more than one computer in the future, I have the Smoothie hooked to a switch and from there to my computer. When I get another computer I can just plug it into the switch and the Smoothie will handle IP address assignment as well as providing a firewall for both boxes.
Clear as mud? Here's a diagram of the final lashup:
If I'd had the required hardware already at home this all could have easily taken about an hour to set up at most. I still need to poke around at possible Snort settings to see what if anything is configurable there, but as it stands for $50 worth of odds and sods from Newegg.com, a free old computer, and very minimal effort I've now got a nicely protected home network plus room to build out.