- By Russ Pavlicek -
In this era, just about every company -- large or small -- has a
permanent connection to the Internet, and many private homes now utilize
"always online" connections such as DSL and cable modems.
When any system connected to the Internet is fair game for
crackers, the need for a simple and secure firewall/gateway is paramount.
For many of us, the need for security must be counterbalanced with the
cost of achieving it. While a Fortune 500 company has little problem
justifying the cost of firewalls, those of us with more modest means need
to achieve the goal of security and adequate throughput without incurring
My personal solution to this quandary was to install a copy of e-smith
Gateway/Firewall v.4.1.1 on an old Pentium-equivalent box. I cobbled together the system from miscellaneous pieces of scrap hardware. A Cyrix
PR166 processor, 32 megabytes of memory, an 800-megabyte disk drive, two
PCI ethernet cards, and an ancient CDROM drive were all that was needed to
construct a functional firewall system to stand guard over the half dozen nodes on my home LAN connected to a cable modem. Truthfully, far less of a system would likely perform adequately for my home LAN, but even so, a shrewd shopper could purchase
an equivalent system today for far less than U.S. $100.
The software I selected to handle the task was the e-smith
Firewall/Gateway. The e-smith software is a Red Hat-based
metadistribution which trims away software unneeded by a firewall (such as
the X Window System and user desktop applications) and adds both Web-based
and character cell administration tools to simplify the installation and
configuration of the core functions. It installs easily and provides even
unskilled administrators an opportunity to get the job done. And, because
there is no need to detect specific sound or video cards, the installation
looks as smooth as butter on a hot afternoon.
You can purchase the e-smith CD from the e-smith company Web site or download your own from the company's developers Web site. Simply pop the bootable CD into your machine, and you are ready to go. If your machine does not support booting directly from the CD, instructions for building a bootable floppy can be found in the "Install" file in the top level directory of the CD.
Once you have booted the e-smith distribution, the installation starts
up. Note that because you are installing a firewall, the installation will
automatically use the entire disk. Whatever is
currently on your hard drive will be erased. But, because the needs of
e-smith are quite modest, you can easily utilize an old sub-gigabyte disk
to get the job done. In my case, an 800-megabyte drive left me with far
more free space (over 170 megabytes) than I am likely to use in this
release of the product.
The installation was both quick and painless. Because e-smith is based on
Red Hat 7, it easily recognizes most common PCI ethernet cards. The standard Red Hat drivers for ISA ethernet cards are present, but the automated installation looks for PCI cards only. The reasoning behind this is that PCI cards are better suited than ISA cards for moving large amounts of network data, but an experienced admin can edit the command files after the install if he or she really needs to use ISA cards. In my case,
I did my first install with one ISA and one PCI card because that is what
I happened to have on my shelf at the time. I later took a trip to the
local computer show and picked up a simple PCI card for about U.S. $10. I
reinstalled to see how the installation process would run with a pair of
PCI cards. It was absolutely painless.
The installation dialogue itself was quite simple and
self-explanatory. The process allows you to select which ethernet card will
serve your local network and which card (or dialup connection) will
connect to the Internet. This distinction is simple but critical, as
e-smith will install an extensive set of firewall rules meant to provide
appropriate levels of access and security. By default, most services
on the firewall will be inaccessible from the Internet unless the
administrator chooses to allow them by using the Web configuration
Want your e-smith server to be your intranet's DHCP server? Just check
the box during install. Need to get the server's IP address from your
Internet service provider via DHCP? Just select that option. And, if you
subscribe to any of a number of dynamic DNS services (like dyndns.org),
you can even have the server update the DNS service when its IP address
The e-smith software adds a useful Web interface for managing and
configuring the server. While it does not address every possibility, it
does seem to cover most of the basic functions.
With these Web pages,
someone with no experience as a system administrator could conceivably set
up and manage this server. Want secure shell (SSH) access to the server
from your intranet or from the Internet? Just check a box in the
configuration. Want to add user accounts? Fill in the Web form. Want to
allow inbound connections to your network using PPTP? Just specify the
maximum number of connections to allow.
Perhaps one of the more creative additions is the simple ability to define
"Information Bays." These are virtual Web sites which can be allocated in
seconds. All you need to do is FTP your pages into the Information Bay
and you are in business.
Along with the basic firewall and gateway functions, the e-smith product
does contain some strong additional software. One of these is the webmail
service (using IMP). While it can be a bit slow on my old Cyrix PR150
box, it does do a credible job of creating an equivalent to most free
webmail services. This could be quite useful for certain people and
Originally, I needed to find a way to connect my home intranet to the
intranet at work. I wanted to make an outbound PPTP connection to my
employer's PPTP tunnel server, but e-smith did not provide that
functionality. But I quickly found that I could install a PPTP client RPM
kit that worked on Red Hat 7 and I had the functionality I required. The
fact that e-smith leans on Red Hat to do the job means that the large
number of packages that are tested to run on Red Hat can be added simply
if needed. However, because the distribution includes a large array of
functions that are appropriate for a firewall/gateway, you might not need
to ever venture into other software packages.
Very easy installation
Simple Web-based administration for common tasks
Runs well on older hardware for homes and small businesses
Strong firewall rules which leave everything locked down until you
choose to open them up
Support for multiple Web pages and virtual hosting
DHCP server, proxy server, web server, POP & IMAP mail servers
Support for dynamic DNS services
Integrated webmail system
Mail logfile analysis tools built in
Software RAID 1 available at installation
Hardware RAID support included
Automated tape backup system
Virtual network support and inbound PPTP support
Red Hat base means that other packages can be added painlessly if
Web-based administration does not address certain tasks that
experienced system administrators might want to do. Adding
modifications to the system may require the admin to edit the
e-smith scripts that generate many of the common config files.
This process has a learning curve.
No PPTP outbound support available out of the box, but it can
be added manually by an experienced system administrator if needed
No direct ISA ethernet card support, but it can be added by an
experienced system administrator
The e-smith firewall/gateway is a useful distribution. It is focused on
doing a specific set of tasks and it does them well. While there are
clearly additions e-smith might want to add to its Web interface,
the system works well and provides a good level of functionality. It is
certainly worth considering as a firewall or gateway solution for the home
or small-to-medium-sized business.