Smoothwall Express 3.1 installation and administration guide (extract)

Source port or range: Specify the port on the source IP address from which the traffic will arrive. For example, port 80, the standard HTTP port, would normally be specified for traffic to be forwarded to a web server. Allowing traffic on other ports through to the web server is neither logical nor sensible: the less that is allowed through the firewall, the more secure the servers and networks behind it will be.

The rule takes effect immediately.

Controlling Outgoing Traffic
You can allow, disable or limit access to the Internet for each internal interface. In addition, you can specify a list of IP addresses which are not subject to any blocking. Default access is determined when SmoothWall Express is installed and is one of:
Open: all traffic is allowed onto the Internet.
Half-open: some traffic is allowed and the rest is blocked.
Closed: all traffic is blocked unless you explicitly add a rule to allow it.

Port: Each rule must contain either a single port number, or a port range specified as two port numbers separated by a colon (:) character. A range forwards every port from the first number through to and including the second. Apart from the colon separator, port numbers must be numeric and within the valid TCP/UDP port range.
Note: Forwarding ports to the local green network is not generally recommended; publicly accessible servers should be located in the DMZ if at all possible.

Destination port: From the drop-down menu, select the destination port, or select User defined.
Port: If User defined is selected as the destination port, enter a destination port. Normally this will be the same as the source port; however, it is not uncommon to use non-standard port numbers for security reasons (this hides a service from casual scans but is not a substitute for restricting who may reach it). If the destination port is left blank, it is set to the same port or port range as the source port.
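The port and range rules described above are easy to get wrong in a form handler, so here is an added example (not SmoothWall's own code) that parses a port field exactly as the guide specifies, applies the "blank destination means same as source" default, and renders the resulting forward as the netfilter rules a Linux firewall would need. The field names, the assumption of TCP, and the iptables rendering are this example's own.

```python
"""Port-forward rule validation.

Added example for this guide, not SmoothWall's own code. It models the
rules the text states: a port field is a single number or a low:high range
with a colon separator; values must be numeric and within the TCP/UDP range;
a blank destination port means "same as the source port". Field names,
the tcp protocol, and the iptables rendering are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# one or two groups of up to five digits, optionally separated by a colon
_PORT_SPEC = re.compile(r"^\s*(\d{1,5})(?::(\d{1,5}))?\s*$")


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Return (low, high) for '80' or '8000:8080'; raise ValueError otherwise.

    A single port is returned as (p, p). Anything that is not digits and an
    optional colon (hyphens, spaces, names) is rejected before int() is called,
    so the caller never has to guess what a malformed field meant.
    """
    m = _PORT_SPEC.match(spec)
    if not m:
        raise ValueError(f"port must be a number or low:high range, got {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    for p in (low, high):
        # 0 is not a usable forwarding target; 65535 is the last valid port
        if not 1 <= p <= 65535:
            raise ValueError(f"port {p} is outside 1-65535")
    if high < low:
        raise ValueError(f"range {spec!r} is reversed (low must not exceed high)")
    return low, high


@dataclass(frozen=True)
class ForwardRule:
    external_ip: str
    source: Tuple[int, int]        # ports on the external (red) address
    destination_ip: str            # server in the DMZ (or green, not recommended)
    destination: Tuple[int, int]   # ports on the destination address


def make_forward_rule(external_ip: str, source_spec: str,
                      destination_ip: str, destination_spec: str = "") -> ForwardRule:
    """Build a rule, applying the guide's "blank destination = same as source" default."""
    src = parse_port_spec(source_spec)
    if destination_spec.strip() == "":
        dst = src
    else:
        dst = parse_port_spec(destination_spec)
        # Added sanity check (not stated in the guide): a range can only be
        # mapped onto a range of the same size, otherwise the mapping is ambiguous.
        if dst[1] - dst[0] != src[1] - src[0]:
            raise ValueError("destination range must be the same size as the source range")
    return ForwardRule(external_ip, src, destination_ip, dst)


def to_iptables(rule: ForwardRule) -> List[str]:
    """Render roughly the Linux netfilter rules such a forward needs (TCP assumed).

    DNAT rewrites the destination on arrival; the FORWARD rule admits only the
    forwarded ports and nothing else, which is the point made in the text above.
    """
    def span(ports: Tuple[int, int], sep: str) -> str:
        lo, hi = ports
        return str(lo) if lo == hi else f"{lo}{sep}{hi}"

    return [
        f"iptables -t nat -A PREROUTING -d {rule.external_ip} -p tcp "
        f"--dport {span(rule.source, ':')} -j DNAT "
        f"--to-destination {rule.destination_ip}:{span(rule.destination, '-')}",
        f"iptables -A FORWARD -d {rule.destination_ip} -p tcp "
        f"--dport {span(rule.destination, ':')} -m conntrack --ctstate NEW -j ACCEPT",
    ]
```

Note that the parser rejects the field outright rather than trying to repair it: on a firewall, a rule that is silently different from what the administrator typed is worse than one that is refused.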

Comment: Optionally, enter a comment describing this rule.
Enabled: Select to enable the rule.
Setting / Description
Allowed with exceptions: Allow all traffic originating on the interface except for the exceptions listed in the Current exceptions area.

Click Save to save your selection. The rule is added to the list in the Current exceptions area.

Always Allow Traffic
You can always allow certain clients access to the Internet. The rule is added to the list in the Current always allowed machines area.

Interface: To add an exception, select from the following options:
GREEN: Select to add an exception for traffic on the green interface.

Application or service(s): From the drop-down list, select the application, service or User defined option.
Port: If you select User defined as the application or service, enter the applicable port.
Comment: Optionally, enter a description of the rule.
The standard configuration, without any holes configured, blocks any host in the DMZ from connecting to a host on the local green network. Every hole you open is a potential security risk, and the name "pinhole" indicates the size of hole that should be opened: a specific DMZ host, a specific green host and a single port wherever possible.

There may be good reasons for opening one, for example where web servers located in the DMZ need to access back-end SQL database servers on the local network, or where external-facing mail servers in the DMZ relay messages to internal mail servers on the local network. Bear in mind that such a pinhole is the path an attacker who compromises the DMZ server will try next, so keep it to the single destination and port required. Whether a hole is needed will depend, of course, on how you configure outgoing filtering.

The rule is listed in the Current rules area.
Application or service(s): From the drop-down list, select the application, service or User defined port.
Destination port: If User defined is selected, enter which port on the destination IP address is to receive the traffic.

Comment: Optionally, enter a description.
Enabled: Select to enable the rule.
Ports opened for forwarding are not affected by the settings on this page.

The rule is listed in the Current rules area.
We strongly advise that you specify only one known and trusted remote computer from which to administer, or gain root access to, SmoothWall Express; this stops anybody else from being able to connect to the port.
Destination port: Enter the port on SmoothWall Express which will accept data from the specified source address. All other ports will be blocked. The rule is added to the Current rules area.
Drop packet: Select to drop the packet and completely ignore any request from the specified IP address.

Reject packet: Select to reject the packet (unlike dropping, the sender is told the request was refused).
Log: Select to log activity.
Comment: Optionally, enter a description of what the rule is for.
Setting / Description
Enabled: Select to enable the settings.

Mode: From the drop-down list, select from the following options:
Allow at specified times: Internet access is allowed at the specified times.

Reject at specified times: Internet access is blocked at the specified times.
From / To: Select the times between which, and the days of the week on which, Internet access is allowed or blocked.

Machines: Enter one IP address, or network with netmask, per line.

External upload speed: From the drop-down list, select the speed of your external upload connection.
Download speed: From the drop-down list, select the speed of your download connection.
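The timed access settings above (Mode, From/To window, days of the week and the Machines list) have one awkward case that the form does not mention: a window whose To time is earlier than its From time crosses midnight. The following added example, which is not SmoothWall's own code, evaluates such a rule for a given client and time and handles that case; the treatment of machines the rule does not list (they fall through to the interface's default access, taken here as allowed) and the sample rules are this example's assumptions.

```python
"""Timed access rule evaluation.

Added example for this guide, not SmoothWall's own code. It models the
settings above: a Mode (allow or reject at the specified times), a From/To
time window with days of the week, and a Machines list of one IP address or
network-with-netmask per line. The behaviour for machines the rule does not
list (fall through to the interface's default access, taken here as allowed)
is this example's assumption.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Sequence


@dataclass(frozen=True)
class TimedRule:
    mode: str              # "allow" or "reject": what happens inside the window
    start: time            # From
    end: time              # To
    days: Sequence[int]    # Monday=0 ... Sunday=6, as datetime.weekday()
    machines: str          # one address or network per line, as typed in the UI


def parse_machines(text: str) -> List[ipaddress.IPv4Network]:
    """Turn the Machines box into networks; a bare address becomes a /32."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # ip_network accepts both "10.0.0.0/24" and "10.0.0.0/255.255.255.0";
        # strict=False tolerates host bits being set in the network part.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_window(now: datetime, rule: TimedRule) -> bool:
    """True if `now` falls in the rule's From/To window on one of its days.

    A window whose To is earlier than its From (e.g. 22:00 to 06:00) crosses
    midnight; the portion after midnight is credited to the day the window
    started, so a Friday-only 22:00-06:00 rule still applies at 01:00 Saturday.
    """
    t = now.time()
    if rule.start <= rule.end:
        return rule.start <= t <= rule.end and now.weekday() in rule.days
    if t >= rule.start:
        return now.weekday() in rule.days
    if t <= rule.end:
        return (now.weekday() - 1) % 7 in rule.days
    return False


def access_allowed(client_ip: str, when: str, rule: TimedRule) -> bool:
    """Decide whether `client_ip` may reach the Internet at ISO time `when`."""
    now = datetime.fromisoformat(when)
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in parse_machines(rule.machines)):
        return True                      # not subject to this rule (assumption)
    active = in_window(now, rule)
    if rule.mode == "allow":
        return active                    # allowed only inside the window
    if rule.mode == "reject":
        return not active                # blocked inside the window
    raise ValueError(f"unknown mode {rule.mode!r}")


# Constructed sample rules: the office network may browse 09:00-17:00 on
# weekdays, and one host is cut off overnight on weekday nights.
OFFICE_HOURS = TimedRule("allow", time(9, 0), time(17, 0), range(0, 5),
                         "192.168.0.0/255.255.255.0\n")
NIGHT_BLOCK = TimedRule("reject", time(22, 0), time(6, 0), range(0, 5),
                        "192.168.0.10")
```

The midnight handling is the part worth checking against your own expectations: with the Friday-night rule above, 01:00 on Saturday is still blocked but 01:00 on Sunday is not, because Saturday is not a selected day.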

Headroom: Accept the default or, from the drop-down list, select the amount of headroom required for SmoothWall Express to handle fluctuating traffic levels.
Traffic that does not match below gets treated as: From the drop-down list, select how to handle traffic types that are not listed in the Rule selection area. Traffic prioritised as high has first call on any spare capacity.

Block and ignore multicast traffic: Select to block multicast messages and stop them being logged. This reduces spurious messages in your log files.
Action to perform on bad external traffic: From the drop-down list, select how to handle external traffic that is not forwarded or otherwise allowed. Replying to such traffic (rejecting it) makes it easier for an attacker to determine which ports SmoothWall Express has open, because every closed port answers immediately.

Drop: Do not reply. An attacker will have a harder time finding open ports on SmoothWall Express, since a dropped probe is indistinguishable from a lost packet and the scan must wait for time-outs.

Configuring Dial-up Connections
Number: Enter your ISP's dial-in access modem number.
Modem speaker on: Select to turn on the modem speaker, if it has one.
Dialling mode: From the drop-down list, select the dialling mode used by your telephone exchange.
Maximum retries: Accept the default or enter a different number of failed dial attempts before SmoothWall Express stops trying to connect.
Note: This number applies even if the Persistent connection option is enabled.

Idle timeout (mins; 0 to disable): Determines the length of inactivity before SmoothWall Express drops a non-persistent connection. The default is 15 minutes. Set this option to zero (0) to disable it.

Note: When disabled, you will have to disconnect and hang up manually.
Persistent connection: Select to have SmoothWall Express keep the link to your ISP up and available all of the time; if the connection drops, it is redialled automatically.
Dial on Demand: Select to configure SmoothWall Express to connect automatically to the ISP detailed in the current profile whenever a user on the network initiates a connection to the Internet.

Note: If dial on demand is enabled and your Internet connection is charged per minute, you may get an unpleasant surprise when the next telephone bill arrives!
Note: If not selected, SmoothWall Express will not dial up each time a DNS request is made, but only when a specific connection is requested. This is one simple way to help reduce telephone charges when the ISP connection is paid for per minute.

Automatic reboot if connection down for 5 minutes: Select to configure SmoothWall Express to reboot automatically if the red interface is detected as being down for 5 minutes.

Note: This option cannot be used in conjunction with Dial on Demand.
Keep second channel up: For ISDN connections, select this option to control the action of the second data channel used for high-speed access. If the data throughput keeps changing, the second channel may repeatedly go up and down. Selecting this option forces the second channel to remain up, instead of closing automatically once the data rate drops below the threshold at which the second channel is of no benefit.

Minimum time to keep second channel up (sec): For ISDN connections, use this setting to stop the second channel repeatedly going up and down because the threshold is exceeded only for short periods. Enter a higher value to force the second channel to stay up for longer, so that a momentary lull in traffic does not bring it down.

Username: Enter the username supplied by your ISP.
Password: Enter the password supplied by your ISP.
Type: Determines how DNS details are obtained.
Netmask: For an internal interface, accept the default or enter a new netmask.

Connection method: To configure an external Ethernet connection, you can select from the following connection methods:
Static: Select this method if you want SmoothWall Express to use a static IP address assigned by your Internet Service Provider (ISP).

IP address: If you are using the Static connection method, enter the IP address for the external interface.
Netmask: If you are using the Static connection method, enter the netmask for the external interface.

The following sections explain how to configure a connection between a local SmoothWall Express and a remote SmoothWall Express.

Configuring the Local SmoothWall Express
The following section explains how to configure the settings for the local SmoothWall Express and how to export them for use when configuring the remote SmoothWall Express.

SmoothWall Express creates the file vpnconfig. When prompted by your browser, save the file to a secure location; it contains the connection's shared secret, so treat it like a password.
Setting / Description
Name: Enter a name for the connection.
Compression: Select to enable data compression in the connection.
The local endpoint must be the public IP address of the Internet (red) interface.
Left subnet: Enter the network address of the subnet from which the VPN connection originates.

Normally, this will be the local green network.
Note: Left and right subnets must have different network addresses.
Right subnet: Enter the network address of the subnet to which the VPN connection goes.

Secret: Enter a secret string known to both SmoothWall Express systems and used to authenticate the connection. This secret should be at least twenty characters long and contain a mixture of lower-case letters, upper-case letters and digits. Generate it randomly rather than choosing a word or phrase: the pre-shared key is all that authenticates the two ends to each other.
Again: Re-enter the string to confirm it.

Comment: Optionally, enter information on the connection for future reference.
Enabled: Select to enable the connection.
Make sure that the exported file is transferred securely to the other end of the connection, since it carries the shared secret. Navigate to and select the vpnconfig file, then click Import. SmoothWall Express uses the settings to configure the remote end of the connection.

A major use for this is to determine the source of requests appearing in logs.
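The constraints the connection settings above impose (a public local endpoint, left and right subnets with different network addresses, and a secret of at least twenty mixed-case alphanumeric characters) can be checked before a connection is saved or exported. The following added example does so; it is not SmoothWall's own code. The subnet-overlap check and the random secret generator go beyond what the guide states and are this example's additions, and the sample addresses are constructed.

```python
"""Site-to-site VPN settings check.

Added example for this guide, not SmoothWall's own code. It checks the
constraints the text states before a connection is saved or exported: the
local endpoint must be a public address, the left and right subnets must
differ, and the secret must be at least twenty characters with lower-case,
upper-case and numeric characters. The overlap check and the random secret
generator are this example's additions.
"""
import ipaddress
import secrets
import string
from typing import List


def check_secret(secret: str) -> List[str]:
    """Return the policy rules the secret breaks (empty list means it passes)."""
    problems = []
    if len(secret) < 20:
        problems.append("secret is shorter than 20 characters")
    if not any(c.islower() for c in secret):
        problems.append("secret has no lower-case letter")
    if not any(c.isupper() for c in secret):
        problems.append("secret has no upper-case letter")
    if not any(c.isdigit() for c in secret):
        problems.append("secret has no digit")
    return problems


def generate_secret(length: int = 32) -> str:
    """Make a random pre-shared key that satisfies check_secret.

    secrets.choice draws from the OS CSPRNG; a word or phrase is never an
    acceptable PSK because an attacker who captures the key exchange can
    test guesses offline. Redraw (rarely needed) until every class appears.
    """
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_secret(candidate):
            return candidate


def check_connection(local_endpoint: str, left_subnet: str,
                     right_subnet: str, secret: str) -> List[str]:
    """Validate one connection's settings; returns a list of problems."""
    problems = check_secret(secret)

    endpoint = ipaddress.ip_address(local_endpoint)
    # The text requires the public IP of the red interface; a private address
    # here usually means the red side is itself behind NAT.
    if not endpoint.is_global:
        problems.append(f"{local_endpoint} is not a public address")

    left = ipaddress.ip_network(left_subnet, strict=False)
    right = ipaddress.ip_network(right_subnet, strict=False)
    if left == right:
        problems.append("left and right subnets have the same network address")
    elif left.overlaps(right):
        # Not stated in the guide, but overlapping (rather than merely
        # different) subnets cannot be routed across one tunnel either.
        problems.append(f"left {left} and right {right} overlap")
    return problems
```

Run the check on both ends: the imported vpnconfig file carries the same secret and subnets, so a weak secret chosen on the local system is weak on the remote one too.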

SmoothWall Express displays any information available.
Use the ping tool to confirm that SmoothWall Express can communicate with its local networks and with external hosts on the Internet.

The result of the ping command is displayed.

Tracing Routes
Traceroute reveals the routing path to an Internet host as a series of hops from one system to the next. A greater number of hops usually indicates a longer path and often, though not always, higher latency; the per-hop round-trip times show where any delay actually lies.

The output of these commands is as it would be if they were run directly by the root user from the console of the SmoothWall Express system; it is, of course, more convenient to run them from this page. Because they run as root, anyone who can drive this page effectively has root on the firewall, a further reason to restrict administrative access to a single trusted host. The result of the command is displayed.

Note: To use this feature, SSH access must be enabled, and your browser must have Java Virtual Machine support installed. For details on setting your browser up in this way, consult your browser help system. Current browsers no longer run Java applets, so in practice a standalone SSH client is needed.

Correctly configured, and especially where relatively slow Internet connections are used, the web cache provides faster access to pages recently visited by users behind the same SmoothWall Express system.

The cache size must not exceed the amount of free disk space available; as a rough guide, it should be comfortably smaller than the hard disk, leaving room for the system and its logs.
Note: An excessively large cache may slow down access, causing SmoothWall Express to spend more time and resources managing the cache than it saves by not retrieving pages over a fast connection.

We recommend that you experiment with different cache sizes to achieve optimum performance.
Remote proxy username: If using a remote (upstream) proxy which requires authentication, enter the user name required.
Remote proxy password: If using a remote proxy which requires authentication, enter the password required.
Max object size (KB): Enter the largest object size to be stored in the cache, or accept the default value.

This option enables you to ensure that large downloads do not clog up the cache. The default is not to cache objects larger than 4 MB (4096 KB).
Min object size (KB): Optionally, enter the smallest object size that will be stored in the cache.
Max outgoing size (KB): Optionally, enter the maximum amount of data, for example file uploads or form submissions, that a browser is allowed to send through SmoothWall Express, regardless of whether the data is cached or not.

This option can be used to stop people from downloading excessively large files that would slow down your Internet connection.
Click Save and clear cache to save and apply your settings and clear any information currently in the cache.

In transparent mode, all web requests are redirected through SmoothWall Express automatically, so clients need no proxy configuration.
Enabled: Select to enable the web proxy service.
Setting / Description
Enabled: Select to enable the instant messaging proxy service.
Swear-word filtering: Select to filter English swear words.

Yahoo: Select to proxy and monitor Yahoo conversations.
Setting / Description
Enabled: Select to enable the service.
Emails which contain a virus are replaced with an explanatory email giving details of the original message, including the name of the detected virus.

AV signatures are updated automatically every day.
Logging level: From the drop-down list, select the level of logging required.
Log calls: Select to log individual calls.
Maximum number of clients: From the drop-down list, select the maximum number of clients which can use the service.
Transparent: Select to run the SIP proxy service in transparent mode.

Both the green and purple networks can use the DHCP service.
Boot server: If network booting is enabled, enter the IP address of the server running Trivial File Transfer Protocol (TFTP).
Boot filename: If network booting is enabled, enter the name of the file workstations or devices should use to boot.

Root path: If network booting is enabled, enter the path to the file workstations or devices should use to boot.
Interface: From the drop-down list, select the network you want to configure the service for. The first three parts of the IP address should normally be the same as that of SmoothWall Express (that is, with a 255.255.255.0 netmask, addresses must lie in the interface's own network).

The default address range suggested by SmoothWall Express leaves addressing space below the DHCP range for computers using fixed IP addresses, such as file and print servers.
To statically assign an IP address:
1 In the Add a new static assignment area, configure the following settings:
2 Click Add to add the assignment to the list of current static assignments.
Upon expiry of the lease, the client PC has to re-request a new IP address.

For most users, this field should be left at its default value.
Domain name suffix: Enter the domain name that will be given to systems requesting an IP address. For most small networks this can be left blank.
Description: Optionally, enter a description of this assignment.
The MAC address must be entered as six pairs of hexadecimal digits, with a space, colon or other separator character between each pair.

IP address: Enter the IP address you want to assign to the client.
Enabled: Select to enable the assignment.

Dynamic DNS
Dynamic DNS keeps a hostname pointing at your current external IP address. This, in turn, enables you to run services such as a web server even if you do not have a static IP address. Currently, SmoothWall Express supports the following services and providers:
Note: We encourage users to donate to organisations which rely largely on donations for funding.
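Returning to the DHCP settings above: the dynamic range should sit inside the interface's network with space left for fixed addresses, and each static assignment's MAC address is six hexadecimal pairs with a separator between them. The following added example (not SmoothWall's own code) normalises MAC addresses written with any of the separators the guide allows and validates a scope and its static assignments together. Treating a static address inside the dynamic range as a problem, and the sample addresses, are this example's assumptions.

```python
"""DHCP scope and static-assignment checks.

Added example for this guide, not SmoothWall's own code. It applies the
points made above: the dynamic range should sit inside the interface's
network with space left for fixed addresses, and a static assignment's MAC
address is six pairs of hexadecimal digits separated by a space, colon or
other character. Treating a static address inside the dynamic range as a
problem is this example's assumption (the server may hand the same address
to another client).
"""
import ipaddress
import re
from typing import Dict, List, Sequence, Tuple

_HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def normalize_mac(text: str) -> str:
    """Accept '00:11:22:AA:BB:CC', '00-11-22-aa-bb-cc' or '00 11 22 aa bb cc';
    return the canonical lower-case colon form used for duplicate detection."""
    parts = re.split(r"[^0-9a-fA-F]+", text.strip())
    parts = [p for p in parts if p]          # drop empties from doubled separators
    if len(parts) != 6 or not all(_HEX_PAIR.match(p) for p in parts):
        raise ValueError(f"MAC must be six hex pairs with separators, got {text!r}")
    return ":".join(p.lower() for p in parts)


def check_scope(interface_ip: str, netmask: str, range_start: str, range_end: str,
                static: Sequence[Tuple[str, str]]) -> List[str]:
    """Validate a dynamic range and (mac, ip) static assignments for one interface."""
    problems: List[str] = []
    network = ipaddress.ip_network(f"{interface_ip}/{netmask}", strict=False)
    firewall = ipaddress.ip_address(interface_ip)
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)

    if start > end:
        problems.append("range start is after range end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in network:
            problems.append(f"range {label} {addr} is outside {network}")
        elif addr in (network.network_address, network.broadcast_address):
            problems.append(f"range {label} {addr} is not a usable host address")
    if start <= firewall <= end:
        problems.append(f"range includes SmoothWall Express's own address {firewall}")

    seen: Dict[str, str] = {}
    for mac_text, ip_text in static:
        try:
            mac = normalize_mac(mac_text)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if mac in seen:
            problems.append(f"MAC {mac} assigned twice ({seen[mac]} and {ip_text})")
        seen[mac] = ip_text
        addr = ipaddress.ip_address(ip_text)
        if addr not in network:
            problems.append(f"static {addr} is outside {network}")
        elif start <= addr <= end:
            problems.append(f"static {addr} lies inside the dynamic range")
    return problems
```

Normalising the MAC before comparing is what makes the duplicate check meaningful: "00-11-22-33-44-55" and "00:11:22:33:44:55" are the same interface, and two assignments for it would otherwise slip past a plain string comparison.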

Service: Select the dynamic DNS service provider from the list (for example, dhs).
Behind a proxy: Select this option if you are using no-ip from behind a proxy.
Enable wildcards: Select this option to have all the sub-domains of your dynamic DNS hostname point to the same IP address as the hostname.

For example, when selected, a www. prefix on your hostname resolves to the same address as the hostname itself.
Note: This option does not work with the no-ip service.
Hostname: Enter the hostname you registered with your service provider.
Username: Enter the user name you registered with the service provider.
Password: Enter the password you registered with the service provider.

Enabled: Select to enable the service.
SmoothWall Express refreshes the current dynamic IP addresses.

This includes SmoothWall Express itself.
Comment: Optionally, enter a description.
Enabled: Select to enable the entry.

The intrusion detection service uses Snort and its rule set.
Note: This service only detects intrusion attempts; it does not prevent them.
Note: Fetching the rules and restarting the service may take a while. You are only permitted to download the rules at a limited frequency. Do not share the same Oink code between different SmoothWall Express systems.

Click Save.
Oink code: Enter the code you have received from Snort.
Allow admin access only from valid referral URLs: Optionally, select to make a referral check that ensures any request for an admin function comes from a page served by SmoothWall Express and not from a third-party web page. This defends against cross-site request forgery, where a page you visit elsewhere makes your browser submit a request to the firewall using your logged-in session. The check relies on the browser sending a Referer header, so clients or privacy extensions that strip it will be refused admin functions while the option is enabled.
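The referral check described above is simple to state but easy to implement in a bypassable way. The following added example, which is not SmoothWall's own code, places the correct check (compare the parsed host of the Origin or Referer header against the firewall's own names) beside the substring comparison that looks equivalent and is not. The host names, the admin port and the request headers are constructed for the example.

```python
"""Referral check for admin requests.

Added example for this guide, not SmoothWall's own code. It shows the check
the option above describes (an admin request must come from a page the
firewall itself served) done correctly, beside the substring comparison that
looks equivalent but is bypassable. Host names and the admin port are
constructed for the example.
"""
from typing import FrozenSet, Mapping
from urllib.parse import urlsplit

# The names and addresses under which this firewall's admin pages are served.
# Constructed for the example; a real implementation takes them from config.
OWN_HOSTS: FrozenSet[str] = frozenset({"192.168.0.1", "smoothwall.example.lan"})


def referral_allowed(headers: Mapping[str, str],
                     own_hosts: FrozenSet[str] = OWN_HOSTS) -> bool:
    """Allow only if Origin (preferred) or Referer names one of our own hosts.

    Compare the parsed host component, never the raw string: a third-party
    page at 192.168.0.1.evil.example, or one that places our address in its
    query string, must not pass. A missing header is refused too; a browser
    that strips Referer then loses admin access, which is the trade-off the
    guide's note describes.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in own_hosts


def referral_allowed_naive(headers: Mapping[str, str],
                           own_hosts: FrozenSet[str] = OWN_HOSTS) -> bool:
    """The bypassable version: 'does our host appear anywhere in the Referer?'"""
    value = headers.get("Referer", "")
    return any(host in value for host in own_hosts)


# Constructed requests: the genuine one is a form posted from the admin UI on
# port 441; the other two are what a cross-site request forgery attempt carries.
GENUINE = {"Referer": "https://192.168.0.1:441/cgi-bin/admin"}
LOOKALIKE_HOST = {"Referer": "https://192.168.0.1.evil.example/attack.html"}
HOST_IN_QUERY = {"Referer": "https://evil.example/?next=https://192.168.0.1/"}
NO_HEADER: Mapping[str, str] = {}
```

The two crafted Referer values pass the naive check and fail the correct one; that difference is the whole point of parsing the URL before comparing.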

Set: Select to set the time and date.
Time: From the drop-down lists, select the current time.
Date: From the drop-down lists, select the date.
Enabled: In the Network time retrieval area, select to enable SmoothWall Express to synchronise its date and time with network time servers accessible on the Internet. Accurate time matters for correlating log entries with other systems.

Next update in: Displays when the next synchronisation will take place.
Multiple random public servers: Select to use a different network time server each time SmoothWall Express synchronises its time settings.

This is the default and recommended option.
Selected single public server: Select to use the same network time server each time SmoothWall Express synchronises its time settings.
