{"id":759,"date":"2016-11-10T18:43:00","date_gmt":"2016-11-10T18:43:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=759"},"modified":"2024-11-17T20:20:01","modified_gmt":"2024-11-17T20:20:01","slug":"deploying-smoothwall-express-3-1-explicit-proxy","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/deploying-smoothwall-express-3-1-explicit-proxy\/","title":{"rendered":"Deploying Smoothwall Express 3.1 (Explicit Proxy)"},"content":{"rendered":"\n

<\/p>\n\n\n

Smoothwall Express\u00a0is a open source project setup in year 2000 to develop a free firewall that includes its own security-hardened GNU\/Linux operating system and easy to use web interface.<\/p>\n

This product is not to be mistaken for the commercial corporate product \u201csmoothwall\u201d which \u00a0is a a very powerful web filtering and security\u00a0appliance that can be used to control web traffic in depth working up to layer 7 of the OSI model.<\/p>\n

The smoothwall express device can deployed in two methods,<\/p>\n

Explicit Mode:<\/strong>\u00a0In explicit mode, requests are sent to the proxy device for analysis and matching from hosts as the traffic travels\u00a0from inside to the outside network, using this method means users would need to define a proxy server inside their internet options. The proxy server can also be bypassed if the settings are removed from internet options and the firewall is allowing hosts to get out on http and https.<\/p>\n

Transparent Mode:\u00a0<\/strong>In transparent mode, the data must pass the device in order to get out, its like a bump in the wire, this method is more secure in the sense that requests are not sent to the proxy server however the proxy server is the ultimate destination. No settings need to be defined inside internet options when using this method.<\/p>\n

Smoothwall Express is a great free product, however there are limitations \u2013 these include the lack of NAT and VLAN support. Currently only one network per interface may be defined, so if you \u00a0have multiple VLANs it will be tricky to get them all to work. Regardless of the limitations this is a good product and was designed for home use, however small business can take advantages too.<\/p>\n

In this step by step guide we will go through the process of deploying smoothwall express as a VM in Hyper-V and configuring the device with basic settings to act as a explicit proxy.<\/p>\n

Although Im using Hyper-V the device can also be deployed using VMware ESXI\/WS Oracale VB<\/p>\n

Below is the topology that we will be working with:<\/p>\n

\"72\"<\/p>\n

Lets get started!<\/p>\n

1.<\/strong>\u00a0Download\u00a0\u201csmoothwall express 3.1\u201d\u00a0from\u00a0www.smoothwall.org<\/a>\u00a0, you have the option to download a standard\/developer\/offroad version in 32bit or 63bit, in this example we will use the standard 64bit version. There is also a .OVA template of V3.0 for ESXI if that\u2019s your preferred flavor.<\/p>\n

\"1\"<\/p>\n

 <\/p>\n

\"2\"\"3\"<\/strong><\/p>\n

2.<\/strong>\u00a0Launch\u00a0\u201cHyper V\u201d, right click the host and click\u00a0\u201cNew\u201d\u00a0\u2013\u00a0\u201cVirtual Machine\u201d<\/p>\n

\"4\"<\/p>\n

3.<\/strong>\u00a0At the wizard, click\u00a0\u201cNext\u201d<\/p>\n

\"5\"<\/p>\n

4.<\/strong>\u00a0Give the virtual machine a name and specify a location to store the VM, click\u00a0\u201cNext\u201d<\/p>\n

\"6\"<\/p>\n

5.<\/strong>\u00a0In order for the device to be able to boot using\u00a0an\u00a0IDE controller and run the version of OS we require, we must use a Gen 1 VM, Select\u00a0\u201cGeneration 1\u201d\u00a0click\u00a0\u201cNext\u201d<\/p>\n

\"7\"<\/p>\n

6.<\/strong>\u00a0Allocate memory for the VM, in this case i have allocated\u00a0\u201c2048\u201d, you can allocate a smaller amount if you do not have enough RAM. Click \u201cNext\u201d<\/p>\n

\"8\"<\/p>\n

7.<\/strong>\u00a0By default the VM will have a single NIC, connect the default\u00a0NIC to the virtual switch for network connectivity. Click\u00a0\u201cNext\u201d<\/p>\n

\"9\"<\/p>\n

8.<\/strong>\u00a0Create a new had drive and allocate 50GB as its size, specify a location to store the VHD file and click\u00a0\u201cNext\u201d<\/p>\n

\"10\"<\/p>\n

9.<\/strong>\u00a0Select\u00a0\u201cInstall an operating system from a bootable CD\/DVD-ROM\u201d\u00a0and select\u00a0\u201cImage file (ISO)\u201d\u00a0browse for the\u00a0\u201cSmoothwall Express 3.1\u201d\u00a0ISO downloaded earlier. Click\u00a0\u201cNext\u201d<\/p>\n

\"11\"<\/p>\n

10.<\/strong>\u00a0Review the information on the window and click\u00a0\u201cFinish\u201d<\/p>\n

\"12\"<\/p>\n

Hyper-V will create the VM<\/p>\n

\"13\"<\/p>\n

\"14\"<\/p>\n

11.<\/strong>\u00a0Now that the VM has been created we need to edit the settings to add an additional NIC, right click the VM and select\u00a0\u201cSettings\u201d<\/p>\n

\"15\"<\/p>\n

12.<\/strong>\u00a0From the left hand pane select\u00a0\u201cAdd Hardware\u201d\u00a0and select\u00a0\u201cNetwork Adapter\u201d, click\u00a0\u201cAdd\u201d<\/p>\n

\"16\"<\/p>\n

13.<\/strong>\u00a0Select the newly created NIC from the left pane, and allocate to the virtual switch<\/p>\n

\"17\"<\/p>\n

14.<\/strong>\u00a0Still under the new NIC, tick\u00a0\u201cVLAN ID\u201d\u00a0and specify the VLAN that will be used for the outside interface of the smoothwall device, this interface will connect to the firewall or WAN router.<\/p>\n

\"18\"<\/p>\n

15.<\/strong>\u00a0Now select the default NIC that was created as part of the VM creation and amend the VLAN settings. \u00a0This will be for the inside part of the network where the requests will be sent to the smoothwall proxy\u00a0from inside hosts. in this example Im using VLAN 255.<\/p>\n

\"19\"<\/p>\n

16.<\/strong>\u00a0Click\u00a0\u201cApply\u201d\u00a0and hit\u00a0\u201cOK\u201d\u00a0to save and close the settings window<\/p>\n

\"16-1\"<\/p>\n

17.<\/strong>\u00a0Right click the VM and select\u00a0\u201cConnect\u201d<\/p>\n

\"20\"<\/p>\n

18.<\/strong>\u00a0The console window will appear, hit the\u00a0\u201cStart\u201d\u00a0button to fire up the VM<\/p>\n

\"21\"<\/p>\n

19.<\/strong>\u00a0the VM will boot the ISO previously loaded, select\u00a0\u201cInstall Smoothwall Express\u201d<\/p>\n

\"22\"<\/p>\n

20.<\/strong>\u00a0Click\u00a0\u201cOK\u201d\u00a0at the notice<\/p>\n

\"23\"<\/p>\n

21.<\/strong>\u00a0Click\u00a0\u201cOK\u201d\u00a0to allow the installation to format and partition the hard disk.<\/p>\n

\"24\"<\/p>\n

22.<\/strong>\u00a0Click\u00a0\u201cOK\u201d\u00a0at the format warning<\/p>\n

\"25\"<\/p>\n

The installation of the files will begin<\/p>\n

\"26\"<\/p>\n

23.<\/strong>\u00a0At the message\u00a0\u201cSmoothwall Express was successfully Installed\u201d\u00a0click\u00a0\u201cOK\u201d<\/p>\n

\"27\"<\/p>\n

24.<\/strong>\u00a0At the message below click\u00a0\u201cNO\u201d<\/p>\n

\"28\"<\/p>\n

25.<\/strong>\u00a0Select\u00a0\u201cUK\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

\"29\"<\/p>\n

26.<\/strong>\u00a0Select the correct timezone and click\u00a0\u201cOK\u201d<\/p>\n

\"30\"<\/p>\n

27.<\/strong>\u00a0Give the device a hostname and click\u00a0\u201cOK\u201d,\u00a0in this case i have left\u00a0it as\u00a0\u201csmoothwall\u201d<\/p>\n

\"31\"<\/p>\n

28.<\/strong>\u00a0At this stage you can select what type of security policy you would like to implement on outgoing traffic, you can leave all outgoing traffic as open\/half-open or closed, the default is\u00a0\u201chalf-open\u201d\u00a0which i have selected for this example. you can also amend this later.<\/p>\n

\"32\"<\/p>\n

29.<\/strong>\u00a0At the next window select\u00a0\u201cNetwork configuration type\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

\"33\"<\/p>\n

30.<\/strong>\u00a0This menu allows you to select the interfaces that you want to use in the deployment \u2013 in other terms these are like zones which is represented by a color.\u00a0\u201cGreen + Red\u201d\u00a0for two zones such as\u00a0Inside\u00a0and Outside,\u00a0or \u201cGreen + Orange + Red\u201d\u00a0for 3 zones such as Inside, DMZ, Outside. For our deployment we will need two zones, Select\u00a0\u201cGreen + Red\u201d\u00a0and hit\u00a0\u201cOK\u201d<\/p>\n

\"34\"<\/p>\n

31.<\/strong>\u00a0Select\u00a0\u201ccard assignments\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

\"35\"<\/p>\n

32.<\/strong>\u00a0From this menu we will assign a NIC to a zone, click\u00a0\u201cOK\u201d\u00a0to proceed<\/p>\n

\"36\"<\/p>\n

33.<\/strong>\u00a0From the first NIC select\u00a0\u201cGreen\u201d\u00a0and hit\u00a0\u201cOK\u201d(make sure the MAC address matches the VM NIC allocated to VLAN 255) this will be the \u201cInside\u201d zone<\/p>\n

\"37\"<\/p>\n

34.<\/strong>\u00a0Now for the second NIC select\u00a0\u201cRed\u201d\u00a0and hit\u00a0\u201cOK\u201d\u00a0this will be our \u201cOutside\u201d Zone<\/p>\n

\"38\"<\/p>\n

35.<\/strong>\u00a0Once all card have been successfully allocated click\u00a0\u201cOK\u201d<\/p>\n

\"39\"<\/p>\n

36.<\/strong>\u00a0Select\u00a0\u201cAddress settings\u201d\u00a0and hit\u00a0\u201cOK\u201d<\/p>\n

\"40\"<\/p>\n

37.<\/strong>\u00a0Select\u00a0\u201cGreen\u201d\u00a0and hit\u00a0\u201cOK\u201d\u00a0to specify IP details for the Inside zone.<\/p>\n

\"41\"<\/p>\n

38.<\/strong>\u00a0Click\u00a0\u201cOK\u201d\u00a0to proceed<\/p>\n

\"42\"<\/p>\n

39.<\/strong>\u00a0Enter the IP Details of the Inside Zone, which in this case is in VLAN 255. I have used 192.168.255.7 \/24 as the interface IP.<\/p>\n

\"43\"<\/p>\n

40.<\/strong>\u00a0Select\u00a0\u201cRed\u201d\u00a0and hit\u00a0\u201cOK\u201d\u00a0to specify IP details for the Outside zone.<\/p>\n

\"44\"<\/p>\n

41.<\/strong>\u00a0Select\u00a0\u201cStatic\u201d\u00a0and leave the default\u00a0\u201cDHCP Hostname\u201d. Allocate an IP on the Outside Interface, in this case i have used 192.168.10.7 \/24 which is within VLAN 10. Hit\u00a0\u201cOK\u201d\u00a0to exit.<\/p>\n

\"45\"<\/p>\n

42.<\/strong>\u00a0Now select\u00a0\u201cDone\u201d\u00a0to apply the settings.<\/p>\n

\"46\"<\/p>\n

43.<\/strong>\u00a0Select\u00a0\u201cDNS and Gateway Settings\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

\"47\"<\/p>\n

44.<\/strong>\u00a0Enter the DNS information and the default gateway address the smoothwall device will use to get off the network. In this case our default getaway is on the outside so this is our firewall at 192.168.10.1<\/p>\n

\"48\"<\/p>\n

45.<\/strong>\u00a0Select\u00a0\u201cDone\u201d\u00a0to apply the settings<\/p>\n

\"49\"<\/p>\n

46.<\/strong>\u00a0Select\u00a0\u201cFinished\u201d\u00a0to complete setup<\/p>\n

\"50\"<\/p>\n

47.<\/strong>\u00a0Now enter a password for the\u00a0\u201cadmin\u201d\u00a0user, this is the account that will be used to administer the device via the web GUI. Click\u00a0\u201cOK\u201d<\/p>\n

\"51\"<\/p>\n

48.<\/strong>\u00a0Enter a password for the\u00a0\u201croot\u201d\u00a0user, this is the account that will be required to administer the device via CLI using console\/SSH<\/p>\n

\"52\"<\/p>\n

49.<\/strong>\u00a0Click\u00a0\u201cOK\u201d\u00a0the device will reboot.<\/p>\n

\"53\"
\"54\"<\/p>\n

The\u00a0\u201cSmoothwall Login\u201d\u00a0prompt will indicate that the device is now ready<\/p>\n

\"55\"<\/p>\n

50.<\/strong>\u00a0Launch a browser and using http, navigate to the address of the smoothwall device on the inside interface on port 81.\u00a0for eg.\u00a0\u201chttp:\/\/192.168.255.7:81\u201d, at the prompt login using the\u00a0\u201cadmin\u201d\u00a0credentials. (https can also be used on port 441)<\/p>\n

\"56\"<\/p>\n

 <\/p>\n

\"57\"<\/p>\n

51.<\/strong>\u00a0After successfully authenticating we should now be able to see the home screen of the GUI interface of the smoothwall device.<\/p>\n

\"58\"<\/p>\n

52.<\/strong>\u00a0By default the Web proxy and URL filtering features are disabled, so this needs to be enabled, to do this \u2013 navigate to\u00a0\u201cServices\u201d\u00a0\u2013\u00a0\u201cWeb Proxy\u201d\u00a0and tick\u00a0\u201cEnabled\u201d\u00a0and tick\u00a0\u201cURL Filter Enabled\u201d\u00a0hit\u00a0\u201cSave\u201d. We also have the option of enabling the web proxy in\u00a0\u201cTransparent\u201d\u00a0mode. however in this example we are deploying the smoothwall as a explicit proxy.<\/p>\n

\"59\"<\/p>\n

53.<\/strong>\u00a0Now that the URL filtering features have been enabled lets create a custom blocked list and test the explicit proxy. Click\u00a0\u201cURL Filter\u201d\u00a0and under\u00a0\u201cCustom Blacklist\u201d\u00a0tick\u00a0\u201cEnable\u201d. In the\u00a0\u201cBlocked Domains\u201d\u00a0field enter a test domain to block. I have used\u00a0\u201cbing.com\u201d\u00a0for this example. hit\u00a0\u201cSave and restart\u201d<\/p>\n

\"60\"<\/p>\n

57.<\/strong>\u00a0Launch \u201cDNS\u201d to create a DNS entry for the smoothwall device<\/p>\n

\"61\"<\/p>\n

58.<\/strong>\u00a0From the DNS window expand\u00a0\u201cForward Lookup Zones\u201d\u00a0and within the internal domain zone right click and create a\u00a0\u201cNew Host (A or AAAA)..\u201d\u00a0record.<\/p>\n

\"62\"<\/p>\n

59.<\/strong>\u00a0Enter the name of the device and its IP address, hit\u00a0\u201cAdd Host\u201d<\/p>\n

\"63\"<\/p>\n

60.<\/strong>\u00a0Hit\u00a0\u201cOK\u201d<\/p>\n

\"64\"<\/p>\n

The host record should now be visible under the zone.<\/p>\n

\"65\"<\/p>\n

61.<\/strong>\u00a0Test the new record to verify DNS is able to resolve the hostname of the smoothwall device to the IP address specified, Launch\u00a0\u201cCMD\u201d\u00a0and type\u00a0\u201cnslookup smoothwall\u201d<\/p>\n

\"66\"<\/p>\n

62.<\/strong>\u00a0Launch\u00a0\u201cInternet Options\u201d<\/p>\n

\"67\"<\/p>\n

63.<\/strong>\u00a0Click\u00a0\u201cConnections\u201d\u00a0and hit\u00a0\u201cLAN Settings\u201d<\/p>\n

\"68\"<\/p>\n

64.<\/strong>\u00a0Under\u00a0\u201cProxy Server\u201d\u00a0Tick\u00a0\u201cUse a proxy server for your LAN\u201d\u00a0and specify the DNS name of the smoothwall device followed by the port no.\u00a0\u201c800\u201d. Click\u00a0\u201cOK\u201d\u00a0and close the Internet options dialog box<\/p>\n

\"69\"<\/p>\n

65.<\/strong>\u00a0Launch a browser and navigate to the previously blocked site and verify if smoothwall blocks the page. In this example we blocked\u00a0\u201cbing.com\u201d\u00a0and we can see that a splash page is displayed showing the page is being blocked due to a policy enforcement.<\/p>\n

\"70\"<\/p>\n

66.<\/strong>\u00a0Navigate to\u00a0\u201cLogs\u201d\u00a0\u2013\u00a0\u201cURL Filter\u201d\u00a0and verify there is a log record of the action taken by smoothwall.<\/p>\n

\"71\"<\/p>\n

 <\/p>","protected":false},"excerpt":{"rendered":"

Smoothwall Express\u00a0is a open source project setup in year 2000 to develop a free firewall that includes its own security-hardened GNU\/Linux operating system and easy<\/p>\n","protected":false},"author":1,"featured_media":791,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6],"tags":[94,92,93,95],"class_list":["post-759","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","tag-explicit-proxy","tag-proxy","tag-smoothwall","tag-url-filtering"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=759"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/759\/revisions"}],"predecessor-version":[{"id":834,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/759\/revisions\/834"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/791"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}