Dynamic Hostname Port Forwarding Rules SmoothWall Mod.
By Leonard Chan
This SmoothWall Mod has been updated for SmoothWall
Express 3 and has moved. It is now hosted at http://blog.perceptus.ca/smoothwall-ddns-mod/.
- 2007-12-22 - The SmoothWall Mod has been updated for SmoothWall
Express 3 and moved. It is now hosted at http://blog.perceptus.ca/smoothwall-ddns-mod/.
- 2006-11-04 - This SmoothWall Mod has been updated. It
is now compatible with SmoothWall Express 2 with updates 8.
- 2003-08-01 - The original release for SmoothWall 2 Beta 4 "mallard"
This document will help you modify a SmoothWall firewall
than IP address. Moreover, the rules will, with a modest time delay,
to changing host IP addresses. In other words, you can create rules for
that have dynamic
DNS host names from services such as dyndns.org, yi.org,
Possible uses for this modification include giving employees
the ability to connect to your
LAN from outside the office network to use VPN, Remote Desktop, POP3, or
whatever. This is an excellent compromise between locking down external
access completely versus opening ports to the world. If you have doubts about
the security of your server software such as VNC or Remote Desktop or POP3,
then this mod could be for you. There
are large pros and cons to this modification.
Now, if you are still interested:
Use this document at your own risk.
I provide no warranties whatsoever.
Your firewall may develop leaks, break, burn, and generally destroy your business
take all responsibility for your actions and will hold me harmless.
So on and so forth.
While we're on the subject of legal mumbo jumbo, all files
distributed for this modification inherit the GPL license from SmoothWall. Feel
free to share it and improve it.
There are two major sections to this document: the Quick and Dirty Implementors
Guide, and the Semi-Verbose
Section (which amounts to a brain dump of everything
related to this project).
If you have questions please post them in the Dynamic
Hostname Port Forwarding Rule SmoothWall Mod forum. The forum space is
borrowed from Perceptus Solutions Inc.'s forum
server (that's my company). Please use the forum, rather than trying to email
me. If you want to take your chances with email, try me at email@example.com.
I have been running a modified SmoothWall install at a client's site for 2
years on an ADSL line with half a dozen remote access (RDP and VNC) users and
it seems to work fine. Your mileage may vary.
Dirty Install Guide
These instructions require some basic knowledge of Linux and Windows. These
instructions are not quite idiot-proof yet, but
feel free to post questions in the forum. Note to those who installed
previous versions of this mod: the instructions
have changed, hopefully for the better.
The big picture overview is that you will install SmoothWall,
copy 3 files that you get from this webpage to specific locations
on the SmoothWall, and set up a recurring cron job via SSH. So here
- Download SmoothWall Express 2
- Download the files for the Dynamic Hostnames Port Forwarding
rules mod files from this website by clicking here.
- Install SmoothWall as per SmoothWall.org instructions
- From a workstation
login to the SmoothWall web interface
- Open a web browser to: https://xxx.xxx.xxx.xxx:441 ("GREEN" IP
address) or https://smoothwall:441
Install the dynamic IP address
- All 8 of them (as of 2006-08-14)
- Yes, I also find the download and update process
is rather tedious for 8 fixes.
- Uncompress the zip file that you downloaded in step 2
the web interface, enable remote access (check the "SSH" box)
in "Services" -> "Remote Access"
- Use WinSCP or an alternative method to transfer the files
from a workstation to the SmoothWall.
WinSCP.net to get WinSCP. It is Open Source,
- To connect to the SmoothWall use the GREEN IP address and
- The login username is "root" and the password
was set during the SmoothWall installation.
- The root password
can be reset by logging into the Secure Shell with user "setup" and
the administrative password.
- Ignore certificate errors - that's normal since SSL
certificates aren't applicable to SmoothWall
- When prompted, overwrite
- copy setportfw to /usr/local/bin
- copy header.pl to
- copy crontab-root to /root (folder is
Create the port forwarding rules
- You have options on connecting to the SmoothWall.
to the SmoothWall PC
- Or login to with the
built in SmoothWall "Secure
Shell" from the web admin screens ("Tools"-> "Shell")
- Or you can use any SSH tool, e.g. PuTTY. Use
port 222 and the "GREEN" IP
- Install the cronjob
- Go to the folder where you copied crontab-root,
- Install the job, i.e. type "crontab crontab-root"
and press enter
- Close / quit / etc.
- Go back to the web interface
- Go to the port forwarding page
- You should now be able to
enter host names such as "lc.yi.org"
- Be extremely careful,
invalid names can cause slowdowns or breakages in the system
Older versions of this SmoothWall mod:
- Smoothwall 2 Beta 4
- Smoothwall 2 Final Updates 2
- contributed by votum76 (see the forum). It uses a WinImage file format.
- Disk Image (WinImage format - you may need to right-click and save-as)
does NOT read MS-DOS formatted floppies. Use an EXT2
formatted floppy or some other means of transferring files
(see WinSCP in the new instructions above). Thus using
my prepared disk image is probably the best bet. You
can write the floppy image (after it has been unzipped!)
using "rawrite" in
- Log in to your SmoothWall as root (not the Web interface!). It
is probably best to log in to the console directly if you do
not know what you are doing!
- If you are using my floppy image, mount it. "mount /mnt/floppy"
- From the floppy (or other file source), move (and overwrite when asked)
the following files to the following locations:
- header.pl to /var/smoothwall/
- this file appears to be a common code collection for the web GUI.
- setportfw to
/usr/local/bin/ - this file is compiled
C code that actually sets the port forwarding
- crontab-root to
anywhere (try /root) - this file is used
to set your cron jobs. It allows adapting
- There are other files on the floppy for you to look at if
you are bored.
Some brief notes on how this all works
- Your dynamic hostname can point to a different IP address relatively
quickly. Do this through your dynamic DNS provider's tools or website.
Typical DDNS providers anticipate changes to take 15 minutes or so to take
- A cron task runs every 5 minutes on your modified SmoothWall. The
task refreshes your SmoothWall's database of which IP addresses to
to your local network.
- So, if your IP address changes,
within a few minutes (usually) your SmoothWall will adjust to let you
- Good luck. Again, if you need help, go to the forum. You have a chance
of getting help there! Visit the Dynamic
Hostname Port Forwarding Rule SmoothWall Mod forum.
- Oh, one
last note: some fixes, updates, and upgrades of SmoothWall will
break this mod. You
will have to figure this out for yourself or ask in the forum.
Semi-Verbose Gory Details
Various tidbits of background and detail are dumped here.
This whole project started when I got tired of updating firewall rules whenever
employees got new IP addresses. We allow a handful of employees Remote
Desktop access to a couple of Windows XP workstations on the LAN. The mod
seems to work quite well. An alternative would be
to leave the port wide open to the world; however, that requires a certain
in Microsoft's code, the quality of the users passwords, and well, luck. The
company name shall remain anonymous, in the name of security by obscurity. Note
that any service opened with the dynamic hostname modification is still
protected by the password system present in each application.
This opens holes in your firewall, but that's the whole point of port-forwarding.
You also place some amount of trust in your Dynamic DNS provider's systems. However,
even if your DDNS provider was compromised, there is no obvious direct link
and the server to which you are connecting. So, all-in-all the additional
risk is minimal, but non-zero. And it's far more secure than opening an IP
to the public internet.
How was it done?
Source files were taken from the SmoothWall dev. kit. Basically all
the code changes are to remove error checks that would otherwise limit the
rules to IP Addresses.
- header.pl was easy to edit as it is just Perl.
- setportfw was trickier (probably because I don't know C/C++!). The
file edited was actually the header file, setuid.h. Then setportfw
was compiled with "make setportfw". This was all done on a Knoppix
3.2 bootable CD. As an aside, this is also why I've worked with
SmoothWall rather than IPCop. It compiled with whatever was on Knoppix,
whereas IP Cop didn't, and I didn't want to spend too much time on this
- These files are all in the zip download. So the sources are all there,
and the originals too, if you want to make a patch.
- The networking code in Linux handles hostnames just fine. Although it
will stall if you give it a bad address or hostname!
Truly Misc. Notes
- Pico is not installed on SmoothWall, but Joe is (jpico in older SmoothWall
- SmoothWall does not read vfat floppies.
- Many broadband providers implicitly provide dynamic DNS names.
For example, names similar to "cr123459-a.home.com" were at
one time used by the At Home network. Taking advantage of this can save
one the effort of signing up with a DDNS provider and maintaining their
- You can not (easily) read EXT2 format (i.e. Linux format) floppy disks
in Windows. Nor can you easily read DOS/Windows formatted floppies in
SmoothWall (though, you can in most Linux distributions). Fun isn't it?
Fortunately, I've learned to use SCP which sidesteps this particular
set of issues.
- There are minimal performance issues. The way Linux handles hostnames
in the rules creation is that it will look up the IP address and store it. Once
it is looked up, packets are processed in exactly the same manner as if an
IP address had been passed to the networking code. That's where the
cron job does its magic every few minutes.
- Error checking is seriously hampered. It was for the most part
purposefully removed. There is room for improvement, but it won't
be done by me.
- This system will put a slow, consistent load on your DNS and Dynamic
DNS servers. It would be nice to minimize it somehow.
- Some DNS servers ignore the age limits of DDNS providers. This
could change your update times to days rather than minutes.
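The refresh step that the five-minute cron job performs (described under "Some brief notes on how this all works") together with the failure modes listed just above, as an added example that is not part of the mod's files or SmoothWall's own code: each name from the rules table is syntax-checked, resolved under a hard deadline so a bad name cannot stall the run, and only rules whose address actually changed are reported for rewriting. Writing the rules back (the setportfw call) is left to the caller, and the resolver is injectable so the logic can be exercised with a constructed lookup table instead of live DNS; the function and variable names are my own.

```python
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Tuple

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with '-'.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_valid_hostname(name: str) -> bool:
    """Syntax check so a typo entered in the web UI never reaches the resolver."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))

def resolve_ipv4(name: str, timeout: float = 3.0) -> str:
    """Resolve with a hard deadline. gethostbyname has no timeout of its own, so an
    unanswerable name would otherwise stall the whole cron run (the page's caveat)."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(socket.gethostbyname, name).result(timeout=timeout)
    finally:
        pool.shutdown(wait=False)

def plan_refresh(rules: Dict[str, str], resolve: Callable[[str], str] = resolve_ipv4
                 ) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """rules maps each name from the port-forwarding page to the IP currently
    programmed into the firewall ('' if none yet). Returns (changes, skipped): rules
    to rewrite as (name, old_ip, new_ip), and names whose rule was left untouched."""
    changes: List[Tuple[str, str, str]] = []
    skipped: List[str] = []
    for name in sorted(rules):
        try:
            ipaddress.IPv4Address(name)
            continue  # a literal address is static: nothing to refresh
        except ValueError:
            pass
        if not is_valid_hostname(name):
            skipped.append(name)
            continue
        try:
            new_ip = resolve(name)
            ipaddress.IPv4Address(new_ip)  # reject garbage from a broken resolver
        except Exception:
            skipped.append(name)  # keep the last known-good rule rather than cut access
            continue
        if new_ip != rules[name]:
            changes.append((name, rules[name], new_ip))
    return changes, skipped
```

Leaving a stale rule in place when resolution fails is a judgment call: it preserves access through a DNS outage but also keeps the port open to whoever now holds the old address, so a stricter variant would drop the rule instead.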