Dynamic Hostname Port Forwarding Rules SmoothWall Mod.
By Leonard Chan
This SmoothWall Mod has been updated for SmoothWall Express 3 and has moved. It is now hosted at http://blog.perceptus.ca/smoothwall-ddns-mod/.
Change Log
- 2007-12-22 - The SmoothWall Mod has been updated for SmoothWall Express 3 and moved. It is now hosted at http://blog.perceptus.ca/smoothwall-ddns-mod/.
- 2006-11-04 - This SmoothWall Mod has been updated. It is now compatible with SmoothWall Express 2 with Update 8.
- 2003-08-01 - The original release for SmoothWall 2 Beta 4 "mallard"
Introduction
This document will help you modify a SmoothWall firewall to allow the creation of port forwarding rules by hostname rather than IP address. Moreover, the rules will, with a modest time delay, adjust themselves to changing host IP addresses. In other words, you can create rules for machines that have dynamic DNS host names from services such as dyndns.org, yi.org, and dynip.org.
Possible uses for this modification include giving employees
the ability to connect to your
LAN from outside the office network to use VPN, Remote Desktop, POP3, or
whatever. This is an excellent compromise between locking down external
access completely versus opening ports to the world. If you have doubts about
the security of your server software such as VNC or Remote Desktop or POP3,
then this mod could be for you. There are large pros and cons to this modification.
Now, if you are still interested:
Use this document at your own risk.
I provide no warranties whatsoever.
Your firewall may develop leaks, break, burn, and generally destroy your business
and/or life.
You take all responsibility for your actions and will hold me harmless.
So on and so forth.
While we're on the subject of legal mumbo jumbo, all files
distributed for this modification inherit the GPL license from SmoothWall. Feel
free to share it and improve it.
There are two major sections of this document, the Quick and Dirty Implementors Guide, and the Semi-Verbose Gory Details Section (which amounts to a brain dump of everything related to this project).
If you have questions please post them in the Dynamic
Hostname Port Forwarding Rule SmoothWall Mod forum. The forum space is
borrowed from Perceptus Solutions Inc.'s forum
server (that's my company). Please use the forum, rather than trying to email
me. If you want to take your chances with email, try me at lc@lc.yi.org.
I have been running a modified SmoothWall install at a client's site for 2
years on an ADSL line with half a dozen remote access (RDP and VNC) users and
it seems to work fine. Your mileage may vary.
Quick and Dirty Install Guide
These instructions require some basic knowledge of Linux and Windows. These instructions are not quite idiot proof yet, but feel free to post questions in the forum. Note to those who installed previous versions of this mod: the instructions have changed, hopefully for the better.
The big picture overview is that you will install SmoothWall, copy 3 files that you get from this webpage to specific locations on the SmoothWall, and set up a recurring cron job via SSH. So here we go:
- Download SmoothWall Express 2
- Download the files for the Dynamic Hostname Port Forwarding Rules mod from this website by clicking here.
- Install SmoothWall as per SmoothWall.org instructions
- From a workstation, log in to the SmoothWall web interface
  - Open a web browser to: https://xxx.xxx.xxx.xxx:441 ("GREEN" IP address) or https://smoothwall:441
- Install fixes
  - All 8 of them (as of 2006-08-14)
  - Yes, I also find the download and update process rather tedious for 8 fixes.
- Install the dynamic IP address mod
  - Uncompress the zip file that you downloaded in step 2
  - In the web interface, enable remote access (check the "SSH" box) in "Services" -> "Remote Access"
  - Use WinSCP or an alternative method to transfer the files from a workstation to the SmoothWall.
    - Visit WinSCP.net to get WinSCP. It is Open Source and free.
    - To connect to the SmoothWall use the GREEN IP address and port 222
    - The login username is "root" and the password was set during the SmoothWall installation.
      - The root password can be reset by logging into the Secure Shell with user "setup" and the administrative password.
    - Ignore certificate errors - that's normal since SSL certificates aren't applicable to SmoothWall
    - When prompted, overwrite existing files
  - Copy setportfw to /usr/local/bin
  - Copy header.pl to /var/smoothwall
  - Copy crontab-root to /root (folder is arbitrary)
- Install the cron job.
  - You have options on connecting to the SmoothWall.
    - You can log in directly with a keyboard and monitor attached to the SmoothWall PC
    - Or log in with the built-in SmoothWall "Secure Shell" from the web admin screens ("Tools" -> "Shell")
    - Or you can use any SSH tool, e.g. PuTTY. Use port 222 and the "GREEN" IP address.
  - Install the cronjob
    - Go to the folder where you copied crontab-root, i.e. "cd /root"
    - Install the job, i.e. type "crontab crontab-root" and press enter
  - Close / quit / etc.
- Create the port forwarding rules
  - Go back to the web interface
  - Go to the port forwarding page
  - You should now be able to enter host names such as "lc.yi.org"
  - Be extremely careful: invalid names can cause slowdowns or breakages in the system
- That's it!
Older versions of this SmoothWall mod:
- Smoothwall 2 Beta 4
- Smoothwall 2 Final Updates 2
  - Contributed by votum76 (see the forum). It uses a WinImage file format.
- Disk Image (WinImage format - you may need to right-click and save-as)
  - SmoothWall does NOT read MS-DOS formatted floppies. Use an EXT2 formatted floppy or some other means of transferring files (see WinSCP in the new instructions above). Thus using my prepared disk image is probably the best bet. You can write the floppy image (after it has been unzipped!) using "rawrite" in Windows.
- Log in to your SmoothWall as root (not the Web interface!). It is probably best to log in to the console directly if you do not know what you are doing!
- If you are using my floppy image, mount it: "mount /mnt/floppy"
- From the floppy (or other file source), move (and overwrite when asked) the following files to the following locations:
  - header.pl to /var/smoothwall/ - this file appears to be a common code collection for the web GUI.
  - setportfw to /usr/local/bin/ - this file is compiled C code that actually sets the port forwarding rules.
  - crontab-root to anywhere (try /root) - this file is used to set your cron jobs. It allows adapting to dynamic hostnames.
- There are other files on the floppy for you to look at if you are bored.
Some brief notes on how this all works
- Your dynamic hostname can point to a different IP address relatively quickly. Do this through your dynamic DNS provider's tools or website. Typical DDNS providers anticipate changes to take 15 minutes or so to take effect.
- A cron task runs every 5 minutes on your modified SmoothWall. The task refreshes your SmoothWall's database of which IP addresses to grant access to your local network.
- So, if your IP address changes, within a few minutes (usually) your SmoothWall will adjust to let you connect again.
- Good luck. Again, if you need help, go to the forum. You have a chance of getting help there! Visit the Dynamic Hostname Port Forwarding Rule SmoothWall Mod forum.
- Oh, one last note: some fixes, updates, and upgrades of SmoothWall will break this mod. You will have to figure this out for yourself or ask in the forum.
Semi-Verbose Gory Details
Various tidbits of background and detail are dumped here.
Background
This whole project started when I got tired of updating firewall rules whenever employees got new IP addresses. We allow a handful of employees Remote Desktop access to a couple of Windows XP workstations on the LAN. The mod seems to work quite well. An alternative would be to leave the port wide open to the world; however, that requires a certain amount of trust in Microsoft's code, the quality of the users' passwords, and, well, luck. The company name shall remain anonymous, in the name of security by obscurity. Note that any service opened with the dynamic hostname modification is still protected by the password system present in each application.
Risks
This opens holes in your firewall, but that's the whole point of port-forwarding. You also place some amount of trust in your Dynamic DNS provider's systems. However, even if your DDNS provider was compromised, there is no obvious direct link between your DDNS hostname and the server to which you are connecting. So, all-in-all the additional risk is minimal, but non-zero. And it's far more secure than opening an IP to the public internet.
How was it done?
Source files were taken from the SmoothWall dev. kit. Basically all the code changes are to remove error checks that would otherwise limit the rules to IP addresses.
- header.pl was easy to edit as it is just Perl.
- setportfw was trickier (probably because I don't know C/C++!). The file edited was actually the header file, setuid.h. Then setportfw was compiled with "make setportfw". This was all done on a Knoppix 3.2 bootable CD. As an aside, this is also why I've worked with SmoothWall rather than IPCop. It compiled with whatever was on Knoppix, whereas IPCop didn't, and I didn't want to spend too much time on this little project.
- These files are all in the zip download. So the sources are all there, and the originals too, if you want to make a patch.
- The networking code in Linux handles hostnames just fine. Although it will stall if you give it a bad address or hostname!
Truly Misc. Notes
- Pico is not installed on SmoothWall, but Joe is (jpico in older SmoothWall versions).
- SmoothWall does not read vfat floppies.
- Many broadband providers implicitly provide dynamic DNS names. For example, names similar to "cr123459-a.home.com" were at one time used by the At Home network. Taking advantage of this can save one the effort of signing up with a DDNS provider and maintaining their database with a current IP address.
- You can not (easily) read EXT2 format (i.e. Linux format) floppy disks in Windows. Nor can you easily read DOS/Windows formatted floppies in SmoothWall (though you can in most Linux distributions). Fun, isn't it? Fortunately, I've learned to use SCP, which sidesteps this particular set of issues.
Performance Issues
There are minimal performance issues. The way Linux handles hostnames in the rules creation is that it will look up the IP address and store it. Once it is looked up, packets are processed in exactly the same manner as if an IP address had been passed to the networking code. That's where the cron job does its magic every few minutes.
Known Issues
- Error checking is seriously hampered. It was for the most part purposefully removed. There is room for improvement, but it won't be done by me.
- This system will put a slow, consistent load on your DNS and Dynamic DNS servers. It would be nice to minimize it somehow.
- Some DNS servers ignore the age limits of DDNS providers. This could change your update times to days rather than minutes.
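As an added example (not part of the mod's own files, which this page does not reproduce), here is the refresh logic the 5-minute cron job needs, written in Python so it can be read and run on its own. It covers the mechanism described in "how this all works" and the two known issues above: each hostname is syntax-checked before it is handed to the resolver (the "invalid names cause slowdowns" case), every run re-resolves the names, a failed lookup keeps the last known address instead of dropping the rule, and a rule is only rewritten when its address actually changed, so the only steady load is one DNS query per rule per run. The `PORTFW` chain name, the DNAT command shape, the sample rule and the `198.51.100.x` addresses are assumptions or constructed data, not SmoothWall's real chain layout or real hosts; `setportfw` itself is not invoked because its command-line interface is not described here.

```python
import ipaddress
import re
import socket

# Hypothetical chain name; SmoothWall's own chain layout is not shown on the
# page, so the rendered iptables commands are an assumption.
CHAIN = "PORTFW"

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(name):
    """True for a syntactically valid DNS hostname or an IPv4 literal.

    Rejecting malformed names before the lookup keeps the resolver (and the
    rule loader behind it) from stalling on garbage typed into the web form.
    """
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        pass
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL.match(label) for label in labels)


def rule_command(action, src_ip, proto, port, dest):
    """Render one DNAT rule restricted to a source address.

    action is 'A' (append) or 'D' (delete); chain/command shape is assumed.
    """
    return (f"iptables -t nat -{action} {CHAIN} -s {src_ip} -p {proto} "
            f"--dport {port} -j DNAT --to-destination {dest}:{port}")


def table_resolver(table):
    """Resolver backed by a dict (constructed data) for offline runs and tests."""
    def resolve(host):
        if host not in table:
            raise socket.gaierror(f"no address for {host}")
        return table[host]
    return resolve


def refresh(rules, cache, resolve=socket.gethostbyname):
    """Re-resolve each rule's source hostname; return (new_cache, commands).

    cache maps hostname -> the IP the rule was last loaded with.  Commands
    are emitted only when an address changed (delete old, append new), so an
    unchanged hostname costs one DNS query and no rule churn.  If the lookup
    fails, the last known address is kept rather than dropping the rule.
    """
    new_cache = dict(cache)
    commands = []
    for rule in rules:
        host = rule["host"]
        if not is_valid_target(host):
            continue  # never resolve a malformed name; a real install would log it
        try:
            ip = resolve(host)
        except OSError:  # socket.gaierror is an OSError subclass
            ip = cache.get(host)
            if ip is None:
                continue  # never resolved successfully: nothing to load yet
        old = cache.get(host)
        if old != ip:
            if old is not None:
                commands.append(rule_command("D", old, rule["proto"], rule["port"], rule["dest"]))
            commands.append(rule_command("A", ip, rule["proto"], rule["port"], rule["dest"]))
        new_cache[host] = ip
    return new_cache, commands


if __name__ == "__main__":
    # Constructed sample: one remote-desktop rule keyed on a dynamic hostname.
    sample_rules = [{"host": "lc.yi.org", "proto": "tcp", "port": 3389, "dest": "192.168.1.50"}]
    state, cmds = refresh(sample_rules, {}, table_resolver({"lc.yi.org": "198.51.100.7"}))
    print("\n".join(cmds))  # first run: one append
    state, cmds = refresh(sample_rules, state, table_resolver({"lc.yi.org": "198.51.100.9"}))
    print("\n".join(cmds))  # address moved: delete old, append new
```

To use the real resolver, call `refresh(rules, cache)` without the third argument and persist `cache` between runs (a small JSON file is enough); the schedule the page describes is a crontab entry that fires every five minutes, i.e. `*/5 * * * *`, which is an assumption about the exact line since crontab-root is not reproduced here.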