Smoothwall Express 3.1 released: a Linux distribution of Internet security products

jopen, 9 years ago

Smoothwall is a family of Internet security products designed to protect your users and your network from outside attack. Smoothwall Express is built on the Linux operating system. Linux is an ideal basis for a security system: it is reliable, secure, highly customisable, and its source code is freely available. Smoothwall ships with a hardened GNU/Linux operating system of its own, so there is no separate operating system to install. Smoothwall is designed to be easy to use and is configured through a web-based graphical user interface; no Linux knowledge is needed to install or run it.

Welcome to Smoothwall Express 3.1
The Smoothwall Community are pleased to announce the release of the long awaited Smoothwall Express 3.1 Firewall.

This release is a refresh of the Smoothwall Express 3.0 foundation and a culmination of five years of effort that began with the Roadster Test Vehicle. The build system has been thoroughly worked over, and the user interface has been freshened with several presentation improvements.

The vast majority of the work was done 'under the hood'. Here are just a few of the software upgrades: Linux 3.4.104, glibc 2.18, gcc 4.7.3, perl 5.14.4, squid 3.3.13, httpd 2.2.27, iptables 1.4.14, and openswan 2.6.41. Some of these updates are ready to enable new features such as HTTPS proxying in squid. In addition to these updates, numerous bugs present in v3.0 that caused hard-to-reproduce system problems and minor errors in the user interface were squashed.

If the firewall admin notices little difference between it and the v3.0 she has been using, the Smoothwall Express Community will have achieved our goal.


Key new features & improvements in version 3.1
Build
  • The build system is vastly improved. It is now re-entrant (a build will continue where it left off when an error is encountered and fixed), and compiles will use all CPU cores present. It should produce correct i586 or x86_64 code for all packages.
  • Grub Legacy is now used to boot all drives: ISO images, flash installers, and the installed target.
  • SMP is standard for 32- and 64-bit installations. Smoothwall Express will now use those extra CPU cores.
  • Installation on KVM, Xen, VMware, Hyper-V and other virtual systems is supported. Operation on KVM was used extensively during development; operation on other hypervisor systems is known to work but hasn't been tested as thoroughly. Virtio disk and network devices are supported; they work well with KVM.
  • The kernel now provides /dev entries for all devices it knows about; udev handles the rest.
  • The latest firmware blob from kernel.org has been included to make more hardware usable with Smoothwall Express.
  • The collection of manufacturer drivers for NICs and NADs has been moved into a separate package to make it easier to provide updates.

Distribution
  • There are now three ISO images for each architecture: standard install, developer's edition that contains the development and documentation packages, and a 30MiB 'off-road' edition to be used to verify general hardware compatibility with v3.1. The developer's edition can be used to install a live firewall or a development system; installing the development and documentation packages is optional; they can only be installed using the Advanced Installer or by hand after installation.
  • The distribution ISO image includes several new features. They include:
    • an option to make a bootable install flash drive; it is now possible to install from a flash drive when there is no CD/DVD drive available
    • options to install and/or boot using a serial console
    • the basic (traditional) installer--to be used when the system contains one hard drive, one CD/DVD drive, and standard VESA display with keyboard
    • a new advanced installer--to be used with all other install options
      • choose the target hard drive
      • choose the installation source drive (ISO, flash, or other)
      • use a serial (EIA-232) console
      • install and upgrade with a restore of 'variable' data from a previous archive
      • completely restore a 'total' archive
      • use EXT4 or Reiser file system
      • optionally install the development and/or documentation packages
    • a script, gpt2mbr, to convert the partition table scheme from GUID (GPT) to MBR (MS-DOS)
      This is a workaround for UEFI BIOSen that don't properly handle GPT-partitioned drives. Some BIOSen seem to assume that GPT means UEFI boot methods must be used.

Features: new and improved
  • The Timed Access feature was reworked to use netfilter's '-m time' feature. It now acts instantly when crossing from reject to allow and vice-versa.
  • The interfaces admin page and setup program now rewrite certain configuration files that contain IP and LAN addresses related to the firewall and the LANs it protects. The related features now work properly after the admin changes any of the firewall's IP addresses.
  • The bandwidthbars presentation was reworked and improved.
  • The interfaces page has a new subsection for the RED NIC that allows the admin to ignore the MTU setting ISPs send in their DHCP packets and allows the admin to override the ISP's DNS servers. The MTU override is required for Comcast and one or two other ISPs.
  • The browser's preferred language can now control the language presented in the user interface. Please note that these translations are quite old and are incomplete.
  • There is a new Plug-n-Play backup system: hot-plug a configured drive and the system will be automatically archived onto it with both a 'var' archive (all the 'variable' data on the system) that is useful when upgrading, and a 'total' archive that is useful when a system fails or is moved to new hardware. USB and eSATA drives are known to work. Be aware that archives can be larger than 2GiB, which is the maximum file size on VFAT filesystems. If your archive exceeds the size limit, you will need to format the backup drive using EXT4, Reiserfs or UDF.
  • The QoS feature has been thoroughly reworked and provides much smoother traffic shaping.
  • Nanouk's Smoothinfo mod has been improved and integrated into the admin interface.
  • Marco's URL Filter mod from Express 3.0 has been fully integrated into 3.1.
  • Stan's port of hype8912's DHCP Lease Table mod has been fully integrated into 3.1.
  • Many elements of Steve McNeill's SmoothInstall work have been integrated; this will make properly organized mods much more resilient when official updates are applied.
  • INVALID packets (such as TCP RESET) received when there is no corresponding connection tracking data in netfilter are dropped very early. There is an option on the advanced networking admin page to log them. Such packets were typically called 'spurious' in earlier versions of Smoothwall Express.
  • Most, if not all, packet log entries identify the chain or feature that triggered the entry. This should make it easier to determine why packets are dropped or rejected.
  • Syslogd no longer waits until its log entries have been written to disk before returning to get the next entry. This effectively eliminates the bottleneck associated with packet logging and with programs (such as snort) that dump tremendous amounts of data into syslog.
  • Smoothwall Express 3.1 is not vulnerable to DoS while it starts up or shuts down. Ingress police barricades are erected during system start up until the firewall is fully ready to process packets, and during system shutdown after the firewall has been disabled. Smoothwall Express 3.0's startup and shutdown could be almost infinitely extended with as little as 56 kb/s of loggable traffic.
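As an added illustration of two of the netfilter behaviours listed above (Timed Access built on '-m time', and the early drop of INVALID packets with an optional log entry that names the chain), the script below renders the iptables commands those features amount to. It is example code written for this page, not Smoothwall's own rule generator; the chain names timedaccess and spurious, the rate limit and the log prefix are assumptions. The rules are printed rather than applied, so the script can be reviewed on any machine and piped to sh on a test box by someone with root.

```shell
#!/bin/sh
# Added example, not Smoothwall Express code. Renders iptables commands to
# stdout; nothing is applied. Chain names, rate limit and prefix are assumed.

# render_timed_access SRC_NET DSTPORT START STOP [DAYS]
# Emits an ACCEPT rule confined to a clock window with '-m time', followed by a
# REJECT for the same traffic outside that window. Because '-m time' is matched
# per packet, the switch from reject to allow (and back) takes effect on the
# very next packet instead of waiting for a cron job to rewrite the ruleset.
render_timed_access() {
    src=$1; port=$2; start=$3; stop=$4; days=${5:-Mon,Tue,Wed,Thu,Fri}
    printf 'iptables -A timedaccess -s %s -p tcp --dport %s -m time --timestart %s --timestop %s --weekdays %s -j ACCEPT\n' \
        "$src" "$port" "$start" "$stop" "$days"
    printf 'iptables -A timedaccess -s %s -p tcp --dport %s -j REJECT --reject-with icmp-admin-prohibited\n' \
        "$src" "$port"
}

# render_invalid_drop on|off
# Emits a dedicated chain for packets that have no conntrack state (ctstate
# INVALID, e.g. a stray TCP RST) and hooks it in as the first INPUT rule so the
# packets are discarded before any other processing. With "on", a rate-limited
# LOG rule whose prefix identifies the chain comes first, so the packet log
# says which chain dropped the packet.
render_invalid_drop() {
    printf 'iptables -N spurious\n'
    if [ "$1" = "on" ]; then
        printf 'iptables -A spurious -m limit --limit 10/min -j LOG --log-prefix "spurious:INPUT "\n'
    fi
    printf 'iptables -A spurious -j DROP\n'
    printf 'iptables -I INPUT 1 -m conntrack --ctstate INVALID -j spurious\n'
}

# Stand-alone usage: render a 08:00-17:00 weekday web allowance for one LAN
# (constructed sample values) and the logged INVALID drop.
render_timed_access 192.168.1.0/24 80 08:00 17:00
render_invalid_drop on
```

Review the rendered output before applying it anywhere: the INVALID hook is inserted at position 1 deliberately, which means it precedes any existing accept rule for established traffic, exactly as the early drop described above intends.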

Some software has been included to support future features and mods. The smartmontools and lm-sensors packages have been included in the distribution to support hardware health monitoring and problem notification. Apcupsd has been included to support proper shutdown of systems on battery backup; direct connections to UPSes and client and server network connections to other daemons are supported. Ntop has been included to support more diverse network traffic statistics. Suricata v1.4 is available for those who wish to explore an alternative intrusion detection system. Ipset is available for those who want to develop ways to handle thousands of IP addresses in netfilter.


The known problems in version 3.1
There are a few known problems in Smoothwall Express 3.1:
  • The latest 3.4 kernels seem to queue up direct disk accesses such as from parted. This can result in installation failures on very old IDE drives; parted can exit before its work is complete and the next step will fail.
  • The ipt_ACCOUNT traffic counters are 32 bits long. A gigE network can roll them over in about 35 seconds; a 10gigE network in about 3½ seconds. To fix this is likely to be rather invasive; we decided to leave the work for an update.
  • The PnP Backup system doesn't seem to detect when the backup medium is full. Nor does it detect when the maximum file size limit has been exceeded; the VFAT/FAT-32 file system has a 2GiB limit. The tar archives of a stock system might never exceed this unless squid is deployed with a large cache. The only fix is to clearly warn admins of the problem and advise them to format the backup partition with the EXT2 file system.
  • Squid doesn't always feed cached files very fast; it usually seems limited to 400-500kB/s, even on a system that can saturate 4 gigE links.
  • Some EFI BIOSen seem to be broken; they won't boot from an EFI partition unless UEFI is actively used. The installer initramfs includes a gpt2mbr conversion script for these cases; it converts the GUID partition table to the old standby Master Boot Record format. The drawback to this workaround is that if the entire disk hasn't been assigned to filesystems, that unused space will be inaccessible.
  • On the 64-bit version, iptables erroneously adds a harmless '--datestop' option with a date-time in 2038/01/19; this is likely the result of a bad conversion of an int from 32-bit to 64-bit. It's harmless because few Smoothwall Express 3.1 systems should be extant in 2038.
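The 32-bit counter rollover noted in the known-problems list above is easy to mis-read in monitoring: a counter that went down between two polls has wrapped, not reset. The helpers below, added for this page and not part of Smoothwall Express, work out how long a link takes to wrap a 32-bit byte counter and compute the bytes transferred between two samples correctly across one wrap. They assume a shell whose $(( )) arithmetic is 64-bit (bash, dash and busybox sh all qualify); the link speeds used are constructed sample values.

```shell
#!/bin/sh
# Added example, not Smoothwall Express code. Arithmetic for 32-bit byte
# counters such as ipt_ACCOUNT's. Requires 64-bit shell arithmetic.

MAXBYTES=4294967296   # 2^32: one more than the largest value a 32-bit counter holds

# rollover_tenths BITS_PER_SECOND
# Tenths of a second for a link at the given speed to push 2^32 bytes, i.e. how
# long a saturated link needs to wrap the counter. 1 Gb/s -> 343 (34.3 s),
# 10 Gb/s -> 34 (3.4 s), matching the "about 35" and "about 3.5" seconds above.
rollover_tenths() {
    bps=$1
    echo $(( MAXBYTES * 80 / bps ))
}

# counter_delta PREV CUR
# Bytes transferred between two samples of a 32-bit counter. If the counter
# appears to have gone backwards it wrapped once, so add 2^32. Two or more
# wraps between samples cannot be detected; see poll_interval_ok.
counter_delta() {
    prev=$1; cur=$2
    if [ "$cur" -ge "$prev" ]; then
        echo $(( cur - prev ))
    else
        echo $(( cur + MAXBYTES - prev ))
    fi
}

# poll_interval_ok SECONDS BITS_PER_SECOND
# Succeeds (exit 0) when a poller sampling every SECONDS cannot miss a wrap at
# the given link speed, i.e. the interval is shorter than the rollover time.
poll_interval_ok() {
    secs=$1; bps=$2
    [ $(( secs * 10 )) -lt "$(rollover_tenths "$bps")" ]
}

# Stand-alone usage with constructed values: a gigE link, and two samples that
# straddle a wrap.
t=$(rollover_tenths 1000000000)
echo "gigE wraps a 32-bit counter in $(( t / 10 )).$(( t % 10 )) s"
echo "bytes between samples 4294967000 and 200: $(counter_delta 4294967000 200)"
if poll_interval_ok 10 1000000000; then echo "10 s polling is safe on gigE"; fi
if ! poll_interval_ok 60 1000000000; then echo "60 s polling can miss a wrap on gigE"; fi
```

The practical consequence for anyone graphing these counters in 3.1: poll more often than the rollover time of the fastest interface, or the graphs will silently lose whole multiples of 4 GiB.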


Upgrade warning
If you are running Roadster or any of the 3.1 release candidates, your system may be at risk; you must upgrade soon.
  1. OpenSSL had a major bug that could leak data to unauthorized parties. The installed version is 1.0.1i.
  2. IPv6 was not correctly firewalled before RC4; there's a small chance your UI and/or SSH could be accessed from RED via a link-local address; this bug is present in Roadster, too.
  3. The bash bug is present in all but the very last test version of RC6. The present version is 4.1.17.
  4. Many problems were corrected in the 3.4 kernel releases leading up to 3.4.104.
Again, you are strongly urged to upgrade your Roadster and 3.1 release candidate systems to Smoothwall Express 3.1 as soon as it is practical.



Download
Here are the links to download the ISO images.
Visit https://sourceforge.net/projects/smooth ... thWall/3.1 and click an ISO file's i icon toward the right of the sourceforge window to view the SHA1 and MD5 sums for that ISO. Use one of these sums to verify that your system has correctly downloaded the ISO.
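The check described above, as an added example that is not part of the Smoothwall project: paste the SHA1 or MD5 sum shown on SourceForge next to the ISO file and compare it with the sum of the file you actually downloaded. The function picks the algorithm from the length of the pasted sum, tolerates upper-case hex, and exits non-zero on a mismatch so it can gate a scripted install. It assumes the coreutils sha1sum and md5sum are present; the ISO filename in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not Smoothwall code. Compare a downloaded file with the sum
# published beside it. Usage: verify_iso FILE EXPECTED_HEX
#   exit 0 = match, 1 = mismatch, 2 = unrecognised sum length.
# Example (placeholder filename, sum pasted from the SourceForge "i" pane):
#   verify_iso smoothwall-express-3.1-PLACEHOLDER.iso <sum from the download page>

verify_iso() {
    file=$1
    # Normalise to lower case so a sum copied as upper-case hex still matches.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        40) actual=$(sha1sum "$file" | cut -d' ' -f1) ;;   # SHA1: 160 bits = 40 hex
        32) actual=$(md5sum  "$file" | cut -d' ' -f1) ;;   # MD5: 128 bits = 32 hex
        *)  echo "unrecognised sum length ${#expected} (expect 40 for SHA1 or 32 for MD5)" >&2
            return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published sum"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}
```

A matching sum shows the download arrived intact; because the sum is published on the same site as the ISO, it does not by itself prove who produced the image, so keep to the project's own download location named above rather than a mirror you found elsewhere.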


Support
As always, community support is available via the Smoothwall Express 3.1 forum. Please report problems and successes there.


Developer Info
Build system hints (HOWTO download SWE3.1 sources)
Build system hints (HOWTO build SWE3.1)
Daily Builds