Linux

I've been using Linux/Unix for many years. I've always had a strong interest in technology in general and computing specifically.

These are my opinions. Opinions are like noses, everyone has one, and they all smell.

Enjoy your visit.

Engarde 3.0.22 Community Firewall

EnGarde Secure Linux is a fork of Debian GNU Linux. I did my testing in a VMware environment and one of the first challenges I encountered is that EnGarde didn’t like my SCSI drive in the Virtual Machine, because it doesn’t have a BIOS. I switched to the IDE virtual drive and it installed fine.

The install was fast and painless. I love that the system tells you about nearly everything you’re installing, and lets you pick and choose applications and services to install. For partitioning, I stuck with the default settings, as most people would. I might customize it if I were doing an install for deployment. I was pleasantly surprised how small the initial install was. If it weren’t for the dependency on Perl this could be run on an embedded system. It’s small enough to fit onto a 1Gb CF with room to spare. Take a look at the output of df -h:

device Used mount point
/dev/hda2 455M /
/dev/hda3 66M /home
/dev/hda4 114M /var

Settings

EnGarde’s settings are all managed through a web browser like many modern firewalls. First you have an opportunity to change the default passwords for root and admin and decide from which networks or addresses you want to allow access to the WebTools.

Initial Configuration

Further down the page you have the opportunity to change the configuration of the time servers that you configured during the install, and decide which application groups you will have running on the system.

SSH

There are two pages related to configuring SSH (secure shell) in the WebTools. The first page lets you “define specific users or groups that you wish to allow or deny access to.”

Secure Shell Configuration

Secure Shell Key Generation is the name of the next page. It guides you through the process to generate a public/private key pair for ssh, and allows you to download the private key through the web browser.

Secure Key Generation

Tabs

There is a series of tabs at the top of the page, where you can access various parts of the configuration. I really liked the organization. It fits my idea of a logical layout. Here are a few screenshots of the tabs.

Services Tab

Auditing Tab

System Tab

Virtual Hosts

There is a place to set up Apache Virtual Hosts in the WebTools interface. I wouldn’t recommend running Apache on a system that is the first line of defense on the network border. Fortunately Apache isn’t turned on by default. WebTools appears to be a set of Perl scripts that uses a Perl web server, similar to Webmin. Maybe there’s even some cross fertilization. :)

Create Virtual Host

Access Control

EnGarde 3.0 allows Access Control for the various services running on the system. You can control services like PPTPD (the point-to-point tunneling daemon), SLAPD (the standalone LDAP daemon) and the FTP server, VSFTPD, all of which I chose not to install because I consider them to be security risks. Access to other services (the Secure IMAP and secure POP3 service, SSH, the secure shell, the Guardian Digital Secure User Manager Service, and WebTool) is also managed through the ACL page.

Access Control

Backup and Restore

There’s even a backup and restore interface in WebTool.

Backup and Restore

There are a few pre-configured backups, which may be sufficient for most people. Essentially the backup script creates a gzip’ed tar file labeled $filename_prefix-$date-$time.tar.gz in /var/BACKUP, which you can then download through the web interface. I would prefer something a little more sophisticated. The list of software that you can install includes Amanda and Bacula, two open source packages for doing backups. I doubt if the installation includes any WebTool interfaces. So you’re probably on your own finding documentation and setting it up through the console. Not bad if you have the experience.
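
An added example, not EnGarde’s backup script and not part of the original review: a shell function that writes an archive with the same prefix-date-time naming, keeps it owner-only, and records a SHA-256 digest so the copy downloaded through the browser can be checked later. The function names and the YYYYMMDD/HHMMSS stamp layout are assumptions.

```sh
#!/bin/sh
# Added example: timestamped gzip'ed tar backup with a digest and a
# read-back check. Not EnGarde's script; all names here are assumptions.

# make_backup PREFIX SRC_DIR DEST_DIR -> prints the archive path on success
make_backup() {
    prefix=$1 src=$2 dest=$3
    [ -d "$src" ] || { echo "source $src is not a directory" >&2; return 1; }

    # Archives of system config hold secrets: owner-only from creation on.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest" || { umask "$old_umask"; return 1; }

    # Assumed layout for $date and $time: YYYYMMDD and HHMMSS.
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/$prefix-$stamp.tar.gz"

    # Write to a temporary name first so a failed run never leaves a file
    # that looks like a finished backup.
    tmp="$archive.partial"
    if ! tar -czf "$tmp" -C "$src" . ; then
        rm -f "$tmp"; umask "$old_umask"; return 1
    fi
    # Read the archive back; a truncated gzip stream fails here.
    if ! tar -tzf "$tmp" >/dev/null; then
        rm -f "$tmp"; umask "$old_umask"; return 1
    fi
    mv "$tmp" "$archive"

    # Record a digest next to the archive for later comparison.
    name=$(basename "$archive")
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
    umask "$old_umask"
    echo "$archive"
}

# verify_backup ARCHIVE -> exit status 0 if the digest still matches
verify_backup() {
    ( cd "$(dirname "$1")" &&
      sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}
```

Run verify_backup against the downloaded copy (with its .sha256 file beside it) before relying on it for a restore.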

Firewall Configuration

For managing the firewall, there’s a pretty decent WebTool page. “You may not start the firewall until you have saved the settings on this page at least once.”

Firewall Configuration

You can build your own custom rules with the Firewall Rules page which is accessible under the Modules tab of the Firewall Configuration Screen.

Firewall Rules

If you select Create New Rule you’ll get a pop-up like this.

Edit Firewall Rule

This makes it pretty straightforward to create your own custom rules. Another pop-up lets you configure rules for zones, giving or denying access by host.

Edit Host Entry

There are more firewall rule settings configurable through the WebTools interface.

Package Management

Additional packages can be installed through the GSDN Package Management Interface. Many have no place on a firewall, in my opinion. There are a few packages that can enhance or add features to already installed packages.

GSDN Package Management Interface

I decided to install some of the applications that would extend the capabilities of the system and configure it close to the other systems I have reviewed here. I chose to install the following packages.

amavisd.new
bridgeutils
john
openvpn
psad
pyzor
smokeping
spamassassin
squid

I didn’t think this was a major change in the already installed packages.

Installed Packages

What I got was the following message in the middle of my browser.

[Screenshot: message about some dependencies]

Nothing to tell me what the dependencies are, or how to resolve them. So I went to the console and used apt-get install to install them. The only failure was smokeping. Smokeping has a large number of dependencies. None were installable. Sorry, no screen shots from the console. At least there’s a workaround, even if the WebTool fails. I can’t say that for every system I’ve looked at. The only change I found in the GUI interface was the Services page. So, for example, there’s no GUI configuration for Squid, which I installed. Another disappointment was that DansGuardian wasn’t an available package.

Pros:

  • Default install is minimal
  • WebTool is easy to use and well organized
  • Logical Layout

Cons:

  • Guardian Secure Digital Network Package Management Tool needs work.
    • Lacks dependency resolution.
    • Only allows installing packages, not removing them.
  • Doesn’t appear to be any WebTools interface to the supplemental packages.
  • OpenVPN is an optional install and has no interface through WebTools

Conclusions:

I would use and recommend this product. I think this is one of the better Linux firewall distributions I’ve examined. With the default install, less a few packages, it looks to be a very secure system. The WebTools seem to work well enough. It’s a small footprint, so it would be easy to repurpose a previous generation workstation to run as a firewall, if you’re on a tight budget.
