EnGarde Secure Linux is a fork of Debian GNU Linux. I did my testing in a VMware environment, and one of the first challenges I encountered was that EnGarde didn’t like my SCSI drive in the virtual machine, because it doesn’t have a BIOS. I switched to the IDE virtual drive and it installed fine.
The install was fast and painless. I love that the system tells you about nearly everything you’re installing, and lets you pick and choose applications and services to install. For partitioning, I stuck with the default settings, as most people would. I might customize it if I were doing an install for deployment. I was pleasantly surprised how small the initial install was. If it weren’t for the dependency on Perl this could be run on an embedded system. It’s small enough to fit onto a 1Gb CF with room to spare. Take a look at the output of
device      Used   mount point
/dev/hda2   455M   /
/dev/hda3   66M    /home
/dev/hda4   114M   /var
EnGarde’s settings are all managed through a web browser, like many modern firewalls. First you have an opportunity to change the default passwords for root and admin and decide from which networks or addresses you want to allow access to the WebTools.
Further down the page you have the opportunity to change the configuration of the time servers that you configured during the install, and decide which application groups you will have running on the system.
There are two pages related to configuring SSH (secure shell) in the WebTools. The first page lets you “define specific users or groups that you wish to allow or deny access to.”
Secure Shell Key Generation is the name of the next page. It guides you through the process to generate a public/private key pair for SSH, and allows you to download the private key through the web browser.
There are a series of tabs at the top of the page, where you can access various parts of the configuration. I really liked the organization. It fits my idea of a logical layout. Here are a few screenshots of the tabs.
There is a place to set up Apache Virtual Hosts in the WebTools interface. I wouldn’t recommend running Apache on a system that is the first line of defense on the network border. Fortunately Apache isn’t turned on by default. WebTools appears to be a set of Perl scripts that uses a Perl web server, similar to Webmin. Maybe there’s even some cross-fertilization.
EnGarde 3.0 allows Access Control for the various services running on the system. You can control services like PPTPD, the point-to-point tunneling daemon; SLAPD, the standalone LDAP daemon; and the FTP server, VSFTPD, all of which I chose not to install because I consider them to be security risks. Access to other services (the secure IMAP and secure POP3 services; SSH, the secure shell; the Guardian Digital Secure User Manager Service; and WebTool) is also managed through the ACL page.
Backup and Restore
There’s even a backup and restore interface in WebTool.
There are a few pre-configured backups, which may be sufficient for most people. Essentially the backup script creates a gzip’ed tar file labeled $filename_prefix-$date-$time.tar.gz in /var/BACKUP, which you can then download through the web interface. I would prefer something a little more sophisticated. Included in the list of software that you can install are Amanda and Bacula, two open source packages for doing backups. I doubt if the installation includes any WebTool interfaces. So you’re probably on your own finding documentation and setting it up through the console. Not bad if you have the experience.
For managing the firewall, there’s a pretty decent WebTool page. “You may not start the firewall until you have saved the settings on this page at least once.”
You can build your own custom rules with the Firewall Rules page which is accessible under the Modules tab of the Firewall Configuration Screen.
If you select Create New Rule you’ll get a pop-up like this.
This makes it pretty straightforward to create your own custom rules. Another pop-up lets you configure rules for zones, giving or denying access by host.
There are more firewall rule settings configurable through the WebTools interface.
Additional packages can be installed through the GSDN Package Management Interface. Many have no place on a firewall, in my opinion. There are a few packages that can enhance or add features to already installed packages.
I decided to install some of the applications that would extend the capabilities of the system and configure it close to the other systems I have reviewed here. I chose to install the following packages.
I didn’t think this was a major change in the already installed packages.
What I got was the following message in the middle of my browser.
Nothing to tell me what the dependencies are, or how to resolve them. So I went to the console and used apt-get install to install them. The only failure was smokeping. Smokeping has a large number of dependencies. None were installable. Sorry, no screenshots from the console. At least there’s a workaround, even if the WebTool fails. I can’t say that for every system I’ve looked at. The only change I found in the GUI interface was the Services page. So, for example, there’s no GUI configuration for Squid, which I installed. Another disappointment was that DansGuardian wasn’t an available package.
- Default install is minimal
- WebTool is easy to use and well organized
- Logical Layout
- Guardian Secure Digital Network Package Management Tool needs work.
- Lacks dependency resolution.
- Only allows installing packages, not removing them.
- Doesn’t appear to be any WebTools interface to the supplemental packages.
- OpenVPN is an optional install and no interface through WebTools
I would use and recommend this product. I think this is one of the better Linux firewall distributions I’ve examined. With the default install, less a few packages, it looks to be a very secure system. The WebTools seem to work well enough. It’s a small footprint, so it would be easy to repurpose a previous generation workstation to run as a firewall, if you’re on a tight budget.