ClarkConnect
Not your Son’s Firewall
(Well, maybe it is)
Clint Tinsley
Note: Since this article was written, ClarkConnect has released Home Edition 2.2
and their Firewall/VPN 2.2 for non-commercial users on the http://www.clarkconnect.org
web site. This article and the demos at the Linux meeting were based on the
ClarkConnect Home Edition 2.1 sp1 release. The Firewall/VPN edition provides
industrial strength network security along with VPN tunneling and a DMZ for your
web and mail servers.
For the last few meetings, the Linux Group has been spending some of its time
looking at ClarkConnect, as Ed Works was using it both here and at his California
location. He showed me enough to interest me, even though I had my feet
pretty much cast in the cement of SME Server Developer Edition, which has similar
but not all of the capabilities of ClarkConnect. Before I got my DSL connection
(phone line), I had been using Smoothwall as a “dial-on-demand firewall” and
DHCP server for my home network. Without spoiling this review for you,
I am really impressed by ClarkConnect Home Edition for a number of reasons, starting
with its being free for non-commercial use, based on a standard version of RedHat
Linux with everything in the “standard” directory structure (something SME Server
is not), and providing a wide range of services including content filtering and
proxy along with e-mail and web server.
I had seen enough with Ed Works’ systems to want to try this out for myself
so I built one. This article will detail my experience with ClarkConnect.
Some Basics
Firewall – A system which secures your PC from outside attacks, basically rendering your PC invisible to those on the Internet who would want to worm their way into your system via various port exploits and other attacks. It “sits” between the Internet and your computer, creating a “wall” between them. There are several software firewalls, such as ZoneAlarm and BlackICE; these firewalls run on your PC, take up resources, and can slow down your system. Hardware solutions such as routers, Smoothwall, and ClarkConnect move these firewall functions from your computer to separate hardware (another computer). When I first changed from my PC’s internally “hosted” dial-up modem and firewall configuration to Smoothwall, I immediately observed both an increase in the speed of my computer and an improvement in accessing web sites and downloads. The hardware requirements for solutions such as Smoothwall and ClarkConnect are minimal. ClarkConnect can be (emphasize “can be”) run on a simple Pentium class computer with a 1 GB hard drive and 64 Megabytes of RAM, and I actually ran Smoothwall on a 586 (Pentium compatible) system with 32 Megabytes of RAM. ClarkConnect has a graphic on their website which states “Don’t throw out that old computer – Install ClarkConnect!”
Why ClarkConnect?
ClarkConnect, while providing the basic Firewall and DHCP services, does
a lot more in providing services such as mail and content filtering, and also
provides a better firewall solution. You are able to configure the
firewall side of ClarkConnect as to what ports you want to let through the firewall,
and you can even limit the amount of traffic on specific ports, something particularly
useful if you have someone in the house who is hogging all the bandwidth with
music or other downloads. All of this is administrable from a web browser, either via
ClarkConnect’s built-in administration tools or by installing Webmin, another
browser based administration tool. And if you want to really fine tune
your firewall, you can download and install Shorewall, a firewall configuration
tool, from http://www.shorewall.net, which is also supported by the Webmin tool.
Ed Works swears by (and “at” on occasion, I suspect) Webmin.
One unique service that sets ClarkConnect apart from the others is the free Dynamic
DNS service provided by ClarkConnect. DNS is an acronym for Domain Name
Service and is the method by which you have an “address” on the Internet in
URL format such as http://clints.clarkconnect.org . Dynamic DNS is a function
provided by the ClarkConnect organization such that when your system comes
online, it sends its assigned Internet address to ClarkConnect and the name
server there associates your URL with your assigned Internet address, so you
and others can find your website or mail server by its URL. Why do you
need “Dynamic DNS,” you ask? Because your assigned Internet address is
given to you by your Internet Service Provider, be it the phone company or CableOne,
and it can change at any time, most times without your knowledge.
ClarkConnect Services
ClarkConnect is an application server based on a standard RedHat distribution. The text based installer is standard RedHat, does not require a fancy monitor or mouse, and you basically accept the defaults as you tab and click okay through the various installation choices. The range of services available becomes evident during the installation process when you arrive at the “Standard Modules” choices. The choices for installation are as follows:
Standard Modules
[*] DHCP Server
[*] System Status
[*] Caching Name Server
[*] Dynamic DNS
[*] Web Proxy Server - Squid
[*] Pop-up and Ad Filter - Junkbuster
[*] Web Server – Apache with SSL
[*] Mail Server – POP3, IMAP, SMTP
[ ] FTP Server – ProFTPD Server
[ ] File Sharing – Samba/Windows
[ ] Print Server – Cups Print Server
More Modules
[ ] Webmail – Squirrelmail
[ ] Spam Blocker – SpamAssassin
[*] Bandwidth Limiter
[ ] Intrusion Detection – Snort
[ ] PHP Support (Web Server)
[ ] Web Photo Album – Gallery
[ ] Caller ID
[*] Content Filtering – DansGuardian
[ ] Wireless Networking
These are a lot of services to be run on a single computer if they all are fully
implemented along with the Webmin server component and the built in web based
administration tools. I have built this on a PII 350 with 128 MB of RAM
and with a small home network this is okay, but there are some, including myself,
who would really argue against putting all this stuff on a single computer.
Linux is wonderful, but not that wonderful! My demo ClarkConnect
system is an AMD 2100+ with 512 MB of RAM. At my office, we have some of
these services spread across 3 systems (Xeon 2+ GHz based, gigabytes of RAM) and
still suffer performance concerns at times. We do not provide on these
3 systems all the services that ClarkConnect offers on a single system, which
makes ClarkConnect even a bit more magical.
In the lists above, the * in the boxes marks the installation defaults. You
may not want to install some of the defaults or may want other choices not selected
by default. For example, in my build, I deselect Dynamic DNS and the Pop-up and
Ad Filter but then I add the FTP Server, File Sharing, and Cups Print Server,
and then in the “more” list, I deselect Bandwidth Limiter but add Webmail, Spam Blocker,
Intrusion Detection, PHP Support, and the Web Photo Album. Reasoning:
I don’t need Dynamic DNS as my system is an “internal” system and not
accessible from the Internet, plus I use ZoneAlarm to take care of my Pop-up
and Ad Filtering. I don’t need Bandwidth Limiting because I am the sole user
of my network; I wouldn’t want to limit what I can do on my own Internet connection,
would I? I added several services for the following reasons: the FTP
Server enables me to transfer files from other computers to ClarkConnect.
File Sharing lets me use “Windows File Sharing” to have a common
place on my network where I can put files to be shared with other computers
on the network. The Print Server provides the ability to share a connected
printer with other computers on the network. This configuration only requires
that I have one system up all the time, ClarkConnect, and be able to share resources
and use files from the “file and print server” that is ClarkConnect. The
services added in the “more” area are primarily of an educational nature for
me, as I want to learn more about how to use these servers/services. Of particular
interest are the web server add-ons such as PHP Support and the Photo Gallery.
ClarkConnect comes with the very powerful 2.0 version of Apache with SSL
(Secure Sockets Layer) included, which provides certificate based HTTPS secure
connections, and then we add PHP support, which is the web page programming language
that allows you to program functionality into your web pages that the HTML web
page language did not support, such as SQL database queries. The web gallery
is a nice feature for organizing and displaying your digital photo album.
If you want to know more about the various services, you can usually find more
information by using the Linux search engine at Google, where you can simply
type in a keyword such as Snort or DansGuardian and you will be taken to
many links which should include the home page for the particular service or
server. The ClarkConnect documentation website is at http://www.clarkconnect.org/docs/2.1/index.htm. This should be the first place you look for information on installing
ClarkConnect as well as any of the modules, and usually the page for that module
or service will also contain a link taking you to another website where you
can find out the particulars about that service. Don’t be scared or overwhelmed
by the wealth of information available here. ClarkConnect basically installs
and configures itself for basic use. For example, if you were to download the
DansGuardian installation files and try to install it yourself, it would require
a lot of work in configuring it just to get it to work. With ClarkConnect,
it has already been integrated with the Squid Proxy server, no assembly required.
ClarkConnect requires that you have a minimum of two network
“interfaces” or cards in the computer. At installation time, it will not be clear
which card it considers “eth0,” which is the “external” interface that needs to be connected to the
World. When you first bring it up, you have a 50/50 chance of getting
it right as to which Ethernet card you plug the cable going to your “router”
into. If you don’t get it “right” and you log in to the ClarkConnect
terminal screen on the box, it will show the eth0 interface as disabled. To
get it “right,” all you need to do is swap the cables between the two cards on
the ClarkConnect box and then click on Enable to start it. You have two
ways of connecting your computer to the second “interface” card: If you
have a home network, then you need a switch or hub connected to the second
network card and then you can connect your PC(s) to the hub. If you have only one
PC presently, you can use what is called a crossover cable, which eliminates
the need for a switch or hub, and that is what I am using presently to test my
evaluation system.
There is at least one gotcha in getting the system up and running, and that
is that you have to do all the initial setup from a computer on the inside of the
ClarkConnect, but the DHCP service necessary for your computer to automatically
find the ClarkConnect box is not started by default and you have to manually
start it. To do this, you have to first manually configure your workstation
with a static IP address and gateway. The static IP addresses that are required to initially
connect to your ClarkConnect system are detailed at http://www.clarkconnect.org/docs/2.1/win98.htm;
with them you can initially configure the services, which
includes automatic startup of the DHCP server. The documentation suggests
that DHCP is started automatically by the installation and you don’t have to do
static at all, but you do have to configure static IP addressing on the first workstation,
and it is probably best to enter the address https://192.168.1.1:81 to access
the admin page the first time. The https shows that you are already using
a secure connection to administer the box, and the :81 sets up the communication
on port 81 rather than port 80, which is used for normal web traffic.
One other note, I built the two systems used at the Linux Group
April Meeting on AMD
2100+s with 512 MB. As a test, I am currently evaluating ClarkConnect on a
PII 350 MHz system and it took about 25 minutes to load the ClarkConnect software vs 5 minutes on the
2100 and admin tasks are noticeably slower to respond.
After you get your ClarkConnect system up
and running, the first tasks are to
register it with ClarkConnect (required but free), and then get the critical
updates and download other modules such as Webmin. Webmin is not a “standard”
module and has to be added after the initial installation. And don’t forget
to turn on the DHCP service, which is found via the System tab, Running services,
where you can start it and set it “To auto” so that it automatically starts
when you bring up your ClarkConnect system. The first tests of your ClarkConnect
after enabling DHCP are to set your workstation back to getting its Internet
Address information automatically (rebooting if you are running Windows98) and
then accessing your favorite web site such as Google.
Leaving it on
Some thoughts on leaving your ClarkConnect box on all the time. There is no reason that you cannot leave it on all the time. This is a Linux based system, very stable, and provided the computer you installed it on is able to run 24 hours a day, 7 days a week, without any hiccups, you are good to go. Ed Works has two systems running 24/7, one here in Boise and another in California. You would want to leave it on all the time if you were using it for a web server, mail and FTP services to the Internet. If you do this, then you must also consider using the ClarkConnect Dynamic DNS service or another DNS service so you and others can find your system on the Internet. If you are just going to use this internally, as I do, then the question gets fuzzy. Bottom line is that I don’t leave mine on but only turn it on when I need its services.
Comments from Ed Works
There are several changes going on at ClarkConnect as of this writing and
some of what you have read here may change. There are also several groups of
online help and forums on the web. So if you have an old box sitting around
and want to play with your own file or web server, give it a try. If you need
help installing or just getting it to run, I can help you via a phone
call (343.9513) or in person, or better yet come to our Linux Group Meeting.
My main server is running at www.ez3.org and the gallery is at www.ez3.org/gallery.
I also have a Boise server that is in the test phase and may be working or not;
the link is on the ez3 page as Boise. And just as a point of information, the
ez3 server is a Pentium Pro 200 with 64 meg of RAM. This was set up to be as quiet
as possible, and for low power consumption.
A few notes on a web server: if you want to set up a web server for just
you and your friends and don't want the site indexed by Google or others, go
to www.robotstxt.org and read how to keep bots out of your site. If you
don't want to deal with the CC box sitting between your computer and the net,
you can just set up a DMZ if you have a router that has that capability,
and most do.
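An added example (not from the article, nor from Ed's ez3 server) of the robots.txt approach mentioned above: two constructed robots.txt files, one that keeps every crawler out of the whole site and one that only fences off a gallery and a webmail login, checked offline with Python's standard-library robotparser. The paths and crawler names are assumptions for illustration.

```python
# Added example: what a "keep the bots out" robots.txt looks like, and how to
# verify offline that a well-behaved crawler would honour it. Uses only the
# Python standard library; nothing is fetched from the network.
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: block every crawler from the entire site.
ROBOTS_TXT_BLOCK_ALL = """\
User-agent: *
Disallow: /
"""

# Constructed variant: let crawlers index the front page, but keep them out of
# the photo gallery and the webmail login page (paths are hypothetical).
ROBOTS_TXT_PARTIAL = """\
User-agent: *
Disallow: /gallery/
Disallow: /webmail/
"""


def parse_robots(text):
    """Build a RobotFileParser from robots.txt text instead of fetching a URL."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def crawler_may_fetch(robots_text, user_agent, path):
    """True if a crawler identifying as user_agent is allowed to fetch path
    under the given robots.txt; False if a Disallow rule covers the path."""
    return parse_robots(robots_text).can_fetch(user_agent, path)


if __name__ == "__main__":
    for ua, path in [("Googlebot", "/"), ("Googlebot", "/gallery/album1/")]:
        print(ua, path,
              "block-all:", crawler_may_fetch(ROBOTS_TXT_BLOCK_ALL, ua, path),
              "partial:", crawler_may_fetch(ROBOTS_TXT_PARTIAL, ua, path))
```

robots.txt is a request that only cooperative crawlers honour, and the paths it lists are readable by anyone, so it keeps a site out of search results but does not protect the pages themselves; that is still the job of the firewall, the DMZ and the web server's own authentication.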
Linux Group Meeting
If you are interested in ClarkConnect or Linux, you are encouraged to attend our Linux Group meetings. This group is open to all current and prospective IPCUG group members. We meet at ExecuTrain on the 1st and 3rd Thursday of each month, 6:30 PM, 8950 W. Emerald, Suite 178.