LinuxWorld.com recently ran a series on Linux-based firewalls. One product that was not included was Cybernet Systems's NetMAX FireWall. I offered to review NetMAX FireWall because I saw it in August at the LinuxWorld Conference & Expo in San Jose, California. I'd also seen the product at my local Fry's Electronics shop.
I found NetMAX FireWall particularly interesting because of its secure Web-based configuration. If it lived up to its claims, I would no longer need to do everything via a console for my managed-services customers. The machine I used for this review would typically be used for a firewall.
The initial installation was a little frustrating. The software does not offer a network-based install, so I had to find a CD-ROM drive to put into the machine. That slowed my installation by only 10 minutes, but without a network-based install, it is difficult to efficiently install the product on multiple machines.
After installing the CD-ROM drive and changing the BIOS to boot from the CD-ROM, I put in the CD and waited for the magic.
Red Hat look-alike
NetMAX FireWall's initial screens are blatantly ripped off from Red Hat. The copyright text has been changed to read "NetMAX" instead of "Red Hat," but it is still an obvious Red Hat modification. Cybernet Systems makes no apologies; the company's retail box states, "Includes & installs Linux based on a distribution of Red Hat Linux."
As the installation started the initial loading, NetMAX's kinship with Red Hat Linux was even more apparent. That was actually a bit comforting; I am extremely familiar with Red Hat and liked the idea of installing a system I'd be able to manipulate easily.
The loading of the kernel modules was less comforting. As the NetMAX software tried to figure out what hardware I had on my system, it loaded all the modules. Unfortunately, it did so right on the console, which meant that I saw lots of errors. The errors are generated by modules that do not load correctly because the resources they require are missing. It was not an issue for me, but someone less familiar with the finer points of Linux may have thought something had gone wrong.
The software does not install everything at once. It asks for the network configuration first, then asks if you'd like to continue with the console-based installation. If you select "no," it starts Apache and gives you a URL based on the network parameters you have specified.
After selecting "no," I followed the instructions and opened the Web browser (KDE 2's Konqueror) on my workstation. As I typed in the URL, an error immediately popped up on the screen. I had typed http instead of https. After the error was displayed, it immediately redirected me to the correct https URL. I'm not sure why the error was displayed; I think a simple automatic redirect would have sufficed. In fact, there is even a redirect directive that can be used in the configuration file for Apache to achieve this.
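The redirect mentioned above, as an added illustration rather than anything taken from NetMAX's own Apache configuration: an Apache 1.3-era virtual host on port 80 whose only job is to send every request to the https: side. The hostname is an assumption.

```apache
# Added example, not NetMAX's configuration. firewall.example.com is assumed.
# Plain-HTTP listener that does nothing but redirect to the TLS listener,
# so a mistyped "http://" lands on the secure page without an error screen.
<VirtualHost *:80>
    ServerName firewall.example.com
    Redirect permanent / https://firewall.example.com/
</VirtualHost>
```

Nothing sensitive is carried on that first plaintext request, since the login form is only served after the redirect, so the convenience costs nothing; the administrative interface itself should still listen only on 443.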
Having chastised me for not using the https initially, the NetMAX software brought up an attractive form page with a disclaimer and legal information.
I clicked on the "Click here to continue" link and was promptly greeted with an error.
At that point, I decided to look at the documentation. NetMAX FireWall comes with a 228-page manual. There's a "basic troubleshooting" section in the back, but it did not cover the problem I'd encountered. I tried refreshing, to no avail. I tried clicking on the link. That didn't work either. I was unsure of what to do at that point, but it said "Reset the NetMAX interface and return to Home," so I rebooted the machine.
At least, I tried to.
The handy ctrl-alt-del didn't work. Instead, it just recycled the initial startup. I tried to access the Web-based administration again and received the same error! Frustrated, I hit the power switch. Actually, I tried to look around at the console level, but they have removed little programs like ls until the full installation is complete. I don't have to tell you how absolutely obnoxious that is.
Just out of curiosity, I tried to access the firewall with Netscape 4.7 instead of Konqueror. Oddly, Netscape brought up a completely different screen.
It actually wasn't that surprising; Konqueror has proven to be a little weird about certain things. However, before all you KDE zealots jump on me, I will say that I use Konqueror for 90 percent of my work and I think it's a better browser than Netscape 4.7 or 6.0.
License number purgatory
I was presented with a new screen that asked me to accept a license agreement and proceed with a full install, which I did. After hitting "continue," I was promptly asked for a license number. That was a surprise, and I tried to ignore it. But as soon as I hit "continue," a very polite red bar appeared and said "Please enter a valid License Number."
OK, soapbox time. I appreciate the fact that companies want to eliminate piracy. But I, as a Linux person, should never (and I mean never) have to dig through a box just to find a little piece of paper that tells me my "license number" to install a Linux product.
So after digging through the box to find the little piece of paper that tells me my license number, I entered it and hit "continue."
The next screen warned me that if I installed the software, it would "totally and irrevocably erase the entire contents of the selected destination IDE disk device a." That was a little confusing. I understood that they meant hard drive a, or /dev/hda, but some people might think that "IDE disk device a" is the floppy drive. After reading the warning, I clicked on "I understand and agree" and started the installation process. Warnings are generally a good thing; it's not uncommon for me to talk to someone who rescued their computer by installing Linux, but forgot to back up their Windows data first.
I clicked on "start" and a new window popped up to inform me of my installation's progress.
Finally, the installation process completed and the program asked me to shut down and reboot the system. NetMAX came up flawlessly, and even offered a tutorial via the Web interface. It explained the initial process of creating a LAN configuration and setting up the administrative user.
As I moved through the initial configuration, I found that the manual, although very informative, was not needed. The configuration was laid out very well and was easy to understand. I only found three items that were frustrating:
A valid name server is required, and NetMAX does check. If it doesn't find a name server on the address that you specify, it will not let you continue.
I could not use the username "admin" as my administrator. It appears that the admin username is reserved for the initial templates.
It only allows a username of up to eight characters.
Once you commit the initial configuration, the system will restart its services and bring you to a login screen.
The system as a whole seemed very solid. I was able to configure basic rule sets, including IP Masquerading, without any issues. Unfortunately, while the system is designed for actual networking professionals, the product is marketed in places like Fry's Electronics. Patrons of Fry's are typically small office/home business types -- not the kind of folks who have the expertise to set up the software correctly.
Calling Mr. Wizard
NetMAX should take a moment and define some standard templates: a wizard-style interface in which the user is asked a series of questions and rules are applied according to the answer. For example:
1. Do you want people to access the Internet through this machine?
If the user answers yes, NetMAX configures the firewall for IP Masquerading.
2. Do you run Windows-based machines?
If the user answers yes, NetMAX blocks all external traffic for ports 137, 138, and 139, the NetBIOS name, datagram and session services (UDP 137 and 138, TCP 139), to keep unwanted broadcasts and file-sharing probes off the Internet link.
3. Do you need Internet-based FTP access?
If the user answers yes to this and to question 1, the software loads the ftp-masquerade module.
4. Are there machines behind the firewall that you would like the Internet to access?
If the user answers yes, the software enables port forwarding to those machines with ipmasqadm.
I don't know if the other firewall products do this, but it would be very useful if the NetMAX products had that option.
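To make the wizard idea concrete, here is an added example of what such a question-to-rules step could look like on a 2.2-series kernel, which is what a Red Hat-derived firewall of that era would run. It is not NetMAX code and not any vendor's wizard: it is a dry-run generator that takes the four yes/no answers and prints the ipchains and ipmasqadm commands they imply, without applying anything, so it is safe to run anywhere. The interface name, LAN range, public address and forwarded host are assumptions declared at the top. It goes slightly beyond the text in two places a practitioner would insist on: the forward chain is set to default-deny first, and the NetBIOS block covers both TCP and UDP and the outbound direction as well, so name queries from the Windows boxes do not leak out either.

```sh
#!/bin/sh
# Added example (not NetMAX code). Dry-run "wizard": turns four yes/no
# answers into the ipchains/ipmasqadm commands a 2.2-kernel firewall needs.
# It only prints the commands; nothing is applied.
EXT_IF=eth0                 # assumed Internet-facing interface
LAN_NET=192.168.1.0/24      # assumed internal network
EXT_IP=203.0.113.10         # assumed public address (documentation range)
FWD_HOST=192.168.1.10       # assumed internal server to expose on TCP/80

# gen_rules <internet> <windows> <ftp> <inbound>   (each "yes" or "no")
#   Q1 internet: LAN clients reach the Internet through this box (masquerade)
#   Q2 windows:  Windows hosts present (block NetBIOS on the external link)
#   Q3 ftp:      FTP through the masquerade (needs the FTP helper module)
#   Q4 inbound:  expose an internal host (port forwarding via ipmasqadm)
gen_rules() {
    internet=$1; windows=$2; ftp=$3; inbound=$4

    # Default-deny on the forward chain before anything is opened.
    echo "ipchains -P forward DENY"

    # Forwarding is required for masquerading and for port forwarding.
    if [ "$internet" = yes ] || [ "$inbound" = yes ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi

    # Q1: masquerade everything leaving the LAN.
    if [ "$internet" = yes ]; then
        echo "ipchains -A forward -s $LAN_NET -j MASQ"
    fi

    # Q2: NetBIOS is 137/udp, 138/udp, 139/tcp; deny both protocols in
    # both directions on the external interface so nothing leaks out either.
    if [ "$windows" = yes ]; then
        for proto in tcp udp; do
            echo "ipchains -A input  -i $EXT_IF -p $proto -d 0/0 137:139 -j DENY"
            echo "ipchains -A output -i $EXT_IF -p $proto -d 0/0 137:139 -j DENY"
        done
    fi

    # Q3: active-mode FTP through a masquerade needs the connection helper,
    # and only makes sense when masquerading is on (Q1).
    if [ "$ftp" = yes ] && [ "$internet" = yes ]; then
        echo "modprobe ip_masq_ftp"
    fi

    # Q4: flush any old port-forward entries, then expose the internal host.
    if [ "$inbound" = yes ]; then
        echo "ipmasqadm portfw -f"
        echo "ipmasqadm portfw -a -P tcp -L $EXT_IP 80 -R $FWD_HOST 80"
    fi
}

# Number of commands a given answer set produces (useful for sanity checks).
rule_count() { gen_rules "$@" | wc -l | tr -d ' '; }

# Example run: every answer "yes". Pipe the output into sh to apply it on a
# real 2.2 box; review it first.
gen_rules yes yes yes yes
```

Printing the rules instead of executing them is deliberate: a wizard that writes a reviewable script is easier to audit than one that silently pokes the kernel, and the default-deny policy line is the one a small-office user would otherwise never add.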
I'd like to mention some useful-looking features that I was unable to test. NetMAX FireWall includes a traffic monitor that logs and graphically displays all traffic over the network. That kind of monitoring could be very useful -- not only for ISPs, but in almost any corporate setting. If the quarterly report is due in an hour, but bandwidth seems a little slow, pop up the bandwidth report and find out that Johnny is on Napster again.
The NetMAX package also has a DHCP (Dynamic Host Configuration Protocol) server and a proxy caching server. Those two services have saved me a lot of time and money in the past. DHCP is a great way to manage the networking configuration of your client machines. A proxy server is a great way to limit the amount of bandwidth that your Web-browsing users consume. The machine will cache pages of Websites that are visited often, such as Yahoo. The cache will then refresh based on the settings you configure within the software.
Aside from the quirky install, I can't complain about the software itself. It appears to work very well, and is easy to configure. As long as you have some experience with the technology, this product will make your life as a network administrator a lot easier.