The e-smith server and gateway
That's a question I've asked on a number of occasions when offering to set up an inexpensive Internet gateway, mail server and firewall solution. Sometimes, the server also serves up web pages. Linux is nothing if not flexible. Aside from being an entirely feasible approach, the final product based on this question never failed to impress the companies for whom I created such a system.
Of course, somewhere in there, I had to install the system, configure sendmail, diald, firewall rules, configure the hardware, the network, the web server, the ... well, you get the idea. When I heard about e-smith, it sounded like a dream come true. A server of this type was one trouble-free installation away. No messy configurations and a simple point-and-click interface for administration. What could be better?
The e-smith server and gateway came to me with a CD-ROM, boot diskette and a spiral-bound manual. The manual is clear and opens flat (which is nice), and the latest version is always available from the e-smith web site. It's not a lot of information, but it covers all the basics of installing and running an e-smith gateway.
I love documentation, even if I don't always use it. So I decided to go straight to my tests and skip what the manual had to offer. After all, if it was that easy, why not jump right in?
In the course of this review, I did two tests, one on a notebook computer with a PCMCIA Ethernet card and modem, and the second on a desktop server with one card and an external 56K modem.
My first test system did not allow me to boot directly from the CD, so I worked from the diskette instead. After a few seconds, the welcome screen came up, complete with a message saying "this installer program will convert this computer into a fully functional e-smith server and gateway. It will then be ready to run 24 hours a day as a network server, and will no longer be available to run other applications."
Hmm ... that's all right I guess. After all, we're setting up a server and not a workstation.
Another warning says to make sure that your hardware configuration is supported by e-smith. The list of supported hardware is in the manual I wasn't reading and also on the web site. I decided to push ahead. When you are ready, type accept at the boot prompt and proceed with the installation.
Next, we get to the "Installation Type" where you can select a single hard disk configuration (or hardware RAID-1 mirroring), or a dual hard disk configuration with software RAID-1 mirroring. Your third option is to upgrade an existing gateway. I chose the first option, tabbed over to the okay prompt and pressed Enter.
This is the first time I got into trouble. Seconds into the install, a message came up that said "An error occurred reading the partition table for the block device hda." I thought that perhaps it was now time to check out those hardware requirements they talked about earlier. I visited the web site and, yes, it seems I have a valid hardware configuration (Pentium 150 with 1.4 Gigs of disk space and 64 Megs of RAM). Looks fine.
A little sleuthing pointed to a problem with my partition table, just as the message had said. I use this notebook to test lots of different things and, somehow, my previous installation of Slackware may have suffered some weirdness, leaving the partition table in a questionable state. One boot into single-user mode and an fdisk later, and I was back on track.
Another reboot, another acceptance of terms and one final warning. The message informed me that this "will" erase your whole hard disk. It literally says "This is your LAST WARNING." No problem, I am ready. I typed proceed as instructed and my installation was under way.
Disks spin, the CD whirs (or makes some kind of swishing noises), and a Red Hat-like text-based installation flashes across my screen. There is no surprise here. After all, e-smith is based on Red Hat's distribution.
With the installation completed and the system rebooted, I came to my first configuration screen. It was time to choose a password. Then, we started network configuration with domain and host name setup. Unfortunately, this is where it got a tad more complicated; e-smith failed to locate my Ethernet cards. I would have to configure them manually. I can always get to root, after all. Strange. The web site says the e-smith gateway pretty much supports the standard Red Hat set of drivers, and I had run Red Hat on this notebook. I pushed on.
There are two different modes of operation for e-smith: Server and gateway (provides local services and access to the internet) and Server only (provides only local services). I chose the first option, which is also the default. The next step is to choose the access mode. In other words, how will you connect to the Internet? Since my internet connection was doing fine on its DSL connection, I decided to choose the second option, a dial-up configuration, as opposed to the dedicated option. This brought me to a screen asking for my modem's serial port. I seemed to recall that it was on ttyS2 (from previous installations), but I wasn't sure. Personally, I think it would be nice if the installation process did a little auto-checking for you. Querying the serial ports is easy, and it would save the user a great deal of effort.
Next, I was asked to enter the phone number of my ISP, including the user name and password for the account.
This is followed by a selection of connect policies. Simply put, how long do you want the connection to stay up once you have it configured? Long connect times minimize dialing delays. Unfortunately, there is no indication on this screen of what constitutes long. By the way, you get to decide these settings for different times: during business hours (defined as 8:00 AM to 6:00 PM) and after business hours. There is also a weekend policy. I took the defaults (assuming I could change it later) and moved on.
One of the things I thought was pretty cool is e-smith's offer to allow you to set up a subscription to a dynamic DNS service (like yi.org or dyndns.org and others). I kept mine set to "off".
The next setting is a DHCP setup; should the e-smith gateway provide DHCP services? Personally, I find that in small, static organizations (the same people are always at the same desks), DHCP is more of a pain than not. I opted to override the default of "on" and turned those services off.
Since I was not running a dynamic DNS, I then entered my DNS address. Since I had no proxy server outside my local network, I accepted the default of "no".
I found the next option a bit uncomfortable. e-smith maintains statistics on how long their gateways have been in continuous operation. If you choose to accept this option, your gateway will send a message to e-smith once per day, specifying your IP address and your uptime and that, we are told, is all. Nevertheless, I don't even like the idea of anybody monitoring my system unless they have a darn good reason. Call me paranoid but I chose "No", which (to e-smith's credit) is the default.
Another thing I found unsettling was the option to have the e-smith gateway permanently logged in, automatically at every boot. This is the default. I don't know about you, but if something is my gateway or firewall, I want it sitting at a login prompt. I chose to override the default of "auto" and, instead, stare at a nice login prompt when the system boots. Take note, however, that the administrator login is not "root", but "admin". You can log in as root, but you do not get the administration menu.
The next screen allows you to choose IDE disk optimization. For the curious, this is the hdparm command talking here. The default is to keep this disabled, recommended for older systems. You are warned that while this may improve performance, there is a risk. If you are concerned, accept the default.
Finally, e-smith asks for your e-mail address. When you run the "Test Internet access" function, your e-mail address will be sent to e-smith. Again, I don't know how I feel about this. Actually, I do. Apparently, e-smith suspects that they know as well. If you enter nothing here and simply hit Enter, no information will be sent. Guess what I did?
All this information now gets written up in various configuration files and at some point we are ready to go.
I tried to use the gateway but to no avail. As it turns out, PCMCIA devices are not supported (at least as part of the installation), something that I failed to notice in the documentation. I could load the PCMCIA package and try to configure it manually. Instead, I decided the best approach would be to do this again with the type of hardware it was intended to support. So, I called a friend at a company I work with on a regular basis and asked if he had a spare server. He did (thanks, Frank).
This time, my test system was a SCSI desktop system with an external modem. The boot was automatic and did not require the diskette. The installation was going very smoothly until I got to the Ethernet card selection. Once again, my card, a Linksys LNE100TX, was not selected although it used a standard Red Hat tulip driver. No problem, I decided that I would not let that slow me down. After all, I could manually add the card later. I finished the configuration and rebooted. In my second experience, I was rather pleased with how well things had worked and how fast.
Here's a quick tip. If you want to get to the command line, log in as "root" and not "admin". After editing my /etc/modules.conf file to load the tulip driver, I discovered the supplied driver is out of date for the card I had purchased. An internet connection would be nice at this point and, as it turned out, I realized that my e-smith gateway was working just fine with the dial-up connection. No trouble there. In fact, it was downright slick. I used the lynx browser to access the Linksys web site in order to get the latest driver.
The excitement was building. I was almost there. I unpacked the source, ran the install script and discovered that I had no C compiler. Tech support informed me that they do not install the compiler for security reasons, and I could accept that, but it wasn't even on the disk. Finally I gave up, found an old ISA card, plugged it in and was able to get the gateway up and running perfectly with one last boot.
In some ways, having problems while doing a review is not such a bad thing. You get to call tech support which gives you a feel for how quickly your questions and concerns will be answered. I am happy to report that not only did I not have to wait in a queue, but the person I spoke with was knowledgeable, helpful and open to the suggestions I made regarding the whole installation process. Consequently, by the time you read this, the problems I experienced may well have been solved.
I've spent a lot of time talking about the installation because I wanted to convey the type of thing that can throw off a turnkey installation like e-smith. Now that the system was up and running, it was time to experience it from the customer's point of view.
As I mentioned, the modem dialer (which uses diald) worked flawlessly. I had some nice tests planned out for this phase of the operation, with my notebook already configured to take advantage of my e-smith gateway. The default installation makes access to the Internet easy with all the appropriate IP masquerading rules already in effect.
Security is a serious issue with e-smith and perhaps its greatest strength. The server does not boot up with a dozen services running and a dozen potential places for a cracker to get in. Even SSH isn't activated by default. This is a very secure system that nonetheless provides a number of services for its internal users. One of the many things that e-smith's browser-based administration interface does is allow you to modify (see Figure 1). This interface is one of e-smith's strengths. With it, a non-technical administrator can oversee an installation and attend to their users' needs.
Through the web interface, you can also set up e-mail using either individual accounts or a multidrop system using fetchmail. Easy to configure, it worked flawlessly on my test (see Figure 2). If you want to create and deploy your own web site, there's a menu option for that as well. e-smith's dialog will take you through the configuration for a "starter" web (Figure 3). For performance, e-smith even comes with a Squid proxy pre-installed and ready to go.
Did I mention secure services? Besides SSH for secure remote access, e-smith includes a secure Apache web server and secure web-based e-mail as well. Sticking with e-mail for a moment, e-smith also provides a network directory with LDAP.
To round out this package, e-smith provides workgroup and intranet tools with "i-bays", information sharing sites, document repositories, file services that can be configured for local, remote, shared or private access (see Figure 4). Once again, easy to set up and use. When you configure a user through the interface, each one magically gets their own file services area. I won't spoil your adventure of discovery, but I will tell you that these "i-bays" also provide ready access to the web site, making it easy to do web design with your favorite HTML editor.
The one qualm I have about the web interface is a minor one. The bright orange "e-smith" banner on each page takes up an awful lot of real estate on the screen. It could be trimmed without affecting the functionality.
e-smith is available directly from the company for $595 US and includes a one year support subscription. This includes the packaged software along with documentation, unlimited technical support and regular updates (security updates, patches, etc) which come out a few times during the course of the year and arrive on CD-ROM.
The price is somewhat flexible depending on the type of organization and the reseller. Different dealers will offer additional or included services, and the price may vary. Check with e-smith and ask them to put you in touch with a local reseller.
You can also download a copy from e-smith's web site, but at that point you are on your own.
All in all, e-smith is an excellent idea. It provides a neat, packaged solution with a strong emphasis on security that is quite admirable if not downright laudable. The web interface means you can then turn the finished product over to your customers so they can handle their own administration once the installation is complete. Finally, the update service means you can let someone else keep an eye on security fixes and updates.
In particular, I believe that this is an excellent product for resellers or systems integrators. It provides them with an easy-to-deploy and easy-to-administer solution. My experience with the installation process confirmed that for me. Would I recommend this for the home user? Probably not. Would I recommend it for small- and medium-sized businesses that need an internet server and firewall? Absolutely.
Boston: e-smith, inc., 1050 Winter Street, Suite 1000, Waltham, MA 02451
Ottawa: e-smith, inc., 150 Metcalfe Street, Suite 1500, Ottawa, ON, Canada K2P 1P1
Marcel Gagné lives in Mississauga, Ontario. In real life, he is president of Salmar Consulting Inc, a systems integration and network consulting firm. He is also a pilot, writes science fiction and fantasy, and is co-editor of TransVersions, a science fiction, fantasy, and horror anthology. He loves Linux and all flavors of UNIX and will even admit it in public. He is the author of Linux System Administration: A User's Guide, available this fall from Addison Wesley. He can be reached via e-mail at [email protected]. You can discover lots of other things (including great Wine links) from his web site.