SmoothWall Corporate Server 3.0: an enterprise firewall for under $1,000 (continued)
Along the same lines, no matter how hard we tried, the SmoothHost add-on module wouldn't initially install. Turns out the "you have the wrong version/config" error message that showed up on the Web interface really means "you need to be connected to the Internet". Reading the PDF file will tell you that, but the screen itself (which is supposed to be easy to use) didn't. And, of course, we hadn't fully read the manual before we got started.
SmoothWall Corporate Server also includes the Linux Snort intrusion detection system. This is good. Snort is a solid solution. Unfortunately, using it to its fullest is rather complex, and while SmoothWall Corporate Server allows you to turn Snort modules on and off, it doesn't really tell you much more.
This became a snag when we tried to update the Snort protection files (sort of like updating your antivirus definitions). The Snort IDS asks for Snort update files, and if you dig hard in the docs, you'll find a link to a Snort Web page with the files.
In big letters, that Web page tells you that you must be very careful with which update you apply to which version of Snort, but SmoothWall doesn't tell you which version of Snort it's running. You could log into the Linux root account and dig around, but the whole purpose of the SmoothWall Corporate Server layer is to make it possible for you to manage it entirely from the Web interface.
Updates for SmoothWall Corporate Server itself need to be downloaded, but the firewall doesn't pull them straight off the SmoothWall servers. Instead, the files need to be downloaded, using the SmoothWall Web interface, to a local hard drive folder and then, again using the SmoothWall Web interface, uploaded to the firewall. This extra process wasn't problematic, but since we were already about 20 hours into the configuration process, it was annoying.
Finally, we had no end of problems figuring out which NIC (network interface card) was which. As I mentioned earlier, we shoved three identical $30 NETGEAR 10/100 NICs into the machine. One would be the red interface (talking to the network), one would be the green interface (talking to the internal clients), and one would be the orange interface (talking to the server farm).
Unfortunately, there's no way to easily tell which NIC is red, green, or orange, and the external interfaces don't respond to pings. When we whined to SmoothWall, they told us to configure one card at a time, but when we did, adding the next card to the configuration moved the network to a different card.
We finally figured out which network was which, but with an unconfigured firewall, that process of elimination lost us another three hours.
Documentation was extensive, if you're a Linux guy. But if you're not, the documentation was too limited, specifically about what should go in the DMZ and what should go on the network, and whether the DMZ needs to be on its own address space, or whether it can use the external address space.
It turned out that setting up our internal DNS servers was also a bitch. We wound up having to go through every record on the Windows 2000 DNS, changing the external IP address to the new NAT (network address translation) address. None of that was documented.
The Power Magazine for Microsoft Outlook and Exchange Users at OutlookPower.com
Copyright © 1998-2008, ZATZ Publishing. All rights reserved worldwide. Outlook is a trademark of Microsoft Corporation.