<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Erik&#039;s Weblog &#187; Netadmin</title>
	<atom:link href="http://erik.labianca.org/blog/category/computing/netadmin/feed/" rel="self" type="application/rss+xml" />
	<link>http://erik.labianca.org/blog</link>
	<description>A blog. About stuff.</description>
	<lastBuildDate>Tue, 28 Dec 2010 23:05:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>WatchGuard Core x750e first impressions</title>
		<link>http://erik.labianca.org/blog/2006/12/watchguard-core-x750e-first-impressions/</link>
		<comments>http://erik.labianca.org/blog/2006/12/watchguard-core-x750e-first-impressions/#comments</comments>
		<pubDate>Sat, 09 Dec 2006 03:41:59 +0000</pubDate>
		<dc:creator>erik</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Netadmin]]></category>

		<guid isPermaLink="false">http://blogs.ilsw.com/erik/2006/12/08/watchguard-core-x750e-first-impressions/</guid>
		<description><![CDATA[So I finally got my WatchGuard eval unit. 2 months after I would have liked, but c&#8217;est la vie, I guess they had some employee turnover over there and my box got lost in the shuffle. Upon opening the box, &#8230; <a href="http://erik.labianca.org/blog/2006/12/watchguard-core-x750e-first-impressions/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
<content:encoded><![CDATA[<p>So I finally got my WatchGuard eval unit. Two months after I would have liked, but c&#8217;est la vie, I guess they had some employee turnover over there and my box got lost in the shuffle. Upon opening the box, everything looks very nice, and yes, it&#8217;s all red, and very cute looking. Turning it on, however, the LCD screen just says &#8216;Booting OS &#8230;&#8217; and never makes it farther&#8230; Not a great sign.</p>
<p>There is, however, a yellow sticker on top that says I have to install Fireware Appliance Software on the device, and that I must hold down the up arrow on the front while turning it on. This I can do. So I do. And the box just says &#8216;Booting OS &#8230;&#8217; and never makes it further. So it&#8217;s time to get all sorts of ninja-hacker-style on its ass.</p>
<p>I plug in the included serial console cable, install <a href="http://putty.dwalin.ru/">tutty</a> on my newly Vistafied workstation and fiddle around until I determine that the WatchGuard is using 115200,n,8,1. This is what I see:</p>
<pre>
<code>
Press any key to continue.
</code>
</pre>
<p>So, good little monkey that I am, I smash the spacebar a few times, and get this:</p>
<pre>
<code>
 +-------------------------------------------------------------------------+
 | Red Hat Linux (2.4.26-wgrd)                                             |
 |                                                                         |
 |                                                                         |
 |                                                                         |
 |                                                                         |
 |                                                                         |
 |                                                                         |
 |                                                                         |
 |                                                                         |
 |                                                                         |
 |                                                                         |
 |                                                                         |
 +-------------------------------------------------------------------------+
      Use the ^ and v keys to select which entry is highlighted.
      Press enter to boot the selected OS, 'e' to edit the
      commands before booting, 'a' to modify the kernel arguments
      before booting, or 'c' for a command-line.

    GRUB  version 0.93  (638K lower / 515072K upper memory)

 [ Minimal BASH-like line editing is supported.  For the first word, TAB
   lists possible command completions.  Anywhere else TAB lists the possible
</code>
</pre>
<p>OK, so they're running a Red Hat variant. Well, I knew this was a Linux-based product, and I know Red Hat, so in general this is good news. 15 seconds later, GRUB times out and I see this:</p>
<pre>
<code>
  Booting 'Red Hat Linux (2.4.26-wgrd)'

root (hd0,2)
 Filesystem type is ext2fs, partition type 0x83
kernel /boot/bzImage ro root=/dev/hda3 console=ttyS0,115200 ramdisk_size=256000
 ide=nodma

Error 15: File not found

Press any key to continue...
</code></pre>
<p>Uh, OK. So this isn't such great news. Getting really fancy and setting the boot loader to boot (hd0,0)/bzImage gives me this:</p>
<pre>
<code>
root (hd0,2)
 Filesystem type is ext2fs, partition type 0x83
kernel (hd0,0)/bzImage ro root=/dev/hda3 console=ttyS0,115200 ramdisk_size=256000 ide=nodma
   [Linux-bzImage, setup=0xc00, size=0xbaa40]
Linux version 2.4.26-wgrd (root@X3-130) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Thu Nov 10 07:46:53 PST 2005
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
 BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
 BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
 BIOS-e820: 0000000000100000 - 000000001f800000 (usable)
 BIOS-e820: 00000000e0000000 - 00000000f0000000 (reserved)
 BIOS-e820: 00000000fec00000 - 00000000fec01000 (reserved)
 BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
 BIOS-e820: 00000000ffb00000 - 0000000100000000 (reserved)
0MB HIGHMEM available.
504MB LOWMEM available.
On node 0 totalpages: 129024
zone(0): 4096 pages.
zone(1): 124928 pages.
zone(2): 0 pages.
DMI not present.
Kernel command line: ro root=/dev/hda3 console=ttyS0,115200 ramdisk_size=256000 ide=nodma
ide_setup: ide=nodma : Prevented DMA
Initializing CPU#0
Detected 1300.054 MHz processor.
Calibrating delay loop... 2595.22 BogoMIPS
Memory: 507732k/516096k available (1105k kernel code, 7976k reserved, 240k data, 260k init, 0k highmem)
Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
Inode cache hash table entries: 32768 (order: 6, 262144 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 32768 (order: 5, 131072 bytes)
Page-cache hash table entries: 131072 (order: 7, 524288 bytes)
CPU: L1 I cache: 32K, L1 D cache: 32K
CPU: L2 cache: 512K
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#0.
CPU: Intel(R) Celeron(R) M processor         1300MHz stepping 05
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
mtrr: v1.40 (20010327) Richard Gooch (rgooch@atnf.csiro.au)
mtrr: detected mtrr type: Intel
PCI: PCI BIOS revision 3.00 entry at 0xf9f70, last bus=5
PCI: Using configuration type 1
PCI: Probing PCI hardware
PCI: Probing PCI hardware (bus 00)
PCI: Ignoring BAR0-3 of IDE controller 00:1f.1
Transparent bridge - Intel Corp. 82801BAM/CAM PCI Bridge
PCI: Using IRQ router PIIX/ICH [8086/2641] at 00:1f.0
PCI: Found IRQ 11 for device 00:1c.0
PCI: Sharing IRQ 11 with 00:02.0
PCI: Sharing IRQ 11 with 00:1d.3
PCI: Sharing IRQ 11 with 01:00.0
PCI: Sharing IRQ 11 with 05:00.0
PCI: Found IRQ 12 for device 00:1c.1
PCI: Sharing IRQ 12 with 02:00.0
PCI: Sharing IRQ 12 with 05:01.0
PCI: Found IRQ 5 for device 00:1c.2
PCI: Sharing IRQ 5 with 00:1d.2
PCI: Sharing IRQ 5 with 00:1f.1
PCI: Sharing IRQ 5 with 03:00.0
PCI: Sharing IRQ 5 with 05:02.0
PCI: Found IRQ 10 for device 00:1c.3
PCI: Sharing IRQ 10 with 00:1d.1
PCI: Sharing IRQ 10 with 00:1f.3
PCI: Sharing IRQ 10 with 04:00.0
PCI: Sharing IRQ 10 with 05:03.0
isapnp: Scanning for PnP cards...
isapnp: No Plug &#038; Play device found
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
VFS: Disk quotas vdquot_6.5.1
Journalled Block Device driver loaded
pty: 2048 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI ISAPNP enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
Real Time Clock Driver v1.10f
RAMDISK driver initialized: 16 RAM disks of 256000K size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ICH6: IDE controller at PCI slot 00:1f.1
PCI: Found IRQ 5 for device 00:1f.1
PCI: Sharing IRQ 5 with 00:1c.2
PCI: Sharing IRQ 5 with 00:1d.2
PCI: Sharing IRQ 5 with 03:00.0
PCI: Sharing IRQ 5 with 05:02.0
ICH6: chipset revision 4
ICH6: not 100% native mode: will probe irqs later
    ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:pio, hdb:pio
hda: SanDisk SDCFJ-128, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: attached ide-disk driver.
hda: task_no_data_intr: status=0x51 { DriveReady SeekComplete Error }
hda: task_no_data_intr: error=0x04 { DriveStatusError }
hda: 250880 sectors (128 MB) w/1KiB Cache, CHS=980/8/32
Partition check:
 hda: hda1 hda2 hda3 hda4 &lt; hda5 hda6 hda7 hda8 &gt;
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 4096 buckets, 32Kbytes
TCP: Hash tables configured (established 32768 bind 65536)
Linux IP multicast router 0.06 plus PIM-SM
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 260k freed
Warning: unable to open an initial console.
Kernel panic: No init found.  Try passing init= option to kernel.
</code>
</pre>
<p>Pretty standard Linux boot spam, but it looks like perhaps we've got a bad CF disk, given the seek errors. The real kicker is that punching the serial number from the back of the box into the 'activate online' page of the WatchGuard website is utterly unsuccessful as well.</p>
<p>In its defense, the red box is at least as good looking as I imagined it, and it IS exactly the solid-state Linux 1U rackmount with a lot of Ethernet interfaces I've been looking for. Unfortunately, $3000 plus service contracts is an awful lot of money for a cute box with software that doesn't work!</p>
<p><strong>Update 2006-12-10</strong></p>
<p>I spent too much of my weekend poking around with this and posting on the <a href="http://forum.watchguard.com">WatchGuard forum</a>, but I'm pretty convinced that this machine is just DOA. I can't get link lights on any of the Ethernet interfaces (sort of a show stopper for a firewall), and in addition the compact flash card doesn't seem to be loaded with the rescue image, let alone a full firewall OS. I was at least able to get onto the LiveSecurity website; it turns out I'd transposed two digits of the serial number while reading it leaning over the firewall, and caught it when I recopied it from the box.</p>
<p>Being able to get on the website means I was able to get the software, and found out that it requires an Explorer extension to complete the installer, which means it won't finish installing on XP64 or Vista64. None of it seemed to want to run on Vista either, but putting it into compatibility mode seems to bring it to the same point as XP, meaning it won't finish installing because I can't activate the toolbar in a way it can find it, since it installs into 32-bit Explorer. The good news is that the important parts of the install do seem to have completed; at least all the files are on the disk. I was able to try to use fbxinstall to reinstall my CF image, but apparently that doesn't work on the e-series boxes, so I don't know if it failed due to bum hardware or not. Maybe it's just me, but making your installer dependent on activating a shell extension, for a firewall product of all things, seems like some dumb decision making.</p>
<p>I've opened a support ticket and started some dialog, but I'm not holding a lot of hope that I'll actually get a replacement unit in here in time to have it usable over the holidays. The responses I've gotten to my post on the forums indicate that the general user base of these boxes, 'experts' included, doesn't really have a clue what the underpinnings of the system look like, which I guess is for the most part a good thing. It does, however, tend to reduce the usefulness of their responses to my questions. DOA units also seem to be outside the radar of the average forum denizen, so I'm hoping my box is an isolated case. It does start making HA failover look pretty nice though.</p>
<p><strong>Update 2006-12-11</strong></p>
<p>I got a call from a 'fixer' at WatchGuard who has arranged for me to get a new unit overnighted. He concurs with my assessment that the unit is very much DOA. Kudos to my sales guy and WatchGuard for stepping up on this one; I'm awaiting a functional unit with bated breath!</p>
]]></content:encoded>
			<wfw:commentRss>http://erik.labianca.org/blog/2006/12/watchguard-core-x750e-first-impressions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Appliance Roundup Part 1</title>
		<link>http://erik.labianca.org/blog/2006/10/security-appliance-roundup-1/</link>
		<comments>http://erik.labianca.org/blog/2006/10/security-appliance-roundup-1/#comments</comments>
		<pubDate>Tue, 10 Oct 2006 15:55:06 +0000</pubDate>
		<dc:creator>erik</dc:creator>
				<category><![CDATA[Netadmin]]></category>

		<guid isPermaLink="false">http://b.www.ilsw.com/blogs/erik/2006/10/10/security-appliance-roundup/</guid>
<description><![CDATA[So I want to simplify and strengthen our network security at the office. Currently we&#8217;re using a mishmash of Cisco IOS IPsec, PPTP, CBAC/NAT and Linux iptables host-based firewalls. I&#8217;d like to centralize everything, and add a more reliable &#8230; <a href="http://erik.labianca.org/blog/2006/10/security-appliance-roundup-1/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>So I want to simplify and strengthen our network security at the office. Currently we&#8217;re using a mishmash of Cisco IOS IPsec, PPTP, CBAC/NAT and Linux iptables host-based firewalls. I&#8217;d like to centralize everything, and add a more reliable VPDN solution to the mix. In addition, I&#8217;d like better logging and traffic shaping control.</p>
<p><strong><a href="http://www.cisco.com">Cisco 2600 with IOS 12 advanced firewall</a></strong></p>
<p>I&#8217;ve been running this for the last couple of years, on 2600 class hardware. In general, it&#8217;s a very complete solution, but configuring it can be extremely trying. I can&#8217;t even remember the number of times I&#8217;ve been stumped by some issue that &#8216;should be working&#8217;, only to find out a month or two later that the problem was the software revision I was using. Cisco is very difficult to work with with respect to getting firmware updates for their software, and I typically don&#8217;t have good luck finding out what other version I&#8217;d need, anyway. The Cisco IPsec VPN implementation seems to be solid, as are their routing abilities. The CBAC packet inspection system is where the Cisco starts to weaken as a firewall platform, however. Even just inspecting standard TCP traffic can easily put the 2600 under enough load that I can&#8217;t really afford to run it between my internal network and DMZ.</p>
<p>Cisco&#8217;s single-file configuration, plethora of hardware interfaces, utterly complete routing support and general hardware reliability are second to none, however. If it were easier to get a bunch of Ethernet interfaces tied into a 2600, and it was in general easier to get ahold of firmware updates and modules for the hardware, I&#8217;d be hard-pressed to want to change.</p>
<p>We&#8217;ve also been using Cisco hardware for our VPN endpoints. At this point they consist of a SOHO 91 and a pair of 857Ws. In general, these are very capable endpoint routers, and obviously their IPsec VPN connectivity to the 2600 is second to none. However, they lack support for any sort of split-horizon DNS, so using DNS at the client sites is trying at best. In addition, I&#8217;ve not gotten so far as to even attempt to control access to the VPN at the remote ends, so I&#8217;m stuck trusting that anybody managing to connect to one of the remote endpoint networks (wired, wireless, or otherwise) is trustworthy. I believe I ought to be able to apply CBAC or packet filter rules to traffic arriving from the VPN, but the complexity of figuring out how to apply them in the face of Cisco&#8217;s IP stack traversal order has prevented it.</p>
<p>In addition, the IOS NAT implementation doesn&#8217;t seem to be able to do any sort of hairpinning, which is pretty frustrating since our mail server is SNATted through the router. This means I can&#8217;t send SMTP traffic from any of the VPN endpoints currently.</p>
<p><strong><a href="http://m0n0.ch">M0n0Wall</a></strong></p>
<p>This is another very nicely integrated FreeBSD-based, web-managed firewall implementation. It is designed to run on embedded hardware such as Soekris or WRAP single board computers. It supports IPsec tunnels and split-horizon DNS using dnsmasq, but again is targeted fairly directly at the SOHO market, with no support for VPDN or static routing. I used it for several months running on my Soekris three-Ethernet box and had no problems with the functionality it provided.</p>
<p><strong><a href="http://leaf.sourceforge.net">LEAF</a></strong></p>
<p>This is an interesting amalgam of Linux software packages for embedded hardware. Unfortunately, the price to be paid for the flexibility of a full Linux system is complexity. You&#8217;ll have to edit the files in the /etc folder on a ramdisk, and figure out which package they are a part of in order to get them &#8216;backed up&#8217; to compact flash so they will be available post reboot. The firewall portion of LEAF is typically handled with Shorewall.</p>
<p><strong><a href="http://www.shorewall.net/">Shoreline Firewall</a></strong></p>
<p>This is basically an iptables configuration script. It uses a series of files (typically placed in /etc/shorewall) defining things like interfaces, rules, and policies, and turns it all into a complete set of iptables rules. It seems to be able to configure just about any aspect of iptables you might want to, but the downside is that it generates copious amounts of rules, which makes reading the iptables -L output the old-fashioned way pretty tough. The other downside is obviously that you have to edit the files, and do it correctly, or you risk blowing up all kinds of stuff.</p>
<p><strong><a href="http://www.proxmox.com">Proxmox Firewall</a></strong></p>
<p>This appears to be another Shorewall-based firewall solution. I did manage to download and install it, but in its install process it appears to have assigned itself an IP address using DHCP and then started using it statically, and I have no idea what it is or how to get it back. Oh well.</p>
<p><strong><a href="http://www.gibraltar.at/">Gibraltar</a></strong></p>
<p>Based on Debian. Looks to be utterly feature complete (including multiple DMVPN options, heartbeat failover support, lots of proxies, etc.), and it still knows how to back itself up / restore easily. Runs off read-only media, and according to their site they have some VERY nice hardware solutions for a reasonable price. What I don&#8217;t like is that the UI is anything but user friendly. It&#8217;s basically just a series of web forms to cover up the standard Debian configuration files. When I tried to save the configuration to my VMware hard drive, it wouldn&#8217;t work, either, so at this point I&#8217;m gonna have to backburner this option.</p>
<p><strong><a href="http://www.smoothwall.org">Smoothwall (GPL)</a></strong></p>
<p>This is a very nicely integrated firewall package. It has explicit DSL modem support, and a fairly strong community and selection of add-on packages. However, it is clearly aimed at the SOHO market. It doesn&#8217;t support multiple DMZs, nor any static routing. The web interface appears to be very nice, but you really have to be sure your needs will fit directly within their model.</p>
<p><strong><a href="http://www.ipcop.org">IPCop</a></strong></p>
<p>This is the &#8216;more open source&#8217; fork of Smoothwall. It adds support for the Snort IDS, complete with automatic rule updates, a &#8216;blue&#8217; DMZ interface (for wireless networks, I think), and in general is another very nice package. But again it only supports IPsec VPN (although it will handle dynamic VPN terminals using DynDNS). It also doesn&#8217;t support any static routing that I can find.</p>
<p><strong><a href="http://www.smoothwall.net">Smoothwall Advanced Firewall</a></strong></p>
<p>This is the commercial version of Smoothwall. They&#8217;ve been in the business for a long time, and feature-wise this looks like an extremely compelling option. They provided me with a free evaluation license, so I downloaded it and spent a few hours checking it out while running in a VPC. In general it has a quite nice web configuration interface, but again it really isn&#8217;t designed for a more complicated network. In particular, it doesn&#8217;t appear to have any mechanism to support static routing or layer 2 filtering, making it difficult for me to use my class C block of IP addresses effectively.</p>
]]></content:encoded>
			<wfw:commentRss>http://erik.labianca.org/blog/2006/10/security-appliance-roundup-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

