Tux Untangled: A Gateway Distro That's Easy to Use

By Charlie Schluting | Jan 9, 2008

One of the best uses for Linux is the tightly managed distribution built for a single purpose, and Untangle has created one of the most impressive applications of this principle. The Untangle Gateway bundles together a list of applications that even seasoned sysadmins couldn't install and effectively manage in a timely manner. We've been playing with the Untangle Network Gateway for a few months, and we must say: "well done."

As its official name, The Open Source Network Gateway, indicates, the product is open source. As with most commercial open source offerings, you must buy the Professional Package to get some features, but surprisingly few. All of the core functionality is included in the OSS version; enterprise management goodies augment the product for the Professional Package offering.


The excellent list of bundled software (features) includes:

  • Web Filter and Phishing Blocker
  • Spam/Virus Blocking
  • OpenVPN
  • Firewall/Router
  • Reporting

The interesting thing about the Untangle Gateway is that it doesn't require anything but itself. Let's say you'd like to implement spam filtering. This generally involves installing and maintaining many applications on every mail server. The Untangle Gateway sits at your border and transparently scans incoming e-mail for spam, intervening as it's configured to. Most of Untangle's applications work this way, and since Untangle is routing all your traffic, it can pull off some neat tricks.

E-mail, for example, is scanned by SpamAssassin, which includes the use of real-time blacklists. Spam may be marked as such by modifying the subject line, and it can also be returned, dropped, or even quarantined based on specific thresholds. SpamAssassin itself is very powerful, but running it effectively requires specific technical knowledge. Untangle, ahem, untangles the mess people often find themselves in when configuring such software.

Web filtering, phish blocking, and virus scanning are all similar. ClamAV is used to detect viruses (via user downloads or e-mail) and phishing e-mails, while the Web filters rely on URL blocklists of known-evil sites. Again, Untangle is uniquely poised to protect more than just e-mail: it can be configured to scan all HTTP traffic for malicious downloads.

On the networking front, Untangle provides an excellent GUI configuration tool for iptables. You don't really know you're messing with firewall rules, as the configuration tool (in Basic mode) presents you with intuitive and easy-to-use settings. If you deem P2P bad for your company, you can simply tell Untangle to disallow it. Protocol Control, as it's called, uses L7-Filter Netfilters to classify network traffic; very effectively, we might add. Untangle also uses Snort for IPS with a nice configuration frontend.

Untangle is not just a well-done bundled Linux distro, however: there's plenty of proprietary technology in there. Most importantly, the DoS Attack Blocker. Untangle has created a system for classifying network traffic, and subsequently blocking evildoers. It can sanitize network traffic and filter well-known attacks, as well as keep track of who sent them. After a certain threshold is reached, an attacker is denied further access to the network. It doesn't really stop a DoS as advertised, since a UDP flood could saturate one's Internet link regardless of how fast Untangle discards packets, but that's just being nitpicky. One thing we'd really like to see is a more fully-integrated solution based around this reputation-based system. The network attack blocker would ideally take input from other components, especially the spam filters, and automatically deny access to anyone that repeatedly sends spam. The URL and spam blacklists just don't update as quickly as the gateway itself could react.
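To make the integration we're asking for concrete, here is a sketch of a shared reputation tracker that several gateway components report into. It is an added example, not Untangle's code (the attack blocker is proprietary); the class, the event weights, the threshold, and the time windows are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed weights per event kind; the article gives no numbers.
WEIGHTS = {"attack": 5, "virus": 4, "spam": 2}

class ReputationTracker:
    """One score per source IP, fed by every component on the gateway."""

    def __init__(self, threshold=10, window=600, block_for=3600):
        self.threshold = threshold        # score at which a source is denied
        self.window = window              # seconds an event keeps counting
        self.block_for = block_for        # seconds a block lasts
        self.events = defaultdict(deque)  # ip -> deque of (timestamp, weight)
        self.blocked_until = {}           # ip -> time the block expires

    def report(self, ip, kind, now):
        """Record one event from a component; return True if ip is blocked."""
        q = self.events[ip]
        q.append((now, WEIGHTS[kind]))
        # Age out old events so a source is judged on recent behaviour only.
        while q and q[0][0] <= now - self.window:
            q.popleft()
        if sum(weight for _, weight in q) >= self.threshold:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
        return self.is_blocked(ip, now)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

def replay(events, **settings):
    """Run (time, ip, kind) tuples through a tracker; list IPs blocked at the end."""
    tracker = ReputationTracker(**settings)
    for now, ip, kind in events:
        tracker.report(ip, kind, now)
    last = events[-1][0] if events else 0
    return sorted(ip for ip in tracker.blocked_until if tracker.is_blocked(ip, last))

# Constructed sample events using documentation addresses (RFC 5737).
SAMPLE = [
    (0, "192.0.2.10", "spam"), (30, "192.0.2.10", "spam"),
    (60, "198.51.100.7", "spam"), (90, "192.0.2.10", "attack"),
    (120, "192.0.2.10", "spam"),     # 2 + 2 + 5 + 2 = 11, reaches threshold
    (900, "198.51.100.7", "spam"),   # earlier spam has aged out, score is 2
]
```

In the sample, the first address is denied on combined spam and attack evidence, while the occasional spammer stays under the threshold.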


In a nutshell: best experience ever. The Untangle Gateway server gets installed in front of your Internet connection, and takes care of all your routing and firewalling needs. The instructions and install guide explain it very well: don't worry.

If you didn't know better, you'd possibly never even realize that the server was running Linux. A static splash screen is the only thing you see as your server boots. After being greeted with three dialogs, one to welcome you, one to click that you accept the GPL, and one to select which disk to use, the installer runs through a system requirements check. As seen in Figure 1, it displays any deficiencies but, thankfully, will continue installing even if your system fails to meet the requirements.

After a few stern warnings about your selected disk being fully erased, the install continues and runs to completion. After a reboot you're brought to the main menu where you can launch the client. When running the client, which can be accessed remotely too, you're completely enveloped in the Untangle software — you really aren't administering anything but the applications Untangle provides.

The Untangle Gateway is laid out as a virtual rack, giving you easy access to each feature you wish to administer. Figure 3 shows which applications we've installed and enabled, most of which required zero configuration. By providing sane defaults and applications that "just work", Untangle makes this amazingly simple, yet highly customizable. Take a look at the Java demo to click around and experience the configuration options yourself.

Now, we wouldn't be doing our job if we didn't point out the obvious. Yes, you need an extremely fast server if you're hoping to enable all of Untangle Gateway's features. Spam filtering alone is generally done on a dedicated server for medium to large businesses. We wouldn't want to see what happens when your do-everything server comes under a spam attack, while at the same time trying to scan user-downloaded content for viruses. That said, this product is really for small to medium-small businesses, and we feel it fills that role quite nicely. Heck, it's also a wonderful tool for the control-freak's home network.

Again, it's all about the bundled solution. You may be able to get the majority of this functionality with tons of work and your own Linux distribution, but why bother? The Untangle Gateway's additional features based on their own technology are enough to sway, but when you start configuring these complex applications with only the click of a few buttons, that's the icing on the cake. Throw in the fact that the Untangle Gateway takes great advantage of its unique network position, and we quickly realize that you cannot afford to hand-configure your own solution. You simply cannot do what Untangle does.