Rob K wrote:
>
> I just did an nmap of my test server,
Are you running this in server-only mode? If so, all packet filtering is disabled, as
server-only mode is designed for use on an internal network, behind a firewall.
If you are using server-gateway mode, please read on.

> and found a lot of open ports - for my application, this isn't practical.
We enable external access to all configured services. The e-smith server
and gateway is designed to provide gateway features plus external HTTP
and SMTP.
So, if you have http, smtp, ssh enabled, then the ports for those will be
available on the external interface.
> All I want to see from the external interface is ssh - I'd
> like ipchains to drop anything else,
You will need to disable all of the other services from the public interface.
> pmfirewall style.
Actually, this is normal firewall practice. We used some of the pmfirewall rules
as initial thoughts, but changed them to be service based so that ports are
opened and closed as services are enabled/disabled via the user interface.
> Is there an obvious bit of documentation I haven't read?
You can turn off many of the services, or make them accessible only on the local
network, via the web manager.
You cannot currently disable HTTP or SMTP via the web manager. You will
need to disable these in the configuration database (/home/e-smith/configuration).
We strongly suggest leaving the qmail.init service running, even if you disable
smtpfwdd. This will allow mail to be sent by administrative processes, but will
disable the smtp listener.
Gordon