Hello All,
I have been using SME since 5.0 and just love this product. I wish to make an SME a firewall-only device using PAM and DansGuardian and possibly an Antivirus Gateway to the Internet. I have most of the project worked out as shown below but am looking for feedback. I want the users to have a transparent proxy (no proxy setting in the browser), but at the same time authenticate to PAM. Currently, if I set their browser to use a proxy, PAM works 100% and DansGuardian functions properly as well, but if their settings are to use no proxy, they bypass the PAM authentication and get out (NO GOOD). In the past on Smoothwall and IPCop, I added iptables entries so that anyone leaving the internal network to port 80 was redirected to port 8080 with the following command (iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080), but I am having trouble on where to place it on 5.6U4. Another project offshoot is a VPN gateway for wireless users over IPSEC or PPTP. (I got that to work with M$ 2000 but wish to use Mitel 5.6 because the SME Server doesn't crash.) Below is a cut and paste from an earlier forum question.
I am currently working on a project with a 5.6 update 4 server as a 'firewall only' server and will be posting my findings soon because I need some help 'stripping' the server of unneeded features. It goes something like this:
1. 400MHz PC, 8GB IDE, 2 NIC cards (I have a cable modem).
2. Install 5.6 as gateway/private server and update to latest U4.
3. Install RPMs: IPSEC VPN, Service control, port opening, port forwarding, Review DHCP, System Monitor Disk utilization, update system, DansGuardian 2.6.0 and PAM (I will elaborate further in a later post). With the 'Services Module', I turn off unneeded services, leaving on DHCP, Transparent Proxy, Web Server and Web Proxy.
4. Install DG 2.6 along with Blacklists.
5. Install PAM (Pluggable Authentication Modules).
I just began working on this 'project', but my findings are as follows:
1. PAM and transparent proxy are not possible, so you need to set each browser to point to the proxy server at port 8080.
2. Users can bypass PAM if they know squid sits at port 3128. (I know iptables can help me here!!)
To use PAM and DansGuardian together goes something like this:
1. Add 5 users (A, B, C, D and E) to the firewall server.
2. Add users A and B to DansGuardian's exceptionuserlist. Users A and B will still need to authenticate to PAM with their username/password that is on the firewall, but will not be restricted from any websites (unfiltered). Users C, D and E will also need to authenticate to PAM, but will be filtered with DansGuardian, which will block them from porn sites and so on.
If a user is NOT on the firewall server, then NO Internet access at ALL. The usernames and passwords do not need to be the same as your internal servers' usernames/passwords.
I need help to remove unneeded hyperlinks in the server-manager panel and tighten up this FW. I will be running vulnerability/port scans against the external interface using Nessus, ISS and GFI's system scanner.
If anyone wishes to help with this project please butt in.
TIA,
Bill
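Putting the redirect rule from the post beside a fix for the port 3128 bypass, as an added example that is not from the post or from SME Server; eth1, 8080 and 3128 are the values Bill gives, and the script only prints the rules so they can be checked before being applied:

```shell
#!/bin/sh
# Added example (not from the post or SME Server): generate the iptables rules
# that force LAN web traffic through DansGuardian and close the direct route to
# squid. Assumptions: LAN interface eth1, DansGuardian on 8080, squid on 3128.
# Rules are printed, not applied, so they can be reviewed; pipe to sh as root.

IPT="${IPT:-iptables}"

# Print the rule set for one LAN interface. Order matters: the loopback
# ACCEPT for squid must come before the LAN REJECT, otherwise DansGuardian
# (which runs on the firewall and talks to squid over lo) is cut off too.
proxy_rules() {
    lan_if="$1"
    dg_port="${2:-8080}"
    squid_port="${3:-3128}"

    # 1. Transparent redirect: LAN clients sent to any port 80 land on
    #    DansGuardian whether or not the browser has a proxy configured.
    echo "$IPT -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-port $dg_port"

    # 2. Redirected packets still pass INPUT, so accept them on the DG port.
    echo "$IPT -A INPUT -i $lan_if -p tcp --dport $dg_port -j ACCEPT"

    # 3. Close the bypass from the post: squid is reachable from the firewall
    #    itself only, never directly from the LAN.
    echo "$IPT -A INPUT -i lo -p tcp --dport $squid_port -j ACCEPT"
    echo "$IPT -A INPUT -i $lan_if -p tcp --dport $squid_port -j REJECT --reject-with tcp-reset"
}

# Self-check on the generated text: returns 0 when the squid REJECT rule is
# present and the loopback exception precedes it, 1 otherwise.
rules_close_bypass() {
    sp="${3:-3128}"
    squid_lines=$(proxy_rules "$@" | grep -- "--dport $sp ")
    case "$(printf '%s\n' "$squid_lines" | head -n 1)" in *' -i lo '*) ;; *) return 1 ;; esac
    case "$(printf '%s\n' "$squid_lines" | tail -n 1)" in *REJECT*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone use: ./proxy_rules.sh eth1 [dg_port] [squid_port]
if [ $# -gt 0 ]; then
    proxy_rules "$@"
fi
```

Apply with `proxy_rules eth1 | sh` as root once the output looks right. One caveat: a browser that is transparently redirected never sends a Proxy-Authorization header, so squid's PAM login only applies to clients explicitly configured for port 8080, which matches the behaviour observed in the post.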