Koozali.org: home of the SME Server

deactivating mail services (& other)?

chrisjscott

deactivating mail services (& other)?
« on: July 01, 2004, 03:51:19 PM »
I'm looking to use SME Server as a firewall/DHCP solution for a 20-person office... in setting up a test system, I've found that a handful of ports remain open that I'd like to close but am not sure how (I'm a Linux newbie).

25 (SMTP)
80 (HTTP)
113 (IDENT)
443 (HTTPS)

Considering the fact that we don't host our e-mail or web in-house, I'd prefer to close these, just for peace of mind. However, the SME Server manager interface offers no options for "turning off" the web and e-mail access.

What's the proper way to close these? Thanks in advance for your help...

-Chris

bobk

deactivating mail services (& other)?
« Reply #1 on: July 02, 2004, 01:18:07 AM »
Chris,

I'm not trying to rain on your parade, but SME was not designed to do what you are asking. SME is a gateway server with built-in firewall capabilities. To do what you want you should use a dedicated firewall; do a Google search and you will find plenty of them. SmoothWall is a popular one.

Secondly, even with a dedicated firewall, closing the ports you want to close will stop web and email ability from behind the firewall. The ports need to be open and forwarded to the appropriate server for these services to work.

Having said that, you can close the ports by deactivating the services that use them. There are a couple of ways to do this.

1.   To manually disable services:

# /sbin/e-smith/db configuration setprop atalk status disabled
# /sbin/e-smith/signal-event console-save

Replace "atalk" with the name of the service you want to disable.

To see service status:

/sbin/e-smith/config show (service name) or blank for all

2.   Install the services control Server Manager panel contrib - e-smith-service-control-1.1.0-6:

Download from:
http://www.ibiblio.org/pub/Linux/distributions/smeserver/contribs/dmay/mitel/contrib/e-smith-service-control/

Then do

rpm -Uvh e-smith-service-control-1.1.0-06.noarch.rpm
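
One way to confirm the effect of the service changes described in the post above, as an added example that is not part of the original thread: the function reads `netstat -tln` output and reports which of the four ports from the question still have a TCP listener. The function name `listening_ports` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check which of the ports named in
# the question still have a TCP listener after services are disabled.

# Ports listed in the original question.
PORTS="25 80 113 443"

# Constructed sample of `netstat -tln` output (not captured from a real server).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:2525        0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN'

# listening_ports PORT...
# Reads `netstat -tln` output on stdin and prints "port address scope" for
# each requested port that is in LISTEN state. The port is matched exactly,
# so 2525 is not mistaken for 25.
listening_ports() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ports[w[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (port in ports) {
                # A loopback binding is not reachable from other hosts.
                scope = (host == "127.0.0.1" || host == "::1") ? "loopback-only" : "reachable"
                print port, host, scope
            }
        }' | sort -n
}

# Run against the constructed sample.
# On a live host: netstat -tln | listening_ports $PORTS
printf '%s\n' "$SAMPLE" | listening_ports $PORTS
```

An empty result means none of the listed ports has a listener. A listener reported here may still be filtered by the firewall, so this checks the services, not the packet filter.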

chrisjscott

clarification on SME Server's purpose
« Reply #2 on: July 02, 2004, 03:40:17 PM »
Bob:

Thanks for your reply... after being referred to SME Server by a posting on Usenet but not being able to find a clear definition of its purpose when I visited this site, I downloaded it and set up a test server and, after doing that, I guess I'm a little confused to hear you say that SME Server isn't built for this sort of application. It sure SEEMS to work well as a gateway appliance...

Could you elaborate? If not this, then what IS the primary focus of SME Server? And why wouldn't SME Server work well for the application I've described?

Needless to say, I'm VERY interested in getting some clarification on this before I implement. Thanks!

duncan

deactivating mail services (& other)?
« Reply #3 on: July 02, 2004, 04:03:38 PM »
SME Server is designed as a mail, file, print and web server - hence the open ports. Simply using it as a gateway device is overkill.

Something like m0n0wall is much better suited to that type of application.

chrisjscott

using SME Server
« Reply #4 on: July 02, 2004, 05:27:10 PM »
I see your point... I guess SME Server would work just fine for us but, since I don't intend to use the email, web or file sharing capabilities (all services would be handled by additional boxes) it IS overkill.

I'll reconsider and look at a more gateway-specific service. Smoothwall's looking very good... any comments on it (I realize I'm getting way off-topic here)?

duncan

deactivating mail services (& other)?
« Reply #5 on: July 02, 2004, 05:32:39 PM »
Without starting a flaming session - I would avoid smoothwall. It has a colorful history.

m0n0wall or ipcop.

shanen

deactivating mail services (& other)?
« Reply #6 on: July 03, 2004, 05:42:31 AM »
Quote from: "duncan"
Without starting a flaming session - I would avoid smoothwall. It has a colorful history.

m0n0wall or ipcop.


Both are excellent suggestions

marks

sme has 2 modes
« Reply #7 on: July 03, 2004, 06:19:25 AM »
If you su into admin you can config the server to private server-gateway mode, which closes all external ports.

cheers

Mark

RonM

deactivating mail services (& other)?
« Reply #8 on: July 04, 2004, 03:36:49 AM »
In Private Server and Gateway mode, it actually stealths external ports, doesn't necessarily close them. For instance mail from/to an ISP works without issue; FTP out works; PPTP on 2233 works both ways; Groove on port 2492 or 80 works both ways, etc. Although I am perfectly happy behind SME (with client antivirus, firewall and antispy software) because of the extra functions and ease of use, and I wish all those zombie Windows boxes out there were too, if I only wanted a firewall, I'd use something else to have more granular control.