First of all, let me mention that I have no idea at all how the sme firewall is configured, even though I have used the sme server for some years. Reason - I never use preconfigured firewall rules on the sme or any other Linux; I like to know how they work, so I like to set up the configuration myself. (Even though I'm quite sure many of the preconfigured firewalls have a better configuration than I can make. At least I know the weaknesses when I make them myself, and I have the fun of making it.)
Generally, I think it is not a good idea to try to modify an existing firewall when you don't know how it works as a whole. This is much like modifying a window in a house you have not seen yet. Very often the result will be something else than you expected, and generally "something else" works badly for security. In the best case it doesn't work at all.
I don't know much about the earlier generations of Linux firewall than IPTABLES, but I could still try to translate a little bit, as things seem to be a little bit like IPTABLES (Kernel 2.4.x and 2.6.x).
http://man.he.net/man8/ipfwadm

ipfwadm -F -i accept -m -P tcp -S 10.0.0.0/8 1024:65535 -D 200.201.174.0/24 80

ipfwadm
-F                  forwarding chain
-i                  insert, set the rule at the top of the stack
accept
-m                  match
-P                  protocol
tcp
-S                  source
10.0.0.0/8          network number
1024:65535          specifying port numbers for traffic from that network
-D                  destination
200.201.174.0/24    that network
80                  port number
Looks like a little bit strange rule, because it looks like it restricts the traffic out from the lan to only one certain network (200.201.174.0/24). Can this be right? (Unless there are some other rules that do something else.)
By the way these rules:
/sbin/iptables -A INPUT -p tcp --dport 80 -s 200.201.174.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -m tcp --dport 80 -j ACCEPT
have absolutely nothing to do with the traffic between lan clients and the Internet; they will only open for traffic to and from internal processes on the gateway server.
As mentioned, I have no idea how the sme firewall works or how it is configured, but the "usual way" to configure a Linux gateway is to allow all traffic out. If it is set up as a transparent proxy, I think it is likely that a communication problem out from the lan to some external Internet-located server is related to this proxy.
Personally I am not so happy with the "transparent proxy principle" because of this potential issue. I think that you should always have the opportunity of turning a proxy off. (Can it eventually be turned off at the sme server? I don't know.)
Please confirm if there really should be a rule that restricts the traffic out to only one network like the ipfwadm rule seems to do, or if it is only a question of opening for some certain traffic out to this server (in addition to all other traffic).
By the way, the -A append option in iptables sets a new rule at the end of a chain, where it will often not work. -I sets a new rule at the top of a chain, where it will work, but not necessarily like expected.
To make changes to a firewall you should know all about it, and if the problem should happen to be a proxy problem and not really a firewall problem, it should be solved like that.
Arne.
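The point about -A versus -I above is really about first-match evaluation: a chain is walked top to bottom and the first matching rule decides, so a rule appended below an existing REJECT or DROP never gets a chance. The following Python model is an added example, not code from the post or from the sme server; the starting contents of the INPUT chain (an ESTABLISHED,RELATED accept followed by a constructed REJECT for new connections to port 80) are an assumption made only to show the effect, and the addresses are constructed sample values.

```python
"""Added example: a tiny first-match chain evaluator modelling why
`iptables -A` (append) often has no effect when an earlier rule already
decides the packet, while `iptables -I` (insert at position 1) does.
The pre-existing chain contents are constructed for illustration and
are NOT the sme server's real configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    state: str = "NEW"  # NEW, ESTABLISHED or RELATED, as conntrack would classify it


@dataclass
class Rule:
    target: str                           # ACCEPT, DROP or REJECT (-j)
    proto: Optional[str] = None           # -p
    src: Optional[str] = None             # -s, CIDR notation
    dst: Optional[str] = None             # -d, CIDR notation
    dport: Optional[int] = None           # --dport
    states: Optional[Set[str]] = None     # -m state --state A,B

    def matches(self, pkt: Packet) -> bool:
        """Every specified criterion must hold; unspecified ones match anything."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


class Chain:
    """Ordered rule list with a default policy, like a built-in iptables chain."""

    def __init__(self, name: str, policy: str = "DROP"):
        self.name = name
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:          # iptables -A <chain>
        self.rules.append(rule)

    def insert(self, rule: Rule, position: int = 1) -> None:  # iptables -I <chain> [pos]
        self.rules.insert(position - 1, rule)      # iptables positions are 1-based

    def verdict(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (target, rule number) of the first match, or (policy, None)."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, number
        return self.policy, None


def build_input_chain() -> Chain:
    # Constructed starting point (assumption): replies are accepted, new
    # connections to port 80 on the gateway itself are rejected.
    chain = Chain("INPUT", policy="DROP")
    chain.append(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    chain.append(Rule("REJECT", proto="tcp", dport=80))
    return chain


def compare_append_vs_insert() -> dict:
    """Apply the post's first iptables rule with -A and with -I and compare verdicts."""
    new_rule = Rule("ACCEPT", proto="tcp", src="200.201.174.0/24", dport=80)
    pkt = Packet(proto="tcp", src="200.201.174.10", dst="192.168.1.1", dport=80)

    appended = build_input_chain()
    appended.append(new_rule)          # -A: lands after the REJECT, never reached
    inserted = build_input_chain()
    inserted.insert(new_rule)          # -I: lands at the top, matches first

    return {
        "append": appended.verdict(pkt)[0],
        "insert": inserted.verdict(pkt)[0],
    }


def unrelated_traffic_verdict() -> str:
    """A packet no rule covers falls through to the chain policy."""
    return build_input_chain().verdict(Packet("udp", "10.0.0.5", "192.168.1.1", 53))[0]


if __name__ == "__main__":
    print(compare_append_vs_insert())   # {'append': 'REJECT', 'insert': 'ACCEPT'}
    print(unrelated_traffic_verdict())  # DROP
```

The same first-match walk applies to ipfwadm's -i (insert at top) versus -a (append), which is why the post's ipfwadm rule uses -i. Note also that the model only looks at the INPUT chain, i.e. traffic addressed to the gateway itself; forwarded lan traffic is decided by a different chain entirely.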