Koozali.org: home of the SME Server

Firewall/Iptables

nrm

Firewall/Iptables
« on: August 05, 2005, 08:15:57 PM »
Is there going to be a panel to administer firewall rules in SME7?

CharlieBrady
Re: Firewall/Iptables
« Reply #1 on: August 05, 2005, 09:00:19 PM »
Quote from: "nrm"
Is there going to be a panel to administer firewall rules in SME7?


I'm sure that this has been answered many times. There are various panels which adjust service policies, such as whether IMAP, POP and LDAP are accessible from outside the LAN. These panels already administer the firewall.

In general, the SMEServer manager panels do not specifically tweak various configuration options. They instead change system policies, and then the template and event systems translate the changed policies into changed configurations.

gardnc

Firewall/Iptables
« Reply #2 on: August 07, 2005, 03:24:22 PM »
You know, I just don't see the point of your post, Charlie Brady. These forums are supposed to assist us in helping one another, and I don't see where you thought that reply would help.

If this question has been answered even once before, I'm unable to unearth it. The references you actually did provide don't go to the heart of the original question: is there going to be a control panel to control iptables?

I for one would like to see such a contrib so we could open/block ports based on criteria such as IP addresses. Other firewalls we use at work have that type of panel, and even the Plesk control panel on our web servers has it to control iptables in the Fedora Linux OS. So I don't think it's out of the question to ask about such a panel.

If you don't know whether or not those creating the new 7.x version are going to add such a panel, then why say anything at all?

So, does anyone out here who knows for sure have an opinion?

Larry

smeghead
Firewall/Iptables
« Reply #3 on: August 07, 2005, 08:31:17 PM »
Charlie's post is accurate but perhaps not explicit enough!

No panel exists in the base product that manipulates the firewall rules directly.

There are a few contribs that provide this function, one example is:

http://www.muzo.homeip.net/nest/contribs/HowTo/howto-SME-Masq-manager.htm

Dungog also has this function rolled into its DansGuardian commercial app (I think) - very nice and only a few bucks.

HTH
..................

nrm

Firewall/Iptables
« Reply #4 on: August 08, 2005, 02:59:33 AM »
I'm now developing a panel to administer firewall rules (iptables) for SME7. Thanks for the replies.

NRM

gordonr (http://www.smeserver.com.au/)
Firewall/Iptables
« Reply #5 on: August 08, 2005, 05:08:50 AM »
Quote from: "nrm"
I'm now developing a panel to administer firewall rules (iptables) for SME7. Thanks for the replies.

NRM


It would be worthwhile discussing this on the developer's list before you delve too deeply. It is quite likely that the firewall rulesets will undergo a major overhaul in 7.x, with most of them driven directly from config db entries.

Gordon
............

smeghead
Firewall/Iptables
« Reply #6 on: August 08, 2005, 05:48:39 PM »
.. of course the easy (but $$$) way is to use a dual wan router such as a Xincom.

The good ones do inbound and outbound load balancing & failover and also have their own public DNS server built in.

For the best reliability the two connections would be with different ISPs and perhaps using a different technology (one using ADSL 2+, perhaps).

HTH
..................

gordonr (http://www.smeserver.com.au/)
Firewall/Iptables
« Reply #7 on: August 10, 2005, 05:04:06 AM »
Quote from: "gordonr"

It would be worthwhile discussing this on the developer's list before you delve too deeply. It is quite likely that the firewall rulesets will undergo a major overhaul in 7.x, with most of them driven directly from config db entries.


To elaborate on this, and Charlie's post, there has never been a firewall panel as the firewall is automatically opened and closed as services are configured to be "public" or "private". So, when you set IMAPS to public, we open the firewall for it. When you set it back to private, we close the firewall hole.

Some people want finer grained control than "public" or "private". I, for example, limit ssh to a known set of hosts I need ssh access from. This ability is already there, but not exposed in the panels.

In 7.0alpha, each service can be defined in the configuration db with the following properties:

- TCPPort: Which TCP port(s) the service is listening on
- UDPPort: Which UDP port(s) the service is listening on
- DenyHosts: What hosts/networks to deny
- AllowHosts: What hosts/networks to allow (if not already denied)
- access: Public or private (after filtering by Deny/Allow)

The firewall rules are automatically generated from these items. We are also working on a later version of the firewall code which is driven even more directly from database settings.

A firewall panel which directly manages iptables rulesets is likely to conflict with the existing rules and will need modification as we roll out the new rulesets. If it displays and sets the properties above, it could be a very useful addition.

However, we need to be careful not to end up with confusion - e.g. a "firewall" rule which blocks all IMAPS, while IMAPS is set to "public". Again, if the panel works through the configuration database, we won't have that issue.
............
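Gordon's property list above reads like a small specification, so here is a generator, added here and not SME Server's own code, that turns service records carrying those five properties into iptables commands in the order he describes: DenyHosts dropped first, AllowHosts accepted next, then the public/private default. The pipe-separated `key=service|Prop|value|Prop|value` record layout is how the e-smith configuration db files look as I recall them, and the interface names, LAN subnet and sample records are assumptions constructed for the example. Because every rule is derived from the record, the contradiction he warns about (a rule blocking IMAPS while IMAPS is set to public) has no place to arise.

```python
"""Added example, not SME Server code: iptables rules from service records
with the TCPPort/UDPPort/DenyHosts/AllowHosts/access properties."""
from dataclasses import dataclass, field

# Assumptions for the sample network; SME derives these from its own db.
LAN_IF = "eth0"
LAN_NET = "192.168.1.0/24"


@dataclass
class Service:
    name: str
    tcp_ports: list = field(default_factory=list)    # TCPPort
    udp_ports: list = field(default_factory=list)    # UDPPort
    deny_hosts: list = field(default_factory=list)   # DenyHosts
    allow_hosts: list = field(default_factory=list)  # AllowHosts
    access: str = "private"                          # access


def _csv(value):
    """Comma-separated property value -> list, dropping empty items."""
    return [v for v in value.split(",") if v]


def parse_service(record):
    """Parse one 'key=service|Prop|value|Prop|value' record.

    The pipe-separated layout is an assumption about the e-smith db file
    format; the property names are the ones Gordon lists."""
    key, _, props = record.strip().partition("=")
    fields = props.split("|")
    if not key or fields[0] != "service":
        raise ValueError(f"not a service record: {record!r}")
    if len(fields) % 2 == 0:
        raise ValueError(f"unpaired property in: {record!r}")
    d = dict(zip(fields[1::2], fields[2::2]))
    access = d.get("access", "private")
    if access not in ("public", "private"):
        raise ValueError(f"{key}: access must be public or private, got {access!r}")
    return Service(key, _csv(d.get("TCPPort", "")), _csv(d.get("UDPPort", "")),
                   _csv(d.get("DenyHosts", "")), _csv(d.get("AllowHosts", "")),
                   access)


def rules_for(svc):
    """INPUT-chain rules for one service.

    Rule order encodes the evaluation order from the post: DenyHosts are
    dropped first, AllowHosts accepted next, then the public/private
    default.  Unmatched packets fall through to the INPUT policy, which
    ruleset() sets to DROP, so 'private' needs no explicit reject."""
    rules = []
    ports = [("tcp", p) for p in svc.tcp_ports] + [("udp", p) for p in svc.udp_ports]
    for proto, port in ports:
        match = f"iptables -A INPUT -p {proto} --dport {port}"
        for host in svc.deny_hosts:
            rules.append(f"{match} -s {host} -j DROP")
        for host in svc.allow_hosts:
            rules.append(f"{match} -s {host} -j ACCEPT")
        if svc.access == "public":
            rules.append(f"{match} -j ACCEPT")
        else:
            # private: reachable only from the LAN interface and LAN subnet
            rules.append(f"{match} -i {LAN_IF} -s {LAN_NET} -j ACCEPT")
    return rules


def ruleset(records):
    """Complete default-deny INPUT ruleset from a list of db records."""
    rules = ["iptables -P INPUT DROP",
             "iptables -A INPUT -i lo -j ACCEPT",
             "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for rec in records:
        rules.extend(rules_for(parse_service(rec)))
    return rules


# Constructed sample records, not taken from a real SME install.
SAMPLE_DB = [
    "sshd=service|TCPPort|22|access|private|AllowHosts|203.0.113.5,198.51.100.0/24",
    "imaps=service|TCPPort|993|access|public|DenyHosts|192.0.2.0/24",
    "ntpd=service|UDPPort|123|access|private",
]

if __name__ == "__main__":
    print("\n".join(ruleset(SAMPLE_DB)))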

arne
Firewall/Iptables
« Reply #8 on: August 12, 2005, 02:52:17 AM »
nrm ->

How do you do that? It would be rather interesting to hear a little bit more about your project.

I have used the e-smith/SME server for some years, but I have never tried the default SME firewall, at least not for many years. The reason is rather simple, even though also possibly rather foolish. I don't like firewall configurations that I have not set up myself. (From this philosophy I possibly should have set up the server functions as well, and not used the SME server at all, but well .. firewalls are "a bit fun" and server functions are "not so fun" .. for a lazy "wannabe firewaller".)

For the SME 6.0.1 at least it is possible to choose a "server only" installation with no firewall at all. From that as a starting point it should be possible to configure any kind of firewall without conflicting with the SME firewall, because there is not any.

Well, I have to admit that most of the SME server installations I have done, at least in the last years, have been of the type "server only" with only one net card and an added firewall script. Then I have used other Linux distributions in the gateway role and configured them for that role with almost no server functions.

But what would happen if you first built up an SME "server only" without a firewall, and then, when this is up and running, added one or more network cards and a configuration script for those two or three cards? Could it be possible to make the SME server work in such a setup? I must admit I have not tried, but I would guess it can work. Why not?

Last week I set up a 3-card Linux router for a company that wanted two security zones: two LAN zones with a firewall between them and a common internet gateway, one LAN zone with ordinary cabling and one LAN zone based on wireless clients. There should be no access from the less secure wireless zone to the secure cabled zone.

I used a CentOS 4.0 minimum installation, but I really asked myself if this could have been an SME server instead, and then used the firewall configuration script to share the server resources as wanted and required between the internet plus the two security zones. I don't know if this could have worked in real life, but I guess it could. (There would be a number of problems of this type: will this server function listen on eth0, eth1, eth2 etc., or will it only listen on eth0 .. this would have to be tried out.)

When it comes to such a thing as a firewall configuration panel, how deeply does it have to be implemented into the ordinary configuration panel?

Why not see the "firewall/nat/routing things" as a problem area of its own and just give it its own configuration panel? (One panel for the server functions, the existing one, and one other panel for different alternative firewall configurations ..) Just an idea ..

If this problem could be handled this way, then the problem of making a firewall configuration panel can be reformulated to this question: "Is it possible to make a web-based interface that is able to generate a bash script?" I guess this could be quite possible.

Does the SME server have to be restricted to being a "server only" or a "server gateway", or could it also be set up to be something like, for instance, a four-card gateway, with a WAN connection, a DMZ card for internal servers, a LAN card for the wired LAN, and a wireless LAN card, all with configurable security for each zone?! Just some ideas.

I think the difficult part of it would be to make a web-based interface that can generate a bash shell code text file. If this is possible, it should also be possible to fill up this text file with any kind of routing/firewall rules in such a configuration script.

.. Just some (crazy ?) ideas on a non sleepy night.. :)

If it eventually should not be possible to make the more exotic variants, it should still be possible to make a really huge number of one- and two-card configurations for those thinking that firewalling is the more fun part of computing.

For the 3-card CentOS router I set up a few days ago, it was perfectly possible to share all server functions and all traffic between WAN, LAN1 and LAN2 as wanted and required. Why should this not be possible also for the SME server, and why should it not be possible to make a web-based interface that can generate a text file? (That can be used as a firewall configuration file.)

.. And why does an SME gateway necessarily have to be a router, why not an SME firewall bridge (with both NICs connected to the same subnet), if someone for some reason should want to have such a thing ..

I think the thing I like best about the SME server, it is OK the SME server itself, but it is also the discussion forum with a lot of info and a lot of ideas .. The SME server installations always run for years and years, and it is easy to install, so if it cannot generate the problems itself ...


Best reg Arne.
......
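The three-NIC router Arne describes (a WAN link, a wired LAN, a wireless LAN, a shared internet gateway, and no access from the wireless zone into the wired one), written out as an added example; this is not part of the original post, not his script and not SME Server code. Interface names, subnets and the router's own services (DHCP, DNS, ssh from the wired side) are assumptions for the sample. The script prints the commands unless told to apply them, so it can be read and checked before touching a live box.

```sh
#!/bin/sh
# Added example, not SME Server code: three-NIC zone policy of the kind
# described above.  Interface names, subnets and the router's own services
# are assumptions for the sample.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}        # wired, trusted zone
WLAN=${WLAN:-eth2}      # wireless, less trusted zone
LAN_NET=${LAN_NET:-192.168.10.0/24}
WLAN_NET=${WLAN_NET:-192.168.20.0/24}
# Dry run by default: print the commands.  "apply" below switches to real iptables.
IPT=${IPT:-"echo iptables"}

zone_rules() {
    # Default deny both for traffic to the router and for traffic through it
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # Anti-spoofing: our internal prefixes never legitimately arrive on the WAN
    $IPT -A INPUT   -i "$WAN" -s "$LAN_NET"  -j DROP
    $IPT -A INPUT   -i "$WAN" -s "$WLAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET"  -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$WLAN_NET" -j DROP

    # Stateful: replies to connections allowed below may pass
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Both zones share the internet gateway
    $IPT -A FORWARD -i "$LAN"  -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WLAN" -o "$WAN" -j ACCEPT

    # Wired may initiate to wireless; wireless may never initiate to wired.
    # The DROP is already the FORWARD policy; stating it keeps the intent
    # visible in iptables -L and survives a later change of policy.
    $IPT -A FORWARD -i "$LAN"  -o "$WLAN" -j ACCEPT
    $IPT -A FORWARD -i "$WLAN" -o "$LAN"  -j DROP

    # Router-side services: DHCP and DNS for both zones, ssh from wired only
    for ZIF in "$LAN" "$WLAN"; do
        $IPT -A INPUT -i "$ZIF" -p udp --dport 67 -j ACCEPT
        $IPT -A INPUT -i "$ZIF" -p udp --dport 53 -j ACCEPT
        $IPT -A INPUT -i "$ZIF" -p tcp --dport 53 -j ACCEPT
    done
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # NAT everything leaving on the WAN
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# "sh zones.sh" prints the rules; "sh zones.sh apply" loads them (needs root).
if [ "${1:-}" = "apply" ]; then
    IPT=iptables
fi
zone_rules
```

The ESTABLISHED,RELATED rule sits before the wireless-to-wired DROP on purpose: a wired host may open a connection to a wireless client and get its replies back, while a wireless client can never be the initiator towards the wired zone.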

arne
Firewall/Iptables
« Reply #9 on: August 12, 2005, 02:58:19 AM »
And why does an SME gateway necessarily have to be a router, why not an SME firewall bridge (with both NICs connected to the same subnet), if someone for some reason should want to have such a thing ..

Because the SME uses a standard 2.4.x kernel this cannot work. A bridging firewall requires a modified 2.4.x kernel or a standard 2.6.x kernel .. sorry, I forgot that.
......

gordonr (http://www.smeserver.com.au/)
Firewall/Iptables
« Reply #10 on: August 12, 2005, 03:29:21 AM »
Quote from: "arne"

I have used the e-smith/sme server for some years, but I have never tried the default sme firewall, at least not for many years. The reason is rather simple, even though also possibly rather foolish. I don't like firewall configurations that I have not set up myself.


Why reinvent the wheel? We already have a service-aware, stateful firewall with a lot of extra packet checks. I'm sure it could be improved, and suggestions are welcome. If you have any issues with the firewall configuration, we'd like to hear about them via the bug tracker.
............

arne
Firewall/Iptables
« Reply #11 on: August 12, 2005, 11:12:44 AM »
Well, the "wheel", or Netfilter firewall/routing module, is not a part of the SME distribution, and the SME gateway server does not actually contain a firewall. The Linux kernel does.

So it is not a question of reinventing the wheel, but just about using "the wheel" as intended by the makers of "the wheel". http://www.netfilter.org/

The SME 6.0.1 "server only" does contain a firewall, as it contains a Linux kernel, but it is not used. It is configured to be set completely open as default. I find it difficult to see any good or reasonable reason not to do the 5-minute job it takes to give it a proper configuration.

There is no default option for setting up an SME server with two LAN zones with a firewall between them. The Linux kernel contains this option as well. Why not use it, if someone should need it, and why not use some of these opportunities that are built into the Linux kernel by default?

The SME server does contain a default Primary i-bay. This is not a good argument for not setting up your own i-bays. The SME server does contain a Linux kernel with a default firewall configuration for the gateway installation variant. As I see it this is not an argument at all for not configuring the Netfilter firewall, as required, for your installation.

The Netfilter firewall will always be there. It's only a question of using it, as required.
......

gregswallow
Firewall/Iptables
« Reply #12 on: August 13, 2005, 03:21:02 AM »
Quote from: "nrm"
I'm now developing a panel to administer firewall rules (iptables) for SME7. Thanks for the replies.

NRM


Hi NRM - I'll second Gordon's suggestion to discuss what you're planning on doing on the mailing list (devinfo or smeserver-sourceforge).

I'm not sure if you are on the devinfo mailing list on contribs.org, but I just made some rpms for IPP2P.  See info here - http://no.longer.valid/phpwiki/index.php/DevList

It is an addon that blocks P2P filesharing traffic (kazaa, emule, bittorrent, etc) going through the server.  I didn't make a server manager panel for it yet, and it might be good in your panel if you'd like to add that to whatever features you were working on already.

gordonr (http://www.smeserver.com.au/)
Firewall/Iptables
« Reply #13 on: August 13, 2005, 05:33:18 AM »
Quote from: "arne"
Well, the "wheel" or Netfilter firewall/routing module is not a part of the sme distribution and the sme gateway server does not actually contain a firewall. The Linux kernel does.


I don't understand your point. In what way does the server-gateway mode not contain a firewall?

The SME Server (or CentOS, or RHEL - take your pick) also includes Samba, Netatalk, Apache, and so on. The SME Server configures all of the underlying services, including iptables, Samba, etc. The firewall is no different - it's configured automatically when required.

Quote from: "arne"

So it is not a question of reinventing the wheel, but just about using "the wheel" as intended by the makers of "the wheel". http://www.netfilter.org/


We already generate iptables rulesets from the database configuration. My reason for posting to this thread was to help guide the proposed development so that it is in line with the rest of the system and driven by the configuration database.

Quote from: "arne"

The sme 6.0.1 "server only" does contain a firewall as it contain a linux kernel, but it is not used. It is configured to be set completely open as default. I find it difficult to se any good or reasonable reasons not to make that 5 minutes job it takes to give it a proper configuration.


"Server only" mode was designed (and documented in the screens and manuals) for use on a protected internal network. We could enable the firewall in server-only mode, but as a LAN server, it needs to be open on all ports which have configured services. So what, precisely, does it buy you in terms of security? We do enable the firewall in server-only mode in 7.0alpha, but only to allow packet tuning.

Should there be a "public server" mode? Yes. Has anyone contributed the code? No - patches are welcome. Is there a workaround? Yes - it costs you one idle Ethernet card (or none, if you know what you are doing).

Quote from: "arne"

There is no default option of setting up a sme server with two lan zones with a firewall between. The Linux kernel contains this option as well. Why not use it, if someone should need it, and why not use some of these oportunities that is built into the Linux kernel by default ?


Quite simply because nobody has done the work to make this happen. Care to contribute the changes?

Quote from: "arne"

The Netfilter firewall will allways be there. It's only a question of using it, as required.


Precisely. It's required in server-gateway mode. It's not required in server-only mode in the general case.
............