Koozali.org: home of the SME Server

One NIC - Server gateway mode?

yehaah

One NIC - Server gateway mode?
« on: January 13, 2006, 10:45:17 AM »
I've installed my SME on a standard HP computer with only one NIC ( I don't need more).

If I use the "Server-Gateway" mode, the web pages are only visible on the internal network. If I use "private server" mode, it works without problems internally and externally.

But private server isn't secure enough, is it? So how do I make my webserver visible to others than myself?

I've tried giving it different IPs for the internal and external networks, and I've tried giving it the same IP (still only one NIC), but this doesn't make a difference.

Yes, I've checked that the DNS works, and yes, I've set the i-bay to be visible by the entire internet without password.

I can't find any solutions in the FAQ.

What have I missed out?

dmajwool

One NIC - Server gateway mode?
« Reply #1 on: January 13, 2006, 02:56:39 PM »
Quote
I've installed my SME on a standard HP computer with only one NIC ( I don't need more).
I took the view that I did need more than one nic, and have had no problems.  How do you need only one nic for server/gateway?

dcniki

Re: One NIC - Server gateway mode?
« Reply #2 on: January 13, 2006, 04:07:28 PM »
Quote from: "yehaah"
I've installed my SME on a standard HP computer with only one NIC ( I don't need more).


What have I missed out.


Yes you do. For server - gateway you need two. Just put a second nic in, give it a BS ip and forget it's even there (doesn't even need a cable plugged in, just has to be there). Mine is set up standalone (server-gateway, does nothing but email for me at the moment) but trust me, you need two nics for server - gateway mode, period, no way around it.

yehaah

Re: One NIC - Server gateway mode?
« Reply #3 on: January 13, 2006, 10:36:39 PM »
Quote from: "dcniki"
Quote from: "yehaah"
I've installed my SME on a standard HP computer with only one NIC ( I don't need more).


What have I missed out.


Yes you do. For server - gateway you need two. Just put a second nic in, give it a BS ip and forget it's even there (doesn't even need a cable plugged in, just has to be there). Mine is set up standalone (server-gateway, does nothing but email for me at the moment) but trust me, you need two nics for server - gateway mode, period, no way around it.


Thanks.

The other modes don't give enough protection do they?

arne

One NIC - Server gateway mode?
« Reply #4 on: January 16, 2006, 12:26:53 AM »
The server only installation has basically no firewall at all. (But it is easy to apply a firewall script so it will get one. Personally I use to do that.)

The server and gateway installation is based on the principle of controlling the IP traffic between two internet interfaces. It will work as a router between those two network interfaces. I think you can say that this is the normal operation of the sme server and gateway.

From a theoretical point of view, I think it might be possible to actually set up a router that has only one network card, but I find it hard to believe that the sme server will support this (???) (As it is designed for the normal 2 card installation.)

If it is possible to set up a one card Linux router, I think then the one card should have assigned two addresses, the external address, i.e. 123.123.123.1/24, and the internal address, i.e. 10.0.0.1/24. Then I think it could be possible to route traffic from the external IP to the internal network 10.0.0.0. By applying proper filtering rules, should it then be possible to prevent external access to the 10.0.0.0 network?

I have never tried this theory, but if it works, it should then be possible to convert a sme server only to a one port router/gateway.

By the way, if you set up one common switch for incoming and outgoing traffic in front of the server and the clients, the client will basically not be able to protect the clients (workstations) at all (I think.)

Even though an interesting thought, the "one card gateway" should not be a very practical solution or arrangement.

Anybody who has tried or who knows if this idea can be done via Linux / iptables at all?? (I would believe that such a one port router can be made but with almost zero security as a result because the router can be freely bypassed.)

Possibly a bit "offtopic" from my side, but I just thought that this question was rather interesting ..
......

dcniki

Re: One NIC - Server gateway mode?
« Reply #5 on: January 16, 2006, 01:55:08 PM »
Quote from: "yehaah"


The other modes don't give enough protection do they?


No they do not... wanna find out, just set one up in "server only" and hook it up. It will be hacked within a matter of hours.

I was going to use 2003 Web Edition, I barely got it loaded and was downloading SP1 for it when it got nailed. Had been running less than an hour.

Almost the same with SME in "server only" (yes, I messed up and wasn't thinking about it)

moodyp

One NIC - Server gateway mode?
« Reply #6 on: January 18, 2006, 08:09:20 PM »
What about the scenario where you have 1 NIC for a local LAN and use a USB port for connection to an ADSL modem? This configuration only uses a single NIC but one would want the firewall to work between the USB modem and the NIC.

I posed a question like this a month or so ago and am still unsure how to configure my SME server for use with this sort of set-up.

Does anyone know?

Regards
Pete

dcniki

One NIC - Server gateway mode?
« Reply #7 on: January 18, 2006, 08:29:32 PM »
Quote from: "moodyp"
What about the scenario where you have 1 NIC for a local LAN and use a USB port for connection to an ADSL modem? This configuration only uses a single NIC but one would want the firewall to work between the USB modem and the NIC.

I posed a question like this a month or so ago and am still unsure how to configure my SME server for use with this sort of set-up.

Does anyone know?

Regards
Pete


Don't confuse the issue - "Server Only" mode offers no protection at all (unless you do it manually, I would rather not).

It's not a matter of "what" you are using to connect with, it's a matter of "where" your server stands in the network.

ISP-------->SMEServer(Server Only)-------->Network = BAD!!!

ISP-------->Firewall-------->SMEServer(Server Only)------->Network = OK

ISP-------->SMEServer(Server & Gateway)-------->Network = OK

ISP-------->Firewall-------->SMEServer(Server & Gateway)------->Network = OK but redundant.

or some other setup where SMEServer is not directly connected to the internet via cable, dsl, dial-up, whatever. It has nothing to do with what 2 network cards you use, or network card / DSL modem, or network card / dial-up... it has to do with it (SMEServer) being the first connection from however you're connecting to the internet.

So long story short Pete - in order for you to have any kind of firewall for your network it needs to be "Server & Gateway" (public or private is up to you), but not "Server Only" unless you set up some other form of firewall.

CharlieBrady

One NIC - Server gateway mode?
« Reply #8 on: January 18, 2006, 10:09:56 PM »
Quote from: "moodyp"
What about the scenario where you have 1 NIC for a local LAN and use a USB port for connection to an ADSL modem?


SME currently has no support for USB modems.

[It won't have support for USB modems until someone develops software to do that - either because they need it themselves, or because someone is paying them to develop that feature.]

moodyp

One NIC - Server gateway mode?
« Reply #9 on: January 23, 2006, 08:14:05 PM »
Thank you for your replies, I think I am getting a better understanding of this now.

Summarising this in my own words to ensure I have understood you right: If the server is set-up for "Server and gateway mode", the script configures a firewall.

With two network cards, a decision needs to be made as to which card is the local network and which the "public" side in order to configure the firewall to filter packets in the right direction. This is why Admin's configuration script asks questions about this. Once this decision has been made, the firewall can be configured to block out nasty packets on the public side from the local network.

In 'Server only' mode it disables firewall support completely.

So far so good. Now, imagine that I have configured the system as "Server and Gateway" with two network cards but I do not use the public card for an internet connection. Instead, I add a connection using my USB ADSL modem and, after the modem has booted and received an IP address from my ISP, I type something like:

Code:
route add default pppd

Does this then tell the firewall to act as firewall between the new default route (the USB modem) and the local network card? If so, then I am home and dry and can use this configuration, if not then I need a bit more light reading about how the firewall works - any suggestions?

Just as a note: Although SME server has no intrinsic USB modem support, I have successfully managed to get my SpeedTouch USB modem working properly using various HowTo's and help files scattered on this site and over the web. This allows me to ping public IP addresses.

Thank you for your time and patience

Regards
Pete
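
A way to check the question raised in the post above (an added example, not part of the thread and not SME Server's own firewall script): iptables rules name interfaces with -i, so this compares the interface on the default route with the interfaces the ruleset actually filters. The routing table and iptables-save dump are constructed samples, and the rule walk is a simplified model that ignores conditional matches such as state or port.

```python
# Constructed sample: routing table after a PPP link became the default route.
SAMPLE_ROUTES = """\
default dev ppp0 scope link
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
"""
# Constructed sample: iptables-save output written with eth1 as the public side.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -j DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -j DROP
COMMIT
"""

def default_interface(routes):
    for line in routes.splitlines():
        f = line.split()
        if f[:1] == ["default"] and "dev" in f:
            return f[f.index("dev") + 1]
    return None

def iface_matches(pattern, iface):
    # A trailing "+" is the iptables wildcard: "ppp+" matches ppp0, ppp1, ...
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def new_inbound_verdict(rules, chain, iface):
    """Fate of an unsolicited packet arriving on iface (simplified model)."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        f = line.split()
        if line.startswith(f":{chain} "):
            policy = f[1]                      # chain default policy
        if f[:2] != ["-A", chain] or "-j" not in f:
            continue
        spec, target = f[2:f.index("-j")], f[f.index("-j") + 1]
        pat = spec[spec.index("-i") + 1] if "-i" in spec else None
        if pat and not iface_matches(pat, iface):
            continue                           # rule is bound to another interface
        spec = [t for t in spec if t not in ("-i", pat)]
        if not spec and target in ("ACCEPT", "DROP", "REJECT"):
            return target                      # first unconditional match decides
    return policy                              # nothing matched: policy applies

def audit(routes, rules):
    wan = default_interface(routes)
    return wan, {c: new_inbound_verdict(rules, c, wan) for c in ("INPUT", "FORWARD")}
```

With these samples, `audit(SAMPLE_ROUTES, SAMPLE_RULES)` reports ACCEPT for both chains on ppp0: the DROP rules stay attached to eth1 when the default route moves, and only a ruleset that names the new interface (for example `ppp+`) filters it.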

CharlieBrady

One NIC - Server gateway mode?
« Reply #10 on: January 23, 2006, 08:32:58 PM »
Quote from: "moodyp"
What about the scenario where you have 1 NIC for a local LAN and use a USB port for connection to an ADSL modem?


The SME server currently has no support for USB ADSL modems.

But you are right in that servergateway mode doesn't need a 2nd NIC if there is another device being used for the WAN connection (e.g. a modem dialup connection).