Koozali.org: home of the SME Server

SME firewall -vs- D-link router firewall?

esalkin

« on: August 01, 2006, 08:12:03 PM »
I currently have my PCs behind my D-Link router's built-in firewall. Will I lose/gain anything by using the SME server firewall and disabling the router's?




(Using 'Recommended Hardware Requirements' or better)

Boris
« Reply #1 on: August 01, 2006, 08:17:57 PM »
That depends on what you are trying to do with SME.
...

esalkin

« Reply #2 on: August 01, 2006, 08:53:49 PM »
I'm setting up a 'vanity' web site with e-mail on my cable modem connection using a dynamic-DNS service.  Behind the firewall will be a couple of WinXP-Home :oops:  PCs running typical family-pc network apps.

arne
« Reply #3 on: August 01, 2006, 10:37:36 PM »
I believe it is not considered to be the right answer in the sme server environments to say what I say, but my experience is that the sme server can work very well behind a standard nat router.

Personally I have "almost always" used it this way.

Main reason: I like to play and work and do a lot of testing with my server PCs, and if this is also my gateway, this will mean that I now and then will lose my Internet connection.

My experience is that absolutely all server functions on the sme server, and other servers as well, work quite OK behind a standard nat router, if the nat router is configured the proper way.

Then I also apply one additional firewall script on the sme server in the server-only mode, as a double security, even though it might not be really required.

One of my other experiences is that the sme server itself should not be modified too much. Actually almost 100 % of the bugs I have had with the sme server during the years have been related to the non-standard modifications I have made myself. Then the rule should be: Keep it as standard and unmodified as possible and there will be no problems. (An extra firewall on the server-only is a minor modification that normally will give no problems at all.)

If some more specialized server functions are needed, like for instance an Asterisk IP telephony server, do not build or modify this into the sme server; rather set up a specialized extra box, with for instance astlinux or trixbox.

I believe that the sme server will work better for the vpn function if it is set up in the gateway mode. This I have not really tested, because I have used other means for the vpn function.

Just my two cents ..
......

arne
« Reply #4 on: August 01, 2006, 10:43:57 PM »
Quote
WinXP-Home


If you also had one XP-Pro you could use Windows Remote Desktop on one of the workstations; then you could use one of the workstations remotely, for things like for instance remote login to ssh or the server-manager. Then it will not be required to let these functions have internet access.

This will make access to the sme server rather difficult for a potential hacker.
......

briank
« Reply #5 on: August 01, 2006, 10:48:49 PM »
What Arne says is fine and I have left a router/firewall in place sometimes, but it can complicate setting up some progs, as you may need to port forward on the sme and remember to open relevant ports on the router. Generally these days I put the router in DMZ mode to forward traffic to the sme and rely on the sme firewall, which I think is great.
Regards
Brian

CharlieBrady
« Reply #6 on: August 02, 2006, 01:40:23 AM »
Quote from: "arne"

My experience is that absolutely all server functions on the sme server, and other servers as well, work quite OK behind a standard nat router, if the nat router is configured the proper way.


The builtin dynamic DNS clients in general cannot work behind a nat router, as they do not know what the external IP address of the router is, or when it has changed.

Use of a NAT router also complicates making external services available because you need to set up explicit port forwardings on the router.

gordonr (http://www.smeserver.com.au/)
« Reply #7 on: August 02, 2006, 04:38:32 AM »
Quote from: "CharlieBrady"

Use of a NAT router also complicates making external services available because you need to set up explicit port forwardings on the router.


It must also be remembered that a simple port-forward provides no additional security on those forwarded ports. If you forward SSH through the router without additional filtering, your SSH port is just as open to the world as if you were directly connected.

I've seen a lot of advice which says that such a setup is more secure, which it isn't. It's also very likely that the home router box is running a much older Linux kernel than in the SME Server.

Finally, we enable additional anti-spam rules when we know the external IP address. This is lost when you port forward.

Server-gateway is better than server-only. You should use it.
............

arne
« Reply #8 on: August 03, 2006, 01:16:50 PM »
I understand that there are a few arguments for the gateway solution:

1. Built-in dynamic dns client, if this function is needed.
2. Better spam filtering.
3. Possibly better/easier VPN connection (??).

On the other hand, what is considered to be easy and what is complicated might be a bit individual for each user.

I would personally say that the nat forwarding function of a standard nat router often makes everything easier, because it gives a precise, easy and clear picture of how the data flows are allowed to enter your network.

It is true that a forwarded port via a standard nat router has no security at all, from a firewalling point of view. On the other hand, there is nothing that prevents you from applying those filtering rules that you might wish on the open ports of the server-only, if you apply an iptables script on the server-only installation, behind the standard nat router, so that you get a double firewalling setup.

If the standard nat router just does forwarding, then you could quite easily set up your server-only to do additional filtering, like preventing DoS attacks using rate and burst filtering on the input chain, etc.

On the other hand, it might be only a question of making things safe enough.

My SME servers have generally run for years without problems, except when I have been too clever with my modifications. Most of them have been a server-only installation with an additional firewall script, so there has been a double firewall setup. I guess that a server-gateway setup also normally would run for years without problems, so there are just two quite good alternatives.

From a very theoretical point of view I think that a double firewall setup, with firewalling via the nat router and additional firewalling on the server-only installation that also includes the open ports, can make the whole installation "more safe". On the other hand, for the real world both installations might be just safe enough.

If you like to have the full control of where each packet goes, how many packets are allowed to arrive, from where, to where etc., this full control can be obtained by using a standard nat router with forwarding, plus a rather easy firewall script on the sme server-only installation.
......

smeghead
« Reply #9 on: August 03, 2006, 07:41:18 PM »
Quote from: "gordonr"

Finally, we enable additional anti-spam rules when we know the external IP address. This is lost when you port forward.


Gordon, could you elaborate a bit on just exactly what is 'lost' in the SA config when running NAT to the SME (all routers on static IP)?

This is my default config for all my 50+ installs of SME 6 & 7 and provides me with a level of control that is not readily possible without the use of a NAT router; would hate to change this multi layer setup so need to know more about this.

Cheers
..................

gordonr (http://www.smeserver.com.au/)
« Reply #10 on: August 04, 2006, 02:24:31 AM »
Quote from: "smeghead"
Quote from: "gordonr"

Finally, we enable additional anti-spam rules when we know the external IP address. This is lost when you port forward.


Gordon, could you elaborate a bit on just exactly what is 'lost' in the SA config when running NAT to the SME (all routers on static IP)?


The most obvious one is helo spoofing. We reject any mail which says "HELO a.b.c.d" where a.b.c.d is your external IP address. I get a lot of that every day. We also allow postmaster@[a.b.c.d] as required by the RFC.
............
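As an added illustration of the HELO check gordonr describes, and of why it is lost when the server sits behind a NAT router, here is a small POSIX shell model. It is not SME Server's own mail configuration and not gordonr's code: the function takes the external IP the server knows (empty in server-only mode, where the box only sees its private NAT address) and the HELO argument a client sent. The address 203.0.113.5, the hostname mail.example.com and the function names are constructed for the example; treating the bracketed literal form [a.b.c.d] the same way as the bare a.b.c.d is my assumption, not something the thread states.

```shell
#!/bin/sh
# Added example: a minimal model of the "reject HELO <our external IP>" rule.
# Not SME Server's mail configuration; constructed to show what the check
# needs (the external address) and what is lost behind a NAT router.

# helo_verdict EXTERNAL_IP HELO_ARG
#   Prints the verdict; returns 0 for accept, 1 for reject.
#   EXTERNAL_IP is empty when the box only knows its private address
#   (server-only behind NAT), in which case the rule cannot fire at all.
helo_verdict() {
    ext_ip="$1"
    helo="$2"
    if [ -z "$ext_ip" ]; then
        echo "accept (external IP unknown, helo check skipped)"
        return 0
    fi
    case "$helo" in
        "$ext_ip"|"[$ext_ip]")
            # A remote client claiming to be this server is lying: reject.
            # (Treating the bracketed literal the same is an assumption.)
            echo "reject"
            return 1
            ;;
        *)
            echo "accept"
            return 0
            ;;
    esac
}

# rcpt_literal_ok EXTERNAL_IP RCPT_ADDR
#   Returns 0 only for postmaster@[EXTERNAL_IP], the address-literal form
#   of the postmaster mailbox that must stay deliverable. Any other recipient
#   is left to the normal recipient checks (1 here means "not this case").
rcpt_literal_ok() {
    ext_ip="$1"
    rcpt="$2"
    [ -n "$ext_ip" ] && [ "$rcpt" = "postmaster@[$ext_ip]" ]
}

# Constructed demo values (203.0.113.0/24 is documentation address space).
if [ "${1:-}" = "demo" ]; then
    helo_verdict 203.0.113.5 203.0.113.5          # reject
    helo_verdict 203.0.113.5 mail.example.com     # accept
    helo_verdict "" 203.0.113.5                   # accept, check skipped
fi
```

Run it as `sh helo-check.sh demo` to see the three verdicts. The third call is the server-only-behind-NAT situation: with no external address to compare against, the rule degrades to "accept", which is exactly the loss being discussed.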

gordonr (http://www.smeserver.com.au/)
« Reply #11 on: August 04, 2006, 02:30:56 AM »
Quote from: "arne"
I understand that there are a few arguments for the gateway solution:

1. Built-in dynamic dns client, if this function is needed.
2. Better spam filtering.
3. Possibly better/easier VPN connection (??).

On the other hand, what is considered to be easy and what is complicated might be a bit individual for each user.


Arne,

You have said many times that you use your own firewalling scripts and enjoy doing so. That's fine, and your choice. But since these don't exist in the standard configuration, it's somewhat irrelevant. If the base firewalling needs to be improved, raise a bug. If your scripts are better, raise a bug so we can compare. Otherwise, they remain your setup and your scripts.

This thread is about comparing the SME Server firewall and the D-Link firewall. Could we please stay on-topic? Thanks.
............

smeghead
« Reply #12 on: August 04, 2006, 06:23:57 AM »
Quote from: "gordonr"

The most obvious one is helo spoofing. We reject any mail which says "HELO a.b.c.d" where a.b.c.d is your external IP address. I get a lot of that every day. We also allow postmaster@[a.b.c.d] as required by the RFC.


Hmm, any way this could still be available to the SME box (perhaps via a db entry that holds the static public IP)? If so I will add an NFR to the SME 7.0 bugtracker.

If this needs any further detailed discussion I'll open a new thread.

Cheers
..................

gordonr (http://www.smeserver.com.au/)
« Reply #13 on: August 04, 2006, 06:34:42 AM »
Quote from: "smeghead"

Hmm, any way this could still be available to the SME box (perhaps via a db entry that holds the static public IP)? If so I will add an NFR to the SME 7.0 bugtracker.

Yes, NFR please. Thanks.
............

arne
« Reply #14 on: August 04, 2006, 09:49:09 AM »
Quote
Arne,

You have said many times that you use your own firewalling scripts and enjoy doing so. That's fine, and your choice. But since these don't exist in the standard configuration, it's somewhat irrelevant. If the base firewalling needs to be improved, raise a bug. If your scripts are better, raise a bug so we can compare. Otherwise, they remain your setup and your scripts.

This thread is about comparing the SME Server firewall and the D-Link firewall. Could we please stay on-topic? Thanks.


I would say that it is not off-topic. If you use a D-Link or any standard nat router, I will say it is a quite natural thing to apply an iptables script on the server-only installation, as there initially is no firewall at all. I would see it this way: To use the sme server in server-only mode will by default involve applying a firewall script, as there is no firewall at all by the default original design. (And that's a very good thing!)

As I would see it, the design of a firewall for a server-gateway and the design of a firewall for a server-only installation are two quite different things. To design some firewall functionality for a server-only installation to be used together with a standard nat router is much easier.

(Reason: there are only two traffic directions that have to be controlled, in and out, not in-out server (local processes) and in-out lan as for a gateway server.)

I do not completely agree that (linux) firewalls can be compared at all. It's more a question like "Do you like the coffee with milk or sugar?". If you compare two linux firewalls you will always have the full freedom to transfer rules from firewall A to firewall B, so you get the exact design as you like it. You can actually add sugar and milk as you want for your own taste.

Firewall scripts for gateways will normally contain some parts where users that are not familiar with Linux firewalling will very easily make mistakes if they try to modify them. Firewall scripts for a server-only installation with no gateway function, on the other hand, can be made so easy to read that anybody can modify them.

Why not set up a thread on the forum about modifications, with some examples and some discussion about a firewall script for the server-only installation? I'm on vacation now, but I'm wondering if I could / should do that when I come home .. (so I first can do some testing.)

By the way, one main reason that I use the server-only alternative in my home is that my isp delivers an adsl connection with only one alternative, a nat router. (Well, I have modified it to run in bridge mode as well, but that's a hack.) I think that there are a lot of users that do not have the alternative to receive the external ip on the sme box at all.
......
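As an added example covering the "double firewall" that arne describes in Replies #3, #8 and #14 (a server-only box behind a NAT router, with its own iptables script doing rate and burst filtering on the INPUT chain), here is a hypothetical script of that shape. It is not SME Server's own firewall and not arne's script. Its assumptions are not from the thread: the LAN is 192.168.1.0/24, the router forwards TCP 22 (ssh), 25 (smtp) and 80 (http) to this host, and setting DRY_RUN=1 prints the iptables command lines instead of applying them, so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added example: a hypothetical iptables script for an SME Server running in
# server-only mode behind a NAT router, in the spirit of arne's "double
# firewall". Not SME Server's own firewall and not arne's script.
# Assumptions (constructed, not from the thread): LAN 192.168.1.0/24; the
# router forwards TCP 22, 25 and 80 to this host; DRY_RUN=1 prints rules
# instead of applying them (no root and no iptables binary needed).

LAN_NET="${LAN_NET:-192.168.1.0/24}"
FORWARDED_TCP="${FORWARDED_TCP:-22 25 80}"
DRY_RUN="${DRY_RUN:-0}"

# ipt: run iptables, or print the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables'
        printf ' %s' "$@"
        printf '\n'
    else
        iptables "$@"
    fi
}

# build_rules: a server-only box has only two directions to police, traffic
# into and out of its own processes, so only INPUT carries rules. FORWARD is
# dropped outright because this host never routes for the LAN.
build_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -s "$LAN_NET" -j ACCEPT

    # Rate and burst limit on NEW ssh connections. The limit match is a token
    # bucket refilled at 3 per minute and holding at most 5 tokens; a new
    # connection that finds no token falls through to the DROP below.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 3/min --limit-burst 5 -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

    # The other forwarded ports: opened here because the router already
    # exposes them, and a plain forward on the router filters nothing.
    for port in $FORWARDED_TCP; do
        if [ "$port" != "22" ]; then
            ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        fi
    done

    # Answer pings, but not floods of them.
    ipt -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/s --limit-burst 10 -j ACCEPT

    # Log (rate limited, so the log itself cannot be flooded) and drop the rest.
    ipt -A INPUT -m limit --limit 10/min -j LOG --log-prefix "server-only drop: "
    ipt -A INPUT -j DROP
}

# rule_count: number of iptables invocations build_rules makes.
rule_count() {
    ( DRY_RUN=1; build_rules ) | wc -l | tr -d ' '
}

# limited_rule_count: how many of those invocations carry a rate/burst limit.
limited_rule_count() {
    ( DRY_RUN=1; build_rules ) | grep -c -- '--limit '
}

# Usage (as root): ./server-only-fw.sh apply
# Preview only:    DRY_RUN=1 ./server-only-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Because every forwarded port is listed explicitly and everything else on INPUT ends in the logged DROP, the script gives the "precise picture of what is allowed in" that arne values, while the limit rules add the rate and burst filtering that a plain port forward on the router cannot provide. Changing the forwarded set is a matter of editing FORWARDED_TCP, which keeps the script readable for someone who is not a Linux firewalling specialist.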