Koozali.org: home of the SME Server

SME firewall -vs- D-link router firewall?

gordonr (http://www.smeserver.com.au/)
SME firewall -vs- D-link router firewall?
« Reply #15 on: August 04, 2006, 10:16:53 AM »
Quote from: "arne"

I would say that it is not off-topic


You appear to have missed my point which was that this thread is a comparison of the merits of using a D-Link home router in front of an SME Server versus simply using the SME Server in server-gateway mode directly connected to the Internet.

There are endless things you can do to change the SME Server, including adding additional firewall scripts. But they do not exist in a standard installation and so they are not a choice most people have. A very small subset of the community has the skills to write a firewall script and we do not expect people to have such skills.

That's why server-gateway mode exists and I will state once again that I firmly believe that server-gateway is better than a home router plus server-only.

Quote from: "arne"

Why not set up a thread on the forum about modifications with some examples and some discussion about a firewall script for the server-only installation?


I've asked quite a few times that you raise this in the bug tracker so we can discuss it there. The bug tracker provides the ability to attach versions of the scripts for comment and potential inclusion in releases - the forums do not. You have talked about your firewall scripts - attach them to the bug tracker entry for discussion.

The forums are not the best place to discuss critical code such as firewalling scripts. The forums provide no version control history, no method to "obsolete" attachments and no upgrade path for posted scripts. There is a very real danger that people will simply copy code from the forums and assume that it is correct. If a bug is found, what then?

Quote from: "arne"

By the way, one main reason that I use the server-only alternative in my home is that my ISP delivers an ADSL connection with only one alternative, a NAT router. (Well, I have modified it to run in bridge mode as well, but that's a hack.) I think that there are a lot of users who do not have the alternative of receiving the external IP on the SME box at all.


And one way to deal with that problem is to have a configuration setting which lets the server know the pre-NAT IP address. Then you could use the SME Server in server-gateway mode behind your NAT router. And better still would be to automatically determine what the pre-NAT address is by querying some external box which can tell you what they see as your source address.
............
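The pre-NAT address detection gordonr describes above, worked through as an added shell example (this is not SME Server code and not a script any poster attached): `classify_nat` compares the address on the box's external interface with the address an outside echo service reports seeing, and decides whether the box is directly connected, behind a NAT router whose public address is usable, or behind an ISP-side (carrier-grade) NAT where no usable pre-NAT address exists. `observed_address` holds the only network call; the echo service URL is a placeholder you must supply, and the sample addresses used for trying it out are constructed.

```shell
#!/bin/sh
# Added example (not SME Server code): decide what is in front of this box by
# comparing the address on the external interface with the address an outside
# echo service reports seeing. Inputs are plain IPv4 strings; classify_nat
# needs no network access, so it can be tried with constructed addresses.

# RFC 1918 (10/8, 172.16/12, 192.168/16) and RFC 6598 shared space (100.64/10).
# Seeing one of these on the *outside* of a NAT means another NAT sits upstream.
is_private_v4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_nat <address on external interface> <address seen from outside>
# Prints one of:
#   direct   - same address both sides: no NAT, server-gateway mode works as-is
#   nat      - private inside, public outside: the second address is the
#              pre-NAT address to record in the server's configuration
#   cgnat    - the outside address is itself private: the ISP NATs as well,
#              so no stable pre-NAT address can be learned this way
#   mismatch - public inside but a different public address outside
#              (1:1 NAT, transparent proxy, or a stale answer): investigate
classify_nat() {
  inside="$1"; outside="$2"
  if [ "$inside" = "$outside" ]; then echo direct; return 0; fi
  if is_private_v4 "$outside"; then echo cgnat; return 0; fi
  if is_private_v4 "$inside"; then echo nat; return 0; fi
  echo mismatch
}

# pre_nat_address <inside> <outside>: prints the address to configure, or
# prints nothing and exits 1 when there is no single usable pre-NAT address.
pre_nat_address() {
  case "$(classify_nat "$1" "$2")" in
    direct) echo "$1" ;;
    nat)    echo "$2" ;;
    *)      return 1 ;;
  esac
}

# The network part, kept separate so the logic above stays testable offline.
# ECHO_URL is a placeholder (assumption): point it at a service you control
# that returns the client's source address as plain text over HTTP.
observed_address() {
  curl -fsS --max-time 5 "${ECHO_URL:?set ECHO_URL to an address-echo service}"
}

# Usage on a live box (assumed external interface name eth0):
#   inside=$(ip -4 -o addr show dev eth0 | awk '{print $4}' | cut -d/ -f1)
#   classify_nat "$inside" "$(observed_address)"
#   pre_nat_address "$inside" "$(observed_address)"
```

Treat the answer as a hint, not a fact: the echo service only tells you the address of the last NAT before it, and a cached or proxied HTTP response can report the wrong one, which is why `mismatch` is reported rather than guessed away. Re-check periodically if the ISP hands out dynamic addresses.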

smeusr
SME firewall -vs- D-link router firewall?
« Reply #16 on: August 04, 2006, 10:33:16 AM »
I'm very interested in this firewall discussion. I don't normally read the bug tracker for server configuration discussions. How do we put the discussion out there so that others can readily see it, participate and learn?

Btw, I run a wireless NAT router with gateway-server mode. I connect into my internal SME network via OpenVPN. Yep, I'm paranoid. Small inconvenience for added security.

gordonr (http://www.smeserver.com.au/)
SME firewall -vs- D-link router firewall?
« Reply #17 on: August 04, 2006, 10:40:10 AM »
Quote from: "smeusr"
I'm very interested in this firewall discussion. I don't normally read the bug tracker for server configuration discussions. How do we put the discussion out there so that others can readily see it, participate and learn?


The bug tracker is not the place for configuration discussions. But it is the place for new feature requests. And it is the way in which things make it into future releases once either a developer gets an itch to implement it or someone pays them to do so.

There are a number of issues here, but they boil down to "What additional features might be required?" and "Who is going to implement them or pay for their implementation?".

Discussion is fine - let's decide what needs to be implemented. But that needs to be backed with someone writing the code. Arne has suggestions - let's see the code.
............

arne
SME firewall -vs- D-link router firewall?
« Reply #18 on: August 04, 2006, 02:52:02 PM »
Quote
The bug tracker is not the place for configuration discussions. But it is the place for new feature requests.


I would consider applying a firewall script to a server-only installation to be nothing more than a minor configuration issue. The firewall is already there and it is just a question of activating it.

When the alternative is either no (activated) firewall at all or some firewalling capability, it does not need to be that complicated to give some improvement.

I will try to set up some more or less easy suggestions in the relatively near future. Then users can suggest changes or improvements, if they want.

One very interesting problem that is mentioned above is the problems related to running a wireless network on the LAN. This might be a bit of a security issue. To modify the SME server with a third network adapter for the wireless LAN will not be a very easy modification, I believe (but of course it could be done).

Quote
And one way to deal with that problem is to have a configuration setting which lets the server know the pre-NAT IP address. Then you could use the SME Server in server-gateway mode behind your NAT router.


If you do it like that, you could also solve some basic security issues related to running a wireless LAN, if you connect the wireless access point to a less secure zone (DMZ) between your first NAT router and the SME gateway, and then leave the inner zone behind the SME server as a safe zone accessible only via local cabling.
......
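A minimal version of the kind of script arne is proposing for a server-only box, as an added shell example (this is not SME Server code and not a script any poster attached): `ruleset` emits an iptables-restore ruleset that sets the INPUT policy to DROP and admits only listed TCP ports, and `accept_rule_for_port` lets you check what a given port would be allowed from before loading anything. The interface name, LAN range and port lists are assumptions set through environment variables. The split between LAN-only and publicly reachable ports matters in exactly the setup discussed here: a port the NAT router forwards from the Internet arrives with the remote client's source address, not a LAN address, so restricting it to the LAN range would silently break the forward.

```shell
#!/bin/sh
# Added example, not SME Server code. Generates (does not apply) an IPv4
# iptables-restore ruleset for a server-only host sitting behind a NAT router.
# Assumed settings, override via environment:
LAN_IF="${LAN_IF:-eth0}"                  # the single interface, on the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # addresses allowed to reach LAN-only services
LAN_ONLY_TCP="${LAN_ONLY_TCP:-22 80 443}" # reachable from the LAN only
PUBLIC_TCP="${PUBLIC_TCP:-25}"            # forwarded by the router from the Internet
LOG_RATE="${LOG_RATE:-5/min}"             # cap on dropped-packet log lines

ruleset() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'       # default deny: anything not listed below is dropped
  echo ':FORWARD DROP [0:0]'     # a server-only box routes nothing
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # Ping from the LAN only, so the box stays quiet towards the router's WAN side.
  echo "-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT"
  for p in $LAN_ONLY_TCP; do
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Forwarded ports carry the Internet client's source address, so no -s match here.
  for p in $PUBLIC_TCP; do
    echo "-A INPUT -i $LAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Log what falls through to the DROP policy, rate-limited so a scan cannot fill the disk.
  echo "-A INPUT -m limit --limit $LOG_RATE -j LOG --log-prefix \"fw-drop: \""
  echo 'COMMIT'
}

# accept_rule_for_port <tcp port>: prints the rule admitting new connections to
# that port, or prints nothing and exits 1 when the port is closed.
accept_rule_for_port() {
  ruleset | grep -- "-p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT"
}

# Applying it on a live box: load atomically, then read the live table back so
# a typo in the generated rules shows up immediately rather than at next boot.
#   ruleset | iptables-restore && iptables -S INPUT
```

Two caveats a practitioner will want: this covers IPv4 only, so ip6tables needs its own equivalent (or a policy of DROP if the LAN carries no IPv6), and the rules live only in the kernel, so they must be re-loaded at boot by whatever init mechanism the distribution uses, otherwise the box comes back up unfiltered.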

arne