Koozali.org: home of the SME Server

Dumb Setup Question - Remote Administration

Offline pfloor

Dumb Setup Question - Remote Administration
« Reply #15 on: December 21, 2006, 06:27:29 PM »
Okay.
I see three basic scenarios here - with one constant.

The constant being: I WILL NOT remove my Firewall/Router

I used to think this way myself... You too will come around some day.

A. Put the box in S/G Mode and attempt to negotiate two gateways. (this outta be fun)
You don't need to negotiate 2 gateways.  Just don't hook anything to the internal interface.  You need the server in S/G mode because it is not safe in S/O mode behind a DMZ.  You have to have 2 NICs installed to get the server in S/G mode.

Maybe you don't understand what a DMZ is.  It stands for De-Militarized Zone.  The DMZ is NOT firewalled and it may allow traffic to the SME box that it can't properly handle if it is in S/O mode.  Putting a computer on the DMZ is just like hooking it directly to the internet and we all know how well that works.

B. Periodically reconfigure & jack a workstation (Laptop?) in the DMZ - for the sole purpose of administering the server.
This would be a waste of time.  The workstation in the DMZ would become infected within minutes of being hooked up.  Again, there is no firewall there.

After you put SME in S/G mode, hook a workstation to the internal interface and administer the server from there.  This would protect the workstation.
C. Park the server on the "inside" - - which defeats the purpose of having a DMZ.
Like I said earlier, you will see the benefit of just hooking the server directly to the web.  It will replace your router and make life much easier.  You don't need the router or the DMZ, SME will do all of it for you.

Whatever you do just remember one thing.  SME in S/O mode is not properly protected and needs to be behind a proper firewall.  A DMZ is not a proper firewall.
In life, you must either "Push, Pull or Get out of the way!"

Offline bpivk

Dumb Setup Question - Remote Administration
« Reply #16 on: December 21, 2006, 06:56:49 PM »
I agree with pfloor.

I use it like that:

Modem ====> Server =====> Hub (for LAN network)
                                 |
                                 |
                                   =====> (Router for Wlan)
"It should just work" if it doesn't report it. Thanks!

Offline psoren

Dumb Setup Question - Remote Administration
« Reply #17 on: December 21, 2006, 08:01:27 PM »
Quote from: "oldphart"
- - which defeats the purpose of having a DMZ.


The purpose of a DMZ is not having a server with Samba file sharing and stuff like that, but a server running just a mail server or web server and NO other unnecessary services which could be used to break in with.

The SME server is a very good and secure router/firewall option. But in server mode it is like an open book. So you need another good router/firewall before it.

Many people run their server this way:

Internet-----router/firewall------SME server in server/gateway mode-----LAN.

I believe that is a good and safe way to do it. Double firewall (If the router is a good one).

Per

Offline bpivk

Dumb Setup Question - Remote Administration
« Reply #18 on: December 21, 2006, 08:08:36 PM »
Quote from: "psoren"
Double firewall (If the router is a good one).


And if your router gives a s**t when you set him to do something. :)

My (Belkin WLAN) router was set to forward port 80 to my SME box and he didn't do it. When you typed your IP he would open his setup panel (even after I checked the option to disable this panel for WAN).

So some of us are forced to use double firewall because of dumb routers.  :D
"It should just work" if it doesn't report it. Thanks!

Offline psoren

Dumb Setup Question - Remote Administration
« Reply #19 on: December 21, 2006, 11:36:52 PM »
Quote from: "bpivk"
Quote from: "psoren"
Double firewall (If the router is a good one).


And if your router gives a s**t when you set him to do something. :)

My (Belkin WLAN) router was set to forward port 80 to my SME box and he didn't do it. When you typed your IP he would open his setup panel (even after I checked the option to disable this panel for WAN).

So some of us are forced to use double firewall because of dumb routers.  :D


Hmm... Can you not tell your router to use a different port than 80 for the setup page? Maybe that would do the trick.

per

Offline bpivk

Dumb Setup Question - Remote Administration
« Reply #20 on: December 21, 2006, 11:57:42 PM »
I can't. I have an option to disable it but it doesn't matter if it's off or on. It works in both cases. :D

But I have resolved my issue. I don't use Belkin products and I use this router as a WLAN access point only. SME helped me with that :)
"It should just work" if it doesn't report it. Thanks!

Offline mercyh

Dumb Setup Question - Remote Administration
« Reply #21 on: December 27, 2006, 06:02:13 PM »
oldphart,

Is there some reason this wouldn't work??

WEB>>>>Router (Eth2)
v
Router (Eth1 DMZ 10.0.0.1)>>SME server ( WAN IP 10.0.0.11)--LAN IP (192.168.1.XX)
v....................................................................................................v
Router (Eth0 LAN)>>>>>>>>>>>>>>LAN connection (192.168.1.X subnet)

Connect as above with SME in server-gateway mode (two NICs). Assign an IP to the LAN NIC of 192.168.1.x and connect to your internal LAN. You can then do administration from any machine on the LAN. You would need to be sure that the DHCP server was turned off for the inside as that function is already taken care of by your current setup.

This creates two gateways to your network but I don't really think that is a problem as you would not have SME set as the gateway on your clients.

Offline bpivk

Dumb Setup Question - Remote Administration
« Reply #22 on: December 27, 2006, 08:14:35 PM »
This could be a problem if both gateways assign IPs from the same pool.

I had this problem when I forgot to switch off the DHCP function of my router when I connected my SME to it.
"It should just work" if it doesn't report it. Thanks!

Offline mercyh

Dumb Setup Question - Remote Administration
« Reply #23 on: December 27, 2006, 08:16:49 PM »
Quote
You would need to be sure that DHCP server was turned off for the inside as that function is already taken care of by your current setup.


The DHCP server MUST be turned off for the LAN on the SME server
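
The problem bpivk describes above (two gateways handing out leases from the same pool) shows up in the DHCP transaction log as DHCPOFFERs from more than one server on the same subnet. The script below is an added example, not code from the thread or from SME Server; it parses dhclient-style log lines (the sample lines are constructed, as are the addresses) and reports every subnet that has more than one DHCP server answering.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in dhclient syslog style (not real captures): the router at
# 192.168.1.1 and a gateway at 192.168.1.2 both answer the same DISCOVER.
SAMPLE_LOG = """\
Dec 27 20:10:01 ws1 dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67
Dec 27 20:10:01 ws1 dhclient: DHCPOFFER of 192.168.1.50 from 192.168.1.1
Dec 27 20:10:01 ws1 dhclient: DHCPOFFER of 192.168.1.51 from 192.168.1.2
Dec 27 20:10:02 ws2 dhclient: DHCPOFFER of 192.168.1.60 from 192.168.1.1
Dec 27 20:10:02 ws2 dhclient: DHCPACK of 192.168.1.60 from 192.168.1.1
"""

OFFER_RE = re.compile(r"DHCPOFFER of (\d+\.\d+\.\d+\.\d+) from (\d+\.\d+\.\d+\.\d+)")


def parse_offers(log_text):
    """Return (offered_ip, server_ip) pairs for every DHCPOFFER line; other lines are ignored."""
    offers = []
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            offers.append((ip_address(m.group(1)), ip_address(m.group(2))))
    return offers


def find_competing_servers(offers, site_subnets):
    """Map each known subnet to the distinct servers offering leases inside it.

    Only subnets with more than one server are returned, because that is the
    "two gateways, one pool" situation; a single server per subnet is normal.
    Result: {"subnet/prefix": ["server_ip", ...]} with servers sorted numerically.
    """
    nets = [ip_network(s) for s in site_subnets]
    servers_by_net = defaultdict(set)
    for offered, server in offers:
        for net in nets:
            if offered in net:
                servers_by_net[net].add(server)
    return {str(net): [str(s) for s in sorted(srv)]
            for net, srv in servers_by_net.items() if len(srv) > 1}


if __name__ == "__main__":
    conflicts = find_competing_servers(parse_offers(SAMPLE_LOG), ["192.168.1.0/24"])
    for subnet, servers in conflicts.items():
        print(f"{subnet}: {len(servers)} DHCP servers answering: {', '.join(servers)}")
```

Run it against a real client log only after switching off DHCP on the SME LAN side; if the subnet still appears in the output, another device on the LAN is also serving leases.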

Offline meanpenguin

Dumb Setup Question - Remote Administration
« Reply #24 on: December 27, 2006, 08:29:01 PM »
oldphart,

Maybe it would help if you
  1.  explain why you want the SME in a DMZ
  2.  along with a description of other servers / functions
  3.  what router you are using - one with the DMZ port

and the community can give you a better architecture.
The way we are progressing here doesn't make sense.
I have NOT found too many cases where you would really need a server in the DMZ.

ed

oldphart

Dumb Setup Question - Remote Administration
« Reply #25 on: December 28, 2006, 12:51:40 AM »
Found the solution.....A different firewall/router product.

The new/current (working just fine) architecture:

eth0 (Internal LAN)
Addr: 192.168.1.1 Mask: 255.255.255.0

eth1 (My DMZ's NIC)
Addr: 10.0.0.1 Mask: 255.255.255.0

eth2 (My connection to the outside world)
Addr: xxx.xxx.xxx.xxx Mask: 255.255.252.0


Or, if you prefer a (shamelessly plagiarized) graphic


WEB--->Router (Eth2)
          v
Router (Eth1 DMZ)--->SME server (IP 10.0.0.11)
          v
Router (Eth0 LAN)--->LAN connection (192.168.1.X subnet)


I've set up the server on
Addr: 10.0.0.11 Mask: 255.255.255.0 GW: 10.0.0.1 (The DMZ's NIC)


The issue(s):
1. (Almost) Everybody who responded loudly protested that my DMZ is exposed, and that the SME Server should be in Server/Gateway Mode.

2. Cable Internet Service provider blocking inbound ports 80 & 25.
(not blocking outbound 25 for some weird reason)

3. I've always been taught that Good Network Design(tm) means that
you place boxes that are (even minimally) public-facing behind the public IP and into a DMZ.  I see no reason to violate that.

 
The requirements:
Just a private mail server......w/moderately easy configuration.
No added bells/whistles needed, thanks.



The firewall/router solution:
Smoothwall (smoothwall.org)

I've run every penetration and open relay test I can find over the past three days.

No Open Relay (didn't really expect it, but.....)

No penetration.  
NOTHING that is un-invited gets past the outside NIC.

SUCCESS !
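
The three-zone layout oldphart ends up with (LAN on eth0, DMZ on eth1, WAN on eth2, SME at 10.0.0.11 routing through the firewall's DMZ NIC) is easy to get subtly wrong when retyped into a firewall, so here is an added sanity check that is not part of the thread or of Smoothwall/SME. It encodes the addresses from the post (the public address is replaced by a TEST-NET placeholder, since the post masks it) and flags overlapping zones, a server that is not actually on the DMZ subnet, or a gateway that is not the firewall's DMZ interface.

```python
from ipaddress import ip_address, ip_interface

# Firewall interfaces as described in the post (netmask notation is accepted by ipaddress).
# 203.0.113.10 is a documentation placeholder standing in for the masked xxx.xxx.xxx.xxx.
FIREWALL = {
    "eth0": {"role": "lan", "addr": "192.168.1.1/255.255.255.0"},
    "eth1": {"role": "dmz", "addr": "10.0.0.1/255.255.255.0"},
    "eth2": {"role": "wan", "addr": "203.0.113.10/255.255.252.0"},
}
# The SME box in the DMZ, as configured in the post.
SME = {"addr": "10.0.0.11/255.255.255.0", "gw": "10.0.0.1"}


def check_layout(firewall, server):
    """Return a list of findings (empty means the layout is consistent)."""
    findings = []
    ifaces = {name: ip_interface(cfg["addr"]) for name, cfg in firewall.items()}

    # 1. The three zones must be disjoint subnets, or routing between them is ambiguous.
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"{a} and {b} overlap ({ifaces[a].network} / {ifaces[b].network})")

    # 2. The server must sit on the DMZ subnet, not on the LAN or WAN side.
    dmz_name = next(n for n, c in firewall.items() if c["role"] == "dmz")
    dmz = ifaces[dmz_name]
    srv = ip_interface(server["addr"])
    gw = ip_address(server["gw"])
    if srv.network != dmz.network:
        findings.append(f"server {srv.ip} is on {srv.network}, not the DMZ {dmz.network}")

    # 3. Its default gateway must be the firewall's DMZ NIC, so all traffic is filtered.
    if gw != dmz.ip:
        findings.append(f"server gateway {gw} is not the firewall DMZ address {dmz.ip}")
    if srv.ip == gw or srv.ip == dmz.ip:
        findings.append(f"server address {srv.ip} collides with the firewall")
    return findings


if __name__ == "__main__":
    for f in check_layout(FIREWALL, SME) or ["layout consistent"]:
        print(f)
```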