Topic: Using SME 7.1 as a firewall, how to block open ports?

[zi4]

hi all,
Maybe one of you know which is the correct way to deny access from the Internet to an open port?

I installed my first SME as follows, in Server/gateway mode:

Code: [Select]

    [ PPPoE modem ]
             |
             |/-------eth1 (ppp0)
          [ SME 7.1 ]
             |\-------eth0
             |
  [ internal network ] (1 hub, 2 Windows users)

I know, mail+web services and specially samba file shares should not run on a firewall, but I have no other router and want to use this old PC as a firewall, and to test some features of SME, locally only.
So, mainly to learn how to do it, I've set up a local mail server on this SME box, which should not be accessible from internet.  I was amazed how easy it was to setup!  Then checked for open ports with a remote port scanner and ... Ooops - the mail server is listening to the whole internet on port 25...:

Testing port 25: Port open - lets see if we can talk....
220 mydomain.local ESMTP
550 Sorry, I don't believe that you are  xxx.180.21.yyy.

Checking for a open Windows share....
Testing port 136: Connection timed out....
Testing port 137: Connection refused....
Testing port 138: Connection refused....

So I want to close ports 25, 137-139 and 465 (=smtps) to the internet (ppp0), or should I DROP all ports and allow only the ident port (tcp 113). (?)
I had some experience with iptables, but not sure which is the correct way to edit/create a custom templates.  I suppose I need to create:
 

Code: [Select]

  mcedit /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90local_chk01
Then add rules like this:

Code: [Select]

/sbin/iptables --in-interface $NEW_PPPconn  --replace INPUT --destport 25  -j denylog


I found this in the SME FAQ:

Code: [Select]

 config set manta service access public status enabled TCPPort nnn
  config setprop manta ~AllowHosts 1.2.3.4,10.11.12.0/24
  config setprop manta ~DenyHosts 16.17.18.18
  signal-event remoteaccess-update
but could not find any post on how to block an existing open port. Would the following work?

Code: [Select]

config setprop  smtp  ~AllowHosts 192.168.1.0/24
 config setprop  smtp  ~DenyHosts 0.0.0.0
  signal-event remoteaccess-update
for now, I just entered manually:

Code: [Select]


/sbin/iptables -I InboundTCP_16348  --proto tcp --dport smtp -j denylog
/sbin/iptables -I InboundTCP_16348  --proto tcp --dport smtps -j denylog
 This works -- until next reboot...

Any advice for a better way would be appreciated!  I'm also unsure if this post should move to the bug tracker...

Stefan

[meanpenguin]

Hi zi4,

I understand your concern.  
But the SME server was designed to be secure.
I would not be too concerned about the two open ports, 25 and 80.
There are thousands of servers operating in this mode with no reported breaches (with up to date patches, base install).

It will work well just as a firewall.

Ed

[judgej]

I *think* if you configure the server as 'Firewall and private server' then it does not open any external ports.

But at the end of the day, it is designed to be a mail and web server, and that is why the mail and web ports are open. If they weren't, then it would not be able to operate as a mail and web server.

You can also turn these ports off at a higher level through the admin screen, by disabling public access to i-bays, and setting mail fetching to POP3-only, etc. But if you want to messa round with IP tables and suchlike, then it would be best to use a different server. This one just does 'the right thing' out of the box and is as secure as you are going to get.

-- JJ

[raem]

zi4
> Any advice for a better way would be appreciated!  

Well do you prefer to do things the hard way or rather choose the easy way ?

Reiterating what judgej said, it sounds like you probably want Private server mode which allows you to access the Internet from your LAN but you don't exist as far as access from the external Internet is concerned, no-one can see your server as all incoming ports are closed.
Logon as admin & run the Configure this server option and select Private server mode.

Rarely do you need to mess around directly with iptables rules etc as there are selectable options or db commands or server manager settings that will put into effect what you want (including opening & closing ports in the firewall & enabling & disabling services), you just have to make & select the correct choices.
 
The command line is always there to allow override when needed.

PS Have you read the manual as the server modes are explained there.

[raem]

zi4

> I know, mail+web services and specially samba file shares should not run on a firewall

That's what sme server does do and it does it very well and securely, by design.
Many people have that false belief that firewalls & servers can't be in the same box, but in 7 years of using sme I've never heard of a firewall breech.
Bad code on web servers sites (eg php vulnerabilities) can allow hackers in, but that would happen anyway even if you were behind a standalone firewall.

The conclusion that a firewall & email & web & samba server cannot securely coexist on the same box is incorrect, sme has proven that to be false.

[bpivk]

But at the end of the day, it is designed to be a mail and web server, and that is why the mail and web ports are open. If they weren't, then it would not be able to operate as a mail and web server.

This is true. But if you have a program that uses this port then hackers can't use it. The only problem would be if you would open port 80 and you wouldn't have any program that uses it. Then hackers could use that open port. But if you do have a program that uses a port than you have no problems.