Koozali.org: home of the SME Server

Deny Ports for outgoing traffic

Offline shell

Re: Deny Ports for outgoing traffic
« Reply #15 on: October 19, 2007, 02:23:48 AM »
Hi Arne,

Doesn't the SME solution mentioned above your post allow exactly what you are talking about - ability to block all ports outgoing (except mail). 

http://wiki.contribs.org/SME_Server:Documentation:FAQ#Firewall.2FPort_Forwarding.2COpening.2CBlocking

At least that is the way that I read it.  I have read a number of your posts now, and this seems to be a recurring theme / focus for you.  The issue I guess is that for any solution to be adopted it does need to fit in with the SME structure to ensure updating doesn't adversely affect (or simply remove) customisations. 

You are right in respect to the difficulty of blocking some applications by port number (although research generally identifies a range to block that is effective).  SME has always considered internal generated traffic as safe (correct me if this generalisation is too broad, those with more experience).  In most cases this is secure enough, although hardware and other firewalls are recommended if security is a priority.

The solution given above does all you have discussed - kudos to the team, this community is alive and kicking!  8) - (and the rest of us have from time to time identified as troublesome) with the exception that it is a console based solution.

I think the project now needing encouraging and input (and possibly funding!) would be a server-manager interface for this excellent fix to a community identified need, although this really would be the icing on the cake.

Offline raem

Re: Deny Ports for outgoing traffic
« Reply #16 on: October 19, 2007, 09:26:52 AM »
shell (& arne)

Quote
The solution given above does all you have discussed .... with the exception that it is a console based solution.
I think the project now needing encouraging and input (and possibly funding!) would be a server-manager interface for this excellent fix to a community identified need, although this really would be the icing on the cake.

As I understand it, developers' time & effort is given to the tasks with a higher priority.
Developing a server manager GUI panel for seldom used settings that can quite easily & quickly be done with db commands is probably a poor use of limited resources.
The other aspect to consider is that as the sme server (ie the server manager) is aimed at non technical administrators, then having technically complex settings available in a server manager panel will reduce the ease of use and potentially reduce security (due to possible incorrect usage).
It's therefore better for a number of reasons to leave some settings out of the GUI server manager, and only have them managed by db commands, rather than ever put them into a server manager panel.
...

Offline arne

Re: Deny Ports for outgoing traffic
« Reply #17 on: October 19, 2007, 11:02:15 AM »
Shell ->

Quote
Doesn't the SME solution mentioned above your post allow exactly what you are talking about - ability to block all ports outgoing (except mail).

The thing is that when it comes to Linux firewalling "outgoing" can mean two completely different kinds of "outgoing traffic": it can be "outgoing" from the internal server processes and it can be "outgoing" from the LAN network segment.

When I read from the guide:

"I want to block outgoing traffic from my server." I read that as: "I want to block the outgoing traffic from the internal processes on my server." (A little bit above in the same guide they talk about opening ports and then it is reasonably clear that it is a question of opening ports into the internal processes running on the server.)

When on the other hand I look into the text of the modification I find the following:

$OUT .= " /sbin/iptables --table nat --append $pf_chain \\\n";

It's still a bit unclear, but it might be you are right. Table Output is basically doing the outgoing filtering from the server while table Forward is basically doing the firewalling out from LAN. Table nat in this case should indicate something that has to do with the nat mechanism which eventually should mean the traffic out from LAN.

I will try to look into it and also test it out.
......
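The two meanings of "outgoing" that arne separates map onto two different chains of the netfilter filter table: OUTPUT sees packets generated by the server's own processes, FORWARD sees packets routed through the server from the LAN. The script below is an added example, not code from this thread or from the SME Server firewall templates; it only prints the iptables commands for each scope (it does not load them), and the port numbers, the "keep mail allowed" list and the plain chain names (rather than SME's own `$pf_chain`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: print iptables rules that block outgoing TCP ports for
# one traffic scope. Nothing here is executed against the running firewall.
#
#   $1  scope: "server" -> traffic from the server's own processes
#                          (filter table, OUTPUT chain)
#              "lan"    -> traffic from LAN hosts routed out through
#                          the server (filter table, FORWARD chain)
#   $2  TCP ports to block, space separated, or the word "all"
#   $3  optional TCP ports to keep allowed, space separated (e.g. 25
#       for mail); these are emitted first so they match before DROP
emit_block_rules() {
    scope=$1; block=$2; allow=${3:-}
    case $scope in
        server) chain=OUTPUT ;;
        lan)    chain=FORWARD ;;
        *) echo "unknown scope: $scope (use server or lan)" >&2; return 1 ;;
    esac
    # Exceptions first: rules are evaluated in order, first match wins.
    for p in $allow; do
        printf '/sbin/iptables -t filter -A %s -p tcp --dport %s -j ACCEPT\n' \
            "$chain" "$p"
    done
    if [ "$block" = all ]; then
        # "Block everything outgoing except the allowed ports above."
        printf '/sbin/iptables -t filter -A %s -p tcp -j DROP\n' "$chain"
    else
        for p in $block; do
            printf '/sbin/iptables -t filter -A %s -p tcp --dport %s -j DROP\n' \
                "$chain" "$p"
        done
    fi
}

# Usage when run directly: LAN clients may only reach port 25 (constructed
# example), while the server itself is only stopped from reaching 6667.
if [ "${1:-}" = "demo" ]; then
    emit_block_rules lan all 25
    emit_block_rules server 6667
fi
```

The difference is visible in the output: the same policy lands in FORWARD for the LAN case and in OUTPUT for the server case, which is exactly the distinction that the wording "block outgoing traffic from my server" leaves open.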

Offline raem

Re: Deny Ports for outgoing traffic
« Reply #18 on: February 23, 2008, 04:59:37 AM »
To All

The location of the sme solution mentioned in this thread has changed from the FAQ to the Firewall page

http://wiki.contribs.org/Firewall#Block_outgoing_ports

...