Topic: Perfect Firewall HowTO

[supersonico]

The idea of this thread is to make a How To for the "Perfect Firewall" configuration in sme-server.

All the problems related to : MSN, ICQ, P2P, Mail etc, can be solved easily by doing this steps.

1- Block outgoing traffic from internal network to Internet.
1.1- grant access to the SME-Server to the local network.
2- Make a list of the privileged mac/ip that need all the ports open (eg VoIP, Skype, Boss computer).
3- Make a list of the general services that can be accessed from Internet (web, smtp, 80, 443, ICMP, etc).
3,1- Establish a proxy that solves the web surfing.
3.2- Establish a proxy for mail.
4- Open the ports that are necessarily to day- to day working according to the terms 2, 3 above.

I´ve been working with this configuration that is so easy to setup on several IPcop machines with http://www.blockouttraffic.de/, and others with FreeBSD and ipfw for more than five years .

And is so effective, believe me I have three years with No viruses, No P2P, No Chat from internet, the only problems are with the USB memory sticks.

Now I'm trying to setup SME-servers to reduct machinery (electrical problems are coming) and with less machines the UPS systems can work better, less CO2, and smaller support-plants.

I think the SME-Server is fairly superior to the IPcop possibilities.

So I was reading the site but I can not easily find the doc that show me how to do this in an "elegant form"

My idea is:

-make a SCRIPT that blocks all the traffic from internal network (Green Network)to SME-Server
-make a SCRIPT that blocks all the traffic from internal network (Green Network)to Internet Access.
-make a list of  the internal machines/networks that can be connected to the SME-Server. (default every machine in the Green Network)
-make a list of the "standard open ports" for all the machine in the network (eg POP3, IMAP, SMTP, ICMP)
-make a list of the "standard machines" that can access the "standard open ports" (default every machine in the Green Network)

This is the end of the configuration for everybody in the network,

Now we can make serveral groups that can access or reach the ports

-make a list of the "privileged open ports #x" for the "privileged machines" in the network (eg GRE, IPSEC, OVPN, VoIP, ect)
-make a list of the internal machines/networks that can reach "privileged open ports #x"
(the privileged machines are always the accountant, the VoIP machines, everybody that drives special info)

Then:

make a SCRIPT that reads the "standard open ports" and "standard machines" and write the correct configuration to the firewall script.
make a SCRIPT that reads the "privileged open ports #x" and the "privileged machines #x" and write the correct configuration to the firewall script.

As You can see we can drive easily several groups of machines,.and this tool for every network administrator that have to fight with P2P and Chat is solved since the beginning.

I was reading the dev-manual and tring to understand Iptables scripts. but I can not make work well.
So help is welcome to make this scripts avaiable to everybody.

Thanks in advance.

[byte]

Moving this topic to the SME 7.x contribs forum, it is more appropriate there. Thanks!

[raem]

supersonico

I assume you mean to create an interface that allows "easy" configuration of more complex firewall rules.

I don't think there is any document in existence that has all the answers neatly laid out. The devguide is the best resource for "how to do it" in sme.

Here are some other useful links for iptables references:

http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.html

http://www.linuxguruz.com/iptables/howto/

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

see particularly chapters 9, 10 & 11
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#HOWARULEISBUILT
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#MATCHES
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TARGETS


> I was reading the dev-manual and tring to understand Iptables scripts. > but I can not make work well.

In simplistic terms (& you probably already know this), you can run iptables commands from the linux command prompt, and immediately see the effect they have.
In sme these changes will not survive system reconfiguration & reboots etc, due to the templating process.

You can read the code fragments for the firewall/masq templates that create the existing rules in
/etc/e-smith/templates/etc/rc.d/ini.d/masq


When you have worked out what iptables rules you want/need, add those to the masq templates, by using custom templates in
/etc/e-smith/templates-custom/etc/rc.d/ini.d/masq

(You can copy & modify the original fragments).

Expand the template
Restart

If you work out a custom set of iptables rules, post those either here or create a development bug in bugzilla, and ask for assistance from developers or others familiar with sme masq templating, re how to incorporate those rules into the existing masq templates code.

Based on your comments/thoughts, it sounds like you would create databases with user preferences stored, and the revised template fragments would read those db values & create the required firewall rules.

[stephen noble]

You really need advice from the developers,
raise a bug, or add to a few long open bugs that wish to modify iptables
modifying the SME firewall on the scale your suggesting is a black art
I'm not sure it's possible

[supersonico]

RayMitchell

Thanks about the paths and links (so confusing whe you don't clearly understand the schema).

Now I'm working on the bash scripts, the will be amazing to put a web interface to them.

Cheerss!!!

PD I'll post the scripts here, late this week.

Thanks.

[Daniel B.]

RayMitchell

Thanks about the paths and links (so confusing whe you don't clearly understand the schema).

Now I'm working on the bash scripts, the will be amazing to put a web interface to them.

Cheerss!!!

PD I'll post the scripts here, late this week.

Thanks.

Hi supersonico. I'm really interested in an advanced firewall configuration tool on SME7. In fact, what I'd like is the possibility to add other interfaces, not just internal and external (I'd like to add an interface for a wifi installation, with chillispot running, it would be also usefull for VPN connexions), but I don't see a easy way to store the configuration in the db of SME. Have you started your project? I'd like to help, but I think changing the firewall in SME is a lot of work.

[supersonico]

I`m Having problems with this...

Packet filter script was to easy. and blockout traffic is more.

I'm tring to use this project,

http://sourceforge.net/projects/phpfwgen/

Because is the most friendly and easy to set-up. also it doesnt move anything with the SME-serverl, so I can make a simple expand-template and keep working good.

Hope that can't make it work well.

[Franco]

phpfwgen version 2.0 has been released. This release has support for iptables based systems running the 2.4.x Linux kernels.

SME7 runs on 2.6 kernel. This may be a problem (?!)

[supersonico]

Hi there... I want to shut my self... is taking so long and I can not make it work

Some body recommend me this tool

http://vuurmuur.sourceforge.net/

I'm working it at work (no internet at home)... so is going to take a while..

[raem]

supersonico

This was suggested both by me and Stephen Noble earlier in this thread but I'm going to repeat it.
You should really subscribe to the developer mailing list (see  LISTS link at the top of forum), and post your working thoughts there for other developers to see and comment on.
They will most likely give you guidance & feedback and hopefully steer your code development/methodology in a direction that will end up working the best for sme and also not clash with other firewall code & functionality.

The sme server firewall rules set is very complex & relies on a lot of interdependent relationships. If you create code on your own without a full understanding of how the current system works and with no sme developer input, it may not work the best with sme and end up not being accepted by mainstream users.

If your code/techniques are developed in a way that fits in with sme design principles, then you have a much greater likelihood of your efforts being included in base code at some later stage, or accepted as an approved add on contrib.

I also suggest that you do not try to develop the code to it's final stage before presenting it to the world for review. Instead submit your early (unfinished) efforts to the developer list for review and they can comment if you are developing it in the most suitable way, before you expend too much effort on it.

When you have something developed to a more advanced stage, you can then move development work to a specific bug for tracking purposes.

[supersonico]

I made it work!!! 

RayMitchell

Ok, I understand the point, but first I want to make sure to find the right software (I don't want to start from zero), because I'm not or I don't feel, like a good programmer.(but this sme-server motivate me a lot)

So I been testing this vuurmuur tool, under SME 7.2 an 7.1, I have are several things to solve, this tool can use the sme-server rules, for the moment I'm starting to now how do it work with.

but:

-Easy setup.
-Easy configure.
-Black lists.
-I setup all the steps I describe in the first post.
-You can manage connections (kill a download if You want).

It can be the default tool for manage the sme-firewall!!!!

So I will suscribe as a developer, I want to integrate this vuurmuur with SME (but I don't know if I can).

Also I don't have a computer to prove, (I have to develop on production servers).

[raem]

...but first I want to make sure to find the right software...
...I have are several things to solve...
...I want to integrate this vuurmuur with SME (but I don't know if I can).

So ask each of those questions on the devinfo list, and heed the advice given, whether you like it or not.
Let the comments you receive steer and guide your development work, rather than you racking your brain to find out which way to do something.
Provide the code you have already developed to the devinfo list or bug report (as an attachment) and let developers review what you have already done & comment on it.

Also I don't have a computer to prove, (I have to develop on production servers).

You can use VMware, or even get a low powered old computer (for free or very little cost) to use as a test system.

[guest22]

You can use VMware, or even get a low powered old computer (for free or very little cost) to use as a test system.

Or use VirtualBox to build your test machine. See: http://forums.contribs.org/index.php?topic=38326.0