Koozali.org: home of the SME Server

Firewall - is there a GUI front end for SME

nicolasdiogo
Firewall - is there a GUI front end for SME
« on: October 02, 2007, 01:50:48 PM »
Hi,

I just want to find out if there is some front end for the firewall (iptables).
In the forum there are a number of posts and howtos asking about and explaining how to use the firewall.
It seems that it is only possible to amend the firewall via the command line.

Many thanks

byte
Re: Firewall - is there a GUI front end for SME
« Reply #1 on: October 02, 2007, 02:16:50 PM »
There is no GUI for changing firewall settings, nor has there ever been.

What are you looking to do?
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

raem
Re: Firewall - is there a GUI front end for SME
« Reply #2 on: October 02, 2007, 02:59:20 PM »
nicolasdiogo

The GUI server manager has a number of panels that directly affect firewall rules.
There are also numerous command line "db commands" that directly affect firewall rules.
Just look at the forum posts of the last two days re blocking, AllowHosts & DenyHosts, also read the Developers Guide, FAQ & Wiki for additional info.

It really depends on what you want to do, as to which approach you take to make the changes.
i.e. it would be counterproductive (and possibly a security issue) to write special iptables rules when there is a db command or a server manager panel that can make the change you want.

What do you want to do ?

nicolasdiogo
Re: Firewall - is there a GUI front end for SME
« Reply #3 on: October 02, 2007, 04:31:45 PM »
Thanks,

I am looking to redirect traffic for certain ports to a particular local IP.
Also, to allow traffic for a certain port for only one desktop.

Are there plans to create a front end for the firewall?

Regards

mmccarn
Re: Firewall - is there a GUI front end for SME
« Reply #4 on: October 02, 2007, 04:44:04 PM »
Quote
i am looking to redirect traffic for certain ports to particular local IP.
This is already in the GUI under server-manager::Security::Port Forwarding

Quote
allow traffic for a certain port for only one desktop.
If this is different from the previous item, then I don't understand what you're trying to say.

CharlieBrady
Re: Firewall - is there a GUI front end for SME
« Reply #5 on: October 02, 2007, 05:34:21 PM »
Quote
are there plans to create a front end for the firewall?

There is a front end for the firewall - it is the server manager, which has various policy settings and panels which affect the firewall.

There are no plans to have two different front ends.

okepc
Re: Firewall - is there a GUI front end for SME
« Reply #6 on: October 03, 2007, 10:07:39 AM »
Byte said
Quote
nor has there ever been

You are misinformed, take a look at:

Masq Manager

http://www.muzo.homeip.net/wiki.php/SmeServer/Contribs

This will PROBABLY NOT WORK with SME 7 because it is written for SME 6.

Regards

Dirk

byte
Re: Firewall - is there a GUI front end for SME
« Reply #7 on: October 03, 2007, 10:30:28 AM »
Quote
Byte said
You are misinformed, take a look at:

Masq Manager

Misinformed? I don't think so, that's bad advice to suggest something that's not even compatible with SME 7; even when that package was compatible with SME 6 it didn't work properly.

Quote
http://www.muzo.homeip.net/wiki.php/SmeServer/Contribs

This will PROBABLY NOT WORK with SME 7 because it is written for SME 6.

So why even suggest this package in the first place if you say it will probably not work? Bad advice again, have you even tried this package on SME 7?

Daniel B.
Re: Firewall - is there a GUI front end for SME
« Reply #8 on: October 03, 2007, 11:58:43 AM »
Hi everyone. Maybe it wasn't good advice to talk about the masq manager contrib, I never tried it. But I think an advanced firewall configuration tool would be a good thing, even if there's no panel in the server-manager. I know we can already open some ports, and forward others, but a lot of things are missing (IMHO) like:
- limit a port forwarding to a range of source addresses
- forward a port for both tcp and udp in a single rule
- possibility to comment each forwarding rule
- possibility to forward a port range
- support other interfaces than Internal and External; this could be great for a site-to-site VPN, or a DMZ, or a WiFi device
- support forwarding rules between the different networks if there are more than 2 interfaces
- possibility to disable NAT with a db key
- block all the outgoing port traffic (excluding an admin IP range) and allow just those we want
- add some protection against ssh scans at least (it seems to be possible with simple iptables rules, but I haven't tested)
- add shaping rules (the script from hancees based on HTB works great, I think it should be added in the base)

Something like the BOT (BlockOutTraffic) on IPCop would be cool. I know SME is not designed to be a complex firewall, but for small installations it would be useful to have some advanced firewall options, even for personal use (I have a SME at home, and I'd need a third interface to connect a WiFi device and capture the traffic with chillispot. I'd even need a 4th interface for a site-to-site VPN with openvpn, and I don't want to disable the firewall on this interface like some people do, I'd just like to open some ports.)

I've started looking at the masq script, but implementing those functionalities needs a total rewrite (I think), and such a thing won't be integrated in the distro. That's why I haven't opened bugs as NFRs. I know it represents a lot of work, but these functionalities are really missing.

That was my advice.
It's the end of the world!!! :lol:
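As an added example, not code from this thread or from SME Server: three of the items on the list above expressed in plain iptables, which is what any panel or template for them would have to generate underneath. The interface name, the LAN host and the IPT variable are assumptions; with IPT=echo the functions print the rules instead of loading them. On an SME gateway, rules added by hand at the prompt are gone the next time the masq script regenerates the firewall, so in production they belong in a custom template fragment rather than in a shell session.

```shell
#!/bin/sh
# Added example (not from the thread or SME Server). Plain iptables versions of
# three requested features. EXT_IF, LAN_HOST and IPT are assumed names.
EXT_IF=${EXT_IF:-eth1}             # Internet-facing interface (assumption)
LAN_HOST=${LAN_HOST:-192.168.1.50} # internal machine that receives forwards (assumption)
IPT=${IPT:-iptables}               # set IPT=echo to print the rules instead of loading them

# 1. Port forward that only one source range may use: external TCP port $1 is
#    sent to $LAN_HOST:$2, but only for packets from $3 (e.g. 203.0.113.0/24).
#    Packets from anywhere else are never DNATed, so they hit the normal deny.
fwd_from_range() {
    ext_port=$1; dst_port=$2; src_range=$3
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -s "$src_range" --dport "$ext_port" \
        -j DNAT --to-destination "$LAN_HOST:$dst_port"
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -s "$src_range" -d "$LAN_HOST" --dport "$dst_port" \
        -m state --state NEW -j ACCEPT
}

# 2. A contiguous port range ($1 to $2) forwarded for both tcp and udp with one
#    call. DNAT without an explicit port keeps the original destination port.
fwd_range_tcp_udp() {
    lo=$1; hi=$2
    for proto in tcp udp; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$lo:$hi" \
            -j DNAT --to-destination "$LAN_HOST"
        $IPT -A FORWARD -i "$EXT_IF" -p "$proto" -d "$LAN_HOST" --dport "$lo:$hi" \
            -m state --state NEW -j ACCEPT
    done
}

# 3. Brake on ssh scanning with the recent match: every new connection to port
#    22 from outside is recorded per source address; the $1-th (default 4) new
#    connection within $2 (default 60) seconds from one source, and every one
#    after it, is dropped. Established sessions are unaffected. These two rules
#    must come before any rule that ACCEPTs port 22.
ssh_scan_brake() {
    hits=${1:-4}; secs=${2:-60}
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshscan --set
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshscan --update --seconds "$secs" --hitcount "$hits" -j DROP
}
```

Source the file and call, for instance, fwd_from_range 2222 22 203.0.113.0/24; with IPT=echo exported first, the commands are only printed, which is a cheap way to review a rule before it touches the kernel. The source-restricted forward is the important one security-wise: without the -s match on both the nat and the FORWARD rule, the forward is open to the whole Internet.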

raem
Re: Firewall - is there a GUI front end for SME
« Reply #9 on: October 03, 2007, 12:49:32 PM »
VIP-ire

Quote
...I haven't opened bugs as NFRs. I know it represents a lot of work, but these functionalities are really missing.

Well if you think the OS needs the functionality, you should open NFR bugs; at least then your requests will be considered by the developers. If enough people ask, and the developers agree, and they have resources or are sponsored, then it may happen.

jdavey
Re: Firewall - is there a GUI front end for SME
« Reply #10 on: October 03, 2007, 09:05:12 PM »

Quote
VIP-ire said:
- limit a port forwarding to a range of source addresses
- forward a port for both tcp and udp in a single rule
- possibility to comment each forwarding rule
- possibility to forward a port range
- support other interfaces than Internal and External; this could be great for a site-to-site VPN, or a DMZ, or a WiFi device
- support forwarding rules between the different networks if there are more than 2 interfaces
- possibility to disable NAT with a db key
- block all the outgoing port traffic (excluding an admin IP range) and allow just those we want
- add some protection against ssh scans at least (it seems to be possible with simple iptables rules, but I haven't tested)
- add shaping rules (the script from hancees based on HTB works great, I think it should be added in the base)

Something like the BOT (BlockOutTraffic) on IPCop would be cool. I know SME is not designed to be a complex firewall, but for small installations it would be useful to have some advanced firewall options, even for personal use (I have a SME at home, and I'd need a third interface to connect a WiFi device and capture the traffic with chillispot. I'd even need a 4th interface for a site-to-site VPN with openvpn, and I don't want to disable the firewall on this interface like some people do, I'd just like to open some ports.)

VIP-ire said it: use IPCop or Smoothwall (or m0n0wall). As elegant and simple a solution as SME is, I've never been comfortable with the server functioning as the gateway/firewall, it just seems... dirty. That said, I've never had a problem for the few folks I've helped out with SME as a firewall. It's just that Smoothwall, IPCop and m0n0wall are so configurable out of the box. Why take a chance on breaking security on the SME (which ambitious folks tend to do when modifying)?

If it's a small installation then typically they don't need advanced routing and customized firewall rules. Additionally, it's a pain to support those changes when something goes wrong (and it will go wrong). If they do need those features then it's really not a small installation. With Smoothwall, IPCop or m0n0wall, if you break it, it's a ten minute reinstall from ISO and you're done.

CharlieBrady
Re: Firewall - is there a GUI front end for SME
« Reply #11 on: October 03, 2007, 09:23:50 PM »
Quote
VIP-ire said it ...

Ray also said it - if something should be there and isn't, open a New Feature Request in the Bug Tracker.

BTW, quite a few of the features that VIP-ire advocates already exist.

Daniel B.
Re: Firewall - is there a GUI front end for SME
« Reply #12 on: October 03, 2007, 10:03:45 PM »
Ok, I'll try to open bugs for the features I've listed.
I know that if I want just a firewall, I should use IPCop, and for some installations I use IPCop. But SME has a lot of features, and just a few are missing (still IMHO), and I'd like to have everything in one machine as it will save energy and money.

Quote
If it's a small installation then typically they don't need advanced routing and customized firewall rules
I install SME for some small companies, and I'd need the advanced functionality. I can live without it, but it'd be much better with.

Quote
BTW, quite a few of the features that VIP-ire advocates already exist.
Maybe I've missed something; can you point me to some documentation on the features I'd like which exist?

CharlieBrady
Re: Firewall - is there a GUI front end for SME
« Reply #13 on: October 03, 2007, 10:16:27 PM »
Quote
I install SME for some small companies, and I'd need the advanced functionality.

So pay someone to develop the functionality you need ...

Daniel B.
Re: Firewall - is there a GUI front end for SME
« Reply #14 on: October 03, 2007, 10:28:00 PM »
Well, I'm just a young tech, I don't have a lot of money and I try to do what I can to enhance this already great OS. I thought giving some ideas could help, but sadly it seems they are not very welcome without money.

byte
Re: Firewall - is there a GUI front end for SME
« Reply #15 on: October 03, 2007, 11:10:29 PM »
Quote
I thought giving some ideas could help but sadly it seems they are not very welcome without money.

Ideas are great, especially when raised as an NFR; they are most welcome, but as we have a small dev team there is not enough manpower to cope with the NFR demands, so for any that you/anyone else may need for business use, "sponsor" a dev team to develop this.

Please do raise your NFRs - Thanks.

CharlieBrady
Re: Firewall - is there a GUI front end for SME
« Reply #16 on: October 03, 2007, 11:31:04 PM »
Quote
Well, I'm just a young tech, I don't have a lot of money and I try to do what I can to enhance this already great OS. I thought giving some ideas could help but sadly it seems they are not very welcome without money

The problem is that ideas are the one thing that there is no shortage of. Ideas are welcome, but not enough.

What is needed is working code, and that either needs someone to contribute the code, or someone to offer money so that a programmer can be coaxed from doing other paid work to develop the code that you want. Nothing else will create working code.

judgej
Re: Firewall - is there a GUI front end for SME
« Reply #17 on: October 04, 2007, 03:23:56 PM »
Quote
Well, I'm just a young tech, I don't have a lot of money and I try to do what I can to enhance this already great OS. I thought giving some ideas could help but sadly it seems they are not very welcome without money

Ideas are great, but people here do not have time to implement every idea suggested. If you want someone else to go out of their way to implement something that only you need, then you are going to have to reward them in some way. If you cannot afford to pay for it, then you either make do with what you have, do it yourself, or get a team together of like-minded people who do want the feature.
-- Jason

nicolasdiogo
Re: Firewall - is there a GUI front end for SME
« Reply #18 on: October 04, 2007, 05:53:24 PM »
Hi,

Apologies for the delay.
I read your comments, the first two, and I have found the port forward feature, but it only works for the external to internal flow, and I am still not able to find any way of configuring things like enabling certain ports/services via the web interface.

I have also noted that some of the argument is around having plenty of ideas but no funds.
I agree.

How about bounties? The community sets the goals AND raises the cash, and lets the developers work with support.

Many thanks
zatnikatel
Re: Firewall - is there a GUI front end for SME
« Reply #19 on: October 04, 2007, 06:59:47 PM »
Quote
Well, I'm just a young tech, I don't have a lot of money and I try to do what I can to enhance this already great OS. I thought giving some ideas could help but sadly it seems they are not very welcome without money

You have the wrong idea about money. The options you want you can do with iptables and the command prompt. Also remember SME Server is an email server, Samba and print server, whereas the other ones you talked about are only firewalls/routers, nothing else. SME Server does a lot more, and there is a lot of work gone into SME Server with the templates setup.
And don't forget the DEVS do a lot of work and they do deserve money for what they do. If every person that used SME Server just gave 10 dollars then more options could be added. Don't forget they have families as well as working on the SME Server.
If you want to have a look at the iptables setup, at the shell type: iptables --list
Not flaming you down, but before you say they are not very welcome have a good read through the forums first. Everyone here is willing to help as much as they can, and the DEVS want to keep SME Server simple. The firewall rules are very tight on the SME Server; I have never been hacked, and I have been using SME Server since before version 5 when it was called e-smith. It is the most stable Linux OS around and is simple enough for a person who does not even know Linux to install it.

raem
Re: Firewall - is there a GUI front end for SME
« Reply #20 on: October 05, 2007, 04:10:33 AM »
nicolasdiogo

Quote
... I have found the port forward feature but it only works for the external to internal flow...

That's what it is designed to do.
Note you can forward to localhost, see this example
http://wiki.contribs.org/PortRedirect

What more were you expecting/wanting?

Quote
... I am still not able to find any way of configuring things like enabling certain ports/services via the web interface

Server manager does that for the services (& corresponding ports) that can be configured in server manager, e.g. ftp, ssh etc.

If you want control beyond the functionality within server manager, then you would use the command line.
You have two options: use db commands where the existing code supports the functionality for the services you require to adjust, or, if not supported that way, use manually configured iptables rules with custom templates.

Again you need to be specific as to what you want to do, so that you can be advised whether that is supported, and by which one of the techniques mentioned, or whether you need to write your own code/rules.

I suggest you carefully read the FAQ & the Developers manual; they cover by example how to enable services and associated ports.

http://wiki.contribs.org/SME_Server:Documentation:FAQ#Firewall.2FPort_Forwarding.2COpening.2CBlocking

http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gordonr/devguide/html/devguide.html#AEN2072

Daniel B.
Re: Firewall - is there a GUI front end for SME
« Reply #21 on: October 05, 2007, 11:48:33 AM »
Wow, I didn't think the discussion would turn this way. First, I apologize if I said something the wrong way; I'm not English and sometimes what I write is not exactly what I mean. In the first posts of the topic, several people asked nicolasdiogo what he wanted to do with the firewall exactly, so I've listed some of the functionality I thought useful. Then, I just wanted a discussion around that: is this functionality really useful? Would nobody else like to see such features? What would be the + and the - of having features like that? etc...
Instead, everyone told me "so, you have to pay", "the developers do not have time to implement every idea suggested" and things like that. I never said you must implement that. Instead, I said that I'd find SME even better with features like that. I don't see the problem.
I can help with some code (I'm not a real coder, but I've already packaged some contribs for SME like openvpn, backuppc and trixbox), but first I would like to know if some other people are interested; then we can go to the bug tracker to discuss the technical solutions.

Cheers

nicolasdiogo
Re: Firewall - is there a GUI front end for SME
« Reply #22 on: October 05, 2007, 02:05:21 PM »
Thanks for the links,

I noticed that SME has good firewall command lines, so that is why I questioned whether someone had written a firewall front end.

If I want to enable traffic for eMule (used for research reasons only) into my network, I would have to ssh into SME and run the command rather than having an option on the front end. It only seems a lack of consistency from a user's perspective.

I am not trying to knock the dev team down; in fact I believe SME is a fantastic product as it is simple and robust, which you guys should be proud of.

regards

raem
Re: Firewall - is there a GUI front end for SME
« Reply #23 on: October 06, 2007, 03:30:08 AM »
nicolasdiogo

Quote
if i want to enable traffic for eMule (used for research reasons only) into my network, i would have to ssh into SME and run the command rather than having an option on the front end.

Depending what you mean by "enabling traffic", that would be achieved using the Port Forwarding panel, which is actually a port forwarding and port opening panel.

arne
Re: Firewall - is there a GUI front end for SME
« Reply #24 on: October 10, 2007, 12:21:09 AM »
Basically and technically there are two ways of applying a new or modified set of firewall rules on a SME server.

Alternative 1. The difficult one. You can learn the SME server in depth, where just a few know it, and do the modifications "the right way" as they should be done. (Yes, there are some easier shell config variants for the new 7.x, but it is still rather difficult to get the complete overview of how your SME firewall really works.)

Alternative 2. The easier one, but I guess "the not so recommended one". That is to let your SME server boot up and apply its firewall like normal, without any modification of the underlying operating system. Then, after it is up and running, you can flush out the existing SME firewall and apply a complete new set of firewall (and forwarding) rules.

Such a change can be done by applying a firewall (iptables) configuration script.

I am using my SME 7.2 gateway server like this just now, because the ordinary firewall stopped working for some unknown reason. Such a manual firewall script gives fine grained, detailed control of how things should work, but it also increases the risk of errors multiple times. It is rather easy to make mistakes that leave your gateway completely open to attack. One single incorrect word in the configuration script is enough.

Of course it would not be so very complicated to work out a graphical shell that could set up such an alternative firewall, based on the principle that it is not integrated into the existing firewall setup, but rather flushes out the existing firewall. Web based could be one alternative. Another way would be to make some text based interactive program that generates the firewall configuration script.

For reasons I don't know, it looks like the principle of flushing out the existing firewall and replacing it with new rules works when the web proxy is disabled and does not work when it is enabled. At least it does not work for me when trying to use the web proxy.

At the moment it looks like it's possible to apply a standard iptables firewall configuration script on the SME 7.2, to obtain full control of the firewall behaviour and of the data streams to, from and through the server, when the web proxy (Squid) is set to off.

By the way, I have just tested it a few days after the regular SME firewall was broken. (But I have also tested it on earlier releases before.)

It is my impression that the SME server developers do not much like the idea of ordinary users playing with the firewall, but I guess it can be done. (But with the risk of being hacked and punished.)
« Last Edit: October 10, 2007, 12:26:05 AM by arne »
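The post above makes the key point itself: a hand-written script gives full control, but one wrong word can leave the gateway open. As an added example (not arne's script and not SME Server code), here is the flush-and-replace approach arranged so that a mistake fails closed rather than open. The whole ruleset is generated as one iptables-restore file with DROP default policies, so anything you forget to allow is denied rather than permitted; it is parsed before it is committed and then loaded in one atomic step (iptables-restore replaces the tables listed in the file, so it is also the flush); and a watchdog puts the previous rules back unless the change is confirmed within a grace period, so a rule that locks you out or opens the box does not persist. Interface names, the LAN and admin ranges and the state directory are assumptions. The file deliberately contains none of SME's own rules (port forwards, proxy redirection and so on), which is exactly why the server-manager panels stop having any effect once you do this; flushing the nat table also removes whatever REDIRECT rule the transparent proxy relies on, which is the likely reason the proxy stopped working in the post above.

```shell
#!/bin/sh
# Added example, not from the thread or from SME Server: a complete replacement
# ruleset applied atomically, with a rollback watchdog. All names below are
# assumptions for illustration.
EXT_IF=${EXT_IF:-eth1}                  # Internet-facing interface
INT_IF=${INT_IF:-eth0}                  # LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}      # LAN range
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}  # the only outside range allowed to ssh in
STATE=${STATE:-/root/fwstate}           # saved rulesets and watchdog state

# Print the whole ruleset in iptables-restore format. Policies are DROP, so a
# forgotten rule denies traffic instead of allowing it.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -s $LAN_NET -j ACCEPT
-A INPUT -i $EXT_IF -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Number of rules the file installs; compare with `iptables-save | grep -c '^-A '`
# after loading to confirm the kernel holds exactly what you wrote.
ruleset_rule_count() { gen_ruleset | grep -c '^-A '; }

# Load the ruleset with a safety net:
#   1. save what is running now,
#   2. parse the new file without touching the kernel (--test; older iptables
#      releases lack the flag, drop that line there and rely on step 3),
#   3. start a watchdog that restores the saved rules after $1 seconds unless
#      confirm_ruleset has been run,
#   4. commit the new file in one atomic operation (all rules or none).
apply_ruleset() {
    grace=${1:-120}
    mkdir -p "$STATE"
    iptables-save > "$STATE/before" || return 1
    gen_ruleset > "$STATE/new"
    iptables-restore --test "$STATE/new" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    rm -f "$STATE/confirmed"
    ( sleep "$grace"; [ -e "$STATE/confirmed" ] || iptables-restore "$STATE/before" ) &
    echo $! > "$STATE/guard"
    iptables-restore "$STATE/new"
}

# Run this from a session that still works after the change; if you cannot,
# the watchdog reverts for you.
confirm_ruleset() {
    touch "$STATE/confirmed"
    kill "$(cat "$STATE/guard")" 2>/dev/null
}

case "${1:-}" in
    show)    gen_ruleset ;;
    apply)   apply_ruleset "${2:-120}" ;;
    confirm) confirm_ruleset ;;
esac
```

Usage: `sh fw.sh show` to review the file, `sh fw.sh apply 120` to load it, then `sh fw.sh confirm` from a new ssh session within two minutes. Keep the grace period short enough that an accidental "open" ruleset is not exposed for long, and remember that this replaces SME's firewall entirely: the masq init script will overwrite it again at the next boot or at any event that restarts masq.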

raem
Re: Firewall - is there a GUI front end for SME
« Reply #25 on: October 10, 2007, 07:10:01 AM »
arne

Quote
...you can flush out the existing sme firewall and apply a complete new set of firewall (and forwarding) rules.
I am using my sme 7.2 gateway server like this just now at the moment because the ordinary firewall stopped working for some unknown reason.

So you should have reported this as a bug.


Quote
It is my impression that the SME server developers does not like to much the idea about ordinary users playing with the firewall, but I guess it can be done. (But with the risk of being hacked and punished.)

I think you are unwise to continue to promote the concept of flushing out the firewall rules and replacing them with something you have created.
It suggests an underlying lack of appreciation and understanding of the complexities of the existing firewall rules and how these rule sets are interdependent, and the order in which certain rules get implemented depending on user selections etc etc etc. The existing firewall in a sme gateway server is based on a very complex set of reasoning and not something to be lightly played around with.
Changing the approach to firewall management that you propose will dramatically alter the security model of sme server, and likely create an insecure server, unless of course you are a firewall and a sme expert who really does know what you are doing.
The reality is that very, very few of us are sme & firewall experts, so the majority of us should therefore leave tweaking of the firewall rules to currently accepted methods as allowed for in sme server design scope, i.e. server manager panel changes or a range of db commands or custom template changes.

To redesign or add an additional firewall GUI which implements a lot of fine tuning functionality will only open up the possibility of more easily creating an insecure server by well meaning but unknowledgeable admins, which is quite the opposite of the sme server design philosophy.

Developers have directly asked you to provide firewall code improvements to them via bugzilla and you have not done so.
If you want changes to the sme server to be implemented in the base code, then you need to work with the developers, not go off on your own promoting the blasting away of existing firewall rules and replacing them with something you have created, which appears to function independently of settings within sme server and therefore is not in accordance with the design scope of user simplicity.

I would also suggest that changes get made in small increments on an as needed basis, i.e. add this particular firewall rule capability as users seem to need this now, add another firewall rule as that has become important to end users etc etc. Small incremental changes are more likely to be adopted rather than large major rewrites of new or existing GUI panels etc.

You could contribute your knowledge of firewall rules to the sme project, but it appears you are not willing to do so.

arne
Re: Firewall - is there a GUI front end for SME
« Reply #26 on: October 10, 2007, 06:25:41 PM »
Well, I think I would see it the other way:

The Linux Netfilter firewall is a really beautiful, really easily understandable (when it comes to practical use) and well designed part of the Linux kernel. The work done by Rusty Russell (I think his name was) is really something great.

My point of view:

1. The logical function of the firewall is something that should be regarded as something different from those problems related to the server functions, as this would give more freedom and focus on the firewall design itself.

2. The firewall problems are easily separated (and should be separated) from the rest of the problems related to server security.

3. If both problem areas are considered as a whole and without a principle of modularization or breaking up the problem into pieces (the firewall part and the server part), the complexity of the project will be on such a level that it will be rather difficult to do anything else than just small steps and minor modifications.

4. With a new approach and a better modularization and a better structure between firewall and server related problems, a lot more could be done.

The way that the Linux firewall works gives the situation where developers are free to work on the firewall problems as something different and separate from the server functions, which I think could reduce the complexity of the overall situation to just a fraction of what it is when all these problems are mixed into one bag.

Of course I would contribute if I could, but I don't understand at all how this could be done.

My opinion is that the Linux firewall is something very easy and quite manageable, if one just understands its simplicity and lack of complexities. As I would see it, the easier and the more well structured a firewall design is, the more "safe" it will be. "Safe" will in this case mean that it is possible to predict how it will behave under certain situations and to decide how it did fail, if this should happen. The opposite way: the more complex a firewall design is, the more risk there is of something unexpected happening, and the more difficult it will also be to trace it out if it fails.

By the way, I'm not selling or promoting anything at all. I'm just discussing, trying to learn a little bit more. (And I certainly do not have all the valid answers.)

As I see it, Linux firewalling is much like bicycling. You don't need to be an expert, but you need to understand what you are doing. It might be safer to take a taxi or train to town, but some of us might prefer bicycling and the freedom of going where you want to go, and having full control.

If a better and more flexible firewall solution should be developed, I think the first thing that would be needed is some discussion about how a firewall should work, why it should do this and this and this, and not that, and so on.

What actually normally happens if someone mentions something about firewalling on this forum is that someone from the development team posts a message that advises: "please do not discuss firewalling".

If firewalling could be discussed, and some people were interested in this field of problems, I think it could be possible to come up with some alternative and new solutions.

If SME developers like to think that the firewall problems need to be tightly integrated into the server problems on the SME server, because it has always been like that, they are free to do that. But if someone thinks that the area of firewalling has its own life inside the Linux kernel, they can do that as well, because if you tell the kernel and yourself that it is like that, from a technical view, actually it is like that.

So technically, to flush out the existing SME firewall ruleset and replace it with a new one is one option, for a change to the better or the worse.

As I would see it, it will be very difficult, if not almost impossible, to make big changes in the SME firewall if the firewalling and the server related problems are not separated in an effective way. On the other hand, it should be rather easy to come up with new solutions if that is done. These could have graphical or non graphical front-ends.

If the SME server is an open source project there should be no reason why it should not be possible to also build in advanced firewalling functions like those in the new version of Smoothwall. But I believe that this can not be done (in a practical way) via the existing template system of the SME server. (A more or less independent firewall configuration module or system of some kind will be needed.)

Eventually building such a module will also include experimenting with security and getting hacked. (No hacking, no learning - as with the bicycling.)

Alternative firewalls for the SME server could have been there already a long time ago, if there were some positive will to have them.
These firewall configuration tools could also do all kinds of fine grained firewalling control and also manage the problems related to a DMZ zone, a wireless zone, outbound traffic control, inbound traffic control, etc, etc.
« Last Edit: October 10, 2007, 06:31:05 PM by arne »

CharlieBrady
Re: Firewall - is there a GUI front end for SME
« Reply #27 on: October 10, 2007, 07:30:15 PM »
Quote
But I believe that this can not be done (in a practical way) via the existing template system of the SME server.

And there you are wrong. You can provide your own file /etc/e-smith/templates-custom/etc/rc.d/init.d/masq and do there absolutely anything you want.
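raem's reply #20 above describes the supported route when neither a panel nor a db command covers what you need (custom templates carrying your own iptables rules), and CharlieBrady names the place: a fragment under /etc/e-smith/templates-custom for the masq init script. As an added example, not code from the thread or from the SME Server project, this script writes such a fragment to open one extra TCP port, optionally from a single source only, re-expands the template, restarts masq and then checks the live ruleset. The fragment name, the OUTERIF variable and the use of the INPUT chain are assumptions: read the stock fragments in /etc/e-smith/templates/etc/rc.d/init.d/masq/ first and number yours so that it runs before the fragment that installs the default deny, otherwise the rule is never reached.

```shell
#!/bin/sh
# Added example, not from the thread or from SME Server: open one extra TCP
# port through a custom template fragment for the masq init script. Fragment
# name, the OUTERIF variable and the INPUT chain are assumptions.
TEMPLATE=/etc/rc.d/init.d/masq
CUSTOM_DIR=/etc/e-smith/templates-custom$TEMPLATE
FRAG=${FRAG:-40AllowRsync}   # assumed name; must sort before the default-deny fragment

# Text of the fragment: allow TCP port $1 on the external interface, optionally
# only from source $2. The fragment is shell that ends up inside the generated
# masq script, hence the literal $OUTERIF (assumed to be that script's variable
# for the external interface; confirm with: grep OUTERIF /etc/rc.d/init.d/masq).
fragment_text() {
    port=$1; src=${2:-}
    srcarg=""
    [ -n "$src" ] && srcarg="--source $src "
    printf '%s\n' \
        "    # custom fragment: allow TCP/$port in from ${src:-anywhere}" \
        "    /sbin/iptables --insert INPUT --in-interface \$OUTERIF --protocol tcp ${srcarg}--dport $port --jump ACCEPT"
}

# Write the fragment, regenerate the script from stock + custom fragments,
# restart the firewall and verify that the kernel really has the rule.
install_fragment() {
    mkdir -p "$CUSTOM_DIR"
    fragment_text "$@" > "$CUSTOM_DIR/$FRAG"
    /sbin/e-smith/expand-template "$TEMPLATE"
    "$TEMPLATE" restart
    if /sbin/iptables -L INPUT -n | grep -q "dpt:$1"; then
        echo "TCP/$1 is open"
    else
        echo "rule not active: check fragment ordering in $CUSTOM_DIR" >&2
        return 1
    fi
}

case "${1:-}" in
    show)    fragment_text "${2:?port}" "${3:-}" ;;
    install) install_fragment "${2:?port}" "${3:-}" ;;
esac
```

Usage: `sh openport.sh show 873 192.168.1.0/24` prints the fragment for review; `sh openport.sh install 873 192.168.1.0/24` applies it. Anything edited directly in /etc/rc.d/init.d/masq is overwritten at the next expansion, so the fragment is the only place where the change survives; conversely, because the script is regenerated and restarted by SME's own events, the rule comes back after reboots and panel changes, unlike rules typed at the prompt. Give the source restriction whenever you can: an unrestricted open port on the external interface is the same exposure whether it came from a panel or a fragment.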

arne
Re: Firewall - is there a GUI front end for SME
« Reply #28 on: October 10, 2007, 08:03:07 PM »
Well I know it I'm wrong as it can be done, and I know I am right as I have done it a number of times.

Modification of the template system is a to slow and a lot to complicated way to do an effective firewall design.

It could on the other hand be quite possible to first develop firewall rules and then apply them into the template systems after troubleshooting, testing etc.

And then one other issue:

If you compare the number of functions and the complexability in the configuration panel of a SME server and the new Smoothwall, one can se that the number of functions and the complexability is, I belive bigger on the Smoothwall, that is only a firewall.

As I will see it, It will be impossible to implement a really finegradeded and flexible firewall controll on the SME server without destroying it's main force as a server, its simplicity and ease of use.

As I would see it, more flexible and more fine-grained firewall control would require some control panel or interactivity outside the ordinary server-manager panel. To say it simply: it is not possible to do all the functions of the Smoothwall and the SME server in one admin panel without messing it all up. This is one of the reasons that I believe an "additional firewalling configuration thing" could be something, something with a relatively clear modular design.
« Last Edit: October 10, 2007, 08:04:48 PM by arne »

jdavey
Re: Firewall - is there a GUI front end for SME
« Reply #29 on: October 10, 2007, 11:48:35 PM »
In reality, if you want the fine-grained configurability and control of Smoothwall, then just use Smoothwall. It's built, assembled and ready to run. It's what I use in numerous deployments. It is what it is built for. The new Express v3 looks interesting, but I am cautious. As Smoothwall founder Dick Morrell points out - it's a firewall/security device - the more things you run on it, the more opportunity you expose yourself to having bad things happen.

I'll repeat again, SME as a server and basic gateway/firewall is a wonderful product. But when you need to offer someone something more than basics in terms of firewall/gateway, I just feel more secure with a standalone product. Something more than SOHO and perhaps approaching enterprise level. And folks who need that level of capability really need to look at two solutions and not a single appliance. We can debate the merits of single point of failure vs. multiple points of failure with services running on separate boxes (domain server, mail server, web server, gateway/firewall) vs. a single box, but to me, a need for advanced firewalling, QoS, and fine-grained control calls out for a dedicated solution. If you are at the level of "almost enterprise", then build to that level.

For a simple environment in a professional setting SME is fantastic, but when you are looking at a regulated environment, with very specific demands, break it apart and put SME behind another firewall/gateway.

raem
Re: Firewall - is there a GUI front end for SME
« Reply #30 on: October 11, 2007, 02:07:35 AM »
arne

Quote
Alternative firewalls for the SME server could have been there already a long time ago, if there were some positive will to have them.
These firewall configuration tools could also do all kinds of fine grained firewalling control and also manage the problems related to a DMZ zone, a wireless zone, outbound traffic control, inbound traffic control, etc., etc.

The links below are an example of some incremental work being done to develop code & db commands to control outbound traffic.
Once that part is done it's a much more straightforward project to develop a GUI to control the db selections, but many would question the need for such a GUI when db commands are perfectly adequate and, to some degree, shield end users from doing something silly via a GUI panel.

http://forums.contribs.org/index.php?topic=36855.0

http://bugs.contribs.org/show_bug.cgi?id=2977



CharlieBrady
Re: Firewall - is there a GUI front end for SME
« Reply #31 on: October 11, 2007, 02:10:45 AM »
Quote
- limit a port forwarding to a range of source addresses

Already in the Bug Tracker - http://bugs.contribs.org/show_bug.cgi?id=2379

Quote
- Forward port for both tcp and udp in a single rule

When would you do that - what services run on both UDP and TCP (other than DNS)?

Quote
- Possibility to comment each forwarding rules

http://bugs.contribs.org/show_bug.cgi?id=771

Quote
- possibility to forward a port range

Already supported.

Quote
- support others interfaces than Internal and External, this could be great for site-to-site VPN, or a DMZ, or a WiFi device
- Support forwarding rules between the different network if there are more than 2 interfaces

There already exist new feature requests for supporting more than two interfaces. If that work is ever done, then firewall changes will need to be made. Until then, it would be pointless to add such support to the firewall rules.

Quote
- possibility to disable NAT with a db key

When would you want to do that, and why would a custom template not be adequate? I would be very hesitant to provide such a feature, as it would make it too easy for someone to make their LAN vulnerable. This "feature" would also be useful only to the very small number of people who have an ISP allocation of more than one netblock.

Quote
- Block all the outgoing ports traffic (excluding an admin IP range) and allow just those we want

http://bugs.contribs.org/show_bug.cgi?id=9
http://bugs.contribs.org/show_bug.cgi?id=1409
http://bugs.contribs.org/show_bug.cgi?id=2977

Quote
- Add some protection against ssh scans at least (it seems to be possible with simple iptables rules, but I haven't tested)

http://bugs.contribs.org/show_bug.cgi?id=1645

Quote
- Add shaping rules (the script from hancees based on HTB works great, I think it should be added in the base)

http://bugs.contribs.org/show_bug.cgi?id=28
http://bugs.contribs.org/show_bug.cgi?id=674

Quote
I know it represents a lot of work, ...

You don't say.

Quote
... but this functionality is really missing.

Well, you either need to live with what's there, use something else, or do something about what you think is lacking in SME server.
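Two of the items in the list above, a port forward limited to a range of source addresses and blocking outbound traffic except from an admin range plus a short list of allowed ports, can be expressed as plain iptables commands with no GUI involved. The shell block below is an added example written for this page; it is not code from the thread, from the SME Server masq script or from hancees' script. It only prints the iptables commands so they can be read over before being pasted into a test script or a templates-custom fragment. The interface names eth0/eth1 and all addresses are constructed sample values. One caveat the functions cannot know about: where a fragment lands in the order of the generated masq script decides whether its rules are ever reached, since an appended rule after an earlier blanket ACCEPT in FORWARD never matches, so check the live chain with `iptables -L FORWARD -n -v --line-numbers` after applying.

```shell
#!/bin/sh
# Added example (editor's code, not SME Server's masq script): print the
# iptables commands for two features requested in the thread, so they can be
# reviewed before being put in a test script or a templates-custom fragment.
#
# Assumptions (constructed, not from the thread): eth1 is the external
# interface, eth0 the LAN, and every address below is a sample value.

# gen_restricted_forward EXT_IF SRC_CIDR PROTOS EXT_PORT INT_IP INT_PORT
# PROTOS is "tcp", "udp" or "tcp,udp". Netfilter matches one protocol per
# rule, so "tcp,udp" yields a DNAT + FORWARD pair per protocol, not one rule.
gen_restricted_forward() {
    ext_if=$1 src=$2 protos=$3 ext_port=$4 int_ip=$5 int_port=$6
    for proto in $(printf '%s' "$protos" | tr ',' ' '); do
        # Rewrite the destination only for packets from the permitted range.
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$ext_if" "$src" "$proto" "$ext_port" "$int_ip" "$int_port"
        # The filter table must also admit the rewritten connection; repeating
        # the source match keeps the FORWARD rule as tight as the DNAT rule.
        printf 'iptables -A FORWARD -i %s -s %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$ext_if" "$src" "$int_ip" "$proto" "$int_port"
    done
}

# gen_outbound_policy LAN_IF EXT_IF ADMIN_CIDR TCP_PORTS
# Default-deny for LAN -> external traffic, with three exceptions appended
# before the final DROP: replies to existing connections, anything from the
# admin range, and new TCP connections to the listed ports (comma-separated).
gen_outbound_policy() {
    lan_if=$1 ext_if=$2 admin=$3 ports=$4
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$lan_if" "$ext_if"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$lan_if" "$ext_if" "$admin"
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        printf 'iptables -A FORWARD -i %s -o %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$lan_if" "$ext_if" "$p"
    done
    # Log before dropping so that blocked legitimate traffic can be diagnosed.
    printf 'iptables -A FORWARD -i %s -o %s -j LOG --log-prefix "OUTBOUND-DROP "\n' "$lan_if" "$ext_if"
    printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$lan_if" "$ext_if"
}

# Sample invocation with constructed values: SSH on 192.168.1.10 reachable as
# port 2222 from 203.0.113.0/24 only; LAN limited to web unless from 192.168.1.5.
gen_restricted_forward eth1 203.0.113.0/24 tcp 2222 192.168.1.10 22
gen_outbound_policy eth0 eth1 192.168.1.5 80,443
```

The generator uses the `-m state` match that iptables of this period shipped with; the rules it prints are ordinary iptables invocations, so the same text can be wrapped in a test script first and moved into a template fragment once it behaves.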

arne
Re: Firewall - is there a GUI front end for SME
« Reply #32 on: October 11, 2007, 03:03:10 AM »
From jdavey:

Quote
I'll repeat again, SME as a Server and basic gateway / firewall is a wonderful product. But when you need to offer someone something more than basics in terms of firewall / gateway, I just feel  more secure with a standalone product. Something more than SOHO and perhaps approaching enterprise level.

But the SME server also has fine-grained control of the firewall, actually more than the Smoothwall has.

As mentioned by CharlieBrady:

"You can provide your own file /etc/e-smith/templates-custom/etc/rc.d/init.d/masq and do there absolutely anything you want."

This is absolutely true. The only thing is that it is a bit complicated to do it this way. The easier way to test out a firewall configuration is to apply it via a script and then eventually, after proper testing, implement it into the template system.

To apply a firewall script takes 2 minutes. To discuss if this 2 minute job is possible to do takes, in some strange and funny way, hours, months and years.

By the way, I checked and went through the SME built-in standard firewall script tonight, because I have some problems with it. It is located here: /etc/rc.d/init.d/masq (Please correct me if there should be more. Technically it is possible, but it does not look like that.)

After reading through it my conclusion is that the SME server firewall is a standard, straightforward stateful inspection iptables firewall.

Actually it is built much the same way as I use to do it, so there wasn't much to complain about either. (Except that mine doesn't work.)

When I apply my firewall script I do quite exactly the same firewalling, except for the difference that I close down all ports that do not need to be open. I do not believe that a standard Linux firewall will be less secure because you close down some ports for external access.

It has been mentioned somewhere above, I think, that you need to be an expert on firewalls to configure or understand the SME server firewall. But it is actually a question of understanding the basics of a Linux netfilter firewall, as far as I can see.

I once made a similar check of the Smoothwall (not the newest) and I think it was much the same.

The main difference I think is that the SME Server has more fine-grained configuration opportunity via the template system.

On the other hand, discussing firewalls is possibly "quicker" at the Smoothwall user forum.

To read through the SME server firewall configuration script takes 5 minutes. To discuss if a port or two can be opened or closed takes some time.

To have fine-grained control over the SME Server firewall and network traffic is actually not a problem at all. It can be tested out in a separate config script and then implemented into the template system. (I had actually forgotten some stuff about the template system, so thanks to Charlie for reminding me. The only problem with my SME servers is that they always work, so I have rather little maintenance experience.)

To set up a 3 network adapter solution is a bit more "tricky", but not much. I have it running right now and the 3rd NIC does not make a problem at all. The firewalling is done quite the same way as using the standard SME Server firewall script, and it is actually not a problem at all. To implement it into the template system would be a project, I guess, but as an "add on" it is not a problem.

I don't know why people think that a firewall should be such a difficult thing, because actually it is not. Some firewall designers do strange things, but the standard firewall of the SME server seems to be a rather straightforward, well structured and clean one.

(But the new Smoothwall has some QoS functions etc., but that's another story.)



arne
Re: Firewall - is there a GUI front end for SME
« Reply #33 on: October 11, 2007, 04:07:27 AM »
RayMitchel and CharlieBrady ->

Thanks a lot for the interesting info about ongoing firewall development projects.

I have to admit that I did not know exactly how this Bugzilla works at all. (I had a bug there some years ago, but it was not a success.)

The strange thing about the firewall "problem" is that the existing SME Server firewall seems to be "only" based on a rather straightforward Linux firewall configuration script, if I'm not wrong. (/etc/rc.d/init.d/masq) (Built up using the template system.)

But the main thing about a firewall is that it should not be regarded as something "piece by piece" and "bug by bug".

I think that a firewall should rather be regarded as "a complete whole".

I also think that good enough firewalls, like the Netfilter firewall, should not be about technology, and neither so much about security; it should rather be about users and user experiences. (Security and technology are already built in by the Netfilter team.)

To work on a good firewall, I think there will be a need for loopback times from suggestions to testing of not 2 months in a Bugzilla, but rather 5 minutes in a test environment.

As I see it, the feedback from the users and the discussion about how the firewall should work is the firewall, while the technology around it is something more secondary.

Let's take filtering of outgoing traffic from the LAN as an example. It is rather easy and straightforward to set up, but it would normally have a great influence on how the user experience of using the net will be. On the other side, it could also have a great influence on the overall security. This question is not a question of technology, or some "bug"; it is a question of how humans experience the use of the net, and how a trade-off can or might be made between security and functionality. I guess that the tighter and more secure the outgoing traffic control is, the more there will be a need for easy and detailed interactive user control of the firewall functionality.

As I would see it, the best way of doing this is by working on the firewalling first, to obtain solutions that are complete and well working, and then to make the technology implementation afterwards.

The firewall alone is something rather very easy and manageable that can be changed easily into almost any form. The technical part of implementing a well working firewall into the SME configuration system seems to be something rather more difficult.

The firewalling part of the firewalling problem is almost nothing at all if it is handled as a whole, and not as a piece by piece by piece collection of technical parts from the SME server.

When considered and tested out and discussed as a whole, it should then be possible to find a technical implementation of a well working firewall solution.

When all the firewalling problems and all the server problems are put into one bag and mixed together, I think you get something rather difficult, even though it is about something rather easy. I think that the good trick is modularity and solving one problem at a time, the firewall problem and the server problems. Without such modularity, things will be rather difficult to improve or change.

As I would see it, a good firewall is the sum of all user experiences and all the discussions that are behind it.

A good firewall is per definition not something one person can develop alone and come up with a solution for, as it should be the result of all the discussions that are the content of the firewall.

Just my point of view :-)
« Last Edit: October 11, 2007, 04:09:35 AM by arne »

raem
Re: Firewall - is there a GUI front end for SME
« Reply #34 on: October 11, 2007, 04:36:11 AM »
arne

Quote
After reading through it my conclusion is that the SME server firewall is a standard, straightforward stateful inspection iptables firewall.

That is freely available information that has been published for years, so you didn't discover anything there.


Quote
To apply a firewall script takes 2 minutes. To discuss if this 2 minute job is possible to do takes, in some strange and funny way, hours, months and years....
To read through the SME server firewall configuration script takes 5 minutes. To discuss if a port or two can be opened or closed takes some time.

Your discussions seem to be about alternative firewall scripts that flush the current configuration; that's why you don't get much support for your approach.

As you now admit that it is straightforward and relatively easy to understand, then the existing code base for masq can be built upon & added to, rather than being discarded, as you have been consistently promoting.

How about you contribute code to the project rather than just lots of discussion.

I'll refer you again to
http://forums.contribs.org/index.php?topic=36855.0
and
http://bugs.contribs.org/show_bug.cgi?id=2977

The people involved took it upon themselves to create additional code. The code was based upon & fitted into the current design.

Read the links and you can follow the sequence of events that has led to this code & db commands being developed. I'm sure it was more than 5 minutes work by a skilled coder(s) who understood both iptables and sme templating.


You do not need to discuss anything here ad infinitum, just start doing something, and if you upload code to bugzilla that fits into the current design concepts, I'm sure it will be picked up by others and developed further, if/as necessary.

To quote Gordon Rowell in
http://bugs.contribs.org/show_bug.cgi?id=9
(which refers to a revised iptables script by hans-cees)

"We'd be very happy to have a look at this, as long as:

- We have code to look at
- The code works in with the existing system or provides a
total replacement with all of the existing features. We're
much more likely to be able to assess a diff/patch than a
total replacement.
- Each part is separable and can be independently assessed
in a separate bug"


The developers clearly prefer ideas/code that fit into the existing structure. If your ideas are way different to what is currently being done, then don't expect the developers to develop it for you, unless as they say you present a "total replacement" that includes all existing features plus any additional stuff.

If you cannot or don't know how to implement something into the sme templating structure, then propose iptables rules and ask that they be implemented by someone who does know how.
You have been asked to contribute code previously, yet we see nothing from you except discussions, and having just read your most recent post, something that sounds like philosophical diatribe.


arne
Re: Firewall - is there a GUI front end for SME
« Reply #35 on: October 11, 2007, 02:34:52 PM »
RayMichel -> Thanks a lot for your answer!

Quote
Your discussions seem to be about alternative firewall scripts that flush the current configuration, that's why you don't get much support for your approach.

Yes, but that is because I believe that this is the only way to develop something (an improved firewall design) that will fit into the existing structure.

It's like if you are sitting and you want to walk. You first have to rise up, then you can walk. You cannot walk when you are sitting.

If you want to develop some firewall stuff you will have to flush out the existing firewall to get started, and you will have to do it again and again when you are doing the development work.

Then it is possible to have those discussions and to do the exchange of experiences that will end up in a well functioning firewall that can be implemented into an existing structure.

As I see it, flushing the existing firewall and discussion with the users is the basic thing you are doing when you are working on a firewall that might be implemented into "technical structure" A or B, when it works.

As I see it, "cannot flush" will mean "cannot do anything", like "cannot rise" will mean "cannot walk" when you are sitting in a chair.

I have not understood how anything could be done at all about the firewall in an environment where firewalls cannot be flushed, as the flushing will be the basis for everything else.

When I see the link to the suggestion of Hans_cees mentioned above, http://bugs.contribs.org/attachment.cgi?id=1416, I think I understand a little bit how to set up a suggestion concerning a firewall.

As I see it, the important thing about a firewall design is the dialog and experiences and the feedback from the users.

I tried to have a discussion about firewalls here on this forum something like 2 or 3 years ago, but it did not work in this forum.

At that time I took the general project of developing such a 3 port firewall for CentOS out to one other web forum, to have the required discussion with interested users, to develop a 3 port firewall with full control of the traffic between the 3 network segments. We did, and it ended up with a 3 port firewall solution not so unlike, in its basic design, the one on the SME server or the Hans Cees suggestion. I will see if I am able to find it again on the web and post it in the Bugzilla system like the Hans Cees suggestion. I think it should work on SME 7.2 as well (but I don't know how easy a 3 port mod into the existing template system will be).

But by the way, the Hans Cees suggestion is also based on flushing (and testing):

/sbin/iptables --flush  FORWARD
/sbin/iptables --flush  INPUT
/sbin/iptables --flush  OUTPUT

.. as I think practically all Linux firewalls are.


************************

Something here: http://www.eksperten.dk/spm/541674

(This firewall will not work directly on the SME server as it is a straightforward firewall gateway design where the gateway is without server functions.)

************************

This was obviously a gateway design we did at that time. It needs some rework to be adapted to a server gateway.

But I did it just now, and I am posting through the old firewall from 2004 on my new 2007 model 3 port SME 7.2 server gateway.

If things were easy in this world we could just rework the old 2004 firewall a bit more and post it here. Some debugging and discussions could have been done, and possibly someone could come up with some automated configuration tool (actually I have started to make one myself based on PHP, as I don't know Perl at all).

As things were developed and checked for proper functionality we could then have looked into the problems of how to implement a 3 port firewall (or any firewall) into the template system. A text based configuration tool for two or three NICs could have been up within days. Some kind of web based configuration tool could have been there within a month or two.

But things are not that easy, I guess. 
« Last Edit: October 11, 2007, 04:02:04 PM by arne »
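The workflow described in the posts above, applying a test firewall script that flushes the live chains and only later reworking it into the template system, has one practical hazard that neither side of the discussion spells out: if the new rules cut your own session on a remote gateway, there is no second chance. The shell block below is an added example written for this page (not code from arne, Hans Cees or the SME project) of a timed rollback around exactly that step. It snapshots the running ruleset with iptables-save, schedules an iptables-restore of that snapshot, runs the test script, and cancels the restore only when the operator confirms the box is still reachable. The two command names are read from variables purely so the logic can be exercised with stand-ins; the script path and grace period in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the SME project): apply a test
# firewall script with an automatic rollback, so a ruleset that flushes the
# live chains on a remote gateway cannot lock the operator out for good.
#
# iptables-save / iptables-restore are resolved through variables so the
# logic can be exercised with stand-ins; on a real box leave the defaults.
# Run as root on the gateway itself.
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# safe_apply RULES_SCRIPT GRACE_SECONDS
# Snapshot the current ruleset (all tables), schedule its restoration after
# GRACE_SECONDS, then run RULES_SCRIPT. Sets SNAPSHOT and REVERT_PID so that
# confirm_rules can cancel the pending rollback. Returns the script's status.
safe_apply() {
    rules=$1 grace=$2
    SNAPSHOT=$(mktemp) || return 1
    "$IPTABLES_SAVE" > "$SNAPSHOT" || return 1
    # Background timer: if nobody confirms in time, put the old rules back.
    # iptables-restore replaces the tables wholesale, which is what we want
    # after a script that has flushed everything.
    ( sleep "$grace" && "$IPTABLES_RESTORE" < "$SNAPSHOT" ) &
    REVERT_PID=$!
    sh "$rules"
}

# confirm_rules
# Call once you have verified from a fresh connection that you can still
# reach the box. Kills the timer subshell (the orphaned sleep it leaves is
# harmless; the restore behind the && never runs) and removes the snapshot.
confirm_rules() {
    kill "$REVERT_PID" 2>/dev/null || true
    wait "$REVERT_PID" 2>/dev/null || true
    rm -f "$SNAPSHOT"
}

# Usage on a real gateway (placeholder path and 120 s grace period):
#   safe_apply /root/test-firewall.sh 120
#   ... open a new ssh session to prove access still works, then:
#   confirm_rules
```

The snapshot approach does not care how the original rules were produced, which is what makes it fit a script that flushes everything: whatever the masq script had installed comes back verbatim if the operator goes quiet.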

gbentley
Re: Firewall - is there a GUI front end for SME
« Reply #36 on: October 11, 2007, 05:12:17 PM »
Out of interest, has anyone ever had any kind of intrusion, even on a 'mis-configured' SME?

I've read these forums a lot over the last few years and never heard of any.
"If you don't know what you want, you end up with a lot you don't."

arne
Re: Firewall - is there a GUI front end for SME
« Reply #37 on: October 11, 2007, 07:02:51 PM »
True, neither my SME server nor my other Linux firewalls have ever got hacked, as far as I know.

But on the other hand, has anybody ever heard about a Windows client or some other client that has got hacked or infected?

Does the standard SME server firewall protect against such an infection of a Windows client? Could it protect against this? What about hacking of clients? Could or should it protect against that as well?

If some revision of the firewall configuration and possibly some configuration tool like a GUI could increase the overall security, for the server and the clients, would it then still be negative?

raem
Re: Firewall - is there a GUI front end for SME
« Reply #38 on: October 12, 2007, 02:08:45 AM »
arne

You are free to create a firewall script and run it on your server, and anyone else is free to use it if they choose.
A firewall script like you propose is not likely to be accepted by the developers as a viable alternative to the current system.
Non standard firewall scripts may create problems when doing upgrades.


If you really want to make a contribution to the sme server project, I strongly suggest you take an alternative approach which is different to the attitude you have now.
Develop code (for new functionality) that adds fragments to the existing masq structure (as custom templates for now), and upload them to bugzilla as part of a New Feature Request (NFR). These will be reviewed by developers & peer group coders, modified if necessary, and may then be incorporated into the existing code base.
As the code is compatible with sme server, then all upgrades will work OK.

I will refer you again to these two links as a good example of how that process works.
http://forums.contribs.org/index.php?topic=36855.0
http://bugs.contribs.org/show_bug.cgi?id=2977

If you are unsure about how the current system works and how to integrate your ideas and new code into the system, you can ask questions at the devinfo list or in specific bugs.
http://lists.contribs.org/mailman/listinfo

The forums are not really the place to discuss advanced firewall design.

arne
Re: Firewall - is there a GUI front end for SME
« Reply #39 on: October 12, 2007, 04:17:22 PM »
I will try to take the firewall project away somewhere else, or alternatively try to do it alone, so as not to disturb with this firewall talk anymore.

I am thankful for all your friendly and well meant advice, but there is only one nag:

Innovative and new firewall design cannot be done like that.

For the energy and time spent discussing whether firewall development is difficult or not, hundreds of alternative firewall designs could have been produced, to have a collection to test out from, to find out which is the best one to be implemented into the template system.

Quote
A firewall script like you propose is not likely to be accepted by the developers as a viable alternative to the current system.
Non standard firewall scripts may create problems when doing upgrades.

But the developers have already made such a firewall script themselves? /etc/rc.d/init.d/masq

A non standard, or in more general terms a "standard Linux firewall configuration script", should normally not affect the future upgrades of the SME server in any way, as it does not require any kind of installation on or modification to the server. The original firewall script can just be there as it is, and there is no need to change or modify anything at all to apply a new firewall. (That's the beauty of Netfilter and Linux :) )

I will try to not mention the word "firewall" for at least a year now, as I believe that mentioning it will not produce any new firewall designs.

But it's a good thing that anyone can use the benefit of Netfilter/Linux, the capability of applying a completely new firewall, and to rearrange it and do all kinds of testing, without the need of doing any (zero!) modifications to the underlying operating system.

In the same way it is also possible to use and test out a number of graphical firewall configuration tool front ends, without affecting the underlying operating system at all, if they are designed to work like that.

The difference between firewall design and other contribs and suggestions is that a good firewall design will have to be based on and created out of the free and open discussion about how to design and use the firewall in the best possible way.

My personal opinion is that the SME server could be even better as a technical product if it took full advantage of the options that are given by the Netfilter design.

I think that the SME Server is the best gateway server there exists for its intended use, but as times are changing, it could be even better. Firewalling is not just "firewalling"; on a Linux platform it can increase usability and performance of a product, without the need of doing one single modification.

OK, I will try to remember: "Do not mention the word firewall on the Contribs.org Forum until 12 October 2008."
 
« Last Edit: October 12, 2007, 04:40:51 PM by arne »

gbentley
Re: Firewall - is there a GUI front end for SME
« Reply #40 on: October 12, 2007, 05:00:56 PM »
Arne, your word count on this topic was 4142 - just imagine if that was SME code :wink:
"If you don't know what you want, you end up with a lot you don't."

CharlieBrady
Re: Firewall - is there a GUI front end for SME
« Reply #41 on: October 12, 2007, 05:11:08 PM »
... as I believe that mentioning it, will not produce any new firewall designs.

I'm glad that you have finally realised that.

When you come back, please contribute your ideas and code via the Bug Tracker. Thanks.

CharlieBrady
Re: Firewall - is there a GUI front end for SME
« Reply #42 on: October 12, 2007, 05:24:05 PM »
Arne, your word count on this topic was 4142 ...

Did you count in all four threads, or just this one?

arne
Re: Firewall - is there a GUI front end for SME
« Reply #43 on: October 12, 2007, 07:40:58 PM »
Quote
Arne, your word count on this topic was 4142 - just imagine if that was SME code

Yes, but I also made a 3 port SME firewall in the middle of it all, with the other left arm, that works quite well, I think.

The firewall script is also posted on this forum.

I have posted the issue on the bug tracker, to see how it works, even though I think it actually is a contrib and not a bug.

I think that the contribs.org forum should also be about contribs and the ability to develop some contribs, including also some contribs related to firewalls. I don't know if there exist too many of them related to firewalling?


raem
Re: Firewall - is there a GUI front end for SME
« Reply #44 on: October 13, 2007, 02:10:06 AM »
arne

Quote
I have posted the issue on the bug tracker, to see how it works, even though I think it actually is a contrib and not a bug.

You have ideas that have great potential, and there are probably many sme users who want the functionality you are discussing, but these ideas need to be turned into working code that is compatible with the current system.

The bug tracker is now being used for far more than lodging bugs against current code.
Specific bugs are created as placeholders for a variety of matters eg New Feature Requests, outstanding bugs that are holding up a new release, documentation improvements & more etc etc.

The bug tracker has been strongly pushed by developers as "the only place" to report any problems, and also the main place to carry on development work & discussions. In the past there was much more of this happening in the contribs.org forums & the devinfo mail list. Most people here have responded to the core developers requests to do development work in the bug tracker within a specific bug (or multiple bugs if there are distinctly different parts).

That is because the bug tracker has good tracking & monitoring features that far exceed the management capabilities of the forums.
Perhaps you perceive the bug tracker as the wrong place to use, but that is incorrect. It is the right place to use for what you want to do.

No one is driving you away, but it does seem that all of us are asking you to use the bug tracker for your project, as that is how it is done around here now. Is that such a difficult request?
You can still have a thread here in the forums that can announce major changes or improvements or keep people generally aware of what is happening in bugzilla with regard to your project.

I don't see your bug, can you provide a link to it.

arne
Re: Firewall - is there a GUI front end for SME
« Reply #45 on: October 13, 2007, 03:21:00 PM »
Thanks for the nice and friendly comment.

If you try to discuss anything about firewalls on the contribs forum, comments will very easily be like this:

Quote
Arne, your word count on this topic was 4142 - just imagine if that was SME code

The underlying fact is that the SME Server installation does not contain a firewall at all.

Because there does not exist any SME Server firewall at all, it is rather difficult to break dependencies or destroy anything that in the first place does not exist at all.

The firewalling of the SME Server is done by configuring some basic functions that are built into the Linux kernel.

This is done by default by running a configuration script. (/etc/rc.d/init.d/masq)

The SME Server contains this configuration script and some automated routines for modifying this configuration script.

You can compare it with an autopilot on an airplane. "The firewall autopilot."

Neither the pilot nor the autopilot does the flying themselves; they only give some instructions to the airplane (in this case the Linux kernel) that does the flying.

As far as I can see there is nothing special about the firewalling done by the SME Server at all. It's just standard Linux packet filtering anno year 2000/2001. If one compares the SME Server rev 5.x, 6.x, 7.x I believe that the firewalling itself is basically much the same. There have been few changes, and the configuration and data transport through the Linux kernel is much the same.

If any major changes have been developed it would be interesting to know.

To applying a reviced firewall "tuning" or "configuration" to the Linux can be done in two different ways:
1. One can do som redisign of minor adjustments to the "autopilot".
2. You can leve it as an option to teporarely turn the autopilot "off" and leave the controls to the Pilot.

The option of turning off the autopilot and doing the manual control has actually always been there through SME 5.x, 6.x, 7.x. It is, as I believe, only a question of using this opportunity.

When developing some firewall tools, this tool could work against the autopilot, or it could contain the opportunity for the user to tell the autopilot: "You are switched off, I am now flying, my controls".

The cost of building in an effective option of "My controls" should be only a small fraction of the cost of modifying the autopilot. (Let's say, as an example, a factor of 1:1000.)

A configuration tool could actually contain those "pushbuttons": "Autoconfiguration", "Restricted manual control", and "Full manual control".

To design the perfect autopilot you will have to do and perform flying and then in the end build the experiences from all your nice and bad trips into the automated control.

If you cannot discuss the flying itself (the firewalling) you cannot do the perfect automated control either, as there will be no nice and bad flying experiences to build into the system.

Except for being much simpler and much easier to develop, a manual control can also have the option of being operated more safely and more restrictively than an automated control. There could also be some restrictions built in so it cannot be tuned up to be too unsafe. A manual control could be set up with additional security functions, as an example protection against DoS attacks, filtering against scanning (so the firewall locks off and hides the open ports when scanned), and filtering of outgoing traffic from the LAN (this would be a major improvement for the overall network security).

As I see it, an SME Server with the option of having full and fine-grained control over the traffic is much more enjoyable and useful than an SME Server that has only the option of running on the automated firewall control.

These things could be done via a text-based shell, a web shell, or with 2 or 3 or more network interfaces.

When you are doing "the manual control" the automated control system can run unaltered and unmodified in the background, to be there as a backup control that can be switched on at any time.

If you try to suggest something new or innovative about firewalling and SME Server, feedback will not always be only positive, and discussions about the firewalling itself very easily turn into a discussion of anything else.

To avoid discussions that will only produce a lot of words that might not be listened to (4242 from me now?), I will try to do the project as an independent contrib from a new independent web site http://www.linuxfirewalls.info/

Any info on what negative things might happen when you take over the manual control would be positive, as it then can be built into the contrib.

I just want to have an SME Server that does the optimal job, and for me this also includes full control of the firewall, the ability to compile source code and an Asterisk server installation. I do not need a 3rd network adapter, or some configuration tool for this, but I think I will try to do it as well, just for the fun and joy of doing it.

As I see it, detailed and fine-grained control of the firewall is the major homemade improvement of my Asterisk server just now.

For me this is only a project based on fun and the enjoyment of doing things, and if it could be usable for anybody else, that's just OK.
......

Offline byte

  • *
  • 2,183
  • +2/-0
Re: Firewall - is there a GUI front end for SME
« Reply #46 on: October 13, 2007, 05:43:29 PM »
Quote
The underlying fact is that the SME Server installation does not contain a firewall at all.

Wrong. The SME Server does provide a firewall.

Quote
As far as I can see there is nothing special about the firewalling done by the SME Server at all. It's just standard Linux packet filtering anno year 2000/2001. If one compares the SME Server rev 5.x, 6.x, 7.x I believe that the firewalling itself is basically much the same. There have been few changes, and the configuration and data transport through the Linux kernel is much the same.

Wrong again, the firewall has changed, but I don't have as much time to type as you do to tell you what the changes are.

Quote
If any major changes have been developed it would be interesting to know.

Then I'd suggest trawling through the dev list and bug tracker.

Quote
I just want to have an SME Server that does the optimal job, and for me this also includes full control of the firewall, the ability to compile source code and an Asterisk server installation.

SME Server already does a good job, and securely; your words of "ability to compile by source code" are bad, as anyone would know you never have build/compile tools on your production server.
« Last Edit: October 13, 2007, 05:45:04 PM by byte »
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline arne

  • ****
  • 1,116
  • +0/-4
Re: Firewall - is there a GUI front end for SME
« Reply #47 on: October 13, 2007, 10:40:46 PM »
If the SME Server contains a firewall I would be curious to know which one that is.

I think that the only packet filter firewall that is there is the one supplied by Netfilter, which is a part of the Linux kernel.

Because SME Server has the Linux kernel it also has the firewall, but it does not supply any other packet firewall or an application-level firewall by itself. Does it?

It could be that it has some configuration options for some server functions like sshd and ftpd to prevent or allow access from external clients. I would guess it is like that, but I have not checked it.

The reason why I am curious about this question is because I am working on a firewall contrib that will do some new things just now.

I haven't had too much time for testing, but it looks like there will be a new firewall setup option in the near future that will do the things for me that I at last was dreaming about during all the years with SME 5.x, 6.x, 7.x. A third card will also be an option, even though I actually do not need it too much myself. There will also be some simple web-based configuration tool.

I think arguing in this forum will not help at all, but hopefully some "loud thinking" will give a result that can be used. Actually I am using it myself already, and it is just the SME Server I always wanted to have. If anyone else wants to use the contrib they can. It will be posted at this address: http://www.linuxfirewalls.info/
« Last Edit: October 13, 2007, 10:46:57 PM by arne »
......

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: Firewall - is there a GUI front end for SME
« Reply #48 on: October 14, 2007, 03:07:17 AM »
Quote
If the SME Server contains a firewall I would be curious to know which one that is.

You know very well what it is.

Quote
I think that the only packet filter firewall that is there is the one supplied by Netfilter, which is a part of the Linux kernel.

Yes, of course.

Quote
It could be that it has some configuration options for some server functions like sshd and ftpd to prevent or allow access from external clients.

Yes, of course there are.

Quote
I think arguing in this forum will not help at all, ...

Indeed, but you keep doing it.

Offline p-jones

  • *
  • 594
  • +0/-0
Re: Firewall - is there a GUI front end for SME
« Reply #49 on: October 14, 2007, 05:17:27 AM »
Arne

The merits of combining a firewall with the main server are limited. Go google a bit and you will understand what I mean.

After giving consideration to the overall concept of what SME is about, ie the bigger picture, what is provided in SME is MORE than adequate.

If you want a full-featured firewall, or maybe I should say a more-featured firewall, you should go to IPCop or Smoothwall. There you will find the same Linux kernel features from 2000/2001 that you have referred to, with a more extensive rule set and a GUI interface. Designed and dedicated to just that task - a firewall.

If you want specialised features, you need a specialist product...
...

Offline gbentley

  • ****
  • 482
  • +0/-0
  • Forum Lurker
    • Earth
Re: Firewall - is there a GUI front end for SME
« Reply #50 on: October 14, 2007, 11:57:35 AM »
As an aside, I am constantly surprised at the increase in the wealth of features provided within relatively cheap ADSL routers these days, particularly within the firewall and security features. Even a £40 router can have Packet Filtering, Stateful Inspection, DoS Attack Prevention, Custom Rulesets, Stealth mode etc - and probably a Linux Kernel :wink:
"If you don't know what you want, you end up with a lot you don't."

Offline raem

  • *
  • 3,972
  • +4/-0
Re: Firewall - is there a GUI front end for SME
« Reply #51 on: October 14, 2007, 12:46:31 PM »
gbentley

Quote
..and probably a Linux Kernel

Which gets outdated & buggy, whereas the Linux kernel in sme server gets updated regularly.
That way, when using sme server in gateway mode (with the firewall functionality enabled), the firewall kernel remains up to date.
...

Offline gbentley

  • ****
  • 482
  • +0/-0
  • Forum Lurker
    • Earth
Re: Firewall - is there a GUI front end for SME
« Reply #52 on: October 14, 2007, 01:30:07 PM »
Last two routers I bought you could do firmware updates on :)
"If you don't know what you want, you end up with a lot you don't."

Offline judgej

  • *
  • 375
  • +0/-0
Re: Firewall - is there a GUI front end for SME
« Reply #53 on: October 15, 2007, 01:54:58 PM »
Quote
If the SME Server contains a firewall I would be curious to know which one that is.

It's not a case of 'which one'. You have described the setup - the SME Server provides a firewall function for itself and for the network. You don't need an RPM with a big label "ACME Firewall" in order to provide that function.

Yes, it would be nice to have a finer level of control over how the firewall is configured and works. It would be nice to be able to enter IP ranges to block, to get reports on various types of attacks, to be able to set ranges of allowed IP addresses for certain ports. It would all be nice, but someone has to specify the requirements, someone has to code it up, and someone has to test it. Until that happens, we have a nice default "works out the box" firewall that is okay for the purpose it set out to solve.
-- Jason

Offline jfarschman

  • *
  • 406
  • +0/-0
Re: Firewall - is there a GUI front end for SME
« Reply #54 on: October 15, 2007, 06:46:59 PM »
54 posts....!!!

  Wow!

Consider this. Most problems with security are due to an administrator who poorly understands the concepts of security and applies firewall rules improperly. :shock: Check out the stats on security breaches some time. Sometimes it's the fault of a kernel or a firewall, but the vast majority of breaches occur due to administrative mistakes.

  SME takes care of security for such users.  This is why I use it.  SME is brilliant at taking away user mistakes.

  If you need a hand with something more complicated because the only way to configure it is through the command line, then you probably fall into the 'poorly understands' category and should consider getting some advice/help from one of the developers.  Paid help.

  They can do the work quickly, cheaply and with quality.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com