Hi everyone. Maybe it wasn't good advice to talk about the masq manager contrib, I never tried it. But I think an advanced firewall configuration tool would be a good thing, even if there's no panel in the server-manager. I know we can already open some ports and forward others, but a lot of things are missing (IMHO) like:
- Limit a port forwarding to a range of source addresses
- Forward a port for both tcp and udp in a single rule
- Possibility to comment each forwarding rule
- Possibility to forward a port range
- Support other interfaces than Internal and External; this could be great for a site-to-site VPN, a DMZ, or a WiFi device
- Support forwarding rules between the different networks if there are more than 2 interfaces
- Possibility to disable NAT with a db key
- Block all outgoing port traffic (excluding an admin IP range) and allow just the ports we want
- Add some protection against ssh scans at least (it seems to be possible with simple iptables rules, but I haven't tested)
- Add shaping rules (the script from hancees based on HTB works great; I think it should be added to the base)
Something like the BOT (BlockOutTraffic) on IPCop would be cool. I know SME is not designed to be a complex firewall, but for small installations it would be useful to have some advanced firewall options, even for personal use (I have an SME at home, and I'd need a third interface to connect a WiFi device and capture the traffic with chillispot. I'd even need a 4th interface for a site-to-site VPN with openvpn, and I don't want to disable the firewall on this interface like some people do; I'd just like to open some ports.)
I've started looking at the masq script, but implementing that functionality needs a total rewrite (I think), and such a thing won't be integrated into the distro. That's why I haven't opened bugs as NFRs. I know it represents a lot of work, but this functionality is really missing.
That was my advice.
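As an added illustration of what several of the wishlist items above amount to in plain iptables (this is example code, not from the post above nor from SME Server or the masq script), here is a small dry-run generator that only prints the rules for a source-restricted, tcp+udp, port-range forward with a comment on each rule, plus a simple ssh-scan rate limit. The interface name eth1, the internal host 192.168.1.10 and the source range 203.0.113.0/24 are hypothetical values.

```shell
#!/bin/sh
# Added example, not code from the original post or from SME Server.
# Dry-run generator: it only PRINTS the iptables commands for the wishlist
# items (source-range restriction, tcp+udp from one call, a port range,
# a comment per rule, and a simple ssh-scan limit). Nothing is applied;
# review the output, then run it as root.
# Hypothetical values: external interface eth1, internal host 192.168.1.10,
# allowed source range 203.0.113.0/24.

# gen_forward EXT_IF SRC_RANGE DST_HOST PORT_RANGE COMMENT
# For tcp and udp: one DNAT rule (nat/PREROUTING) plus one FORWARD accept.
# DNAT with no port in --to-destination keeps the original port, so a
# range such as 5000:5010 is forwarded unchanged.
gen_forward() {
    ext_if=$1 src=$2 host=$3 ports=$4 comment=$5
    for proto in tcp udp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s -s %s --dport %s -m comment --comment "%s" -j DNAT --to-destination %s\n' \
            "$ext_if" "$proto" "$src" "$ports" "$comment ($proto)" "$host"
        printf 'iptables -A FORWARD -i %s -p %s -s %s -d %s --dport %s -m state --state NEW -m comment --comment "%s" -j ACCEPT\n' \
            "$ext_if" "$proto" "$src" "$host" "$ports" "$comment ($proto)"
    done
}

# gen_ssh_limit EXT_IF HITS SECONDS
# Drops a source that opens more than HITS new ssh connections within
# SECONDS, using the 'recent' match; established sessions are unaffected.
gen_ssh_limit() {
    ext_if=$1 hits=$2 secs=$3
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH\n' \
        "$ext_if"
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -m state --state NEW -m recent --update --seconds %s --hitcount %s --name SSH -j DROP\n' \
        "$ext_if" "$secs" "$hits"
}

# Example run with the hypothetical values: prints 4 forward rules + 2 ssh rules.
gen_forward eth1 203.0.113.0/24 192.168.1.10 5000:5010 "game server"
gen_ssh_limit eth1 5 60
```

Rule order still matters when applying the output: the FORWARD accepts must come before any catch-all DROP, and the ssh `--set` rule must precede the `--update` rule.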