Topic: Firewall - is there a GUI front end for SME

[nicolasdiogo]

hi

just find out if there is some front end for the firewall (iptables)
in the forum there a number of posts and howtos asking explaining how to use the firewall.
it seems that it is only possible to amend the firewall via command-line.

many thanks

[byte]

There is no GUI for changing firewall settings, nor has there ever been.

What are you looking to do?

[raem]

nicolasdiogo

The GUI server manager has a number of panels that directly affect firewall rules.
There are also numerous command line "db commands" that directly affect firewall rules.
Just look at the forum posts of the last two days re blocking, AllowHosts & DenyHosts, also read the Developers Guide, FAQ & Wiki for additional info.

It really depends on what you want to do, as to which approach you take to make the changes.
ie it would be counterproductive (and possibly a security issue) to write special iptables rules when there is a db command or a server manager panel that can make the change you want.

What do you want to do ?

[nicolasdiogo]

thanks,

i am looking to redirect traffic for certain ports to particular local IP.
allow traffic for a certain port for only one desktop.

is there plans to create a front end for the firewall?

regards

[mmccarn]

i am looking to redirect traffic for certain ports to particular local IP.

This is already in the GUI under server-manager::Security::Port Forwarding

allow traffic for a certain port for only one desktop.

If this is different than the previous item then I don't understand what you're trying to say?

[CharlieBrady]

is there plans to create a front end for the firewall?

There is a front end for the firewall - it is the server manager, which has various policy settings and panels which affect the firewall.

There are no plans to have two different front ends.

[okepc]

Byte said

nor has there ever been

You are misinformed take a look at:

Masq Manager

http://www.muzo.homeip.net/wiki.php/SmeServer/Contribs

This wil PROBABLY NOT WORK with sme7 cause it is written for sme6

Regards

Dirk

[byte]

Byte said
You are misinformed take a look at:

Masq Manager

Misinformed ? I don't think so, thats bad advice to suggest something thats not even compatible with sme7, even when that package was compatible with sme6 it didn't work properly.

http://www.muzo.homeip.net/wiki.php/SmeServer/Contribs

This wil PROBABLY NOT WORK with sme7 cause it is written for sme6

So why even suggest this package in the first place if you say it will probably not work ? Bad advice again, have you even tried this package on sme7 ?

[Daniel B.]

Hi everyone. Maybe it wasn't a good advice to talk about the masq manager contrib, I never tried it. But I think a advanced firewall configuration tool would be a good thing. Even if there's no panel in the server-manager. I know we can already open some ports, and forward others but a lot of things are missing (IMHO) like:
- limit a port forwarding to a range of source addresses
- Forward port for both tcp and udp in a single rule
- Possibility to comment each forwarding rules
- possibility to forward a port range
- support others interfaces than Internal and External, this could be great for site-to-site VPN, or a DMZ, or a WiFi device
- Support forwarding rules between the different network if there are more than 2 interfaces
- possibility to disable NAT with a db key
- Block all the outgoing ports traffic (excluding an admin IP range) and allow just those we want
- Add some protection against ssh scan at least (it seams to be possible with simple iptables rules, but I haven't tested)
- Add shaping rules (the script from hancees based on HTB works great, I think it should be added in the base)

Something like the BOT (BlockOutTraffic) on ipcop would be cool, I know SME is not designed to be a complex firewall, but for small installations, it would be usefull to have some advanced firewall options, even for personnal use (I have a SME at home, and I'd need a third interface to connect a WiFi device and capture the traffic with chillispot. I'd even need a 4th interface for a site-to-site VPN with openvpn, and I don't want to disable the firewall on this interface like some people does, I'd just like to open some ports.)

I've started looking at the masq script, but implementing those functionnality needs a total rewrite (I think), and such a thing won't be integrated in the distro. That's why I haven't open bugs as NFR. I know it represent a lot of work, but these functionnality are really missing.

That was my advice

[raem]

VIP-ire

> ...I haven't open bugs as NFR. I know it represent a lot of work, but these functionnality are really missing.

Well if you think the OS needs the functionality, you should open NFR bugs, at least then your requests will be considered by the developers. If enough people ask, and the developers agree, and they have resources or are sponsored, then it may happen.

[jdavey]

VIP-ire said:
- limit a port forwarding to a range of source addresses
- Forward port for both tcp and udp in a single rule
- Possibility to comment each forwarding rules
- possibility to forward a port range
- support others interfaces than Internal and External, this could be great for site-to-site VPN, or a DMZ, or a WiFi device
- Support forwarding rules between the different network if there are more than 2 interfaces
- possibility to disable NAT with a db key
- Block all the outgoing ports traffic (excluding an admin IP range) and allow just those we want
- Add some protection against ssh scan at least (it seams to be possible with simple iptables rules, but I haven't tested)
- Add shaping rules (the script from hancees based on HTB works great, I think it should be added in the base)

Something like the BOT (BlockOutTraffic) on ipcop would be cool, I know SME is not designed to be a complex firewall, but for small installations, it would be usefull to have some advanced firewall options, even for personnal use (I have a SME at home, and I'd need a third interface to connect a WiFi device and capture the traffic with chillispot. I'd even need a 4th interface for a site-to-site VPN with openvpn, and I don't want to disable the firewall on this interface like some people does, I'd just like to open some ports.)

VIP-ire said it - use IP Cop or Smoothwall (or m0n0wall). As elegant and simple a solution as SME is, I've never been confortable with the server functioning as the gateway / firewall, it just seems... dirty. That said, I've never had a problem for the few folks I've helped out with SME as a firewall. It's just that Smoothwall / IP Cop and m0n0wall are so configurable out of the box. Why take a chance on breaking security on the SME (which ambitious folks tend to do when modifying).

If it's a small installation then typically they don't need advanced routing and customized firewall rules. Additionally, it's a pain to support those changes when something goes wrong (and it will go wrong). If they do need those features then it's really not a small installation. With Smoothwall, IPCop or m0n0wall if you break it, it's a ten minute reinstall from ISO and you're done.

[CharlieBrady]

VIP-ire said it ...

Ray also said it - if something should be there and isn't, open a New Feature Request in the Bug Tracker.

BTW, quite a few of the features that VIP-ire advocates already exist.

[Daniel B.]

Ok, I'll try to open bugs for the features I've listed.
I know that if I want just a firewall, I should use ipcop, and for some installation, I use ipcop. But SME has a lot of features, and just a few are missing (still IMHO), and I'd like to have everything in one machine as it will save energy and money.

If it's a small installation then typically they don't need  advanced routing and customized firewall rules

I install SME for some small company, and I'd need the advanced functionality. I can live without it, but it'd be much better with.

BTW, quite a few of the features that VIP-ire advocates already exist.

Maybe I've missed something, can you point me to some documentation on the features I'd like which exists?

[CharlieBrady]

I install SME for some small company, and I'd need the advanced functionality.

So pay someone to develop the functionality you need ...

[Daniel B.]

Well, I'm just a young tech, I don't have lot of money and I try to do what I can to enhance this already great OS. I though giving some ideas could help but sadly it seems they are not very welcome without money