Topic: Firewall - is there a GUI front end for SME

[byte]

I though giving some ideas could help but sadly it seems they are not very welcome without money.

Idea's are great especially when raised as a NFR, they are most welcome, but as we have a small dev team there is not enough man power to cope with the NFR demands so any that you/anyone else may need for business use then "sponser" a dev team to develop this.

Please do raise your NFR's - Thanks.

[CharlieBrady]

Well, I'm just a young tech, I don't have lot of money and I try to do what I can to enhance this already great OS. I though giving some ideas could help but sadly it seems they are not very welcome without money

The problem is that ideas is the one thing that there is no shortage of. Ideas are welcome, but not enough.

What is needed is working code, and that either needs someone to contribute the code, or someone to offer money so that a programmer can be coaxed from doing other paid work to develop the code that you want. Nothing else will create working code.

[judgej]

Well, I'm just a young tech, I don't have lot of money and I try to do what I can to enhance this already great OS. I though giving some ideas could help but sadly it seems they are not very welcome without money

Ideas are great, but people here do not have time to implement every idea suggested. If you want someone else to go out of their way to implement something that only you need, then you are going to have to reward them in some way. If you cannot afford to to pay for it, then you either make do with what you have, do it yourself, or get a team together of like-minded people who do want the feature.

[nicolasdiogo]

hi,

apologies for the delay.
i red your comments, the first two, and i have found the port forward feature but it only works from external to internal flow and i still not able to find any way configuring things like enabling certain ports/services via web-interface.

i have also noted some of the argument is around having much of ideas but no funds.
i agreed.

how about bounts? the community sets the goals AND raises the cash and let the developers work with support.

many thanks

[zatnikatel]

You have the wrong idea about money the options you want you can do with iptables and the command prompt also remember SME server is an email server samba and print server as the other ones you talked about are only a firewall/routers nothing else SME server does a lot more and there is a lot of work gone into SME server with the templetes setup
and don't forget thr DEV'S do a lot of work and they do deserve money for what they do if every person that used SME server just gave 10 dollars then more options could be added don't forget they have families as well as working on the SME server
if you want to have a look at the iptables setup at the shell type iptables --list
not flameing you down but before you say they are not very welcome have a good read though the forms first every one here is willing to help as much as they can and the DEV'S want to keep SME server simple and the firewall rules are very tight on the SME server i have never been hacked and i have been useing SME server before version 5 when it was called e-smith it is the most stable linux OS around and is simple enough for a person who does not even know linux to install it

Well, I'm just a young tech, I don't have lot of money and I try to do what I can to enhance this already great OS. I though giving some ideas could help but sadly it seems they are not very welcome without money

[raem]

nicolasdiogo

>... i have found the port forward feature but it only works from external to internal flow...

That's what it is designed to do.
Note you can forward to localhost, see this example
http://wiki.contribs.org/PortRedirect

What more were you expecting/wanting ?


>... i still not able to find any way configuring things like enabling certain ports/services via web-interface

Server manager does that for the services (& corresponding ports) that can be configured in server manager eg ftp, ssh etc.

If you want control beyond the functionality within server manager, then you would use the command line.
You have two options, to use db commands where the existing code supports the functionality for the services you require to adjust, or if not supported that way, then use manually configured iptables rules with custom templates.

Again you need to be specific as to what you want to do, so that you can be advised whether that is supported and by which one of the techniques mentioned or whether you need to write your own code/rules.


I suggest you carefully read the FAQ & the Developers manual they cover by example how to enable services and associated ports.

http://wiki.contribs.org/SME_Server:Documentation:FAQ#Firewall.2FPort_Forwarding.2COpening.2CBlocking

http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gordonr/devguide/html/devguide.html#AEN2072

[Daniel B.]

Wow, I didn't thought the discussion will turn this way. First, I apologize if if I said something the wrong way, I'm not english and sometimes, what I write is not exactly what I mean. In the first post of the topic, several people ask nicolasdiogo what he want to do with the firewall exactly, so I've listed some of the functionnality I though usefull. Then, I just wanted a discution arround that, are these functionnlity really usefull? Nobody else would like to see such features? What will be the + and the - of having features like that? etc...
Instead, everyone told me "so, you have to pay", "the developpers do not have time to implement every idea suggested" and things like that. I never said, you must implement that. Instead, I said that I'd find SME even better with features like that. I don't see the problem.
I can help with some code (I'm not a real coder, but I've already packaged some contribs for SME like openvpn, backuppc and trixbox), but first, I would like to know if some other people are interested, then, we can go in the bug tracker to discuss on the technical solutions.

Cheers

[nicolasdiogo]

thanks for the links,

i noticed that SME has a good firewall command lines, so that is i questioned whether someone had written a firewall front end.

if i want to enable traffic for eMule (used for research reasons only) into my network, i would have to ssh into SME and run the command rather than having an option on the front end.  it only seems lack on consistency from a user's perspective.

i am not trying to knock the dev team down, in fact i believe SME is a fantastic product as it is simple and robust which you guys should be proud of.

regards

[raem]

nicolasdiogo

if i want to enable traffic for eMule (used for research reasons only) into my network, i would have to ssh into SME and run the command rather than having an option on the front end.

Depending what you mean by "enabling traffic", that would be achieved using the Port Forwarding panel, which is actually a port forwarding and port opening panel.

[arne]

Basically and technically there is two ways of applying a new or modified set of firewall rules on a SME server.

Alternative 1. The diffcult one. You can learn the sme server into the deep where just a few nows it and do the modifications "the right way" as they should be done. (Yes there is some more eas shell config variants for the new 7.x but it is still rather difficult to get the complete overview of how your SME firewall really work.)

Alternative 2. The more easy, but I guess "the not so recomended one". That is to let your SME server boot up and apply its firewall, like normal, and without any modification of the underlaying operation system. Then after it is up and running you can flush out the existing sme firewall and apply a complete new set of firewall (and forwarding) rules.

Such a change can be done apying a firewall (iptables) configuration script.

I am using my sme 7.2 gateway server like this just now at the moment because the ordinary firewall stopped working for some unknown reason. Such a manual firewall script gives a fine grained detailed control of how things should work, but it also increase the risk of errors multiple time. It is rather easy to make misstakes that leaves your gateway completely open for attach. One single incorrect word in the configuration script is enough.  

Of cource it would be not so very complicated to work out a graphical shell that could set up such an alternative firewall based on the prinsiple that it is not integrated into the existing firewall setup, but rather in that way it flushes out the existing firewall. Web based could be one alternative.  One other way would be to make some text based interactive program that generates the firewall configuration script.

For reasons I don't know, it looks like the principle of flushing out the existing firewall, and replacing it with new rules works when the web proxy is disabled and does not work when it is enabled. At least it does not work for me when trying to use the web proxy.

At the moment it looks like that its possible to apply a standard iptables firewall configuration script on the SME 7.2, to obtain the full controll of the firewall behaviour and data streams to and from and trough the server, when the web proxy (Squid) is set to off.

By the way, I have just tested it a few days after the regular SME firewall were broken.  (But I have also tested it on earlier releases before.)

It is my impression that the SME server developers does not like to much the idea about ordinary users playing with the firewall, but I guess it can be done. (But with the risk of being hacked and punished.)

[raem]

arne

...you can flush out the existing sme firewall and apply a complete new set of firewall (and forwarding) rules.
I am using my sme 7.2 gateway server like this just now at the moment because the ordinary firewall stopped working for some unknown reason.

So you should have reported this as a bug.

It is my impression that the SME server developers does not like to much the idea about ordinary users playing with the firewall, but I guess it can be done. (But with the risk of being hacked and punished.)

I think you are unwise to continue to promote the concept of flushing out the firewall rules and replacing them with something you have created.
It suggests an underlying lack of appreciation and understanding of the complexities of the existing firewall rules and how these rule sets are interdependent, and the order in which certain rules get implemented depending on user selections etc etc etc. The existing firewall in a sme gateway server is based on a very complex set of reasoning and not something to be lightly played around with.
Changing the approach to firewall management that you propose, will dramatically alter the security model of sme server, and likely create an insecure server, unless of course, you are a firewall and a sme expert who really does know what you are doing.
The reality is that very, very few of us are sme & firewall experts, so the majority of us should therefore leave tweaking of the firewall rules to currently accepted methods as allowed for in sme server design scope ie server manager panel changes or a range of db commands or custom template changes.

To redesign or add an additional firewall GUI which implements a lot of fine tuning functionality, will only open up the possibility of more easily creating an insecure server by well meaning but unknowledgable admins, which is quite the opposite of the sme server design philosophy.

Developers have directly asked you to provide firewall code improvements to them via bugzilla and you have not done so.
If you want changes to the sme server to be implemented in the base code, then you need to work with the developers, not go off on your own promoting the blasting away of existing firewall rules and replacing them with something you have created, which appears to function independantly of settings within sme server and therefore is not in accordance with the design scope of user simplicity.

I would also suggest that changes get made in small increments on an as needed basis ie add this particular firewall rule capability as users seem to need this now, add another firewall rule as that has become important to end users etc etc. Small incremental changes are more likely to be adopted rather than large major rewrites of new or existing GUI panels etc.

You could contribute your knowledge of firewall rules to the sme project, but it appears you are not willing to do so.

[arne]

Well I think I would se it the other way:

The Linux Netfilter firewall is a really beautifull relly and easy understandable (when it comes to practical use) and well designed part of the Linux kernel. The work done by Rusty Russel (I think his name was) is really something great.

My point of view:

1. The logical function of the firwall is something that should be regarded as someting different from those problems related to the server functions, as this would relif more freedom and focus on the firewall design itself.

2. The firewall problems is easily separated (and should be separated) from the rest of the problems related to server security.

3. If both problem areas is considered as a whole and without a prinsiple of modularization or breaking up the problem into pices (the firewall part and the server part) the complexibility of the project will be on such a level that it will be rather difficult to do anything else than just small steps and minor modifications.

4. with a new approach and a bether modularization and a bether structure between firewall and server related problems, a lot more could be done.


The way that the Linux firewall works gives the situation where developers are free to work on the firewall problems as something different and separate from the server functions, which I think could reduce the complexity of the over all situation to just a fraction of what it is when all these problems are mixed into one bag. 


Of course I would contribute if I could, but I don't understand at all how this could be done.


My opinion is that the Linux firewall is something very easy and quite managable, if one just understand its siplicity and lack of complexities. as I would see it, the easier and the more well structured a firewall design is the more "safe" it will be. "Safe" will in this case mean that it is possible to predict how it will behave under certain situations and to deside how it did fail, if this should happen. The oposite way: The more complex a firewall design is, the more risk is it fore something unexpected to happen and the more diffcult will it also be to trace it out if it fails.

Bu the way I'm not selling or promoting anything at all. I'm just discussing, trying to learn a little bit more. (And I certainly does not have all the valid answers.)

As I will se it Linux firewalling is much like bicycling. You don't need to be an expert, but you need to understand what you are doing. It might be safer to take taxi or train to town but some of us might prefere bicycling and freedom of going where you want to go, and to have the full control.

If there should be developed bether and more flexible firewall solution I think that the first ting that would be needed were some discussion about how should a firewall work, why should it do this and this and this, and not that, and so on.

What actually normally happen if someone mention something about firewalling on this forum, is that someone from the development team posts a message that advices: "please do not discuss firewalling".

If firewalling could be discussed, and some poeople were interesed in this field of problems, I think it could be possible to come up with some alternative and new solutions.

If SME developers like to think that the firewall problems need to be tightly integrated into the server problems at the SME server, because it has allways been like that, they are free to do that. But if someone think that the area of firewalling has its own life inside the the Linux kernel they can do that as well, because if you tell the kernel and yourself that it is like that, from a technically view, actually it is like that.

So technically to flush out the existing sme firewall ruleset and replace it with a new one is one option, for a change to the bether or the worse.

As I would see it - It will be very difficult if not allmost impossible to make big changes in the SME firewall if not the firewlling and the server related problems is separated in an effective way. On the other way, it should be rateher easy to come up with new solutions if it is done. These could have graphical or non graphical front-ends.

If the SME server is an open source project there should be no reason why it should not be possible to also build in advanced firewalling functions like for the new version of Smoothwall. But I believe that this can not be done (in a practical way) via the existing template system of the sme server. (It will be nedded a some more or less independent fireall configuration mudule or system of some kind.)

Eventually building such a module will also include to experiment with security and to get hacked. (No hacking no learning - as for the bicycling.)

Alternative firewalls for the SME server could have been there alredy for a long time ago, if there were some positive will to have it.
These firewall configuration tools could also do all kind of fine grained firewalling control and also manage the problems related to a dmz zone, a wireless zone, outbound trafic control, inbound trafic control, etc, etc.

[CharlieBrady]

But I believe that this can not be done (in a practical way) via the existing template system of the sme server.

And there you are wrong. You can provide your own file /etc/e-smith/templates-custom/etc/rc.d/init.d/masq and do there absolutely anything you want.

[arne]

Well I know it I'm wrong as it can be done, and I know I am right as I have done it a number of times.

Modification of the template system is a to slow and a lot to complicated way to do an effective firewall design.

It could on the other hand be quite possible to first develop firewall rules and then apply them into the template systems after troubleshooting, testing etc.

And then one other issue:

If you compare the number of functions and the complexability in the configuration panel of a SME server and the new Smoothwall, one can se that the number of functions and the complexability is, I belive bigger on the Smoothwall, that is only a firewall.

As I will see it, It will be impossible to implement a really finegradeded and flexible firewall controll on the SME server without destroying it's main force as a server, its simplicity and ease of use.

As I would see it a more flexible and more fine graned firewall controll would require somecontrol panel or interacivity outside the ordinary server-manager panel. To sy it simple: It is not possible to do all the functions of the Smootwall and the SME server in one admin panel without messing it all up. This is one of the reason that I believe that an "aditional firewalling configuring thing" could be something, something with a relatively clear modular design.   

[jdavey]

In reality, if you want the fine grained configurability and control of smoothwall, then just use smoothwall. It's built, assembled and ready to run. It's what I use in numerous deployments. It is what it is built for. The new Express v3 looks interesting, but I am cautious. As Smoothwall founder Dick Morrell points out - it's a firewall/ security device - the more things you run on it, the more opportunity you expose yourself to having bad things happen.

I'll repeat again, SME as a Server and basic gateway / firewall is a wonderful product. But when you need to offer someone something more than basics in terms of firewall / gateway, I just feel  more secure with a standalone product. Something more than SOHO and perhaps approaching enterprise level. And folks who need that level of capability really need to look at two solutions and not a single appliance. We can debate the merits between single point of failure vs. multiple points of failure with services running on separate boxes (domain server, mail server, web server, gateway / firewall), vs. a single box, but to me, a need for advanced firewalling, QOS, and fine grained control call out for a dedicated solution. If you are at the level of "almost enterprise", then build to that level.

For a simple environment in a professional setting SME is fantastic, but when you are looking a regulated environment, with very specific demands, break it apart and put SME behind another firewall / gateway.