Thanks for nice and friendly comment.
If you try to dicuss anything about firewalls on the contrib forum, comments will very easy be like this:
Arne, your word count on this topic was 4142 - just imagine if that was SME code
The underlaying fact is that the SME Server installation does not contain a firewall at all.
Because there does not exist any SME Server firewall at all it is rather difficult to break dependies or destroy anything that at the first time does not exist at all.
The firewalling of the SME Server is done by configuring some basic functions that is built into the Linux kernel.
This is done by default by running a configuration script. (/etc/rc.d/init.d/masq)
The SME Server contains this configuration script and some automated routines for modyfying this configuration script.
You can compare it with an autopilot on an airplane. "The firewall autopilot."
Neither the pilot or the autopilot does the fying themself, they only gives some instructions to the airplane (in this case the Linux kernel) that does the flying.
As far as I can se there is nothing special abot the firewalling done by the SME Server at all. It's just standard Linux packet filtering anno year 2000/2001. If one compare tne SME Server rev 5.x, 6.x, 7.x i belive that the firewalling itself is basically much the same. There has been few changes and the configuration and datatransport trough the Linux kernel is much the same.
If there have been developed any major changes it would be interresting to know.
To applying a reviced firewall "tuning" or "configuration" to the Linux can be done in two different ways:
1. One can do som redisign of minor adjustments to the "autopilot".
2. You can leve it as an option to teporarely turn the autopilot "off" and leave the controls to the Pilot.
The option of turning off the Autopilot and to do the manuall controll has actually allways been there trough sme 5.x, 6.x, 7.x It is as I belive only a question of using this oportunity.
When developing some firewall tools this tool could work against the autopilot or it could contain the operunity for the user to tell the autopilot: "You are swithced off, I am now flying, my controls".
The cost of building in a effective option of "My controls" should be only a small fraction of the cost of modifying up the autopilot. (Lets say a factor as an example 1:1000)
A configuration tools could actually contain those "pushbuttons": "Autoconfiguration", "Restricted manual control", and "Full manual control".
To design the perfect autopiilot you wil have to do and perform flying and then in the end build in the experiences from all your nice and bad trips int the automated control.
If you can not discuss the flying itself (the firewalling) you can not do the perfect automated control either as there will be no nice and bad flying experiences to bulid into the system.
Except for being much simpler and much more easy to devlop a manual control can also have the option of being operated safer and more restrictive than an automated control. There could also be some restriction build in so it can not tuned up to be to unsafe. A manual control could be set up with aditional security functions as an example protection for dos attach, filtering against scanning (so the firewall locks of and hides the open ports when scanned, filtering of outgoing trafic from LAN (this would be an major improvement for the over all network security)
As I will see it a SME Server with the option of having a full and finegranid control over the traffic is a much more enjoyable and useful than a SME Server that has only the option of running on the automated firewall control.
These things could be done via a text based shell a web shell or with 2 or 3 or more network interfaces.
When you are doing "the manual control" the automated control system can run unaltered and unmodified in the background to be there as a backup control that can be switched on at any time.
If you try to suggest something new or inovative about firewalling and SME Server feedbacks will not allways be only positive, and discusuons about the firewalling itself very easy turns over to be a discussion of anything else.
To avoid discussions that will only produce a lot of words that might not be listened to (4242 from me now ?), I will try to do the project as an independent contrib from a new inependent web site
http://www.linuxfirewalls.info/Any info of what negative things that might happen when you take over the manual control would be positive as it then can be built into the contrib.
I just want to have an SME Server that does the optimal job, and for me this also includes full control of the firewall, the ability to compile sourcecode and a Asterisk server installation. I do not need a 3'rd network adapter, and some configuration tool for this, but I think I will try to do it as well, just for the fun and joy of doing it.
As I would see it a detailed and finegraded control of the firewall is the major homemade improvement of my Asterisk server just now.
For me this is only a project based on fun, and the enjoyment of doing the things, and if could be usable for anybody else it's just OK.
54 Replies
15719 Views