Koozali.org: home of the SME Server

Wifi DMZ

Neririn
Wifi DMZ
« on: October 08, 2007, 10:47:28 PM »
Is there a correct way to setup an "Internet Only" network via SME?  I have an SME box and would like to provide internet access to my Customers, but keep them out of my Local LAN.  I only have one IP and one interface from my ISP which is currently plugged into my SME box.  I am running SME 7.2.

Thanks in advance.  If anyone has seen this already in the forums, please point me to that thread.  I apologize if it is a double posting but my searches did not return anything of help.


JoshuaR
Re: Wifi DMZ
« Reply #1 on: October 09, 2007, 12:48:06 AM »
Quote
I have an SME box and would like to provide internet access to my Customers, but keep them out of my Local LAN.
Are you trying to use SME as a file server to a separate part of your network while providing internet access to all?  Or are you just using the SME server box as a gateway? 

It should be relatively simple, but a few more details (maybe a diagram) about your network setup would help (me at least  :P).

This might be dumb, but off the top of my head, if you're running a peer-to-peer network, couldn't you set up SME as a gateway and put it in a separate workgroup from the computers that you don't want to have access to it?  It will still function as a gateway to them, but they won't see it... :)
Life's tragedy is that we get old too soon, and wise too late...

crazybob
Re: Wifi DMZ
« Reply #2 on: October 09, 2007, 01:03:26 AM »
You don't have to make them users on your server to allow them to access the internet through the server. As long as they don't have a static ip on their computer, and you are serving up ip addresses, they should be good to go, and won't be able to access the shared folders. If they don't assign their computers to your work group / domain, they won't even see the server.

Bob
If you think you know what's going on, you obviously have no idea what's going on!

arne
Re: Wifi DMZ
« Reply #3 on: October 10, 2007, 01:08:58 AM »
I guess it is right that the users do not have to have an account or to be logged on to your server, but they still will be on your lan and inside your secure green zone.

I also guess that there is no standard way of setting up a separate safe wlan segment using the SME server.

I have not tried, but I think it could be possible to modify the SME server using a third wlan network card and a script that configures the third card and applies a new rule set for a 3 way firewall with a safe wlan zone. (And possibly also a DMZ server zone as well and any combination of 3-4 network cards.)

If I thought it would be a popular project I would at least have given it a try to see how things would work out. I believe that anything or any project that will involve modification of the existing firewall is a "not wanted project". (I have tried this suggestion before.)

The reason that I believe it might be a practical alternative to develop an alternative firewall and network configuration setup as a project separated from the other "sme server stuff" is that the firewalling and networking stuff alone will be that complicated that it will need its own "light" and its own "separate thinking" to come up with a solution that might be working, and to know what can work from "a firewall point of view". After this issue is clear, it could be possible to see how it can or might be integrated into the existing "sme configuration/template system".

By the way I have not even tried to boot a sme server with 3 cards and I don't know how it really would react, but I have done it with some other Linux boxes. I guess it could be done with the sme server as well.

One problem is that "simple use and simple configuration" is in some way the opposite of "having fine grained control and a lot of options in a firewall". I think that if a "firewall reconfiguration project" were done, it could include fine grained firewalling control and things like a secure wireless zone. I would believe that this is more a question of policy and what is considered to be a good project than of technical limitations. (But as mentioned I have not tried the sme server with 3 cards yet.)


************************************************
************************************************

Inspired by this thread and this discussion (with myself?) I made an experiment with the SME box just now and in the middle of this night ..

I put the NIC no 3 into my SME 7.2 server to see if this could work.

It did and it was, as far as I can see, perfectly possible to control the traffic between the internet and the two lan/wlan segments.

There were actually two problems:

1. The dhcp server did not work (give out proper addresses) in the network segment no 3.

2. The dns server of the SME box did not work against network segment no 3. It was necessary to use one external dns server for the third network segment.

What I would believe could be an easy solution to make the Wlan segment work in a proper way:

To use a wired network card no 3 in the sme box and then to connect this to a cheap wireless router, that will contain its own dhcp server and eventually also a dns proxy. (Using an external dns server as delivered by the isp should also work.)

It looks like it is perfectly possible to set up the SME server with a 3rd wlan segment and to have full control of traffic to and from this segment, if there should be some positive interest in doing such a project.

(To use a wireless router as suggested should give a rather cheap and quite uncomplicated solution. The lan card no 3 and the setup of the wireless router would have to be done manually. The wireless clients could/should be possible to configure automatically via dhcp (in the wireless router). The suggested solution will give a "double nat" for the wireless segment, but this should not be a problem.)

**************************************

Just some ideas about a development project that should have been done a long time ago - the option of having 3 or 4 network adaptors (and security zones) and fine grained control of the firewall. WAN, LAN, WLAN and DMZ, I guess this should be perfectly possible.

What is needed? SME developers have to believe that this could be an ok idea, and they have to be willing to leave out some information about sme server firewalling and security. If so, I think it should be perfectly possible to do such a modification. If such a mod works all right over time it can be evaluated for implementation into the basic sme server operating system.


Possibly a strange post, but I have been thinking this so many times: Why does the SME server not have the option of having a separate wireless security zone, and fine grained control of the firewall as an option or a mod, when it should be possible to make this in a relatively simple and easy way.
« Last Edit: October 10, 2007, 03:28:34 AM by arne »

cactus
Re: Wifi DMZ
« Reply #4 on: October 10, 2007, 09:19:25 AM »
Quote
Inspired by this thread and this discussion (with myself?) I made an experiment with the SME box just now and in the middle of this night ..

I put the NIC no 3 into my SME 7.2 server to see if this could work.

It did and it was, as far as I can see, perfectly possible to control the traffic between the internet and the two lan/wlan segments.

There were actually two problems:

1. The dhcp server did not work (give out proper addresses) in the network segment no 3.

2. The dns server of the SME box did not work against network segment no 3. It was necessary to use one external dns server for the third network segment.

What I would believe could be an easy solution to make the Wlan segment work in a proper way:

To use a wired network card no 3 in the sme box and then to connect this to a cheap wireless router, that will contain its own dhcp server and eventually also a dns proxy. (Using an external dns server as delivered by the isp should also work.)

Which you can also perfectly do on the second nic, as long as you buy a router with wireless and wired capability, it will save you a lot of hassle.

Quote
It looks like it is perfectly possible to set up the SME server with a 3rd wlan segment and to have full control of traffic to and from this segment, if there should be some positive interest in doing such a project.

(To use a wireless router as suggested should give a rather cheap and quite uncomplicated solution. The lan card no 3 and the setup of the wireless router would have to be done manually. The wireless clients could/should be possible to configure automatically via dhcp (in the wireless router). The suggested solution will give a "double nat" for the wireless segment, but this should not be a problem.)

See above

Quote
Just some ideas about a development project that should have been done a long time ago - the option of having 3 or 4 network adaptors (and security zones) and fine grained control of the firewall. WAN, LAN, WLAN and DMZ, I guess this should be perfectly possible.

As there are more things that need implementation I do not think you alone are in the position of telling the developers what needs to be done.

Quote
What is needed? SME developers have to believe that this could be an ok idea, and they have to be willing to leave out some information about sme server firewalling and security. If so, I think it should be perfectly possible to do such a modification. If such a mod works all right over time it can be evaluated for implementation into the basic sme server operating system.

SME Server is open source and is mainly driven by a small development team, they have their hands full trying to keep this system alive. They continue to request support and development by contributors, so you might as well try and work it out (together with them and the community) so more users can profit from your efforts.

Do not think lightly about having a solution as the integration and security with the system need to be implemented as well and I read no word about encryption, MAC address filtering and such other things. As there is a perfectly working solution available already (suggested wired/wireless router to the second NIC) I doubt if the development team rates your issue as high as you do. Feel free to add your comments to the relevant bugs in the bugtracker as there are already a few reports/feature requests about multiple (2+) NICs and wireless interfaces.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

arne
Re: Wifi DMZ
« Reply #5 on: October 10, 2007, 01:34:56 PM »
About setting up a wireless router in the ordinary lan segment: Of course you can do that, but this will, I think, include the wireless clients in your green lan secure zone. Setting up a 3rd zone could give you full control of the traffic to and from this security zone.

About open source and development: Open source sometimes means free flow of information and the free and open opportunity of learning a system. If you ask for certain things about the sme server it will be really hard to get an answer. Questions about the firewalling and how this item works are among those problems where it is, as I would see it, not too easy to get out information.

A project like integrating a wireless zone or a dmz zone into the sme server would not require any work from the sme development team at all, except for leaving some small information, to save some workhours on that modification. If open source means free flow of information anyone can be a developer and anyone could also have the opportunity of learning all parts of the system.

By the way my SME 7.2 is running with a 3rd wireless zone right now and it's not really a problem at all. I am doing some "cheating" as a temporary fix for the dhcp and the dns problem, but I think it should not be too hard to find a more "real solution" to those problems.

I also tried to install my Atheros wireless adapter directly into the SME server, but for unknown reasons this did not work. (But it could be as easy as just loading the Atheros kernel module if it is compiled into the kernel as a loadable module. I actually did not try that.)

Anyhow, installing a wireless card directly into the SME server will raise new questions about wireless network security, how to configure an access point etc. To just apply a 3rd wired security zone and then to use a wireless router or a wireless bridge on that segment is, I believe, a rather easy solution. (And a wireless router is the cheapest one and this will normally contain its own dhcp server.)

Anyhow the 3rd NIC could of course be configured to work as a (wired) access point for the wireless zone or as dmz for some other servers that are not included into the sme server. Then all the "wireless security problems" would be left to the wireless access hardware box.

The request for the 3rd network card for dmz or a wireless zone has been mentioned quite a lot of times during the years, I think, and it could be quite easily solved. It's actually working quite all right when posting this post just now.
 
« Last Edit: October 10, 2007, 01:56:09 PM by arne »

arne
Re: Wifi DMZ
« Reply #6 on: October 10, 2007, 01:54:45 PM »
Quote
Do not think lightly about having a solution as the integration and security with the system need to be implemented as well and I read no word about encryption, MAC address filtering and such other things. As there is a perfectly working solution available already (suggested wired/wireless router to the second NIC) I doubt if the development team rates your issue as high as you do. Feel free to add your comments to the relevant bugs in the bugtracker as there are already a few reports/feature requests about multiple (2+) NICs and wireless interfaces.

No I think this is incorrect. If implementing a 3rd wireless zone is done via a 3rd wired card there will not be any questions related to MAC filtering, encryption of packets in the wireless zone etc. (But problems regarding limiting and controlling the traffic between the LAN zone and the Wireless zone have to be solved, but that should be an easy one.)

How can I or anyone else learn this enjoyable open source system by leaving all the interesting and funny and enjoyable questions to some "bugtracker"?

If there is a free and open flow of information in this open source project then different solutions could be developed here and there and if they are working ok they might be included more or less into "the official main distro".

It's actually only a question of leaving some of the fun to others as well  :grin:

If there were a "free flow of fun" in this open source project it could easily contain some options for fine grained control of the firewall, one or two additional adapters etc.

To the original question holder:

If a wireless router or a wireless access point is connected to a switch after the LAN NIC on the server, this can give a solution that works perfectly well for a private home. (I have used it myself that way for some time.) For some office network I think this would give too poor security as the wireless networked clients would be part of the green lan zone.

 
« Last Edit: October 10, 2007, 02:12:00 PM by arne »

Stefano
Re: Wifi DMZ
« Reply #7 on: October 10, 2007, 02:27:01 PM »
Quote
Is there a correct way to setup an "Internet Only" network via SME?  I have an SME box and would like to provide internet access to my Customers, but keep them out of my Local LAN.  I only have one IP and one interface from my ISP which is currently plugged into my SME box.  I am running SME 7.2.


IMHO the best solution is to use something like m0n0wall.. a cheap old pc or an appliance like soekris with 3 or more nics..

so you have a real firewall (more configuration options, no users or data etc) and your lan and dmz are physically separated.

My 2c

Stefano

p.s. with "real firewall" I don't mean that SME is not a good one; but sme's fw is not easy to tune, fw and users' data on the same server is not the best solution for security and sme can only work with 2 nics.

arne
Re: Wifi DMZ
« Reply #8 on: October 10, 2007, 03:23:46 PM »
Any solution will always be a trade off between security and functionality. It depends, as I would see it, on who the user is and what kind of data it is a question about.

It is true that books about firewalls and firewalling say things like "never run server processes on a firewall", but in real life, and as I will see it, I have used e-smith or sme server almost as long as I can remember, and until now there have been zero incidents with hacking etc.

The problems that have been have always been after and as a result of my own modifications of the sme server. (But how can one learn without some small accidents?)

Using a standard sme server with a standard wireless router on the lan segment with wpa/wpa2 encryption will give a simple solution with only one "big box" that will be good enough for a lot of purposes.

By the way I tested a setup with Monowall and one with Smoothwall not long ago. As I would see it the latest release of Smoothwall is a very good and updated one with options like priority of traffic etc, a lot of logging opportunities etc.

A rather safe firewall setup could be done like this:

1. A smoothwall firewall is set up in front of a dmz zone containing the wireless access point and eventually some servers.
2. The sme server is set up between the dmz zone and the LAN zone.

Such an arrangement would require a hacker to first break through the Smoothwall and then the SME gateway. (Except when hacking through port 80 or other open ports.)

The question is just: What is a good enough and practical solution for one certain installation and one certain use.

In my home I have used one gateway (Smoothwall) and one iptelephony server (Astlinux) and one or two Linux servers plus a BSD (SME, Ubuntu and FreeBSD) for a while.

Just now I built it all into one box, the SME server, and for my home use I do not worry about the security of this one single second. (But it will be nice to be off with some boxes so they are released for some new projects  :-) .)

A standard unmodified SME installation with a wireless router or accesspoint on the lan segment. This works perfectly well for a lot of practical purposes - my 2 cents.

MSmith
Re: Wifi DMZ
« Reply #9 on: October 10, 2007, 03:55:24 PM »
This is just another one of those "wouldn't it be nice if SME did (bla)" threads.  No wonder the developers don't read these forums much anymore!  It would be nice if SME would wax my car, take my pets to the veterinarian and put my groceries away too but it doesn't, it just sits there and protects me from the big bad internet, keeps my files and allows my Macs and PCs to print to its shared printers. 

And I'm OK with that.

Why would the SME developers go over territory that is well-covered already -- by Smoothwall, m0n0wall and others -- instead of refining and improving the unique strengths of the SME server?  There isn't anything quite like SME and I don't see any reason to dilute that.

arne
Re: Wifi DMZ
« Reply #10 on: October 10, 2007, 04:12:35 PM »
But isn't the SME project an open source project?

If leaving out information about firewall related stuff, security etc in an openhearted way, "SME developers" would not need to think about the development of a more flexible firewall solution at all.

Why should all fun and challenge be restricted to a restricted group of "SME developers"?

Why shouldn't an open source project be based on a free flow of information and a free flow of fun and excitement ..?

There are a number of "contribs" projects but with more and more easy information access there could be even more.
« Last Edit: October 10, 2007, 04:16:35 PM by arne »

Stefano
Re: Wifi DMZ
« Reply #11 on: October 10, 2007, 04:32:41 PM »
Arne.. you can always tune and modify YOUR SME, but after that it's not SME..

SME is open source, and that's why you can modify it and you'll always be able to do it.

but what you should not do is come here, asking why SME's developers don't do this and that etc.

SME is a project, there is a community around it but a small team of developers..
do you want something new/different?

well, submit your modifications, your code, join developers.. this is the only right way

Ciao

Stefano

okepc
Re: Wifi DMZ
« Reply #12 on: October 10, 2007, 04:52:13 PM »
Don't forget the most important thing in an open source project is in fact the community.
And the community sometimes has a need for nfr.
And i realise that the developers have limited time.
But these things need to be discussed by the community so a contrib maker or a developer that has the time can maybe implement it.
And if there is sufficient need by the community developers could consider taking such a thing to the base.
Maybe implementing a feature request poll could be the answer.

Regards

Dirk

okepc
Re: Wifi DMZ
« Reply #13 on: October 10, 2007, 04:54:56 PM »
Forgot to say i have an access point (Linksys) in my lan only to provide internet to a laptop and a pda and no need to use the lan.
Would be nice to put that in a DMZ for security reasons.

regards

Dirk
« Last Edit: October 10, 2007, 04:59:15 PM by okepc »

arne
Re: Wifi DMZ
« Reply #14 on: October 10, 2007, 08:07:39 PM »
Quote
Arne.. you can always tune and modify YOUR SME, but after that it's not SME..

SME is open source, and that's why you can modify it and you'll always be able to do it.

but what you should not do is come here, asking why SME's developers don't do this and that etc.

SME is a project, there is a community around it but a small team of developers..
do you want something new/different?

well, submit your modifications, your code, join developers.. this is the only right way


Yes, that's how it is usually argued.

But the problem is that it is better to start with the start and not to try to start with the end of a project.

The main thing about firewalling, as I will see it, is that it is about the datacommunication issues and not much else.

To design a firewall solution there will be a need for discussion and experiences related to data communications only.

How does it work, how should it work, which problems do I experience, how do I want it changed etc.

Actually this discussion would have been the firewall design.

As needs, requirements and experiences are obtained through testing and communicated via discussion this could easily be implemented into the technical solution from day to day.

There would not be any need for assistance from developers at all; the only thing that would be needed would be an open and free flow of information, as the sum of the discussion would be the firewall.

No discussion will give no stuff for making the firewall, as the firewall would be a result of the discussion.

Quote
Arne.. you can always tune and modify YOUR SME, but after that it's not SME..

Well the point is that you do not necessarily need to make a modification at all to make a new firewall design.

Only discussions and exchange of experiences about the communication issues are needed. The technical part of it is next to nothing (when it comes down to the basic packet firewalling.)

The sum of the discussions is translated into Netfilter instructions via iptables, and then you have a new firewall without one single modification of the sme server. (You just edit a script that you implement to the Netfilter part of the Linux kernel like this ./behappy  and if you reboot the server it will be like it was before.)

I think if you run a minor kernel configuration script on a SME server or any other Linux distro it will not be destroyed or lose its identity as a distro because of that.

The only thing is that the little shell script that configures the kernel's firewalling rules needs to have some user experiences and user requirements and some discussions behind it.


Quote
but what you should not do is come here, asking why SME's developers don't do this and that etc.

What would be the role of the SME developers when it comes to making such a little script ?

Well the result of the script could be tested by the developers and implemented if it is usable, but that would be their own decision.
« Last Edit: October 10, 2007, 08:13:01 PM by arne »

arne
Re: Wifi DMZ
« Reply #15 on: October 10, 2007, 08:19:06 PM »
Quote
Forgot to say i have an access point (Linksys) in my lan only to provide internet to a laptop and a pda and no need to use the lan.
Would be nice to put that in a DMZ for security reasons.

Of course it can be done, and it would require only a minor modification, if any at all, but to make a script of a few lines to do that is not that easy, as such a project of making such a small configuration script might not be too popular.

raem
Re: Wifi DMZ
« Reply #16 on: October 11, 2007, 05:15:31 AM »
Quote
But isn't the SME project an open source project?

Yes, but you overlook the fact that a huge amount of commercially funded development has gone into making sme server what it is today.
Further to that there is ongoing commercial funding in the form of sponsorship to develop specific new code/functionality, without which we would be missing many of the good parts that the existing sme server has in it.
Further to that there are voluntary monetary donations, that help fund contribs.org and development.

The code base that you or I use today is there only as a result of much commercial input, and as such there are many commercial decisions that affect what code will be developed.
There are simply not enough contributing developers to carry on this project as a purely free of cost open source concept.
Many small & not so small additions are as a result of direct commercial sponsorship by end user businesses who vitally need certain additional functionality and pay a developer to create the code.
I'm aware that at least one of the developers creates code that his clients need and effectively donates that monetary value in coding time to the sme server project.
I'm also sure that quite a few of the key developers contribute a huge amount of personal time freely to this project, to an extent that is much greater than any of us do.
You and I benefit from all of the above "paid for" & donated effort, as the code is open source.
« Last Edit: October 11, 2007, 07:08:45 AM by RayMitchell »

arne
Re: Wifi DMZ
« Reply #17 on: October 11, 2007, 01:25:41 PM »
Well I think I understand in some way.

For me it is mostly the fun and the challenge about it all that is the motivation, so that might be different.

By the way, I was doing some thinking on how the firewall and the server issues could be simplified so that actually all development could be done more easily.

There will, as I will see it, be a need for a modularization between the "firewall stuff" and the "server stuff" to avoid "mixed stuff" that is too difficult to work with (if it should be an option to have more "radical" options for the firewalling part of it).

Actually I think a lot could be done within the framework of the existing admin-panel.

Suggestion about how:

1. All firewall functionality is pulled out of the automated interaction with the server functions. (All the existing firewall configuration tools are removed or disabled.)

2. When first installed there is a fixed static basic firewall configuration script with some rather restrictive basic configuration. There should be no automated routines that will change this by themselves and without user interaction.

3. Then there is built a completely new user panel in the admin-panel. Its only sole purpose is to generate a new firewall configuration script based on user input.

4. The firewall configuration panel could then consist of a very easy setup with a red and a green field where you can check off the ports you want opened for the red zone and for the green zone.

5. Also there could be an easy graphic interface for port forwarding.

6. The user panel could have such an easy design that the user could see immediately what he has closed and what is open and which ports are forwarded.

7. Then there could be some check-offs for other functions like "answer to ping", "activate dos protection", etc.


When or if the firewall module only has to deal with the firewall configuration then the complexity of "the firewall things" should be reduced to only a fraction of what it is in the existing system.

It should be no (big) problem to give the user a graphical overview and full control all the time and it should also be easy to implement diverse netfilter specialities.

This should give better and increased user control and an easier and more flexible solution.

Seen from my point of view such a project would contain an easy part and a difficult part.

The easy part is to configure a 2 or 3 port firewall. That's, how I would see it, the next to nothing part of it.

Then there is the difficult part: How to make a web page interacting with a perl script in such a way that it will generate a text file. (I have no idea, but I guess it should be easier to just generate a text file than interacting with all kinds of server functions..)

I believe that all of it can be easily done if things are just modularized a bit so there is a problem area related to the server functions, as one unit, and problems related to the firewall area, as one unit, then divided into subareas: 1. The web shell for generating the firewall configuration script. 2. The content of the firewall script itself.

The difficulty today is not the firewalling itself, but the way all kinds of problems are tightly integrated into each other. With some modularization, especially for the firewall stuff, I think that more could be done and it could be done a lot more easily.


*********
*********

If there are no big protests, I think I will post a text based 3 port dmz solution with fine grained traffic control in all traffic directions in the relatively near future. The solution is up and running with the SME 7.2 just now, but I will just do some more testing first. Will possibly also make a 2 port variant with 4 directions of firewalling as well. There is only one way to develop a firewall, I think, and that is to test it out. If there are protests I will not post it.
« Last Edit: October 11, 2007, 05:48:37 PM by arne »
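Reply #14 describes the firewall as a small shell script that loads Netfilter rules through iptables, and Reply #17 proposes a tool whose only job is to generate that rule file from a simple zone policy. The script below is an added example (not code from this thread or from SME Server) that does exactly that for the three-zone layout arne tested: it prints an iptables-restore rule set in which the wireless zone on the third NIC reaches the internet but not the green LAN, with dropped WLAN-to-LAN packets logged so the separation can be checked in the logs. The interface names (eth0 WAN, eth1 LAN, eth2 WLAN) and the decision to let the wireless zone use the box only for DHCP and DNS are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or SME Server: generate a three-zone
# iptables-restore rule file from a fixed zone policy.
#
# Assumed layout (interface names are assumptions):
#   $wan  = red zone, the ISP link                          (eth0)
#   $lan  = green zone, the trusted LAN                     (eth1)
#   $wlan = third NIC feeding the wireless router / DMZ     (eth2)
#
# Zone policy implemented below:
#   WLAN -> WAN   accept (internet only)
#   WLAN -> LAN   log + drop (the whole point of the separate zone)
#   WLAN -> box   only DHCP (udp/67) and DNS (53); the rest logged + dropped
#   LAN  -> WAN   accept
#   LAN  -> WLAN  accept (admin can reach the access point)
#   WAN  -> any   only replies to connections opened from inside
#   box  -> any   accept
#
# Usage: sh gen-fw.sh eth0 eth1 eth2 > /etc/fw-zones.rules
#        iptables-restore < /etc/fw-zones.rules
# Loading it replaces the running rule set until the next reboot, as
# Reply #14 notes; it does not touch SME's own configuration.

gen_fw_rules() {
    wan=$1; lan=$2; wlan=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local traffic and replies to connections the box opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The green LAN keeps full access to the server's services
-A INPUT -i $lan -j ACCEPT
# The wireless zone may use the box only as DHCP and DNS server
-A INPUT -i $wlan -p udp --dport 67 -j ACCEPT
-A INPUT -i $wlan -p udp --dport 53 -j ACCEPT
-A INPUT -i $wlan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $wlan -m limit --limit 5/min -j LOG --log-prefix "WLAN->FW drop: "
# Forwarding between zones: replies first, then the explicit policy
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wlan -o $lan -m limit --limit 5/min -j LOG --log-prefix "WLAN->LAN drop: "
-A FORWARD -i $wlan -o $lan -j DROP
-A FORWARD -i $wlan -o $wan -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $lan -o $wlan -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# One public IP: masquerade both inside zones behind the red interface
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Self-check for the generated policy: what does the rule set do with NEW
# traffic from interface $1 to interface $2?  Prints the first explicit
# FORWARD verdict (ACCEPT or DROP) for that pair, or DROP for the chain
# policy when no rule matches.  Remaining arguments are passed to gen_fw_rules.
fw_verdict() {
    src=$1; dst=$2; shift 2
    gen_fw_rules "$@" | awk -v s="$src" -v d="$dst" '
        $1 == "-A" && $2 == "FORWARD" && $3 == "-i" && $4 == s && $5 == "-o" && $6 == d \
            && ($NF == "ACCEPT" || $NF == "DROP") { print $NF; found = 1; exit }
        END { if (!found) print "DROP" }'
}

# Print the rule file only when three interface names are given on the
# command line, so the functions can also be sourced without side effects.
if [ $# -eq 3 ]; then
    gen_fw_rules "$@"
fi
```

Letting DHCP and DNS through is only half of the two problems arne hit in Reply #3: the daemons on the box must also be configured to answer on the third interface and subnet, which a firewall script cannot do.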

raem
Re: Wifi DMZ
« Reply #18 on: October 12, 2007, 02:46:53 AM »
Quote
Well I think I understand in some way

I think you are not yet understanding.
Developers do not have time or resources to recreate something that is already working well, and would only be a LOT of work for little gain.
When something can currently be done another way with minimal effort, no one is going to spend hundreds of hours developing code, especially when it is not being funded by anyone.
If there is a commercial (ie monetary) incentive to develop a 3 port firewall configuration, then it is far more likely to happen, but I would guess that it would involve thousands of dollars of effort (to be compatible with the current design).
I think your suggestions of "five minutes here and there" and "fairly easy to do" are gross understatements.

When time/resources are minimal, then the only approach that is practically viable is smaller incremental steps. Small amounts of effort can tackle a big problem little pieces at a time.


Quote
...I think I will post a text based 3 port dmz solution and fine grained traffic control in all traffic directions in the relatively near future.

By all means submit your code, that's what has been asked of you many times.
I would suggest that you explore the viability of developers wanting to use this code before you do further development work.
Post the existing code you have now and then discuss improvements and the best direction to take, in the bug tracker.


arne
Re: Wifi DMZ
« Reply #19 on: October 12, 2007, 06:33:36 AM »
Well this was only one day's work and I thought I should complete it a bit more ..

http://forums.contribs.org/index.php?topic=38812.msg176449#msg176449


(I haven't set up all the ports etc right because there was no time for it, but the structure should be there.)