Koozali.org: home of the SME Server

Firewall locked

Offline arne

Firewall locked
« on: October 07, 2007, 09:11:09 PM »
Hello !

I have used the SME server for years and I have normally never had a problem.

Yesterday I made a new fresh installation of SME 7.2 and then a restore from a 7.0 that had been running in server-only mode. I then reconfigured it for server-gateway mode. The external IP comes into the 7.2 gateway via an ADSL modem working in bridge mode.

After the restore of the backup from the old server I also made an installation of the Selintra Asterisk package for IP telephony (but without the configuration panel; I'm doing the config manually).

I then made some modifications to the firewall using the procedures described in the online admin manual, to open up for the telephony server.

Everything works perfectly from the LAN side and the Asterisk server is performing really superbly.

But then the strange thing: the web server is locked from the outside on ports 80 and 443, but it is accessible from the LAN side.

Actually I think all the ports are closed from the outside except for the ports for the Asterisk server.

Does anybody know how to reset the firewall? (Reboot has been tested. So has a reconfiguration by logging in from the shell as admin.)

From earlier editions of the SME server I have experienced that the firewall could lock in a strange way if you are running "unauthorized" private firewall scripts, but this time I think I have done nothing other than what the manual says ...)


********************

I just now made a security scan using ShieldsUP to get confirmed what I believed. All TCP ports from 1-1056 are completely stealth. It looks like the server runs in some kind of "private mode". I did not configure it like that, I think or believe ...

It's good to be safe, but it doesn't need to be that safe, with not a single visible port. Anybody who has an idea? (How to open it up.)

********************

And then later on this night, I made a firewall script to flush out the old non-working (locked) firewall and replace it with a new one. It works, but I would be quite interested if anyone knows a more proper way to reset the firewall.
« Last Edit: October 07, 2007, 11:17:28 PM by arne »

Offline arne

Re: Firewall locked
« Reply #1 on: October 09, 2007, 03:40:38 PM »
Hmm ... Nobody who knows how to reset the firewall??

When I think it over, I wonder if the Selintra Asterisk rpm I installed was marked with something like "only suitable for SME 7.0". I wonder if that could be the reason for the blocked firewall??

My main target is to run Asterisk on the SME 7.2 gateway, and it should be an installation with manual text-based configuration. (The Selintra rpm works well for that.)

The way I do the firewalling now is to flush out the original SME firewall and to apply my own rules. It works when the Squid proxy is disabled but not when it is enabled. (Don't know why I had this problem. Later testing showed everything was working OK also with the Squid proxy running.)

Would be interested in any info that could put some light on this problem, how to get the original SME firewall working with the Asterisk server, without blocking the other server functions.
« Last Edit: October 10, 2007, 11:50:37 PM by arne »

Offline mmccarn

Re: Firewall locked
« Reply #2 on: October 09, 2007, 06:41:59 PM »
SME 7 supported a 'private server and gateway' configuration option that disabled all remote access to all services - but only by changing the default settings in the various configuration databases.

I do not think this setup mode is still supported in 7.2 - but if you restored the config from an older system it might have the various services with 'access=private' instead of 'access=public'.

Check the access mode on the services you want exposed to the internet:

config show httpd-e-smith
config show modSSL

Offline arne

Re: Firewall locked
« Reply #3 on: October 09, 2007, 09:23:36 PM »
It's really strange. If I do, it shows:

[root@sme72 ~]# config show httpd-e-smith
httpd-e-smith=service
    TCPPort=80
    access=public
    status=enabled

[root@sme72 ~]# config show modSSL
modSSL=service
    CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    TCPPort=443
    access=public
    status=enabled

But scanning it from the outside shows all ports stealth until I run my own firewall script to open it.

It looks like it has this "private mode" but I do not understand why. I made a new shell logon as admin just to do some minor changes of configuration to make sure that I had not selected private mode, but it did not help.

Services show "public" and "enabled" but they are actually closed, all of them.

Offline arne

Re: Firewall locked
« Reply #4 on: October 10, 2007, 09:03:22 PM »
Posted for further reference:

This appears to be the file where all the SME firewall rules are stored:

/etc/rc.d/init.d/masq

By browsing this file it is possible to see the exact firewall rules.

The strange thing that appears is that when I execute the configuration file as a script like this:

/etc/rc.d/init.d/masq

nothing happens. No rules take effect ...

************************
************************

But this worked:
 
./masq start

Result: All ports closed.

The error is inside the firewall configuration file as generated by the template system. (Incorrect: it was the get ExternalIP procedure that failed.)
Strange, as there are no custom templates.

Address to custom templates:

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq

And the templates itself:

/etc/e-smith/templates/etc/rc.d/init.d/masq



./masq restart  Result: still closed.

In some strange way it looks like there is damage to the ordinary templates in such a way that an incorrect /etc/rc.d/init.d/masq file is generated, or, possibly more likely: the configuration file receives a system variable that has an incorrect value that makes the firewall block off (the system variable that identifies a private server-gateway installation?).


*****************************
*****************************

Problem diagnosed.

This line in /etc/rc.d/init.d/masq does not work:

    INTERNALIF=eth0
    OUTERNET=$(/sbin/e-smith/config get ExternalIP)

It does not get the external IP.

When editing in the IP address like this, the standard built-in firewall works:

if [ -z "$OUTERNET" ]
    then
        OUTERNET=123.123.123.123 # Put in real external ip address, to ensure correct iptables functionality
fi


************************************
************************************

One other thing:

The /etc/rc.d/init.d/masq file seems to contain a standard stateful inspection firewalling capability.

***********************************
***********************************

Open question:

I am using an ADSL modem in semi-bridge mode and the SME server is configured to receive the external IP via a DHCP server. Could this be a reason that makes the procedure that fetches the external IP for the firewall fail? "ifconfig eth1" shows correct values, so it should not be the case ...


« Last Edit: October 10, 2007, 09:58:50 PM by arne »

Offline shell

Re: Firewall locked
« Reply #5 on: October 11, 2007, 04:39:16 AM »
does this work from the command prompt?

/sbin/e-smith/config get ExternalIP
even just:
config get ExternalIP

i think this will not work in server-only and if this is the problem then the specifics you have found may only be the tip of the iceberg - i would think the ExternalIP e-smith db value will be used in a number of places, not just in expanding the masq templates.

like you say the nic is working - has ip at least - ifconfig eth1 - just that as a server-only misconfiguration ExternalIP as a value is not populated or enabled.

any changes you make to the /etc/rc.d/init.d/masq file will (i believe) be overwritten during updates and other events that expand the template, so the change you suggest will only be temporary.

have you tried reconfiguring (using the admin console) back to server-only then rebooting and then reconfiguring back to server-gateway.  this should reverse all - sounds like a problem caused by the restore from server-only backup.

fingers crossed.  otherwise i would be looking at backing up data only not configuration and restoring onto a clean server-gateway install.

Offline TrevorB

Re: Firewall locked
« Reply #6 on: October 11, 2007, 07:22:24 AM »
Quote
does this work from the command prompt?

/sbin/e-smith/config get ExternalIP
even just:
config get ExternalIP

From the command prompt you need

config show ExternalIP

and it can be set to the desired value by

config set ExternalIP nnn.nnn.nnn.nnn

Trevor B

Offline arne

Re: Firewall locked
« Reply #7 on: October 11, 2007, 12:39:24 PM »
Thanks a lot both of you !

It appeared that there is something here.

When I ran: "config show ExternalIP" it showed nothing.

When I ran: "config set ExternalIP nnn.nnn.nnn.nnn"

and: "config show ExternalIP" it showed the external IP.

With the external IP in the variable the built-in firewall started to work partly, but not completely, when running the standard configuration script /etc/rc.d/init.d/masq (it did not open port 80).

I am aware that changes in /etc/rc.d/init.d/masq would be only temporary, so I do not change that.
(I use another configuration script.)

At the moment I have three network adapters in the PC just for testing out the wireless zone / DMZ issue. (That could also be the reason why the ordinary firewall does not run completely like normal when applying the missing variable.)

By the way, the 3-adapter installation actually works better than expected. The only issue is that if you do some changes on the server-manager panel you will have to do a manual reactivation of the firewall script from the console shell (as the connection from the server to the LAN is lost until the firewall is reactivated from the console shell). (The same issue might also occur when applying an alternative firewall script on a standard 2-port installation.)

I will run the 3-port SME server gateway for some time to see how it behaves. So far no problems.

By the way, a command like this: "config set ExternalIP nnn.nnn.nnn.nnn", is this a Linux command or a built-in SME server command? (I guess it is the latter.) Is there somewhere an overview or documentation for those reserved "special built-in SME server commands"?
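The failure diagnosed in this thread (the masq script reads OUTERNET from the ExternalIP db key and, when that key is empty, ends up with a rule set that closes every port) is the kind of thing a start script should refuse to run into. Below is an added example, not code from this thread or from SME Server, of a POSIX sh guard that validates the value before any rule would use it; fake_config_get is a constructed stand-in for /sbin/e-smith/config get, and is_ipv4 and check_external_ip are hypothetical names.

```shell
#!/bin/sh
# Added example, not code from this thread or from SME Server. The thread's
# masq script does OUTERNET=$(/sbin/e-smith/config get ExternalIP) and builds
# rules from that value; when the ExternalIP db key is empty the result is a
# rule set that closes every port. This guard validates the value first.

# Constructed stand-in for `config get ExternalIP`: echoes FAKE_EXTERNAL_IP,
# which may be empty to mimic a db key that was never populated.
fake_config_get() {
    [ "$1" = "ExternalIP" ] && printf '%s' "$FAKE_EXTERNAL_IP"
}

# Return 0 if $1 is a dotted quad with four numeric octets in 0..255.
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read and validate the external address. Prints "missing", "invalid" or
# "ok <ip>" and returns non-zero on failure so a caller such as a masq start
# step can abort instead of loading rules built around an empty address.
check_external_ip() {
    outernet=$(fake_config_get ExternalIP)
    if [ -z "$outernet" ]; then
        echo "missing"
        return 1
    fi
    if ! is_ipv4 "$outernet"; then
        echo "invalid"
        return 2
    fi
    echo "ok $outernet"
}

# Stand-alone demo: first with the key empty, then with a constructed address.
FAKE_EXTERNAL_IP=""
check_external_ip || echo "refusing to load rules: ExternalIP is not set"
FAKE_EXTERNAL_IP=123.123.123.123
check_external_ip
```

The same check catches the literal placeholder "nnn.nnn.nnn.nnn" from the posts above being pasted in unchanged, since it is not a valid dotted quad.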

Offline raem

Re: Firewall locked
« Reply #8 on: October 11, 2007, 01:12:14 PM »
arne

Quote
Is there somewhere an overview or documentation for those reserved "special built-in SME server commands"?

You have a bit of catching up to do Arne.

To see the usage syntax, at the command prompt type
db

The main document to cover the subject is
http://wiki.contribs.org/DB_Variables_Configuration

Also read
http://wiki.contribs.org/Useful_Commands

Also read the FAQ as there are lots of useful examples
http://wiki.contribs.org/SME_Server:Documentation:FAQ

Also search the forums (eg on db) as there have been a number of posts explaining the usage (by me).
« Last Edit: October 11, 2007, 01:14:07 PM by RayMitchell »

Offline arne

Re: Firewall locked
« Reply #9 on: October 11, 2007, 01:36:55 PM »
Thanks a lot :-)

Sorry, I am not updated on the SME server at all (I have only been using it and not repairing or installing it for a year or more).