Koozali.org: home of the SME Server

Linux - Firewall development project.

Offline arne

  • *****
  • 1,116
  • +0/-4
Linux - Firewall development project.
« on: October 11, 2007, 10:09:57 PM »
People are different, and I think there are rather few persons who do Linux firewall development just for the joy of making firewalls. But I do.

Trying to start some threads about firewall development on this forum has not been very successful, as there is always someone who says something like "please do not discuss anything about modifying the SME Server firewall".

I think it is a good idea to respect that the contribs forum is to be used for its intended purpose, so that projects which do not fit in should be moved somewhere else.

At the moment I am running a 3 port SME Server with WAN, LAN and DMZ/WLAN that I think performs just fantastically, and I think it is just too bad not to work further on such a project.

By the way, the firewall is actually not an SME Server firewall; it is a general Linux firewall implementation that should be able to run wherever there is a Linux kernel.

But aren't there a lot of such firewalls already? - Yes and no - I think there are not many such firewalls that are well structured and easy to handle. When I say "firewall" I actually mean the configuration script for a Netfilter firewall. (That will set up the firewalling functions of the Linux firewall.)

To run "the firewall application" on a complex gateway server like the SME Server will be a project at one end. To run it on a minimalistic operating system like floppyfw would be a project at the other end: http://www.zelow.no/floppyfw/ On the other hand, the firewall application should be able to run on both systems (and other Linux distros like Ubuntu, etc.).

What could the advantages be? Well, a lot more detailed control of the data stream and a more flexible use of the server functions, and not least the fun of doing it. Increased security as well? Well, I think so. Then it could also be an interesting thing to develop some automated system for generating the firewall configuration from an easy-to-overview user panel. (PHP and web based?)

I think that the firewall should be made as 2 NIC (WAN/LAN), 3 NIC (WAN/LAN/WLAN) and possibly also 4 NIC (WAN/LAN/WLAN/DMZ) (?) alternatives, with full fine-grained traffic control between all network segments. (Yes, it could also work on the SME Server or any standard Linux distro with or without server functions.)

If there is any interest in such a project, a web page or some wiki could be made for the project. If such a web page is made, everything will be open source, so SME Server developers and anyone else can use the stuff. If there is no one who wants to participate or do anything in such a project, I will still do it, but I will not take on the additional work of doing a web page for the project.

If anyone should be interested they can leave a few words here on this thread or send a mail.

By the way, no knowledge of firewalls is required, but knowledge of firewalls is, on the other hand, not a problem. What it is all about, as I see it, is user experiences and testing. A good firewall, as I would see it, is nothing less and nothing more than the sum of all user testing, user requirements, discussions and feedback. (If there is any.)

If there is anything negative about using the SME Server as the platform, it could also be Ubuntu, CentOS or anything with a Linux kernel.

To run the firewall on an SME Server will require absolutely no modifications except possibly a 3rd network adapter for DMZ/WLAN.

Posted via a 3 card SME Server/gateway that seems to be working rather well :)

Some good reading material to start out with (Chapter 14): http://www.linuxhomenetworking.com/wiki/index.php/Main_Page


 
« Last Edit: October 11, 2007, 10:15:24 PM by arne »
......

Offline pfloor

  • *****
  • 889
  • +1/-0
Re: Linux - Firewall development project.
« Reply #1 on: October 11, 2007, 10:53:43 PM »
Moved to contribs section as it is more appropriate here.
In life, you must either "Push, Pull or Get out of the way!"

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #2 on: October 11, 2007, 11:07:25 PM »
Thanks! You are right.
......

Offline dmay

  • *
  • 450
  • +0/-0
    • http://myezserver.com
Re: Linux - Firewall development project.
« Reply #3 on: October 11, 2007, 11:18:38 PM »
You raise a lot of points; however, 'we' of course only care about SME, so please focus your discussion on enhancing the SME firewall services. If you feel you can build a better firewall, please do so. If you integrate your work into the SME template, db and server-manager it has a greater chance of being accepted by the core dev team. If you wish to communicate with the core dev team (I recommend you do so), open a firewall NFR bug.

Darrell

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #4 on: October 12, 2007, 01:53:32 AM »
I will do!

The only problem with creating something is that you will have to go through the process of creating it. It is difficult to come up with the end result of such a creative process without doing the process.

If I could create a better firewall? How can I know? The idea was to try to do some co-development if anyone were interested.

The question within the question is "what is a better firewall"? The one who knows the answer has actually almost created it.

The idea was to move the creative process of creating a firewall away from this forum to somewhere else, and then return with a more worked-out suggestion at a later stage.

I made a 3 port firewall today, as a revision zero, that I thought I should also simplify down to a 2 port firewall tomorrow, as the start of a process. It contains a few functions that I think the standard SME Server firewall does not have: rate and burst control to protect against DoS attacks, and filtering of outgoing traffic. But rate and burst control means "trouble", and filtering of outgoing traffic certainly means "trouble" - and an increased level of security. How can I know if it is a better firewall? It is better for me, but to know if it is better for other people, they will have to try it, give some feedback and possibly come up with some suggestions.

I will try to come up with a suggestion as soon as I can. I think that revision zero of the 3 port firewall works very well so far, after some hours of testing during the day, but I don't know how such a design could fit into the template system. I would believe that a simplified version with only 2 network adapters would fit in more easily - but would things like rate and burst control and filtering of outgoing traffic fit into the existing SME Server configuration environment? That's another question.

To find out which is the good and which the not-so-good solution, some activities "out in the open air" will be needed to do "the game and the play of firewalling", to come up with some creative solutions, where some of them might fit into the template system, and some of them might not.

By the way, thanks a lot for an excellent contrib, the SME version of phpMyAdmin. I installed it yesterday.



« Last Edit: October 12, 2007, 01:57:43 AM by arne »
......

Offline TrevorB

  • *
  • 259
  • +0/-0
    • http://www.batley.id.au
Re: Linux - Firewall development project.
« Reply #5 on: October 12, 2007, 02:36:45 AM »
Quote
I think that revision zero of the 3 port firewall works very well so far, after some hours of testing during the day, but I don't know how such a design could fit into the template system.
Post what you did, and someone may be able to help define how to do it with the templating system.

But, as others have suggested, I would do this via a New Feature Request (NFR) in Bugzilla, stating what you are doing (just focus on one area per NFR). Then add what you have done; others can then guide you on the templating etc., or add the code themselves.

You'll find that you will get a lot more support from the developers via this approach.

Trevor B

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #6 on: October 12, 2007, 04:19:53 AM »
Quote
Post what you did, and someone may be able to help define how to do it with the templating system.

I have really not got started yet, and a lot more will need to be done before the template system (I believe).

#!/bin/sh


# Enabling and configuring the third NIC
ifconfig eth2 up
ifconfig eth2 10.0.1.1 netmask 255.255.255.0

LAN="eth0"
WAN="eth1"
DMZ="eth2"

EXTIP="80.90.100.110"
INTIP="10.0.0.1"
DMZIP="10.0.1.1"

# Modules
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_irc




# Flush and reset old rules.
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

# Flush and delete the (optional) rate/burst chains before re-creating them.
# Kept disabled, like the chains themselves, until they are enabled below.
#iptables -F rate-burst-input
#iptables -F rate-burst-forward
#iptables -X rate-burst-input
#iptables -X rate-burst-forward

# Setting policies, default rules.
# All ports to closed.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Limit on burst and rate for DoS attacks on the gateway processes (INPUT chain).
# Disabled in this revision; the chain name must be the same in all four lines.
#iptables -N rate-burst-input
#iptables -A INPUT -p tcp --syn -j rate-burst-input
#iptables -A rate-burst-input -m limit --limit 50/s --limit-burst 80 -j RETURN
#iptables -A rate-burst-input -j DROP


# Limit on burst and rate for DoS attacks on the internal servers (FORWARD chain).
#iptables -N rate-burst-forward
#iptables -A FORWARD -p tcp --syn -j rate-burst-forward
#iptables -A rate-burst-forward -m limit --limit 50/s --limit-burst 80 -j RETURN
#iptables -A rate-burst-forward -j DROP

# Filter out non valid tcp-flags
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Filter out non valid tcp-flags
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP


# Outgoing NAT (masquerading) via the WAN interface
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE


# Allow loopback traffic to the local processes on the firewall/gateway PC
iptables -A INPUT -i lo -j ACCEPT

# Drop packets from certain known bad source IPs (placeholder address)
iptables -A INPUT -i $WAN -s 123.123.123.123 -j DROP
iptables -A FORWARD -i $WAN -s 123.123.123.123 -j DROP


#From internet WAN to the gateway processes:
iptables -A INPUT -i $WAN -d $EXTIP -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN -d $EXTIP -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $WAN -d $EXTIP -p tcp --dport 443 -j ACCEPT

iptables -A INPUT -i $WAN -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport 4569 -j ACCEPT



#From LAN to the gateway processes
iptables -A INPUT -i $LAN -d $INTIP -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT #ssh
iptables -A INPUT -i $LAN -d $INTIP -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT #http
iptables -A INPUT -i $LAN -d $INTIP -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT #https
iptables -A INPUT -i $LAN -d $INTIP -p tcp --dport 3128 -s 10.0.0.0/24 -j ACCEPT #Squid
iptables -A INPUT -i $LAN -d $INTIP -p udp --dport 53 -s 10.0.0.0/24 -j ACCEPT #Dns
iptables -A INPUT -i $LAN -p icmp --icmp-type echo-request -s 10.0.0.0/24 -j ACCEPT #Ping

iptables -A INPUT -i $LAN -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 4569 -j ACCEPT


#From DMZ to the gateway processes
iptables -A INPUT -i $DMZ -p tcp --dport 22 -s 10.0.1.0/24 -j ACCEPT #ssh
iptables -A INPUT -i $DMZ -p tcp --dport 80 -s 10.0.1.0/24 -j ACCEPT #http
iptables -A INPUT -i $DMZ -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT #https
iptables -A INPUT -i $DMZ -p tcp --dport 3128 -s 10.0.1.0/24 -j ACCEPT #Squid
iptables -A INPUT -i $DMZ -p udp --dport 53 -s 10.0.1.0/24 -j ACCEPT #Dns
iptables -A INPUT -i $DMZ -p icmp --icmp-type echo-request -s 10.0.1.0/24 -j ACCEPT #Ping from the DMZ subnet

#iptables -A INPUT -i $LAN -j ACCEPT #OPEN FOR ALL TRAFFIC#######
#iptables -A INPUT -i $DMZ -j ACCEPT #OPEN FOR ALL TRAFFIC#######




# Stateful inspection for the input to the local processes on the gateway.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#Control the datatraffic out from the gateway local processes
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

iptables -A OUTPUT -j ACCEPT #ALL OPEN#####

# Stateful inspection out from the gateway local processes
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



# Outgoing traffic from LAN to the internet:

# filtering from LAN to internet
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 21 -j ACCEPT #ftp
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 23 -j ACCEPT #telnet
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 53 -j ACCEPT #dns lookup
iptables -A FORWARD -i $LAN -o $WAN -p udp --dport 53 -j ACCEPT #dns lookup
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 80 -j ACCEPT #http web
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 110 -j ACCEPT #pop3
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 119 -j ACCEPT #news
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 143 -j ACCEPT #imap
iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 443 -j ACCEPT #https web

iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT #OPEN FOR ALL TRAFFIC########

# Incoming traffic from the internet to LAN server functions.

iptables -A FORWARD -i $WAN -p tcp --dport 4662 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 4662 -j DNAT --to-destination 10.0.0.202

iptables -A FORWARD -i $WAN -p udp --dport 4672 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN -p udp --dport 4672 -j DNAT --to-destination 10.0.0.202



# Traffic from LAN to DMZ server functions
iptables -A FORWARD -i $LAN -o $DMZ -p tcp --dport 25 -j ACCEPT #smtp mail

iptables -A FORWARD -i $LAN -o $DMZ -p tcp --dport 110 -j ACCEPT #pop3

iptables -A FORWARD -i $LAN -o $DMZ -p tcp --dport 143 -j ACCEPT #imap


# Stateful inspection for all traffic through the FORWARD chain.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT



# Traffic from internet to DMZ:
iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 25 -j ACCEPT #smtp mail server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 110 -j ACCEPT #pop3 server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 110 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 143 -j ACCEPT #imap server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 143 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 465 -j ACCEPT #ssl-smtp server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 465 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 993 -j ACCEPT #ssl-imap server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 993 -j DNAT --to-destination 10.0.1.2

iptables -A FORWARD -i $WAN -o $DMZ -p tcp --dport 995 -j ACCEPT #ssl pop3 server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 995 -j DNAT --to-destination 10.0.1.2



# Traffic from dmz to internet:
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 21 -j ACCEPT #ftp client
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 25 -j ACCEPT #smtp mail
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 53 -j ACCEPT #dns client
iptables -A FORWARD -i $DMZ -o $WAN -p udp --dport 53 -j ACCEPT #dns client
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 80 -j ACCEPT #http client
iptables -A FORWARD -i $DMZ -o $WAN -p tcp --dport 110 -j ACCEPT #pop client


# Enable IP forwarding #
echo 1 > /proc/sys/net/ipv4/ip_forward
« Last Edit: October 12, 2007, 04:24:47 AM by arne »
......

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #7 on: October 12, 2007, 06:49:04 AM »
Forgot one thing ..

Procedure:

1. Install a standard SME gateway installation with 2 network adapters. eth0 and eth1 will then be configured.

2. Add the third network card. (That will automatically be eth2 and should be used for DMZ/WLAN.)

3. Run the script and you are up and running with a 3 port SME Server gateway with detailed and fine-grained control of traffic in all of the traffic directions, plus DoS protection if you want to use it. (If you do some editing of the script and rerun it.)

There are some issues with the DHCP and DNS clients on the DMZ segment. I am just configuring manually for the testing. (But if a wireless router were connected to the DMZ card this could easily be overcome.)

************

And one other thing:

All the port and protocol definitions are not set right for a "universal use" on the SME Server, as this (above) was the result of one day's work in an "inspired moment". But the structure should be there, so it should only be a matter of filling the proper data in.

To fill in the right ports and protocols, it will be a major thing to understand how the IP packets traverse the Linux kernel:
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO-5.html
http://www.linuxguruz.com/iptables/howto/


************

And a third thing as well:

The way I control traffic directions is by specifying the traffic directions between network adapters (eth0, eth1, eth2).

I wonder if this method could have some hidden disadvantages. (Over the years I have not found any.)

For reasons that I do not completely understand, this method does not work if you run the Linux firewall in bridge mode (but I wonder if what really happens is that the Linux kernel translates adapter addresses like eth0 to a network IP address. Actually I believe that this is the case (??)).

One alternative way is to specify the traffic directions by using IP-based subnet addresses, which will produce a somewhat larger configuration script and make it slightly more difficult to read.

If anyone should know about advantages of the one over the other (except in bridge mode) I would be curious to know.



« Last Edit: October 12, 2007, 01:02:38 PM by arne »
......
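The post above compares two ways of expressing a traffic direction: by interface pair (-i/-o, as the script does) or by subnet pair (-s/-d). The shell below is an added example, not part of arne's script and not SME Server code: it renders a small zone-to-zone policy table into a complete FORWARD chain in either style, so the two forms can be read side by side. Zone names, the interface and subnet mappings, and the policy rows are constructed from the values used in this thread (eth0/eth1/eth2, 10.0.0.0/24 for the LAN, 10.0.1.0/24 for the DMZ); the `-m state --state NEW` qualifier on each rule is my addition. It only prints the iptables commands, so it runs without root or a Netfilter kernel.

```shell
#!/bin/sh
# Added example: render a zone-to-zone policy table into iptables FORWARD
# rules, by interface pair or by subnet pair. Prints commands only.
# Zone names, interfaces and subnets are constructed from the thread
# (eth0 LAN, eth1 WAN, eth2 DMZ; 10.0.0.0/24 LAN, 10.0.1.0/24 DMZ).

# Map a zone name to its network adapter.
zone_if() {
    case "$1" in
        LAN) echo eth0 ;;
        WAN) echo eth1 ;;
        DMZ) echo eth2 ;;
        *)   echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# Map a zone name to its address range. The WAN side has no fixed range,
# so in subnet mode it can only be written as "anything" (0.0.0.0/0).
zone_net() {
    case "$1" in
        LAN) echo 10.0.0.0/24 ;;
        WAN) echo 0.0.0.0/0 ;;
        DMZ) echo 10.0.1.0/24 ;;
        *)   echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# render_rule MODE SRC DST PROTO PORT -> one iptables command on stdout.
# MODE is "iface" (match -i/-o) or "subnet" (match -s/-d).
render_rule() {
    mode=$1 src=$2 dst=$3 proto=$4 port=$5
    case "$mode" in
        iface)
            in_if=$(zone_if "$src") || return 1
            out_if=$(zone_if "$dst") || return 1
            printf 'iptables -A FORWARD -i %s -o %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
                "$in_if" "$out_if" "$proto" "$port" ;;
        subnet)
            src_net=$(zone_net "$src") || return 1
            dst_net=$(zone_net "$dst") || return 1
            printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
                "$src_net" "$dst_net" "$proto" "$port" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Constructed policy table: one allowed direction per line (SRC DST PROTO PORT).
POLICY='
LAN WAN tcp 80
LAN WAN tcp 443
LAN WAN udp 53
LAN DMZ tcp 25
WAN DMZ tcp 25
DMZ WAN udp 53
'

# render_policy MODE -> the complete FORWARD chain for the table above:
# flush, default DROP, stateful catch-all, then one rule per policy row.
render_policy() {
    mode=$1
    echo 'iptables -F FORWARD'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "$POLICY" | while read -r src dst proto port; do
        [ -n "$src" ] || continue
        render_rule "$mode" "$src" "$dst" "$proto" "$port" || exit 1
    done
}

# Number of non-blank policy rows, so a caller can check none was skipped.
policy_rows() {
    echo "$POLICY" | grep -c '[^[:space:]]'
}

# Usage: sh thisfile.sh [iface|subnet] | sh   (review the output before piping)
render_policy "${1:-iface}"
```

Reading the two renderings of the same table shows one concrete difference between the styles: in subnet mode a WAN source can only be written as 0.0.0.0/0, so the WAN-to-DMZ rule also matches a LAN host talking to the DMZ, whereas the interface form -i eth1 -o eth2 does not. Combining both matches on one rule (-i eth0 -s 10.0.0.0/24) is the usual way to get the tighter interface semantics plus protection against packets arriving on the LAN adapter with a foreign source address.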

Offline raem

  • *
  • 3,972
  • +4/-0
Re: Linux - Firewall development project.
« Reply #8 on: October 12, 2007, 03:39:06 PM »
arne

As has been suggested by me and others, you really need to submit this code to bugzilla, as an NFR. That way the core developers & other coders will get to read it.
All development is being done in bugzilla, rather than in the forums.
The developers are unlikely to respond to code presented in the forums as the forums have poor tracking & control mechanisms.
Create the bug and post a link to the bug back into this thread so future forum readers can easily link to the bug and read the progress.
...

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #9 on: October 12, 2007, 04:52:12 PM »
I will do so, and I will not discuss or mention firewalls anymore on this forum. (Before 12 October 2008.)

I have really not got started yet, but I will try to come up with a 2 card and a 3 card suggestion.

(If I can find somewhere where some testing and some discussion about the Netfilter firewall can be done.)


To turn things around a little bit:

"Is there anybody out there that would like to do some nice work and testing of a firewall contrib ?"

"Discussion board will be supplied for a free and openhearted discussion about the Netfilter firewall :-) "
« Last Edit: October 12, 2007, 05:07:42 PM by arne »
......

Offline pfloor

  • *****
  • 889
  • +1/-0
Re: Linux - Firewall development project.
« Reply #10 on: October 12, 2007, 05:30:04 PM »
Quote
I have really not got started yet, but I will try to come up with a 2 card and a 3 card suggestion.

(If I can find somewhere where some testing and some discussion about the Netfilter firewall can be done.)

You have been told MANY MANY times where to discuss and test code enhancements/changes to SME.  USE BUGZILLA, it's that plain and simple.

Bugzilla has been in place for code development since 7.X (and another bug system before that) and that is where ALL code should be discussed/tested.  Trying to develop code in the forums does not work well, your discussion can get lost and forgotten, you can't attach code, you can't track problems or progress, etc.

http://bugs.contribs.org/

Create a new bug and ask for your own contrib section and you will have your own area to work in.  If your work is acceptable and enhances the core, it can easily be incorporated and moved into the base.

Bugzilla is the only way to do it correctly.
In life, you must either "Push, Pull or Get out of the way!"

Offline shawnbishop

  • *****
  • 298
  • +0/-0
Re: Linux - Firewall development project.
« Reply #11 on: October 12, 2007, 05:38:53 PM »
I'm in....

Don't know how I will contribute, but will try..

Let's register it in the bugzilla department...

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #12 on: October 12, 2007, 06:58:08 PM »
That's a nice thing. I have made Bug 3468. I will give it a try, even though I think such a firewall project is more a contrib than a "bug".

It is not difficult to help with the firewall contrib/bug.

It is not necessary to know much about firewalls to make some firewall improvements.

If one has some ideas about how the server, the network and the workstations really should work, this would be the most important information. Also, discovering that things do not work as expected is quite important. I believe that a firewall design based on Netfilter is to have some basic ideas about how it should work and then to check if it does what it should.

There are a lot of contribs going on and I do not really understand why a firewall contrib should be different from other contribs, except that a firewall project will, by its nature, need more discussion and more testing around it, as a firewall will affect the whole functionality and properties of the gateway server, and possibly it could have some influence over the workstations as well.

By the way, I don't know how this bug system works, but I'll give it a try.
......

Offline pfloor

  • *****
  • 889
  • +1/-0
Re: Linux - Firewall development project.
« Reply #13 on: October 12, 2007, 08:31:07 PM »
Quote
That's a nice thing. I have made Bug 3468. I will give it a try, even though I think such a firewall project is more a contrib than a "bug".

I guess this is where your misunderstanding begins.

Bugzilla is not just to report bugs (as the name implies).  It does track bugs AND IS ALSO a complete development tracking system for software development, testing and release of the core OS and contributions associated with SME.  Everything can be broken up into sections and sub-sections.  It is very flexible and does a good job tracking progress.  It allows you to create a bug (like you did) and then attach sub-bugs (as dependencies) so you can track multiple pieces of your work all at once.  You would use it as such:

1-Create main bug (like you did) and then break up each change/addition into smaller, more manageable bugs like so:
2-Create a new bug (like add abc) and make it a dependency of the main bug.
3-Create another bug (like fix xyz) and make it a dependency of the main bug.
You can even create dependencies on other dependencies, etc, etc.

Then after you solve and close all the dependency bugs, you can close the main bug.

Other advantages to Bugzilla:

Unlike the forums, you can't edit, change, erase or delete anything in Bugzilla.  Everything is done in a time-line fashion and nothing gets lost or edited.  Everything done in the past can always be re-looked at and corrected if needed.  It tracks every change as they occur.

Bugzilla also allows you to upload log files, patches, pictures, RPM's, etc.  The forum doesn't allow any of this.
In life, you must either "Push, Pull or Get out of the way!"

Offline pfloor

  • *****
  • 889
  • +1/-0
Re: Linux - Firewall development project.
« Reply #14 on: October 12, 2007, 09:26:39 PM »
Arne,

Another thing you need to do is Study, Learn and Embrace the Configuration Database and Template Design philosophy of the SME Server.  Have you read the Developer's Manual?
http://mirror.contribs.org/smeserver/contribs/gordonr/devguide/html/devguide.html

Your script above may work for you but maybe I don't want 3 (or even 2) NICs.  Also, your script probably won't work if the server is set up to use pppoe on the external interface.  The template system takes those variables (and many, many more) into consideration and (in very simple terms) does the following:

If I want 1 NIC in server-only mode the template system prepares and writes the correct masq file to accomplish and accommodate my needs.

If I want 2 NICs in Private Server-Gateway mode, the templates give me what I need.

If I want Server-Gateway mode, the templates open up the correct ports.

And if I want 3 NICs then the templates should do the right thing in that instance.

You need to build on the templates to "do the right thing" when someone chooses a 3 NIC setup.

However, you need to do this in steps.  First you need to set up the templates and/or config DB to properly configure the server to use 3 NICs.  Then you need to modify the masq templates so they write the correct masq file when someone chooses to use 3 NICs. If you have multiple options for the 3rd NIC then you need to make sure the templates write out the correct masq file depending on what option is chosen for the 3rd NIC.

The structure is already there for you to add to it.  It's actually very easy once you understand how it works. 

Once you have the underlying code working then you need to decide if something belongs in the admin panel or even possibly in the Server-Manager GUI.

By design, hardware related changes belong in the admin panel as they are usually only needed upon the server's initial setup.  The 3rd NIC setup probably doesn't need to be there as it can be configured with some simple config db commands after initial installation.

If you want to control the masq settings in the Server-Manager GUI, you can then begin to write a manager panel to control the different settings if that's where you want the control to be.  You can make the manager panel as simple or as complicated as you like.

You can't just blow away the current masq script and templates and start over with a "one size fits all" script for the firewall, there are just too many configuration variables to consider and it's much, much more complicated than that.

Is this making any sense to you?
In life, you must either "Push, Pull or Get out of the way!"

Offline TrevorB

  • *
  • 259
  • +0/-0
    • http://www.batley.id.au
Re: Linux - Firewall development project.
« Reply #15 on: October 13, 2007, 12:51:53 AM »
Quote
Don't know how I will contribute, but will try..

Testing and validating are the biggest ask from the developers.

Even if you can't change the code, you can test that it does what they expect and you can also validate someone else's tests.

Trevor B

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #16 on: October 13, 2007, 03:05:36 AM »
pfloor ->

Thanks for your friendly, well-meant and well-argued comments.

Your arguments do make sense and I have been thinking them through, and my conclusion is the opposite of yours.

In general I think there are few persons inside the SME Server environment, if any, who agree with me at all on how a "new" or improved firewall system might be developed.

It is not my idea that there should be one common firewall script for server installations, 2 port installations, 3 port installations etc.

The traditional way of configuring a Netfilter firewall is by using a firewall script for the configuration.

The logical place to start, from a top-down approach, was just to make the structure of the most complicated variant that could be tested now, the 3 port, and from that as a basis fill in details and simplify it down to the level of a 2 port and a 1 port variant. Then the next logical step will be to develop some automated tools to generate these scripts.

As the basic principle of development might be close to the opposite of the traditional ways of doing things in the SME Server project, I will try to do this project as a contrib via my own web page.
http://www.linuxfirewalls.info/ (Not started yet, just made it today.)

I feel rather sure that solutions will come up that work on the SME Server and on other Linux distros as well, as I am using such a 3 port firewall on an SME 7.2 every day myself. There will also be at least some automated tools in this contrib for generating and executing these firewall configurations.

If anyone wants to test it out and find things that do not work or are not good enough, or has some suggestions for improvement, I will be thankful for that. The first framework (but not the end result) of a 3 port firewall is already posted and can be tested now.

By the way, thanks for the link to the developer's guide. I read it one year ago, and there are a lot of things in it that I do not understand yet, and I had forgotten the address where it was, so thanks a lot.

There are a lot of contribs done by private developers, and this firewall contrib is nothing more than any other contrib.

On the other hand, a firewall contrib might need some more testing, some more discussion and some more feedback and ideas to be implemented than some other contrib might need to work in a good way.

The name of the contribs.org web forum is contribs.org, and it should not be regarded as something negative or bad just to try to develop one other contrib.

......

Offline raem

  • *
  • 3,972
  • +4/-0
Re: Linux - Firewall development project.
« Reply #17 on: October 13, 2007, 03:49:38 AM »
arne

Quote
The name of the contribs.org web forum is contribs.org and it should not be regarded to be something negative or bad just to try to develop one other contrib

I see no evidence that anyone said what you are doing is bad, so don't feel that way.
You do seem to have some strong/fixed points of view that no one else appears to agree with, that's a difference of opinion. Usually when more than one person is telling you the same thing, it's a good idea to listen and adapt.


Quote
The traditonal way of configuring a netfilter firewall is by using a firewall script for the configuration.

sme server is not a standard type of Linux OS that can be tweaked with standard tools or methods, things will break if you do that. It is a highly customised configuration implemented on a Linux OS that happens to be CentOS (it could well have been some other Linux OS).
sme server has its own special set of tools & method of configuration, primarily revolving around the templating system (and the db command structure).


Quote
There is a lot of contribs done by private developers, and this firewall contrib is nothing more than any other contrib.

You can certainly treat your firewall project as a contrib, but you are very wrong to say it is just like any other contrib. Most contribs add functionality to what already exists, and utilise the existing code structure to do so, and many are web applications that will run on any web server (all without changing the underlying system).
What you are proposing is to replace a very important & tightly integrated part of the sme server with a completely different set of code & method of implementation, and without replacing/considering existing functionality in server manager. It's like saying I'm developing a project to replace qmail & qpsmtpd with sendmail and that it will just slot in fairly simply, but without considering all the other functions within sme that rely on qmail & qpsmtpd.

You also perhaps don't recognise that you have already been getting a lot of feedback, maybe not specifically on your code, but certainly on your approach. You have been asking for discussion, and I think there has been a fair bit of that already, but you don't seem to respond well to the advice you are being given that your project needs to be compatible with the existing sme system if it is going to be accepted.

It's a bit like the expression, "You can lead a horse to water, but you cannot make him drink".
...

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #18 on: October 13, 2007, 05:50:51 PM »
The horse might be a Whisky drinker that prefers his own homebrew stuff  :)

http://www.linuxfirewalls.info/

http://no.wikipedia.org/wiki/Whisky
......

Offline meanpenguin

  • ****
  • 138
  • +0/-0
Re: Linux - Firewall development project.
« Reply #19 on: October 17, 2007, 02:33:28 AM »
This issue has been discussed as far as I can remember.

If anyone wants to continue with a firewall "contrib," the best way I can see it working would be to
integrate the shoreline firewall (ShoreWall) project http://www.shorewall.net/ into the SME.

Shorewall is a well tested and developed set of scripts by Tom Eastep and community...
Documentation and support on how to do some of the fancy firewalling can be
obtained from the Shorewall project community.

The contrib can be created to generate the text configuration files needed by Shorewall,
which is a perfect fit for the SME's templating system.
Adding firewall code for other contribs would be simpler as well (especially by non ipchains/netfilter experts).

This can be a true contrib since it can stay side-by-side with the existing firewall code.
Hook it into the event system to start, stop, and reload the shorewall script.

Once the "firewall contrib" has been tested there might be a good possibility to replace the
integrated firewall. 

A side effect of using the Shorewall will be to get some neat features
http://www.shorewall.net/shorewall_features.htm


Ed

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #20 on: October 18, 2007, 10:48:50 PM »
Thanks for your suggestion !

I downloaded the Shorewall (3.5) rpm and installed it on SME 7.2 to give it a try. It did install, and I applied the default configuration files, but it did not run completely as it should. Doing some googling I found some examples of firewall configuration scripts generated by Shorewall. As I read them I think that they might be a bit more complicated than they need to be, to get the job done.

We are now 5 persons on a new project trying to develop a new general firewall configuration tool for Linux. (I use SME 7.2 for the development, but I think that the other project members will be using other Linux platforms.)

I think our first target will be to develop a somewhat more "easy to use" user interface than the one of Shorewall. On the other hand I/we will definitely do some serious testing on Shorewall, a little bit later on, to see how it uses principles and solutions that could be implemented into our project.

By the way, I was locked out from the contribs.org forums for a few days, and I have a warning  :shock:
« Last Edit: October 18, 2007, 10:50:22 PM by arne »
......

Offline supersonico

  • *
  • 28
  • +0/-0
Re: Linux - Firewall development project.
« Reply #21 on: October 19, 2007, 04:45:42 AM »
arne

I'm working with this project, but for reasons that I don't know, I can't make the pptp service work.

I can connect but no traffic. (I don't have a remote idea about it)

http://www.vuurmuur.org/trac/

If You can help me installing and testing, this can be a good add-on for the SME-server; I'm so short of time to work with.
« Last Edit: October 19, 2007, 04:47:22 AM by supersonico »

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #22 on: October 19, 2007, 10:26:16 AM »
Looks rather interesting. I will download and try to test it (Your firewall config tool).

Are you testing using the SME box or some other Linux distro ?

(I am wondering, this pptp issue is it a sme 7.2 related issue or is it a general Iptables/Netfilter/pptp issue ?)

(If it is a SME 7.2 issue I will try to test out on this platform.)
......

Offline supersonico

  • *
  • 28
  • +0/-0
Re: Linux - Firewall development project.
« Reply #23 on: October 19, 2007, 04:47:32 PM »
Arne, the vuurmuur shuts down all the SME rules.

I'm working with it on a SME 7.2, at the moment I have blocked all the services to this map:

allow from firewall to any
allow from lan to world.inet firewall
allow from lan to world.inet smtp
allow from lan to world.inet pop3
allow from lan to world.inet https
allow from lan to world.inet pop3s
allow from world.inet to firewall smtp
allow from world.inet to firewall http
allow from world.inet to firewall https
allow from world.inet to firewall pptp

Then
I configured the DHCP to make it Windows friendly with "WPAD". (don't know how to make it with DNS, like the IPcop), and my initial idea was not to depend on another machine (less electricity use and just one machine to clean).

The result: nobody is using P2P in my networks, in less than 10 minutes.  :grin: :-P 8-D

I have a beautiful interface to see "who is connected to" and it has a "connections manager" but I can't compile the conntrack tools so you can kill connections as you want.

You can add PRE-VMR rules so you easily can add more "complicated stuff" to the vuurmuur daemon. (i.e. HTB traffic shaping scripts)

The database of the rules is plain text so we can translate "db commands" to the vuurmuur.

I was trying to make a rpm (but have no idea how to make it, sorry no time).

I don't clearly understand the syntax for the rules but I'm trying to make the PPTP service work. (works with SME without vuurmuur)
« Last Edit: October 19, 2007, 04:53:39 PM by supersonico »
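The rule map posted above (reply #23) and the Shorewall-generation idea in reply #19 both come down to the same thing: turning a short, readable rule list into the text files a netfilter front end consumes, which is exactly what a template fragment would emit. The following is an added example, not code from vuurmuur, Shorewall, SME Server or any of the posters. It parses rules in the posted `allow from <zone> to <zone> [service]` form and renders them as Shorewall `rules` and `policy` lines. The zone mapping (`firewall` to `$FW`, `lan` to `loc`, `world.inet` to `net`), the service-to-port table and the copied rule map are the example's own assumptions. A service with no port mapping, such as the `firewall` service in the posted map, produces a comment rather than an open rule, and the generated policy is default-deny, so the output fails closed.

```python
"""Render a vuurmuur-style rule map as Shorewall 'rules' and 'policy' lines.

Added example: hypothetical glue between the rule map posted in the thread
and Shorewall's text-file format. Not vuurmuur, Shorewall or SME Server code.
"""
import re

# Zone names as written in the posted rule map -> Shorewall zone names.
# Assumed mapping; $FW, loc and net are Shorewall's conventional zone names.
ZONE_MAP = {"firewall": "$FW", "lan": "loc", "world.inet": "net", "any": "all"}

# Service -> list of (protocol, port). Port None means the whole protocol.
# Constructed from well-known ports; PPTP needs TCP 1723 plus GRE (protocol 47).
SERVICES = {
    "smtp": [("tcp", 25)],
    "pop3": [("tcp", 110)],
    "pop3s": [("tcp", 995)],
    "http": [("tcp", 80)],
    "https": [("tcp", 443)],
    "pptp": [("tcp", 1723), ("47", None)],
}

ACTIONS = {"allow": "ACCEPT", "drop": "DROP", "reject": "REJECT"}

RULE_RE = re.compile(r"^(allow|drop|reject)\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+(\S+))?\s*$")

# The rule map as posted in reply #23 (copied from the thread, used as sample input).
SAMPLE_RULE_MAP = """
allow from firewall to any
allow from lan to world.inet firewall
allow from lan to world.inet smtp
allow from lan to world.inet pop3
allow from lan to world.inet https
allow from lan to world.inet pop3s
allow from world.inet to firewall smtp
allow from world.inet to firewall http
allow from world.inet to firewall https
allow from world.inet to firewall pptp
"""


def parse_rule(line):
    """Parse 'allow from <src> to <dst> [service]' into a dict; reject anything else."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, src, dst, service = m.groups()
    for zone in (src, dst):
        if zone not in ZONE_MAP:
            raise ValueError(f"unknown zone {zone!r} in {line!r}")
    return {"action": action, "src": src, "dst": dst, "service": service}


def to_shorewall(rule):
    """Render one parsed rule as Shorewall 'rules' lines: ACTION SOURCE DEST [PROTO [PORT]]."""
    action = ACTIONS[rule["action"]]
    src, dst = ZONE_MAP[rule["src"]], ZONE_MAP[rule["dst"]]
    service = rule["service"]
    if service is None:  # no service named: the rule covers all traffic between the zones
        return [f"{action}\t{src}\t{dst}"]
    if service not in SERVICES:
        # Fail closed: an unmapped service becomes a comment, never an open rule.
        return [f"# UNMAPPED service {service!r}: {rule['action']} from "
                f"{rule['src']} to {rule['dst']} (add it to SERVICES)"]
    out = []
    for proto, port in SERVICES[service]:
        cols = [action, src, dst, proto] + ([str(port)] if port is not None else [])
        out.append("\t".join(cols))
    return out


def render_rules(rule_map):
    """Render a whole rule map (one rule per line, blank lines ignored) as a 'rules' file."""
    lines = ["#ACTION\tSOURCE\tDEST\tPROTO\tDEST PORT(S)"]
    for raw in rule_map.splitlines():
        if raw.strip():
            lines.extend(to_shorewall(parse_rule(raw)))
    return lines


def render_policy():
    """Default-deny 'policy' file: nothing passes unless a rule above permits it."""
    return [
        "#SOURCE\tDEST\tPOLICY\tLOG LEVEL",
        "loc\tnet\tREJECT\tinfo",
        "net\tall\tDROP\tinfo",
        "all\tall\tREJECT\tinfo",
    ]


if __name__ == "__main__":
    print("\n".join(render_rules(SAMPLE_RULE_MAP)))
    print()
    print("\n".join(render_policy()))
```

Logging the policy drops (`info`) gives the "who is being blocked" visibility that a default-deny setup needs when a service such as PPTP stops working: a rule that was never generated shows up as a logged REJECT rather than as silent breakage.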

Offline arne

  • *****
  • 1,116
  • +0/-4
Re: Linux - Firewall development project.
« Reply #24 on: October 19, 2007, 09:04:46 PM »
Hello !

Interesting ..

Have you done the "sme server shut down firewall" procedure ? (Just flushing out and resetting "the normal way" will not do it completely.)

I tried to install the Vuurmuur first using the fedora rpm and then from sourcecode. Had some messages about missing something ..

Do you have some tips how to get it up and running on the SME 7.2 ?

Arne
......

Offline supersonico

  • *
  • 28
  • +0/-0
Re: Linux - Firewall development project.
« Reply #25 on: October 19, 2007, 10:59:32 PM »
Yes, it is already working on the sme-server ver 7.2

This is what I did:

Previous steps, search and install the libtool-1.5.6-4.EL4.1.c4.4.i386.rpm
(the yum command gave me a problem, I miss FreeBSD for that kind of problems :-( :-( :-()

Then

Code:
rpm --nodeps -Uvh libtool-1.5.6-4.EL4.1.c4.4.i386.rpm

2-Install the compiler.
Code:
yum --disablerepo=* --enablerepo=base --enablerepo=centosplus install automake autoconf gcc gettext gettext-devel libtool which gcc-c++ ncurses-devel

3-get the vuurmuur package
Code:
wget ftp://ftp.vuurmuur.org/releases/0.5.72/Vuurmuur-0.5.72.tar.gz

4-So uncompress and get in Vuurmuur folder
and

Code:
sh install.sh

5-then type in the console

#vuurmuur_conf

Then follow the documentation

http://www.vuurmuur.org/trac/wiki/Configuration
Quote
Have you done the "sme server shut down firewall" procedure ? (Just flushing out and resetting "the normal way" will not do it completely.)

The vuurmuur daemon does that, it cleans everything except the "established connections."

To start vuurmuur:

sh /usr/share/vuurmuur/scripts/vuurmuur-initd.sh start (I haven't setup the init.d script)
« Last Edit: October 19, 2007, 11:04:33 PM by supersonico »

Offline slords

  • *****
  • 235
  • +3/-0
Re: Linux - Firewall development project.
« Reply #26 on: October 19, 2007, 11:27:02 PM »
We are getting into horrible advice on this thread.  If you want to coordinate development please take it to either private email or the development mailing list.  The forums aren't the place to coordinate development work.

Once you have something working then you are welcome to announce it on the forums.

This thread will be locked.  Take all followup comments to the development list please.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook