Koozali.org: home of the SME Server

Linux - Firewall development project.

TrevorB
http://www.batley.id.au
Re: Linux - Firewall development project.
« Reply #15 on: October 13, 2007, 12:51:53 AM »
Don't know how I will contribute, but will try..
Testing and validating are the biggest ask from the developers.

Even if you can't change the code, you can test that it does what they expect and you can also validate someone else's tests.

Trevor B

arne
Re: Linux - Firewall development project.
« Reply #16 on: October 13, 2007, 03:05:36 AM »
pfloor ->

Thanks for your friendly, well meant and well argued comments.

Your arguments do make sense and I have been thinking them through, and my conclusion is the opposite of yours.

In general I think there are few persons inside the sme server environment, if any, who agree with me at all on how a "new" or improved firewall system might be developed.

It is not my idea that there should be one common firewall script for server installations, for 2 port installations, for 3 port installations etc.

The traditional way of configuring a netfilter firewall is by using a firewall script for the configuration.

The logical place to start from a top down approach was just to make the structure of the most complicated variant that could be tested now, the 3 port, and from that as a basis fill in the details and simplify it down to the level of a 2 port and a 1 port variant. Then the next logical step will be to develop some automated tools to generate these scripts.

As the basic principle of development might be near something like the opposite of the traditional ways of doing things in the SME Server project, I will try to do this project as a contrib via my own webpage.
http://www.linuxfirewalls.info/ (Not started yet, just made it today.)

I feel rather sure that solutions will come up that will work on the SME server and on other Linux distros as well, as I am using such a 3 port firewall on a SME 7.2 every day myself. There will also be at least some automated tools in this contrib for generating and executing these firewall configurations.

If anyone wants to test it out and find things that do not work or are not good enough, or has some suggestions for improvement, I will be thankful for that. The first framework (but not the end result) of a 3 port firewall is already posted and can be tested now.

By the way, thanks for the link to the developers guide. I read it one year ago, and there are a lot of things in it that I do not understand yet, and I had forgotten the address where it was, so thanks a lot.

There are a lot of contribs done by private developers, and this firewall contrib is nothing more than any other contrib.

On the other hand a firewall contrib might need some more testing and some more discussions and some more feedback and ideas to be implemented than some other contrib might need to work in a good way.

The name of the contribs.org web forum is contribs.org and it should not be regarded as something negative or bad just to try to develop one other contrib.

......

raem
Re: Linux - Firewall development project.
« Reply #17 on: October 13, 2007, 03:49:38 AM »
arne

Quote
The name of the contribs.org web forum is contribs.org and it should not be regarded as something negative or bad just to try to develop one other contrib

I see no evidence that anyone said what you are doing is bad, so don't feel that way.
You do seem to have some strong/fixed points of view that no one else appears to agree with, that's a difference of opinion. Usually when more than one person is telling you the same thing, it's a good idea to listen and adapt.


Quote
The traditional way of configuring a netfilter firewall is by using a firewall script for the configuration.

sme server is not a standard type of Linux OS that can be tweaked with standard tools or methods, things will break if you do that. It is a highly customised configuration implemented on a Linux OS that happens to be CentOS (it could well have been some other Linux OS).
sme server has its own special set of tools & method of configuration, primarily revolving around the templating system (and the db command structure).


Quote
There is a lot of contribs done by private developers, and this firewall contrib is nothing more than any other contrib.

You can certainly treat your firewall project as a contrib, but you are very wrong to say it is just like any other contrib. Most contribs add functionality to what already exists, and utilise the existing code structure to do so, and many are web applications that will run on any web server (all without changing the underlying system).
What you are proposing is to replace a very important & tightly integrated part of the sme server with a completely different set of code & method of implementation, and without replacing/considering existing functionality in server manager. It's like saying I'm developing a project to replace qmail & qpsmtpd with sendmail and that it will just slot in fairly simply, but without considering all the other functions within sme that rely on qmail & qpsmtpd.

You also perhaps don't recognise that you have already been getting a lot of feedback, maybe not specifically on your code, but certainly on your approach. You have been asking for discussion, and I think there has been a fair bit of that already, but you don't seem to respond well to the advice you are being given that your project needs to be compatible with the existing sme system if it is going to be accepted.

It's a bit like the expression, "You can lead a horse to water, but you cannot make him drink".
...

arne
Re: Linux - Firewall development project.
« Reply #18 on: October 13, 2007, 05:50:51 PM »
The horse might be a Whisky drinker that prefers his own homebrew stuff :)

http://www.linuxfirewalls.info/

http://no.wikipedia.org/wiki/Whisky
......

meanpenguin
Re: Linux - Firewall development project.
« Reply #19 on: October 17, 2007, 02:33:28 AM »
This issue has been discussed as far as I can remember.

If anyone wants to continue with a firewall "contrib," the best way I can see it working would be to
integrate the Shoreline Firewall (Shorewall) project http://www.shorewall.net/ into the SME.

Shorewall is a well tested and developed set of scripts by Tom Eastep and community...
Documentation and support on how to do some of the fancy firewalling can be
obtained from the Shorewall project community.

The contrib can be created to generate the text configuration files needed by Shorewall,
which is a perfect fit for the SME's templating system.
Adding firewall code for other contribs would be simpler as well (especially by non ipchains/netfilter experts).

This can be a true contrib since it can stay side-by-side with the existing firewall code.
Hook it into the event system to start, stop, and reload the shorewall script.

Once the "firewall contrib" has been tested there might be a good possibility to replace the
integrated firewall.

A side effect of using Shorewall will be to get some neat features:
http://www.shorewall.net/shorewall_features.htm


Ed

arne
Re: Linux - Firewall development project.
« Reply #20 on: October 18, 2007, 10:48:50 PM »
Thanks for your suggestion!

I downloaded the Shorewall (3.5) rpm and installed it on SME 7.2 to give it a try. It did install, and I applied the default configuration files, but it did not run completely as it should. Doing some googling I found some examples of firewall configuration scripts generated by Shorewall. As I read them I think that they might be a bit more complicated than they need to be, to get the job done.

We are now 5 persons on a new project trying to develop a new general firewall configuration tool for Linux. (I use SME 7.2 for the development, but I think that the other project members will be using other Linux platforms.)

I think our first target will be to develop a somewhat more "easy to use" user interface than the one of Shorewall. On the other hand I/we will definitely do some serious testing on Shorewall, a little bit later on, to see how it uses principles and solutions that could be implemented into our project.

By the way, I was locked out from the contribs.org forums for a few days, and I have a warning  :shock:
« Last Edit: October 18, 2007, 10:50:22 PM by arne »
......

supersonico
Re: Linux - Firewall development project.
« Reply #21 on: October 19, 2007, 04:45:42 AM »
arne

I'm working with this project, but for reasons that I don't know, I can't make the pptp service work.

I can connect but there is no traffic. (I don't have the remotest idea about it.)

http://www.vuurmuur.org/trac/

If you can help me with installing and testing, this can be a good add-on for the SME-server; I'm so short of time to work with it.
« Last Edit: October 19, 2007, 04:47:22 AM by supersonico »

arne
Re: Linux - Firewall development project.
« Reply #22 on: October 19, 2007, 10:26:16 AM »
Looks rather interesting. I will download and try to test it (your firewall config tool).

Are you testing using the SME box or some other Linux distro?

(I am wondering, is this pptp issue a sme 7.2 related issue or is it a general Iptables/Netfilter/pptp issue?)

(If it is a SME 7.2 issue I will try to test out on this platform.)
......

supersonico
Re: Linux - Firewall development project.
« Reply #23 on: October 19, 2007, 04:47:32 PM »
Arne, the vuurmuur shuts down all the SME rules.

I'm working with it on a SME 7.2; at the moment I have blocked all the services down to this map:

allow from firewall to any
allow from lan to world.inet firewall
allow from lan to world.inet smtp
allow from lan to world.inet pop3
allow from lan to world.inet https
allow from lan to world.inet pop3s
allow from world.inet to firewall smtp
allow from world.inet to firewall http
allow from world.inet to firewall https
allow from world.inet to firewall pptp

Then
I configured the DHCP to make it Windows friendly with "WPAD". (I don't know how to make it with DNS, like IPCop does.) My initial idea was not to depend on another machine (less electricity use and just one machine to clean).

The result: nobody is using P2P in my networks, in less than 10 minutes. :grin: :-P 8-D

I have a beautiful interface to see "who is connected to" and it has a "connections manager", but I can't compile the conntrack tools so you can kill connections as you want.

You can add PRE-VMR rules so you can easily add more "complicated stuff" to the vuurmuur daemon (i.e. HTB traffic shaping scripts).

The database of the rules is plain text so we can translate "db commands" to the vuurmuur.

I was trying to make an rpm (but I have no idea how to make it, sorry, no time).

I don't clearly understand the syntax for the rules but I'm trying to make the PPTP service work. (It works on SME without vuurmuur.)
« Last Edit: October 19, 2007, 04:53:39 PM by supersonico »
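
The rule map above reads as a default-deny zone policy: anything not listed falls through to deny, which is why the unlisted P2P traffic stopped. The following is an added example (not Vuurmuur's own code, and not from this thread) that parses that shorthand and evaluates sample flows against it; the rule grammar (`allow from <src> to <dst> [<service>]`) and the service-to-port table are assumptions made here for illustration.

```python
"""Default-deny evaluation of zone rules in the form quoted in the post.

Added example, not Vuurmuur's code. Grammar and port table are assumptions.
"""
from typing import List, NamedTuple, Optional

# Constructed copy of the rule set quoted in the post.
RULES_TEXT = """
allow from firewall to any
allow from lan to world.inet firewall
allow from lan to world.inet smtp
allow from lan to world.inet pop3
allow from lan to world.inet https
allow from lan to world.inet pop3s
allow from world.inet to firewall smtp
allow from world.inet to firewall http
allow from world.inet to firewall https
allow from world.inet to firewall pptp
"""

# Standard TCP ports for the services the rules name (constructed lookup).
# A service name missing here (e.g. "firewall") never matches a port, so
# an unknown name fails closed rather than open.
SERVICE_PORTS = {"smtp": 25, "http": 80, "pop3": 110, "https": 443,
                 "pop3s": 995, "pptp": 1723}

class Rule(NamedTuple):
    action: str
    src: str
    dst: str
    service: Optional[str]  # None means "any service"

def parse_rules(text: str) -> List[Rule]:
    """One rule per line; a missing trailing service token means any."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "from" or parts[3] != "to":
            raise ValueError(f"unparseable rule: {line!r}")
        service = parts[5] if len(parts) > 5 else None
        rules.append(Rule(parts[0], parts[2], parts[4], service))
    return rules

def decide(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match falls through to the deny default."""
    for r in rules:
        if r.src != src or (r.dst != "any" and r.dst != dst):
            continue
        if r.service is None or SERVICE_PORTS.get(r.service) == dport:
            return r.action
    return "deny"
```

Running `decide(parse_rules(RULES_TEXT), "lan", "world.inet", 6881)` returns `"deny"` because no rule names that port, while port 25 from the same zone pair is allowed.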

arne
Re: Linux - Firewall development project.
« Reply #24 on: October 19, 2007, 09:04:46 PM »
Hello !

Interesting ..

Have you done the "sme server shut down firewall" procedure ? (Just flushing out and resetting "the normal way" will not do it completely.)

I tried to install the Vuurmuur first using the fedora rpm and then from source code. Had some messages about missing something ..

Do you have some tips how to get it up and running on the SME 7.2 ?

Arne
......

supersonico
Re: Linux - Firewall development project.
« Reply #25 on: October 19, 2007, 10:59:32 PM »
Yes, it is already working on the sme-server ver 7.2

This is what I did:

1. Previous steps: search for and install libtool-1.5.6-4.EL4.1.c4.4.i386.rpm
(the yum command gave me a problem, I miss FreeBSD for that kind of problems :-( :-( :-()

Then

    rpm --nodeps -Uvh libtool-1.5.6-4.EL4.1.c4.4.i386.rpm

2. Install the compiler.

    yum --disablerepo=* --enablerepo=base --enablerepo=centosplus install automake autoconf autoconf gcc gettext gettext-devel libtool which gcc-c++ ncurses-devel

3. Get the vuurmuur package

    wget ftp://ftp.vuurmuur.org/releases/0.5.72/Vuurmuur-0.5.72.tar.gz

4. So uncompress it, get into the Vuurmuur folder
and

    sh install.sh

5. Then type in the console

    # vuurmuur_conf

Then follow the documentation

http://www.vuurmuur.org/trac/wiki/Configuration
Quote
Have you done the "sme server shut down firewall" procedure ? (Just flushing out and resetting "the normal way" will not do it completely.)

The vuurmuur daemon does that, it cleans everything except the "established connections."

To start vuurmuur:

    sh /usr/share/vuurmuur/scripts/vuurmuur-initd.sh start

(I haven't set up the init.d script)
« Last Edit: October 19, 2007, 11:04:33 PM by supersonico »

slords
Re: Linux - Firewall development project.
« Reply #26 on: October 19, 2007, 11:27:02 PM »
We are getting into horrible advice on this thread.  If you want to coordinate development please take it to either private email or the development mailing list.  The forums aren't the place to coordinate development work.

Once you have something working then you are welcome to announce it on the forums.

This thread will be locked.  Take all followup comments to the development list please.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook