Topic: Howto for 3 NIC, WLAN and other firewall stuff.

[arne]

I have made a 3 NIC firewall arrangement with a secure WLAN arrangement, remote access and remote control and ip telephony from restricted hotspors, etc. Project was done partly for fun and the challange, so I tried to include those questions I have seen in this forum about firewalling, wlan, etc for the last period, and to make an all-in-one soultion.

It looks like things now are working stable and without any serious issues.

As I have experienced when trying to get some basic info to do this project, that firewalling can be something rather controversial in this forum, so it might not be obvoius that a how to is the right thing to do.

When it comes to security it is my believe that the new firewall arrangement as I use it, is more secure than the original one. Reason: Less services is exposed to the Internet and a wireless router or accesspoint will not have to be connected to LAN but to a 3'rd safe zone. (But on the other hand users are free to arrange the firewall freely as they want to, so this will include the ability to build in more security, or more risks, as they like to.)

If approved by the moderators I will post a howto in this tread that will include the firewall setup, the arrangement around a wireless zone, how to set up clients for access from external secure wlans and hotspots, etc.

If there should be found security issues that I have not discovered myself, it would be very positive to get some feedback on this, so things can/might be improved.

[slords]

If your proposal is to disable the existing firewall and run your script then your proposal will meet with a lot of flames.  You need to take into consideration the database entries and template way of doing things or your proposal will never be accepted.

Firewalls are only as secure as the person running/designing them.  SME be default doesn't enable any ports.  EVERYTHING is closed.  What happens is different base packages are added on top of the firewall that open ports that they need to function.  If you don't want a port open then disable the service or change its visibility to internal.  For most common services this also includes a web panel to enable/disable and signal the correct events.  Most of the time there is more involved in closing down a service then just disallowing traffic to it.

Arne, you have been told over and over to go ahead and do your thing.  You have also been told to read the dev handbook and look at doing things the sme way.  Unless your script has changed quite a bit from the ones I've seen then it doesn't take into account anything but what you think should be on the box.  If I'm not running a VoIP server are you still going to open up the port for a VoIP server, including huge ranges of UDP ports?

The forum isn't the place to post howto's, the wiki is.  If you have something to show off that you feel meets with the above guidelines and doesnt' revert any of the existing functionality of sme then please post your howto on the wiki.  If not then please keep working until it does and then share.

[arne]

The reason that I mentioned the firewall the first time was basically that I needed some information to make some improvements that were important for me. (Full access from restricted wlan and hotspots.) Between all that so called "flaming" I also found that technical information that I needed to do the job.

The develop ment is now done and everything seems to be working stable and without a problem.

After doing a job on a open source software I find it natural to offer the publishing of how things can be done, to cheer the results with other that might be interested and possibly also to get some feedback on things that could work bether.

The strange things with the contribs.org forum is that people in some way seems to be emotional "connected" or "involved" with something little personal like a firewall.

The development of a firewall arrangement will neccessarly be a two step proccess. It will first be requied to do the step no 1 to implement an test out a optimised firewall arrangement. Then comes step no 2. When the specification for the optimised firewall is known, then this can be implemented into the template system. If there is no step 1, there can not be a step 2 either.

There is a lot of clever people working on the template system, but I believe that they have not made the 3 NIC solution yet.

I think that the job of impelemtning a more flexible firewall soulution into the template system can be done, but I believe that this will be a very difficult project, if it can not be devided into smaller step by steb sub projectes. I believe that if the requirement is that it is only leagal to start with the end, this will be a very difficult project to do.

If a more openminded attitude, first develop and testing out the firewalling part of it, and then implement into the template system, then I believe that the job could could positively be done.

The e-smith once used to be a very innovative product. Much of the basic structure, functions etc, is much the same as it used to be 8 years ago, and the firewall arrangement was actually developed for the 2.2.x kernel.

The world is changing and the IT technology does as well. I think today it is not something rather unusual to use a wireless network or a ip telephone or a hot spot at the airport. These were not issues when the e-smith was developed 8-9 years ago.

I think that to keep on to be a modern and updated product there will be needed some new ideas and some new functions to keep track with a changing world. 

By the way: 

Open port can be checked with at portscanner and a basic SME server gateway use to have a number of open ports related to the services running on the gateway. (More than one should believe.)

SIP telephony with asterisk is by default set up opening 10002 UDP ports, but it can be reconfigured to use only 4 ports. (I believe, I used it for a while with 8 open ports, to have some extras as spare.)

IAX2 telephony use only one UDP port. From hot spots I am using UDP port 53, as this port is often open.

Arne.

[raem]

arne

When the specification for the optimised firewall is known, then this can be implemented into the template system......I think that the job of implementing a more flexible firewall soulution into the template system can be done, but I believe that this will be a very difficult project, if it can not be divided into smaller step by steb sub projects.

The concept of breaking down the project into smaller steps has been suggested previously.
It's good to see you talking of integrating your work into sme server using the templating system.

The place to do further development work is in bugzilla, please open a new bug, upload your code & test instructions, and call for assistance to implement it via templates.
Then add a link in this thread to the bug number.

[arne]

slords ->

If your proposal is to disable the existing firewall and run your script then your proposal will meet with a lot of flames.  You need to take into consideration the database entries and template way of doing things or your proposal will never be accepted.

Firewalls are only as secure as the person running/designing them.  SME be default doesn't enable any ports.  EVERYTHING is closed.  What happens is different base packages are added on top of the firewall that open ports that they need to function.  If you don't want a port open then disable the service or change its visibility to internal.  For most common services this also includes a web panel to enable/disable and signal the correct events.  Most of the time there is more involved in closing down a service then just disallowing traffic to it.

Arne, you have been told over and over to go ahead and do your thing.  You have also been told to read the dev handbook and look at doing things the sme way.  Unless your script has changed quite a bit from the ones I've seen then it doesn't take into account anything but what you think should be on the box.  If I'm not running a VoIP server are you still going to open up the port for a VoIP server, including huge ranges of UDP ports?

Well please take into consideration that there is a regular and correct way of closing down the existing firewall that is actually described in the official SME documentation wiki.

It it a problem that if you just flush out the existing firewall and replacing it with a new when the automated firewall is running this will lead to unwanted sideeffects. If you are doing it according to the procedure in the wiki there is not such unwanted sideeffects. (As far as I have been able to test out until now.)

The sme server runns perfectly well with the 3 NIC solution. During the years I have allways needed to have two different gateways, one SME server on regular basis, and one extra spare gateway to temporarely replace the SME server when I needed to do firewall arrangements that the SME server were not able to to. Finally in the end this is not neccessary any more and my SME server is now capable of doing any thing I need related to firewalling.

To do the job, I needed only one line of information from this board as I first didn't find it in the wiki. I got this single line of information mixed up with an unbelivable amounts of so called flames.

As things actually apear to be working, it should not be a to difficult process to implement some improvements into the existing template system.

Technically it should be possible to do it in the SME way.

Improvements og the firewall side and a 3'NIC soulution has been requested many times on this forum. It is a sad thing that it is not possible to post a howto or to make some discussions on that, as long as there is not neccessary to use anything else than standard documented procedures.

[byte]

It is a sad thing that it is not possible to post a howto or to make some discussions on that, as long as there is not neccessary to use anything else than standard documented procedures.

It's not sad as you've been asked quite a few times to post a NFR with your work attached so a core dev can have a look and see exactly what you've done and whether it would be good to include in to the base or if it needs abit/alot of extra work.

[arne]

The most active flamer as the job were done was a signature "byte".   

I am just now tired of flaming and negative feedbacks, just because making things working bether.

Case closed. 

 

[byte]

[..]just because making things working bether.

I never saw you do anything to make things work better.

Case closed. 

OK, no problem 

[arne]

I never saw you do anything to make things work better.

At least one thing to agree about. 

[arne]

byte ->

Could you help this person ? http://forums.contribs.org/index.php?topic=39303

[byte]

Could you help this person ? http://forums.contribs.org/index.php?topic=39303

Sure either you/"person" pay me as a consultant then I could assist.

[okepc]

Byte do you enjoy being rude?

Regards

Dirk

[Stefano]

Byte do you enjoy being rude?

Regards

Dirk

Hi..
IMVHO byte is not rude..

Arne isn't able to understand that yes, SME is linux, but it's a highly customized linux distribution.. so the only way to achieve results is sme's one: templates, dbs etc..

I agree with byte, slords, RayMitchell: Arne has been asked more and more times to modify his filewall script to be templated.. but the only thing he seems to do is barking about "open source, flush sme's firewall rules ecc"

My 2c

Stefano

[arne]

Not copletely right. There was actually some issues at the time I did flush out and replace the sme firewall.

After I found out how to close down the sme server firewall the right and proper way, as described in the SME server documentation, and applying a new firewall without breaking any of those rules mentioned in the documentation, everything seams to be working quite nice, and with no configuration restrictions or any problems, for the 2 port gateway, and for the 3 port gateway.

The thing is that the existing SME firewall configuration setup was, as far as I know, developed for the Linux 2.x kernel that needed a quite different kind of configuration. I beleive that some of the firewall configuration system of the SME server could be redesigned a bit, and simplified a bit, to use som of the benefits that is possible to obtain from newer kernel designs.

My personal point of view is that the firewall setup and firewall configuration should be kept into the template system, but still redisigned a bit to obtain a bether degre of modularity between the server functions and the firewalling functions. I think that the firewall configuration part of the template system should be a more independent part of the tempate system to open up for a more flexible way of handeling the firewall situation. To be able to run a 3'rd secure WLAN zone is, I think rather usable.

My personal point of view is also that to be able to come up with some suggestion what to implement and what not to implement, it is quite usable to run a free and no restricted firewalling configuration system for a while, to see how things will work as a whole and to pick up some ideas about what is usable or not. Without such an experience and such a test period it is difficult to come up with any reasonable suggestions.

Also I think that that it could be possible to implement some quite usable functions in the existing template system based on only minor modifications.

If someone claims that I do not understand the template system, it is copletely true. I does understand some of it but only some part of the upper surface, and I can do some testing to see if things works or fail.  On the other side I think this is also a basic idea about a modular consept, it could be possible to work on some part of the system without understanding, or thinking about all of it, all the time. (And I think this is also exactely what the newer generations of Linux kernels open up for, there don't need to be a tight integration between the server configuration system and the firewall configuration system any more.)

By the way, I am very pleased with my new 3 NIC SME Server gateway. It is the best Linux distro I have tried ever. It used to be a problem for me that the automated firewall config system could not do what I wanted or/and needed, but this was now the situation of yesterday.  

Considered how things worked out I'm just happy for the flaming, but if the basic SME distro were upgraded to keep track on spesialized firewall distroes like the Smoothwall, I would be even more happy. Actually I think it could be like that.   

[Stefano]

but if the basic SME distro were upgraded to keep track on spesialized firewall distroes like the Smoothwall, I would be even more happy. Actually I think it could be like that.   

IMHO you are wrong: one of the basic security rules says that a firewall is (and must be) only a firewall.. no users, no passwords, no data.. nothing.. if someone breaks your firewall he has everything in his hands.

I repeat.. sme is a great product, but it's not a firewall.. if you need a real firewall, there's a plenty of them out there..

my favourite is m0n0wall.. everything runs in ram.. no way to break in AND stay in.

ciao
Stefano