Koozali.org: home of the SME Server

Will SME work for this problem.

p-jones
Re: Will SME work for this problem.
« Reply #15 on: December 29, 2008, 09:23:49 AM »
Sal

What inputs does the MF device have? Some multifunction devices are capable of being networked by an inbuilt NIC and a USB JetDirect type device. Is this device one of those? Is it possible the device could then be multi-homed?

Then, as suggested by another contributor, email scans back via one or other of the SMTP servers?

...

arne
Re: Will SME work for this problem.
« Reply #16 on: December 29, 2008, 12:51:32 PM »
But why should connecting two networks using a multifunction device give any security at all?

What control would you have to check out how the multifunction device would be leaking or routing between the networks?

Why shouldn't these problems be better and more securely maintained via the Linux kernel and netfilter firewall than anything else?

Of course this question and most other questions of firewalling could have been solved, if there were a free and open atmosphere for discussing such problems.

As I see it, there is a good starting point for discussing or thinking about firewalling and security at all. This is the content of these two books:

1. Hacking Exposed, we are waiting for the next revision:
http://www.amazon.com/Hacking-Exposed-Sixth-SecretsAnd-Solutions/dp/0071613749/ref=sr_1_1?ie=UTF8&s=books&qid=1230548397&sr=1-1
2. Linux Firewalls, second or third edition:
http://www.amazon.com/Linux-Firewalls-3rd-Novell-Press/dp/0672327716/ref=sr_1_2?ie=UTF8&s=books&qid=1230548512&sr=1-2

When these two books and the contained examples are passed, then you are at level zero: you know absolutely nothing about firewalls or network security, but you have got a beginning reference, a starting point where it is possible to start discussing and learning something.

From such an attitude, arguments should be made with reference to literature or other similar sources and not in the form of flaming.

If argumentation were done with reference to literature, and not as flaming, the problem in this thread could have been solved, and practically all other questions related to firewalling could have been solved as well.

So the practical answer to the original poster would be something like: Yes, with reference to the literature on network security and Linux firewalling that there is, this problem can be solved, one way or the other. But on the other hand, flaming will normally start long before anyone mentions anything about literature or any other background references. Because of this the problem cannot be solved.

It is almost a funny situation how technically solvable problems cannot be solved in an open source community because of the lack of freedom of free information.

If discussions can be had and if references can be used, the problem can be solved.

By the way, now that I remember it: while doing the little research on how to customize the SME server firewall, I also found some of the original documentation for e-smith, issue year approx. 2001, I think. These documents actually explained how to do major firewall revisions without breaking the SME server "design rules". I have tested this information, and things still work as described in this documentation.

To do such designs or modifications would require that it was fully legal to refer to these documents and the network security literature that is on the market.

There is, on the other hand, a strong argument against letting the "users" do their own free firewall design (from the method as described in the e-smith document from 2001), and that is that some of these designs will for sure not be done correctly. In the beginning, actually, most designs will be done incorrectly, until some practice has been obtained. In this way there might occur a lot of incorrectly reported "server faults" that actually are firewall faults.

In some way a "do your firewalls as you like" attitude would make the development work more difficult for the SME developers, because there would be a lot of "noise" and incorrect reporting. Incorrect firewall configuration might also lead to an incorrect belief that the server itself is not secure enough.

On the other hand, if 1 percent of those ideas and solutions that could be developed could be implemented in the "all automatic SME server", it might still be a good idea.

Basically there does not exist a single thing that the Netfilter firewall can do that the SME server technically cannot do better. (Because it contains more software than just the kernel.)

"Alternative firewall design" for the SME server could be a theme with almost no limitations at all, if it just were allowed to discuss freely and without the flaming.

This is actually not a question of "technology" but of "policy".

By the way, I am quite happy with the development work that is done with the new SME server revision, so if those developers would not like to see a too free discussion about firewalling, it is really not a problem for me, as I now can do the firewalling functions I want, and as I like them to work. Because of the negative impact I can see that it might have on the "project", I will not publish anything without permission.

Technology sometimes says "yes" while policy says "no".

I think I will send a few words to Mr Bill Gates and ask him to make a few firewall revisions, just for me :-)
« Last Edit: December 29, 2008, 12:55:37 PM by arne »

arne
Re: Will SME work for this problem.
« Reply #17 on: December 29, 2008, 01:36:26 PM »
By the way..

If some hypothetical future change in "product policy" meant anyone were free to make their own firewall designs, let's say there were a few wikis on this theme, there would also be required some other section: "How to make security revisions of your network, and how to see if your firewalls actually do what they should do."

In some way this breaks with the basic product philosophy of the "automated smart box that does it all" towards a more "network oriented approach".

Personally I think this is a good idea as the world and the technology are changing.

That's the reason I also made and sent in as a proposal a configuration tool that should give the SME server the option of running not only as server-gateway or server-only but also with other preconfigured options like "local network server only" and "internet server only". In this way the SME server could act not only as "the old e-smith" but also as a more "general building block" for virtualization and network purposes.

Let's say as an example: the network or the virtual server park "needs" just another file server. You then just install the SME server and run the Samba server optimization script, and you will have an optimized SME Samba server that does its job from, let's say, 64 Mb of RAM.

One other example: the network or the virtual server park "needs" just another web server. Then you install the SME server and run the script that makes it optimized as a web server, with a hardened firewall layout and a closed down Samba server.

I have done and tested all those variants, and they work quite well.

A bit off-topic to the original question, but still connected.

With the freedom of doing the requested firewall modification asked for in this thread, and doing and discussing other modifications as well, there could be available a lot of interesting alternatives, where some of them might be interesting for the "official SME server release".
« Last Edit: December 29, 2008, 01:47:57 PM by arne »

cactus
Re: Will SME work for this problem.
« Reply #18 on: December 29, 2008, 03:53:46 PM »
A bit off-topic to the original question, but still connected.
Arne, please, if you really want to discuss stuff like this, do it where your issues are supposed to be posted (you have been told to post them to the bugtracker or devinfo list more than once). Please refrain from ventilating wishes and desires in threads that are not your own or have a different subject; even though you might have the opinion you are mildly off-topic, I think this is of no interest to the OP and is not in the line of answers he intended to receive.
« Last Edit: December 29, 2008, 04:14:21 PM by cactus »