Koozali.org: home of the SME Server

Configuring Firewall

Offline sdpiowa

Configuring Firewall
« on: April 02, 2009, 10:03:41 PM »
Sorry, I just started using SME server recently, so this may be a ridiculous question.

Is there a way to incorporate a firewall into the server manager?  I want to have more control of the firewall system, but I really don't want to do it from a command-line interface.

Offline Stefano

Re: Configuring Firewall
« Reply #1 on: April 02, 2009, 10:32:47 PM »
sdpiowa:

in short: no, you can't

but you could:
- tell us what you are trying to achieve
- use the 'search' link above as your question has been posted many times
- read carefully the documentation ;-)

if you need a more configurable firewall you should use a different distro.

ciao
Stefano

Offline sdpiowa

Re: Configuring Firewall
« Reply #2 on: April 02, 2009, 10:36:54 PM »
Sorry, I forgot to search until AFTER I posted.

This is a home server, but I want to get a solid Linux firewall so we don't have to invest in a hardware firewall.

Offline Stefano

Re: Configuring Firewall
« Reply #3 on: April 02, 2009, 10:39:39 PM »
you already have a strong firewall...

I repeat: what are you trying to do? why do you need a firewall panel? what do you need to configure?

ciao
Stefano

Offline sdpiowa

Re: Configuring Firewall
« Reply #4 on: April 02, 2009, 10:44:35 PM »
Well, I guess I didn't know if there was a strong firewall built in.  I'm just thinking that if I need to open a port or something, it would be rather hefty to do it from the command line.  I didn't know if there is a plug-in to add a button to the server manager or not.

Also, does the firewall use SPI?  Does the server scan for viruses on incoming content?

Offline Stefano

Re: Configuring Firewall
« Reply #5 on: April 02, 2009, 10:50:36 PM »
Quote
Well, I guess I didn't know if there was a strong firewall built in.  I'm just thinking that if I need to open a port or something, it would be rather hefty to do it from the command line. 

well... I think you have to read the documentation, now! ;-)

ciao
Stefano

Offline arne

Re: Configuring Firewall
« Reply #6 on: April 03, 2009, 12:41:57 AM »
The SME server has basically a built-in, all automatically configured, rather strong firewall arrangement when running in gateway mode. It now also has this firewall enabled when running in server mode, but then with a security level adapted to a LAN environment.

The firewall of the SME server is basically the Netfilter firewall of the Linux kernel.

As an addition to the automated firewall configuration system of the SME server it is also possible to modify the firewall behaviour using a set of SME server specific commands. The SME server documentation contains more and deeper information on this subject. (Normally and for everyday use the built in automated firewall configuration tools will do a good enough job.)

Technically it is also possible to do a "manual iptables configuration", but this can normally not be recommended as such a "manual configuration" for practical reasons will require a rather deep knowledge of the Linux kernel firewalling to maintain security on an acceptable level. It is more difficult to do such a "manual firewall configuration" on a SME server, than on a standard Linux distro like CentOS or Ubuntu.

If the preferred choice is an "all automatic firewall system" the SME server has this as built in, and it is possible, but normally not required, to use a set of SME server specific shell commands to do a "finer" configuration than the automated tools can do.

If the choice and the target is to learn Netfilter firewall and iptables configuration tools ("standard Linux firewalling") then it will be a better choice to switch over to a standard Linux distro like CentOS or Ubuntu.

http://wiki.contribs.org/SME_Server:Documentation:FAQ#Firewall

By the way "virus scanning" is not a part of Linux firewalling on a kernel and packet level. The SME server is capable of scanning mail for viruses. The Squid proxy is not capable of maintaining virus scanning on web traffic, as configured on the SME server. (But technically, on a standard Linux distro this can be done.)


 
« Last Edit: April 03, 2009, 12:55:18 AM by arne »
......

Offline sdpiowa

Re: Configuring Firewall
« Reply #7 on: April 03, 2009, 02:30:17 AM »
Thanks, that helps.  So there is no way to configure SME server to scan incoming information for viruses?  Can you scan incoming webmail for viruses (that's mostly what we use)?

Offline David Harper

Re: Configuring Firewall
« Reply #8 on: April 03, 2009, 03:49:36 AM »
Dansguardian can do incoming virus scans on Internet traffic.

Offline sdpiowa

Re: Configuring Firewall
« Reply #9 on: April 03, 2009, 04:02:18 AM »
OK.  Thank you all for your help.  I think I have an idea of what I need to do.
« Last Edit: April 03, 2009, 04:07:08 AM by sdpiowa »

Offline janet

Re: Configuring Firewall
« Reply #10 on: April 03, 2009, 05:07:36 AM »
sdpiowa

Quote
  So there is no way to configure SME server to scan incoming information for viruses?  Can you scan incoming webmail for viruses (that's mostly what we use)?

You need to be more precise about what "information" you want scanned.

sme does have very comprehensive virus scanning, spam filtering and executable content blocking of incoming email, as well as rejecting email from spam sources using RBL lists.
None of this is enabled in a default install of sme, but it is a simple matter to enable using the server manager Email panel without needing to use the command line.

As far as Internet browsing activity is concerned, ie by users on the local network behind the sme server which use sme as the web proxy server, then Dansguardian can do automatic scanning of content/downloads (if configured that way), as well as block access to web sites that are "undesirable". Dansguardian is an add on contrib, but easily installed. Squidguard is also a popularly used alternative to block web sites, but I think Dansguardian does a better job, and does everything that Squidguard does anyway plus more.

A good modern browser like Firefox will also scan file downloads at the workstation level.

As far as the firewall is concerned, sme has a very good one, but does not present the inner workings directly to the administrator. Ports are opened/closed as various services are selected/enabled in server manager eg if you enable public ssh access then the appropriate port eg 22 (or whichever you nominate for ssh) is opened in the firewall.
Same for many of the other services setup in server manager, they tweak the firewall as necessary. This removes the possibility of misconfiguring the firewall and having a server that is a security risk (when incorrectly configured by an inexperienced admin).

You can do some manual fine tuning to the firewall using db commands for specific functionality that has been coded into the base eg allow or deny access from specific hosts to specific services etc. See
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Firewall

Further than that you have just about unlimited control of the firewall if you create your own custom templates for masq. This will require command line use. See the developers documentation
http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual

There is a port opening and forwarding panel in server manager that allows you to open ports (and forward them eg to the sme server or to other servers behind sme), using a GUI interface. You only need to use this panel for ports/services not already controlled/configured by other existing server manager panels/settings or db commands. This panel takes care of many of the non standard configuration requirements re opening ports that you might need to do in a more complex network.


You really do need to read the documentation as much of the above would have been answered if you had done so. See the Manuals and the FAQ and various Contrib wiki pages, linked at the top of these forums. Also read the Howto wiki pages using this link
http://wiki.contribs.org/Category:Howto

The starting point for sme is here:
http://wiki.contribs.org/Main_Page

If you do read up and learn the "sme way", you will become impressed with what sme can do, and I think most of your concerns so far mentioned will all be met/answered.

sme won't do some advanced functionality that other specific "firewall only" releases can do, but if you really do need that sort of advanced functionality then you will be better off using a specialised firewall.
« Last Edit: April 03, 2009, 05:16:46 AM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline arne

Re: Configuring Firewall
« Reply #11 on: April 03, 2009, 01:32:39 PM »
mary or anyone ->

I did not know that there exists some reasonably simple way to establish web content virus control via Dansguardian/ClamAV antivirus via the existing contribs and documentation system, but this now actually seems to be the case.

http://wiki.contribs.org/Dansguardian#ClamAV_support

This is, I think, quite interesting, as it should open the opportunity to use the SME server as an "all included" security device maintaining both traditional packet filtering and data stream (http) virus inspection.

Have any of the readers of this thread tested this solution, and is there some interesting feedback about this theme?

One other detail is that the https data stream still will go through uninspected as it is encrypted, and I guess such a realtime data stream virus inspection will require a rather powerful processor and some RAM. (Packet inspection usually requires rather little processing power, while a http data stream inspection will require quite a lot of processor power to avoid the traffic being slowed down; it's a bit more work to do.)

I'm curious if anyone has tested such a realtime data stream virus inspection with the SME server and if there is some feedback. (It should be quite interesting to test out. I have tested with other devices but not with the SME server.)
......

Offline sdpiowa

Re: Configuring Firewall
« Reply #12 on: April 03, 2009, 01:39:54 PM »
So if I install DansGuardian, I have to set all the computers up to use it as a proxy, correct?  One of the main things I'm installing SME Server for is to protect us from viruses and to filter incoming internet.  I'm really wanting to make sure that Conficker doesn't get installed.  If Conficker, for instance, were to get on the machine, would it also be forced to go through the proxy?

I'm running the system on a computer with a 1.4 GHz processor and 256 MB of RAM (I think).  Would that be enough for this system?  I know that it meets the basic requirements, but I don't know if it can handle all of this all the time.

Offline Stefano

Re: Configuring Firewall
« Reply #13 on: April 03, 2009, 02:14:16 PM »
Quote
I'm running the system on a computer with a 1.4 GHz processor and 256 MB of RAM (I think).  Would that be enough for this system?  I know that it meets the basic requirements, but I don't know if it can handle all of this all the time.

I strongly advise you to upgrade at least to 512 MB of RAM

Ciao
Stefano

Offline sdpiowa

Re: Configuring Firewall
« Reply #14 on: April 03, 2009, 02:16:05 PM »
OK.  It's a spare computer, so I'm sure I have extra RAM somewhere...