Topic: How to template modify the masq file correctly?

[compsos]

Hi
We have been trying to make openvpn link site to site but only been able to ping the internal IP of the remote server. The IPTABLES have been enforcing a denylog against the communications.

The masq file does not appear to have been templated so when we add a new template-custom masq entry and then expand-template the entry goes into the active file before the deny entries.

Would the config set <servicename> service AllowHosts remoteNetworkIP/24 do what we are trying to achieve? Would this modify the IPTABLES and allow network to network comms?

TIA

[mmccarn]

You might get what you want simply by adding the remote network to your "Local Networks" - this basically opens all services to access from the new "local network".

Otherwise, yes, you should be able to allow access service-by-service using

Code: [Select]

config setprop <service> AllowHosts a.b.c.0/0
config setprop <service> access public
signal-event remoteaccess-update[/tt].

Note that after running these commands, the selected service will be available [i]only[/i] to your 'Local Network' and to the IP addresses specified in 'AllowHosts'.

[compsos]

Thanks mmccarn

We had already tried that but it seems the panel will not add the network until it can "see" it fully. Also tried adding it from the command line signal-event network-create remoteip etc. The result did appear in the panel as a local network but the IPTABLES still denied access.

We have manually moved the lines in the masq file to below the deny lines and the system works as expected

[mmccarn]

I see what you mean about the panel - the router address specified must be accessible from your SME server. 

For a SME-to-SME VPN, you would use the LAN IP of your SME as the 'router'.

[compsos]

We have found a solution "of sorts" but it does not explain why the masq file is different or why this solution appears to have worked. Let me explain

• The masq file is in /etc/rc.d/init.d but has no template breakup
• There is a db entry for it which does not list Ports or Hosts
• It seems the system passes the configuration file and pulls Ports and Hosts entries from other "service" entries in the DB
• Putting, in our case a AllowHosts,  an entry in the openvpn section made no difference
• Doing a template as /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowOpenVPN, did not work as it entered the masq file before "deny" entries.
• Changing the template to 40AllowOpenVPN did work

So the question basically is
How do you determine the number required to cause the entry to be in the "right" part of the target file? Other conf files are templated, as standard, so it just a matter of sequence.
Or is this a bug that the AllowHosts entry should have worked and is the correct method of entry for now and into the future?

Just as a note the LocalNetwork panel will still not allow the entry of the remote network via the tunnel interfaces even though we have a working tunnel.

Any comments appreciated.

[CharlieBrady]

The masq file does not appear to have been templated  ...

/etc/rc.d/init.d/masq *is* templated.

The best place to ask for development advise is the devinfo mailing list.

[cactus]

/etc/rc.d/init.d/masq *is* templated.

Yep, and to save you some seaching, templates are located in the obvious location: /etc/e-smith/templates/etc/rc.d/init.d/masq/

[compsos]

Apologies, 2 of us completely missed the location.

Should these type of changes be done via templates or db entries?

[cactus]

Apologies, 2 of us completely missed the location.

Should these type of changes be done via templates or db entries?

If you can find a database entry in the template fragments use the database entry as that is the easiest solution, if that will not be applicable you will have to resort to custom templates.

[arne]

I have been doing modifications and customization of sme server firewalls for some years, and my experience from now, is that the SME server firewall can do and will be capable of doing all kind of firewalling and firewall modifications that the Linux kernel is capable of including also, of cource VPN arrangements, as required.

During the years I have changed and used different ways of doing these modifications.

One comman factor up trogh the years have been that giving advices or asking questions about how to make firewall solutions often leads to "no answer at all" or heated discussions with flaming, etc.

During the early ears I certainly did "brake the rules" by simply flushing out the template generated firewall configuration and applying a new firewall configuration, to be able to focus on the firewall side of the problem, and because I did not know the SME server well enough to do it in any other way.

Today I do not brake the rules any more technically, as they are described in the original e-smith design documents. Actually I use some the original e-smith design documents as basis for how I does the firewall modifications today. This will mean that the firewall modifications is done via the template system.

Even though the way I does the firewall modifications might be correct enough according to the original e-smith design documents, it still might not be considered to be "ideological correct" for the sme server of today. (As it open up for the option that the local administrator can take the full controll of the firewall behaviour and apply any kind of modifications, including bridge mode firewalling, more than two network adapters, impementation of wireless cards and wireless card firewalling, all kind of VPN arrangements, etc, etc.)

There are arguments, I think, why local administrators should not have such a freedom. One of them is that such a "full control" og the firewall nessesarely will lead to a situation where a number of SME servers will be incorrectely configured so that an adequate security level is lost. One other argument is that incorrect configured firewall often will lead to a incorrect believe that it is something wrong with the server configurations, so there will be a number of "false positive" bug reports, where the real bug is only an incorrect firewall modification.

So the situation is that anything that can be done without any "limitation" and with the full freedom can also be done wrong. With a firewall this will often be "bad".

If there is an agreement that it is ok to inform how to do firewall modifications with the full freedom and within the framework of the template system, and as discribed in the original e-smith documentation, I think I can mention it.

If the negative sides of such information is considered to be greater than the positive, I can also keep this information for myself.

As I in the end managed to get out the information I neded to do any kind of firewall modification I need, using the template system, and the automated configuration system, I don't need any more discussion on this subject for my own part.

There is on the other side a lot of new things that could be done, if it were a free and open discussion on this item, without any bad or negative feelings or emotions.

Such a discussion would lead to a situation where the sme server can do anything on "the firewall side" that the Linux kernel can do, while also it will lead to a situation where a nuber of sme servers might be incorrect configured, while local administrators are learning Linux firewalling the hard way, while some sme servers might be hacked due to reduced and even destroyed security.

I think that there is some good arguments not to have such a free and open discussion, and to keep the secret "how to take the full control over the firewall via the template system" as it is "a secret from the old e-smith days".

I simply don't know.

One thing that also is fore sure is that doing the modifications only as described in this tread, above, will lead to some situations with "no solution at all", while the solution actually and technically, easy could have been there. So will also the option of destroying the security of each of the sme server installations. That is the small dillemma.

So when administratior of this board are flaming or locking out such information, they actually have good reasons, but it is more easy to just say: "Don't post it."

Can any firewall modification be rather easily done, including any VPN adaption and configuration ? Yes and no, that depends on a number of factors.

On the other side it is a bit strange to se a firewall question that could easy be solved staying there as unsolved, because information can not be given, in an open source forum.


 

[cactus]

Arne, please, do not hijack topics on firewalls with you statements, time and time again. This is not the first time you are doing so, stop it.

Please stop your remarks on the mentality in the forums as, you are to blame for it mostly, as you seem to be unwilling to comply with the modus operandus of this community. You are free to dicuss your issues but you have been told over and over again what you should do with your information and where you c/should write it down. None of those will have mentioned  a forum thread of another user who is asking how to modify the masq template files.

Keep in mind that SME Server is not designed to be a system geared towards firewalling, like for instance Smotthwall and the like. Although it has a firewall inside and although it is based on linux, it is meant as a open source small businness server replacement.

Your post does not make any reference to this subject and is therefore considered off-topic. Please get back on this topic or open your won thread to do discussion on the pros and cons off sharing your experiences and knowledge on firewall related matter.

[arne]

Actually there should be no discussion needed as most unsolved firewall discussions in this forum should have a rateher easy solution.

The method described in the original e-smith document is to make a masq custom template for the firewall, as a text file, on one level up relative to the exsisting template fragments.

Technically this will make this new "custom master template" to take precidence over all existing firewall fragments so that the local administrator can do a completely new firewall design, inside the framework of the cunstom template system, but still with the freedom of designing a completely new firewall.

In this way VPN problem and all other firewalling questions can be solved within the framework of the netfilter firewall and iptables configuration tolls and only restricted by this, like amy other Linux distro, but anyhow still within the framwork of the custom template system.

This was not a hijack but an answer to the original question. The answer was to design a completely new firewall script as a custom template on a position one level up relative to the exsiting masq template fragments.

I guess it should be here:

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq

The reason that I did not post this solution for a while was that I was afraid that this freedom of a "free firewall design" could make problems for the developers.

Of cource you will need to know how to make a completely new firewall configuration, but this can be done equally at the SME server as any other Linux distro, and it can be done within the framework of the custom template system.

[janet]

arne

I am pleased to hear that you have become familiar with the templating system and that you have apparently created code that "conforms" to the sme server templating system.

Improvements to sme and code that adds versatility to the "firewall" will be of interest to many users and to core developers.
Please open a bug report detailing your changes and code.
This has been asked of you many times, yet you still do not do so.
If you really wish to contribute to the sme server development, then please do so via a bug report.

The merits of your proposals and review of your code are best discussed in the bug report.

[compsos]

Thank you all for the responses.

Perhaps I should explain why we asked the question. There are a few contribs that work on linking outside users back to the LAN. We needed to link 2 LANS together and decided on the OpenVPN Site to Site Howto (routing rather than bridging). Other users have reported that it was working for them but we could only ping the internal IP each way and nothing else. So what had we done wrong? So when we found the deny entries we started to ask how is the what is best way to overcome the issue. We even tried the version of IPSEC and it failed I think for the same reasons. They had a 15AllowIPSEC template. So I guess we are not alone in trying to handle the IPTABLES correctly. Currently the modification we have done lies in the 40 to 45 range any earlier or later fails.

We did post here, rather than contribs, as it would seem to be a misunderstanding of how to handle the masq file rather than the actual contrib itself. I will take it back to the author and see if they want to update the Howto etc. In the end we are only looking for solutions to requirements for SME.
Thank you again for all the comments.