Topic: SME as Internet Server Only

[dhalliday]

I would like to deploy SMESERVER as internet servers only. That is without a local network only the network on the Gateway side active.

Is there a HowTo to get this to work correctly with only one NIC in an internet application. In the past I have resorted to adding a second NIC with a fake local network that is never using it but this is not possible for most hosting providers. (It also seems wrong to have services such as SAMBA running that would never actually be used).

Thanks,

Dave.

[guest22]

Probably this is what you want on SME9


http://bugs.contribs.org/show_bug.cgi?id=7200


But it has not been designed for SME9 and the way SME9 handles networking is also different. Maybe I'll give it another go on SME9

Disabling services can be easily done via db commands. e.g. 'config setprop smb status disabled'.

guest

[mab974]

hi,

I am also interested in this topic. I have a server working this way on SME8 and upgrade to SME9 should be considered these days.
I hope that this solution will persist.

Regards.

[Stefano]

the only way to achieve it, ATM, is to setup SME as server only, set its IP as public and disable useless services via db commands (remember to reboot the server after that)

please be aware that some services can't be shut down (dns for example) and so they are reacheble form the "private" lan.. for example, let's say your IP is 11.22.33.44/24, your dns service will be reachable from every IP of that subnet.

you could modify, via template, services' behaviour to make them listen on localhost only.. I remember I tried some time ago, but I didn't spend much time and I didn't get anything usefull

IIRC there's a NFR about it

[dhalliday]

The big problem I see with going Server only on the internet is that the firewall rules will be wrong, this will leave the server much less secure.

Dave.

[guest22]

The big problem I see with going Server only on the internet is that the firewall rules will be wrong, this will leave the server much less secure.

Hence the "1 NIC" patch for SME8 which allow SME Server to run in Server-Gateway mode and thus respecting the firewall rules.


If more people respond to this thread, I will consider adapting it for SME9, and hopefully it will be incorporated into the core one day. The cloud and hosting is a big thingy, where providers expect you to implement your own security.


guest

[dhalliday]

Correct, but it is a patch and very hard to install on things like Virtual Private Servers etc. What is really needed is a third true mode "Internet Server" that is designed to install for a single internet facing interface.

To this end. Is there a definitive list of the differences between Server Only and Server and Gateway mode? It has been a very long time since I actively looked at any of the code in SMEServer (back when it was esmith).

Dave.

[guest22]

Correct, but it is a patch and very hard to install on things like Virtual Private Servers etc. What is really needed is a third true mode "Internet Server" that is designed to install for a single internet facing interface.

It is exactly what the patch does, adding an extra "internet server" mode, and for that exact reason. It installs just fine as long as you install SME Server in "server only mode" and then patch and reconfigure.


guest

[johnp]

Just wanted to reply in hopes that HF does consider adopting this for V9. I think it would be a benefit to the community.