Koozali.org: home of the SME Server

e-smith 4 firewall abilities

J-L Boers

e-smith 4 firewall abilities
« on: November 26, 2000, 09:44:12 AM »
I recently configured an e-smith 4 box and love the way it does its job. I'll be receiving a static IP shortly and will be bringing the e-smith box online as my web/ftp/pop/webmail box to the outside world. I have read the manuals and forums here and really have not found a clear answer as to how secure e-smith is. They don't advertise e-smith as a firewall either. I know this.

Here's what I have:

DSL - (static IP)---- e-smith  with NAT/DHCP --------10/100 switch ---------local lan of 8 boxes.

Everything seems to be working well. Do I need to add some sort of firewall between the e-smith and the dsl modem? Or can I just add a firewall script such as PMFirewall and continue to use the e-smith as is? What are *YOU* using out there in the real world?

J-L Boers
jl@boers.cc

Charlie Brady

RE: e-smith 4 firewall abilities
« Reply #1 on: November 26, 2000, 11:21:30 AM »
J-L Boers wrote:

>  Do I need to add some sort
> of firewall between the e-smith and the dsl modem?

That will be for you to decide, once you gather as much relevant information as you can.

> Or can I
> just add a firewall script such as PMFirewall and continue to
> use the e-smith as is?

I have a packet filtering add-on RPM which is based on PMFirewall, but "plays nicely" with the e-smith software, and will install without requiring any additional configuration. Adding a packet filtering firewall does not *necessarily* add any extra security - it will, however, add more "security in depth" - for instance, it will prevent any access at all to the services such as telnet or POP which already are protected by the TCP wrappers daemon.

Regards

Charlie

Dan Brown

RE: e-smith 4 firewall abilities
« Reply #2 on: November 26, 2000, 08:28:53 PM »
My understanding is that the reason e-smith isn't advertised as a firewall is because the makers feel that a firewall inherently should be a separate box.  IP Masqing, though, is inherently pretty secure for the internal computers--there shouldn't be any way to access them from outside at all, unless you mess with the e-smith setup to do things like port forwarding.  As far as the e-smith box itself, it seems pretty secure.  Just for kicks, I ran SAINT against it (at the highest level), and the worst vulnerability it found was that the POP daemon sends passwords in clear text.  Far from a comprehensive security probe, I'm sure, but that's one data point for you.
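
As an added illustration (not code from this thread, and not e-smith's own code), the Python below models the two points made above: Charlie Brady's "security in depth" of a packet filter sitting in front of the TCP wrappers daemon, and Dan Brown's observation that IP masquerading keeps internal machines unreachable unless you add port forwarding. Everything in it is constructed: the addresses (203.0.113.10 for the gateway's static IP, 198.51.100.x for outside hosts, 192.168.1.x for the LAN), the daemon names, the hosts.allow/hosts.deny policy, and the public port list taken from the original poster's plan (web, ftp, smtp, pop). The masquerading table and the wrappers lookup are simplified models, not the kernel's or tcpd's real logic.

```python
# Constructed model of two protections discussed in this thread (not e-smith code):
#  1. IP masquerading: a LAN host is reachable from outside only through a
#     mapping the gateway itself created (a reply to an outbound connection)
#     or an explicit port forward the administrator configured.
#  2. Defence in depth on the gateway: the packet filter on the external
#     interface is consulted before TCP wrappers (hosts.allow / hosts.deny),
#     so telnet from outside is stopped even if the wrapper rules are wrong.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class MasqGateway:
    """Stateful masquerading table, simplified: one mapping per LAN connection."""

    def __init__(self, public_ip, lan_prefix="192.168.1."):
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        self.next_port = 61000   # first masqueraded source port (constructed)
        self.table = {}          # public port -> (lan ip, lan port, remote ip, remote port)
        self.forwards = {}       # public port -> (lan ip, lan port); explicit port forwards

    def outbound(self, pkt):
        """Rewrite a LAN-originated packet so it appears to come from the gateway."""
        if not pkt.src.startswith(self.lan_prefix):
            raise ValueError("outbound() expects a LAN source address")
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet arriving on the public address: return it as delivered to a
        LAN host, or None when no mapping exists (it terminates at the gateway)."""
        entry = self.table.get(pkt.dport)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # Only the peer the LAN host actually talked to may use the mapping.
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        if pkt.dport in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        return None


# Services the poster plans to expose (ftp, smtp, web, pop): the packet filter on
# the external interface admits only these destination ports. Constructed list.
PUBLIC_PORTS = {21, 25, 80, 110}

# Simplified TCP wrappers policy keyed by daemon name (hypothetical values):
# telnet only from the LAN, POP from anywhere, everything else denied.
HOSTS_ALLOW = {"in.telnetd": ["192.168.1."], "ipop3d": ["ALL"]}
HOSTS_DENY = {"ALL": ["ALL"]}
WRAPPED_SERVICES = {23: "in.telnetd", 110: "ipop3d"}   # daemons started via tcpd


def packet_filter(pkt, from_external):
    """Layer 1: only allow-listed ports are admitted from the outside."""
    return (not from_external) or pkt.dport in PUBLIC_PORTS


def wrappers_allow(service, client_ip):
    """Layer 2, in TCP wrappers order: first match in hosts.allow grants, then
    first match in hosts.deny refuses, otherwise access is granted.
    A pattern ending in '.' matches any address with that prefix."""
    def matches(patterns):
        return any(p == "ALL" or p == client_ip
                   or (p.endswith(".") and client_ip.startswith(p))
                   for p in patterns)
    for svc, patterns in HOSTS_ALLOW.items():
        if svc in ("ALL", service) and matches(patterns):
            return True
    for svc, patterns in HOSTS_DENY.items():
        if svc in ("ALL", service) and matches(patterns):
            return False
    return True


def gateway_access(pkt, from_external, filter_enabled=True):
    """Report which layer decides a connection to a service on the gateway itself."""
    if filter_enabled and not packet_filter(pkt, from_external):
        return "denied:packet_filter"
    service = WRAPPED_SERVICES.get(pkt.dport)
    if service is not None and not wrappers_allow(service, pkt.src):
        return "denied:tcp_wrappers"
    return "allowed"


if __name__ == "__main__":
    gw = MasqGateway("203.0.113.10")
    gw.outbound(Packet("192.168.1.5", 40000, "198.51.100.7", 80))
    print("unsolicited inbound to LAN:", gw.inbound(Packet("198.51.100.9", 5555, "203.0.113.10", 139)))
    outside_telnet = Packet("198.51.100.9", 5555, "203.0.113.10", 23)
    print("telnet from outside, filter on: ", gateway_access(outside_telnet, True))
    print("telnet from outside, filter off:", gateway_access(outside_telnet, True, filter_enabled=False))
```

Run it and the same external telnet attempt is refused twice over: by the packet filter while it is enabled, and by hosts.deny when it is switched off, which is what "security in depth" means in Charlie's reply. On the masquerading side, an inbound packet only reaches a LAN machine as the reply to a connection that machine opened, or through a port forward the administrator added; anything else stops at the gateway, which is Dan's point.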

Dan York

RE: e-smith 4 firewall abilities
« Reply #3 on: November 27, 2000, 04:46:40 PM »
Dan Brown wrote:

> My understanding is that the reason e-smith isn't advertised as
> a firewall is because the makers feel that a firewall
> inherently should be a separate box.

As mentioned in the FAQ:

  http://www.e-smith.org/faq.php3#q4

we prefer to just be conservative in what we call e-smith server.
Many of us internally came from environments with high
paranoia (in a good sense of the word) about security, and
many of the ultra-paranoid would argue that a true firewall
should have no user accounts, no file-sharing, no DNS,
no POP/IMAP... basically nothing but the
bare bones needed to protect a box and network.  Using this
very strict definition, we don't feel comfortable calling e-smith
a true firewall.

Having said that, as Dan Brown mentioned, e-smith *IS* very
secure and does provide many/most/all of the functions of
other products that vendors refer to as a "firewall".  Being
based on Linux, it can also be hardened further by those who
know about hardening Linux.

My 2 cents,
Dan

Pierluigi Miranda

RE: e-smith 4 firewall abilities
« Reply #4 on: November 27, 2000, 05:46:10 PM »
Charlie Brady wrote:

> I have a packet filtering add-on RPM which is based on
> PMFirewall, but "plays nicely" with the e-smith
> software, and will install without requiring any additional
> configuration. Adding a packet filtering firewall does not
> *necessarily* add any extra security - it will, however, add
> more "security in depth" - for instance, it will
> prevent any access at all to the services such as telnet or POP
> which already are protected by the TCP wrappers daemon.

Would you care to explain your setup with more detail, please?

Could such a setup be released as a future E-Smith release component, or even as a supported addon?

Thanks!

--

Pierluigi Miranda

Richard

RE: e-smith 4 firewall abilities
« Reply #5 on: December 01, 2000, 04:26:42 PM »
I also just ran e-smith through nessus.

www.nessus.org

Which is meant to be of a fairly high calibre.  It was recommended to me by one of my old lecturers who now works for Linuxcare.  Along with many other academics here in Australia at the ANU that actually wrote core pieces of the system, samba is one example.

Anyhow - I digress.  I state them as a fairly authoritative source on what is up to the testing and what isn't.  As I have not used cops or satan, etc.

I am pleased to report that e-smith passed, possibly with flying colours.  Nessus found 2 potential holes, which may not even be holes at all.

It all depends on how qmail works.  I hope to get an answer to this soon.  Apart from that there were only small things one could change if they were really paranoid as Dan said.  These same little observations were also made of all the other Red Hat servers I scanned.  The only server we had that came through 100% was our G3 web server running Mac OS X.  But that is a whole new kettle of fish - running many fewer services than e-smith - and is not really comparable.

Cheers,
Richard.

Justin

RE: e-smith 4 firewall abilities
« Reply #6 on: December 01, 2000, 05:21:37 PM »
The vulnerabilities detected by nessus are false positives. A hand check of the ports in question will confirm this.

My security testing continues and e-smith is still standing strong.

Richard

RE: e-smith 4 firewall abilities
« Reply #7 on: December 02, 2000, 12:47:06 AM »
That's good news.

I had a sneaking suspicion that qmail was fairly secure.

I just now need to throw all the DOS attacks at it.  I did not do that from home as I did not want to crash it and not be nearby.

I am expecting no hassles either.  All the other Red Hat boxes passed 100% and the only thing I had done to them was to compile in some SYN option.

Cheers,
Richard.

Richard

RE: e-smith 4 firewall abilities
« Reply #8 on: December 02, 2000, 07:27:50 AM »
Hi All,

Just did a full round of DOS attacks and not a scratch at all.... All services still up.  Concurrent attempts to use the services worked fine.  And CPU overhead barely flexed.

Cheers,
Richard.