Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Gary Wilson on May 14, 2003, 08:34:13 PM
-
I have a spare machine which I've installed a copy of Mandrake Multi Network Firewall on. Looks like a good piece of kit, but under the hood it uses virtually the same components as SME 5.6.
Is it worth using this as a firewall in a network served by SME already? I understand it would take some strain off the SME server, but if it's just as secure in its configuration I'd rather save the pain of having yet another box to learn to administer / backup etc.
Any comments appreciated.
Gary
-
IPCop www.ipcop.org is MUCH better than Mandrake. There's a lot of info on both this list and the IPCop list on how to get both systems working well together.
N.
:-)
-
Gary
sme is designed to do the job of firewall, so why not use it.
Opinions differ on the security merits of a separate firewall box, but as you point out the software is no different, so is there really a security gain with a separate box?
You will save yourself various configuration problems by not having a separate firewall, and I think a lot of sme users will agree with that. Also a lot less setup hassle if you use a (bridged) modem rather than a router, the ports are all set automatically by sme.
Ray
-
Good Afternoon,
I just had to jump in here on this topic. My opinion is that if you're going to use SME as a firewall alone, it's great. If you're going to combine tasks and run web, email, and other server programs/services, have a second box as your firewall. I guess it goes back to having too many eggs in one basket. I am going to separate my email/web server from my firewall so if I have trouble with my firewall, I can just reformat and go.
Welp, enough for now.
Walter "Wally" Padgett
-
Thanks for the comments - will look into ipcop. Scenario I have now has changed dramatically from the last few years - just taken on a leased line which is to be shared wirelessly with adjacent businesses. Comes with a Cisco 1720 router so need to add that to the pot somehow. Was always simple before - just a few lin & win boxes serving web, print and file! Now I'm looking at DMZs etc.
I think I will need a separate firewall - just because of the load. I'm happy with the wireless side of things, have a building to building link at the moment and have some experience in that field - but going into deep network territory here, what with extra security etc.
Thanks again for the replies - will no doubt be posting a few more queries on here.
-
I also use Ipcop as a firewall to an SMEserver acting as a gateway.
You get more easily configured port forwarding, DMZ, snort, traffic graphs, etc, all out of the box.
cheers
Brian
-
Good Afternoon,
With all the talk lately of firewall and SME being the right choice, is there any discussion of creating a small firewall type application from SME? Something kind of along the lines of IPCOP and/or Smoothwall to name a couple. I don't know the developer team but I would love to see a SME "firewall only" box as a separate application. I love SME and have used it since v3.x. I guess the thing I really like about it is all the add-ons with the different flavors. The more I've looked at setting up a DMZ, the more I like that idea. Having my eggs all in one basket has cost me a couple of times.
Thanks for all the information, I thoroughly enjoy the forum (even though I haven't received responses to a couple of my wordy postings).
Later
Walter "Wally"
-
I posted about this very subject a few days ago, but no one seemed interested. I ran port / vulnerability scans against my 'SME Firewall' and found with 1 open ports (except IDENT), (ICMPs are closed as well) using GFI Scanner, NESSUS and ISS 6.21. Look at http://forums.contribs.org/index.php?topic=17329.msg67463#msg67463 . It's running great with add-ons such as PORT OPEN, PORT Forwarding, DANSGuardian 2.6 Proxy Authentication, SARG and a dansguardian log viewer. Currently testing at home and love it. My kids need to authenticate to proxy and are protected by DANSGUARDIAN. On the same computer, if I authenticate to Squid, I am unfiltered by DansGuardian.
Bill
-
Bill
This may be of interest
http://www.e-smith.org/faq.php3#6q8
Ray
-
If you really want to go for an extra firewall (and it is for private use only) I would go for the Securepoint-Firewall, the business setup is free for private use, you can insert up to 8 NICs, it supports DSL and ISDN dial up. It has a dedicated Windows-client to administer it and you can more easily define groups of hosts, or ports.
You can find it here http://www.securepoint.cc/
For the Mandrake MNF I have found nearly no info on the net (I tested it for 4 weeks and trashed it then) regarding special setups. You can only open one port in each rule. If you need help, you must be a member of the mandrake club (which costs money) as their forums only allow a certain total amount of messages being posted by nonmembers.
Maybe I prefer the Securepoint-Firewall because it is more like the Checkpoint Firewall-1 I use in our Office ;-))
just my 2 cents (EURO)
jochen
-
With all the talk lately of firewall and SME being the right choice, is there any discussion of creating a small firewall type application from SME? Something kind of along the lines of IPCOP and/or Smoothwall to name a couple. I don't know the developer team but I would love to see a SME "firewall only" box as a separate application. I love SME and have used it since v3.x. I guess the thing I really like about it is all the add-ons with the different flavors. The more I've looked at setting up a DMZ, the more I like that idea. Having my eggs all in one basket has cost me a couple of times.
Sounds like re-inventing the wheel to me! IPCop/Smoothwall (gpl) do just that already. Better to support the existing projects which already do a fantastic job.
-
FAO Gary Wilson
If you are going for a leased line and the cost that involves I would suggest looking at other products than IpCop. Unless I am wrong IpCop is primarily aimed at the community / small business user - your set up sounds bigger than that and given that you have other parties' data security to consider suggest you look at Astaro which is scalable from Community to Enterprise level. It's also very highly regarded and easy to setup & configure.
-
I agree with you guys about SmoothWall (using it since 0.9.9) and IPCOP, it has a DMZ feature which I like. Dansguardian site does not offer the gunzip package to his product anymore, only the RPM version (he is in bed with Smoothwall and stopped posting the gunzip version). I did get DansGuardian to work on both IPCop and Smoothwall, but the latest version I can use is DG 2.4.0. Also, I like to use squid Authentication. I'd like the best of both worlds, but I don't have the development skills to put it all together.
BTW Smoothwall came out with SW Corporate 3.0, but it costs $$
I did look at Securepoint, but you need a static IP and that may also go for Astaro's FW.
Thanks
Bill
-
Re dans + IPCOP. Have you been here?...
http://www.dageek.co.uk/ipcop/addonz/dansguardian.htm
N
8o)
-
Re Static IP & Astaro
Astaro V4 accepts dynamic IP - the original poster was however talking leased line which implies static in any event.
-
IPCOP 1.2, + Dansguardian (Free for schools/home)
Workstation (PII 450, 256M Ram)
avg 70+ concurrent users
throughput = 700Meg per (school) day
ADSL 1.5Meg
It works well, it's free.
If I need more I'll buy better hardware, not software.