Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: esalkin on August 01, 2006, 08:12:03 PM

Title: SME firewall -vs- D-link router firewall?
Post by: esalkin on August 01, 2006, 08:12:03 PM
I currently have my PCs behind my D-Link router's built-in firewall. Will I lose/gain anything by using the SME server firewall and disabling the router's?

(Using 'Recommended Hardware Requirements' or better)
Title: SME firewall -vs- D-link router firewall?
Post by: Boris on August 01, 2006, 08:17:57 PM
That depends on what you are trying to do with SME.
Title: SME firewall -vs- D-link router firewall?
Post by: esalkin on August 01, 2006, 08:53:49 PM
I'm setting up a 'vanity' web site with e-mail on my cable modem connection using a dynamic-DNS service.  Behind the firewall will be a couple of WinXP-Home :oops:  PCs running typical family-pc network apps.
Title: SME firewall -vs- D-link router firewall?
Post by: arne on August 01, 2006, 10:37:36 PM
I believe it is not considered to be the right answer in the sme server environments to say what I say, but my experience is that the sme server can work very well behind a standard nat router.

Personally I have "almost always" used it this way.

Main reason: I like to play and work and do a lot of testing with my server PCs, and if this also is my gateway, this will mean that I now and then will lose my Internet connection.

My experience is that absolutely all server functions on the sme server, and other servers as well, work quite OK behind a standard nat router, if the nat router is configured the proper way.

Then I also apply one additional firewall script on the sme server in the server-only mode, as a double security, even though it might not be really required.

One of my other experiences is that the sme server itself should not be modified too much. Actually almost 100 % of the bugs I have had with the sme server during the years have been related to the non-standard modifications I have made myself. Then the rule should be: Keep it as standard and unmodified as possible and there will be no problems. (An extra firewall on the server-only is a minor modification that normally will give no problems at all.)

If some more specialized server functions are needed, like for instance an Asterisk IP telephony server, do not build or modify this into the sme server; rather set up a specialized extra box, with for instance astlinux or trixbox.

I believe that the sme server will work better for the vpn function if it is set up in the gateway mode. This I have not really tested, because I have used other means for the vpn function.

Just my two cents ..
Title: SME firewall -vs- D-link router firewall?
Post by: arne on August 01, 2006, 10:43:57 PM
Quote
WinXP-Home


If you also had one XP-Pro you could use Windows Remote Desktop on one of the workstations; then you could use one of the workstations remotely, for things like for instance remote login to ssh or the server-manager. Then it will not be required to let these functions have internet access.

This will give a rather difficult access to the sme server for a potential hacker.
Title: SME firewall -vs- D-link router firewall?
Post by: briank on August 01, 2006, 10:48:49 PM
What Arne says is fine and I have left a router/firewall in place sometimes, but it can complicate setting up some progs as you may need to port-forward on the sme and remember to open relevant ports on the router. Generally these days I put the router in dmz mode to forward traffic to the sme and rely on the sme firewall, which I think is great.
Regards
Brian
Title: SME firewall -vs- D-link router firewall?
Post by: CharlieBrady on August 02, 2006, 01:40:23 AM
Quote from: "arne"

My experience is that absolutely all server functions on the sme server, and other servers as well, work quite OK behind a standard nat router, if the nat router is configured the proper way.


The built-in dynamic DNS clients in general cannot work behind a nat router, as they do not know what the external IP address of the router is, or when it has changed.

Use of a NAT router also complicates making external services available because you need to set up explicit port forwardings on the router.
Title: SME firewall -vs- D-link router firewall?
Post by: gordonr on August 02, 2006, 04:38:32 AM
Quote from: "CharlieBrady"

Use of a NAT router also complicates making external services available because you need to set up explicit port forwardings on the router.


It must also be remembered that a simple port-forward provides no additional security on those forwarded ports. If you forward SSH through the router without additional filtering, your SSH port is just as open to the world as if you were directly connected.

I've seen a lot of advice which says that such a setup is more secure, which it isn't. It's also very likely that the home router box is running a much older Linux kernel than in the SME Server.

Finally, we enable additional anti-spam rules when we know the external IP address. This is lost when you port forward.

Server-gateway is better than server-only. You should use it.
Title: SME firewall -vs- D-link router firewall?
Post by: arne on August 03, 2006, 01:16:50 PM
I understand that there are a few arguments for the gateway solution:

1. Built-in dynamic dns client, if this function is needed.
2. Better spam filtering.
3. Possibly better/easier VPN connection (??).

On the other hand, what is considered to be easy and what is complicated might be a bit individual for each user.

I would personally say that the nat forwarding function of a standard nat router often makes everything easier, because it gives a precise, easy and clear picture of how the data flows are allowed to enter your network.

It is true that a forwarded port via a standard nat router has no security at all, from a firewalling point of view. On the other hand, there is nothing that prevents you from applying those filtering rules that you might wish on the open ports of the server-only, if you apply an iptables script on the server-only installation, behind the standard nat router, so that you get a double firewalling setup.

If the standard nat router just does forwarding, then you could quite easily set up your server-only to do additional filtering like preventing DoS attacks, using rate and burst filtering, on the input chain, etc.

On the other hand, it might be only a question of making things safe enough.

My SME servers have generally run for years, without problems, except when I have been too clever with my modifications. Most of them have been a server-only installation with an additional firewall script, so there has been a double firewall setup. I guess that a server-gateway setup also normally would run for years without problems, so there are just two quite good alternatives.

From a very theoretical point of view I think that a double firewall setup with firewalling via the nat router and additional firewalling on the server-only installation, that also includes the open ports, can make the whole installation "more safe". On the other hand, for the real world both installations might be just safe enough.

If you like to have the full control where each packet goes, how many packets are allowed to arrive, from where, to where etc., this full control can be obtained by using a standard nat router with forwarding, plus a rather easy firewall script on the sme server-only installation.
Title: SME firewall -vs- D-link router firewall?
Post by: smeghead on August 03, 2006, 07:41:18 PM
Quote from: "gordonr"

Finally, we enable additional anti-spam rules when we know the external IP address. This is lost when you port forward.


Gordon, could you elaborate a bit on just exactly what is 'lost' in the SA config when running NAT to the SME (all routers on static IP)?

This is my default config for all my 50+ installs of SME 6 & 7 and provides me with a level of control that is not readily possible without the use of a NAT router; would hate to change this multi layer setup so need to know more about this.

Cheers
Title: SME firewall -vs- D-link router firewall?
Post by: gordonr on August 04, 2006, 02:24:31 AM
Quote from: "smeghead"
Quote from: "gordonr"

Finally, we enable additional anti-spam rules when we know the external IP address. This is lost when you port forward.


Gordon, could you elaborate a bit on just exactly what is 'lost' in the SA config when running NAT to the SME (all routers on static IP)?


The most obvious one is helo spoofing. We reject any mail which says "HELO a.b.c.d" where a.b.c.d is your external IP address. I get a lot of that every day. We also allow postmaster@[a.b.c.d] as required by the RFC.
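The HELO rule described above, as an added example that is not SME Server's own code: a small Python model of the check, in which the external address and the SMTP fragments are constructed values. Passing external_ip=None models the server-only-behind-NAT case, showing why the rule cannot run when the server does not know its public address.

```python
import ipaddress
import re

# Constructed value for this example (not from the thread): the address the
# server knows as its own external IP when it runs in server-gateway mode.
EXTERNAL_IP = "203.0.113.10"


def _same_address(text, external_ip):
    """Compare an address literal with the configured external IP.

    Brackets are stripped so "[203.0.113.10]" and "203.0.113.10" both match;
    a hostname (anything not parseable as an IP) never matches."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    try:
        return ipaddress.ip_address(text) == ipaddress.ip_address(external_ip)
    except ValueError:
        return False


def helo_is_spoofed(helo, external_ip):
    """True when the client greets with our own external address."""
    return _same_address(helo, external_ip)


def rcpt_is_local_postmaster(rcpt_to, external_ip):
    """True for postmaster@[a.b.c.d] with a.b.c.d our external address,
    the address-literal form that RFC 5321 requires to be accepted."""
    m = re.fullmatch(r"<?\s*postmaster@\[([^\]]+)\]\s*>?",
                     rcpt_to.strip(), re.IGNORECASE)
    return bool(m) and _same_address(m.group(1), external_ip)


def evaluate_session(helo, rcpt_to, external_ip):
    """Apply the two rules in order and return (verdict, reason).

    external_ip=None models server-only behind a NAT router: the server
    does not know its public address, so the HELO rule cannot be applied."""
    if external_ip is None:
        return ("accept", "external address unknown behind NAT; HELO check skipped")
    if helo_is_spoofed(helo, external_ip):
        return ("reject", "HELO announces our own external address")
    if rcpt_is_local_postmaster(rcpt_to, external_ip):
        return ("accept", "postmaster@[address-literal] is always accepted")
    return ("accept", "no HELO rule matched")


if __name__ == "__main__":
    # Constructed sessions: a spoofed greeting, the same greeting when the
    # public address is unknown, and a legitimate postmaster delivery.
    sessions = [
        ("203.0.113.10", "<user@example.org>", EXTERNAL_IP),
        ("203.0.113.10", "<user@example.org>", None),
        ("mx.example.org", "<postmaster@[203.0.113.10]>", EXTERNAL_IP),
    ]
    for helo, rcpt, ext in sessions:
        print(helo, rcpt, "->", evaluate_session(helo, rcpt, ext))
```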
Title: SME firewall -vs- D-link router firewall?
Post by: gordonr on August 04, 2006, 02:30:56 AM
Quote from: "arne"
I understand that there are a few arguments for the gateway solution:

1. Built-in dynamic dns client, if this function is needed.
2. Better spam filtering.
3. Possibly better/easier VPN connection (??).

On the other hand, what is considered to be easy and what is complicated might be a bit individual for each user.


Arne,

You have said many times that you use your own firewalling scripts and enjoy doing so. That's fine, and your choice. But since these don't exist in the standard configuration, it's somewhat irrelevant. If the base firewalling needs to be improved, raise a bug. If your scripts are better, raise a bug so we can compare. Otherwise, they remain your setup and your scripts.

This thread is about comparing the SME Server firewall and the D-Link firewall. Could we please stay on-topic? Thanks.
Title: SME firewall -vs- D-link router firewall?
Post by: smeghead on August 04, 2006, 06:23:57 AM
Quote from: "gordonr"

The most obvious one is helo spoofing. We reject any mail which says "HELO a.b.c.d" where a.b.c.d is your external IP address. I get a lot of that every day. We also allow postmaster@[a.b.c.d] as required by the RFC.


Hmm, any way this could still be available to the SME box (perhaps via a db entry that holds the static public IP)? If so I will add an NFR to the SME 7.0 bugtracker.

If this needs any further detailed discussion I'll open a new thread.

Cheers
Title: SME firewall -vs- D-link router firewall?
Post by: gordonr on August 04, 2006, 06:34:42 AM
Quote from: "smeghead"

Hmm, any way this could still be available to the SME box (perhaps via a db entry that holds the static public IP)? If so I will add an NFR to the SME 7.0 bugtracker.

Yes, NFR please. Thanks.
Title: SME firewall -vs- D-link router firewall?
Post by: arne on August 04, 2006, 09:49:09 AM
Quote
Arne,

You have said many times that you use your own firewalling scripts and enjoy doing so. That's fine, and your choice. But since these don't exist in the standard configuration, it's somewhat irrelevant. If the base firewalling needs to be improved, raise a bug. If your scripts are better, raise a bug so we can compare. Otherwise, they remain your setup and your scripts.

This thread is about comparing the SME Server firewall and the D-Link firewall. Could we please stay on-topic? Thanks.


I would say that it is not off-topic. If you use a D-Link or any standard nat router, I will say it is a quite natural thing to apply an iptables script on the server-only installation, as there initially is no firewall at all. I would see it this way: To use the sme server in server-only mode will by default involve applying a firewall script, as there is no firewall at all, by default original design. (And that's a very good thing !)

As I would see it, the design of a firewall for a server-gateway and the design of a firewall for a server-only installation are two quite different things. To design some firewall functionality for a server-only installation to be used together with a standard nat router is much easier.

(Reason - there are only two traffic directions that have to be controlled, in and out, not in-out server (local processes) and in-out lan like for a gateway server.)

I do not agree completely that (linux) firewalls can be compared at all. It's more a question like "Do you like the coffee with milk or sugar ?". If you compare two linux firewalls you will always have the full freedom to transfer rules from firewall A to firewall B, so you get the exact design as you like it. You can actually add sugar and milk as you want for your own taste.

Firewall scripts for gateways will normally contain some parts where users that are not familiar with Linux firewalling very easily will make mistakes if one tries to modify. Firewall scripts for server-only installations with no gateway function can, on the other hand, be made so easy to read that anybody can modify them.

Why not set up a thread on the forum about modifications with some examples and some discussion about a firewall script for the server-only installation ? I'm on vacation now, but I'm wondering if I could / should do that when I come home .. (so I first can do some testing.)

By the way, one main reason that I use the server-only alternative in my home is that my ISP delivers an ADSL connection with only one alternative, a nat router. (Well, I have modified it to run in bridge mode as well, but that's a hack.) I think that there are a lot of users that do not have the alternative to receive the external ip to the sme box at all.
Title: SME firewall -vs- D-link router firewall?
Post by: gordonr on August 04, 2006, 10:16:53 AM
Quote from: "arne"

I would say that it is not off-topic


You appear to have missed my point which was that this thread is a comparison of the merits of using a D-Link home router in front of an SME Server versus simply using the SME Server in server-gateway mode directly connected to the Internet.

There are endless things you can do to change the SME Server, including adding additional firewall scripts. But they do not exist in a standard installation and so they are not a choice most people have. A very small subset of the community has the skills to write a firewall script and we do not expect people to have such skills.

That's why server-gateway mode exists and I will state once again that I firmly believe that server-gateway is better than a home router plus server-only.

Quote from: "arne"

Why not set up a thread on the forum about modifications with some examples and some discussion about a firewall script for the server-only installation ?


I've asked quite a few times that you raise this in the bug tracker so we can discuss it there. The bug tracker provides the ability to attach versions of the scripts for comment and potential inclusion in releases - the forums do not. You have talked about your firewall scripts - attach them to the bug tracker entry for discussion.

The forums are not the best place to discuss critical code such as firewalling scripts. The forums provide no version control history, no method to "obsolete" attachments and no upgrade path for posted scripts. There is a very real danger that people will simply copy code from the forums and assume that it is correct. If a bug is found, what then?

Quote from: "arne"

By the way one main reason that I use the server-only alternative in my home is that my isp deliver a adsl conection with only one alternative, a nat router. (Well I have modified it to run in bridge mode as well, but that's a hack.) I think that there is a lot of users that does not have the alternative to receive the external ip to the sme box at all.


And one way to deal with that problem is to have a configuration setting which lets the server know the pre-NAT IP address. Then you could use the SME Server in server-gateway mode behind your NAT router. And better still would be to automatically determine what the pre-NAT address is by querying some external box which can tell you what they see as your source address.
Title: SME firewall -vs- D-link router firewall?
Post by: smeusr on August 04, 2006, 10:33:16 AM
I'm very interested in this firewall discussion.  I don't normally read bug tracker for server configuration discussions.  How do we put the discussion out there so that others can readily see it, participate and learn?

Btw, I run a wireless nat router with gateway-server mode.  I connect into my internal SME network via OpenVPN.  Yep, I'm paranoid.  Small inconvenience for added security.
Title: SME firewall -vs- D-link router firewall?
Post by: gordonr on August 04, 2006, 10:40:10 AM
Quote from: "smeusr"
I'm very interested in this firewall discussion.  I don't normally read bug tracker for server configuration discussions.  How do we put the discussion out there so that others can readily see it, participate and learn?


The bug tracker is not the place for configuration discussions. But it is the place for new feature requests. And it is the way in which things make it into future releases once either a developer gets an itch to implement it or someone pays them to do so.

There are a number of issues here, but they boil down to "What additional features might be required?" and "Who is going to implement them or pay for their implementation?".

Discussion is fine - let's decide what needs to be implemented. But that needs to be backed with someone writing the code. Arne has suggestions - let's see the code.
Title: SME firewall -vs- D-link router firewall?
Post by: arne on August 04, 2006, 02:52:02 PM
Quote
The bug tracker is not the place for configuration discussions. But it is the place for new feature requests.


I would consider applying a firewall script to a server-only installation to be nothing more than a minor configuration issue. The firewall is already there and it is just a question of activating it.

When the alternative is no (activated) firewall at all, or some firewalling capability, it does not need to be that complicated to give some improvements.

I will try to set up some more or less easy suggestions in the relatively near future. Then users can suggest changes or improvements, if they want.

One very interesting problem that is mentioned above is the problems related to running a wireless network on the lan. This might be a bit of a security issue. To modify the sme server with a third network adapter for the wireless lan will not be a very easy modification I believe (but of course it could be done.)

Quote
And one way to deal with that problem is to have a configuration setting which lets the server know the pre-NAT IP address. Then you could use the SME Server in server-gateway mode behind your NAT router.


If you do it like that, you could also solve some basic security issues related to running wireless lan, if you connect the wireless access point on a less secure zone (dmz) between your first nat router and the sme gateway, and then leave the inner zone between the sme server as a safe zone accessible only via local cabling.
Title: SME firewall -vs- D-link router firewall?
Post by: arne on August 04, 2006, 03:34:08 PM
http://forums.contribs.org/index.php?topic=33147.msg140911#msg140911