Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: Howard on April 18, 2003, 07:29:58 PM

Title: Server Only Mode
Post by: Howard on April 18, 2003, 07:29:58 PM
Hi,

Is this system secure using server only mode..? I have a router / NAT firewall that this will be plugged into, and only require the web server and web mail and the web server...

Will this be secure?

Thanks
Howard
Title: Re: Server Only Mode
Post by: Terry Brummell on April 18, 2003, 07:45:42 PM
As long as it's behind a firewall.  When in Server Only mode no firewall rules are in place.
Title: Re: Server Only Mode
Post by: Howard on April 18, 2003, 07:47:35 PM
Hmm, thanks for that.... Can I put it in the other mode and then use the one network card as internal and external to enable the firewall?
Title: Re: Server Only Mode
Post by: Bill Talcott on April 18, 2003, 07:57:04 PM
Howard wrote:
>
> Hmm, thanks for that.... Can I put it in the other mode and
> then use the one network card as internal and external to
> enable the firewall?

Not that I'm aware of, without tinkering with stuff.

If you have it behind a NAT router, it will only be accessible to the outside through port forwarding from the router. Just forward the ports you need and nothing else. Do you need a firewall between the SME and your LAN for some reason?
Title: Re: Server Only Mode
Post by: Howard on April 18, 2003, 08:09:53 PM
Thanks for the help...Sorry if I'm not very clear, but I'm new to any form of Linux.. I have a cheap broadband 4 port router with built in NAT, port forwarding and DHCP... I would like to use all the functionality of SME Server (webmail, web server, remote access, file server) but not use it as a gateway...

I haven't installed it yet.. I have a spare compaq evo 1.7 with only 1 network card. If using NAT, would all the files on the server and mail stores be safe?

Again, thanks for all your help.
Howard
Title: Re: Server Only Mode
Post by: Charlie Brady on April 18, 2003, 08:19:09 PM
Howard wrote:

> Thanks for the help...Sorry if I'm not very clear, but I'm new
> to any form of Linux.. I have a cheap broadband 4 port router
> with built in NAT, port forwarding and DHCP... I would like
> to use all the functionality of SME Server (webmail, web
> server, remote access, file server) but not use it as a
> gateway...

Why? Spend a bit of time searching this board and you might rethink. The router doesn't do anything that the server can't do, and setup will be a lot easier without the router complicating things.

Charlie
Title: Re: Server Only Mode
Post by: Howard on April 18, 2003, 08:22:58 PM
Thanks.. I thought about this, but the PC I have is an Ultra Slim Desktop with only one network card and I can't add more - and I doubt SME Server will detect a USB SB4100 modem
Title: Re: Server Only Mode
Post by: Bill Talcott on April 18, 2003, 09:48:04 PM
Howard wrote:
>
> Thanks for the help...Sorry if I'm not very clear, but I'm new
> to any form of Linux.. I have a cheap broadband 4 port router
> with built in NAT, port forwarding and DHCP... I would like
> to use all the functionality of SME Server (webmail, web
> server, remote access, file server) but not use it as a
> gateway...
>
> I haven't installed it yet.. I have a spare compaq evo 1.7
> with only 1 network card. If using NAT, would all the files
> on the server and mail stores be safe?

NAT (without any forwarding) will completely isolate the SME from the internet. No internet traffic at all will be able to pass to the SME. If you forward ports, from the router to the SME, only traffic coming in on those ports will make it to the SME. So long as you don't forward the Windows networking ports, nobody outside will even be able to tell it supports that.

I also second what Charlie said. Things will probably go a lot more smoothly if you can use the SME as the gateway too.
Title: Re: Server Only Mode
Post by: Howard on April 18, 2003, 09:50:36 PM
Thanks guys.. really appreciate the help..

Don't suppose you know of a way to get SME server to recognise a Motorola USB 4100 modem do you?

Thanks
Howard
Title: Re: Server Only Mode
Post by: Paul on April 18, 2003, 10:23:50 PM
I agree with Bill and Charlie.  I ran my sme behind a Linksys router for about 3 months.  I then decided to change and use my sme box as my gateway.

The sme box must handle NAT much better because I experienced an immediate noticeable increase in browser speed.  This was most noticeable when multiple users were accessing the internet simultaneously.

I have also noticed that false "page not found" errors have decreased to almost nothing. This problem seems to be common on routers behind cable connections.

There are several people trying to get USB modems working.  You can be patient and see if anyone comes up with a solution or try like heck to get a second NIC card into your computer.

Good Luck,

Paul
Title: Re: Server Only Mode
Post by: Paul on April 18, 2003, 10:30:15 PM
Howard wrote:
>
> Thanks.. I thought about this, but the PC I have is an Ultra
> Slim Desktop with only one network card and I can't add more
> - and I doubt SME Server will detect a USB SB4100 modem

I seem to remember some time ago that I was able to get an angle adapter and install a PCI device in a slim cased PC.  Does this PC have any PCI slots or is everything built on to the board?
Title: Re: Server Only Mode
Post by: Howard on April 18, 2003, 10:34:17 PM
No PCI slots I'm afraid... everything is on board... I have seen USB to RJ45 adaptors, but you need to install a driver which I think is Windows only
Title: Re: Server Only Mode
Post by: Ray Mitchell on April 19, 2003, 08:23:59 AM
Howard,
If you are going to the trouble of setting up this system, why not do it with hardware that will support sme properly. Low end PCs work quite fine and have plenty of expansion slots, and 2nd hand would not cost very much.
Considering the time & effort you will spend setting it all up etc, you can easily justify some small outlay on correct hardware.

Your approach appears to be "let's make the software fit the hardware that I happen to have", but it should be "get compatible hardware and then install the software".

You could sell the firewall device as sme does that job very nicely.

Regards
Ray Mitchell
Title: Re: Server Only Mode
Post by: Kobus Bensch on April 20, 2003, 08:01:18 PM
Had a similar problem with NICs and gateways and so on, so I decided to put a firewall between SME and the internet. Try www.smoothwall.org if you have an old PC lying about. You'd probably get it working in no time with Smoothwall. Lots of support on the IRC channel with guys as knowledgeable as on this forum.
Title: Re: Server Only Mode
Post by: Stewart Midwinter on April 21, 2003, 12:59:41 AM
Okay, here's a solution that will use your hardware. Use your 4-port router.  Maybe you have some other PCs that you want to connect to it, so do that.

Connect the e-smith server to the router as well. Set up e-smith as public server.  But then give it a fixed internal IP, e.g. 192.168.1.11 (make sure it's in the range that is allowed by the router).  Also give it a fixed external IP, e.g. 192.168.1.12.  Then tell the router to put 192.168.1.12 into a DMZ.  This will eliminate all NAT for the e-smith box; in other words, it is connected directly to the outside world, and its own firewalling rules will protect it. Meanwhile, the router's firewalling rules will protect other PCs on the network.

I'm using a setup just like this (although my e-smith box has 2 NIC cards), and it seems to be working fine.

Some of the readers suggested just using the e-smith server as your gateway as well. That means you have to buy more hardware, which you may not want to do.  But also, it means that all network traffic goes through the e-smith box; if it's an older CPU, it may be a bottleneck. Connecting your other machines to a router may speed things up for them. And then the e-smith box only has to serve up web pages.

hope this all made some sense.

Stewart in Calgary
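An added example (not code from the thread, SME Server or e-smith) that models the exposure Bill and Stewart describe: with plain port forwarding only the forwarded ports reach a server-only SME box, while placing it in the router's DMZ exposes every listening service, because server-only mode brings no firewall of its own. The router rule format, the SME IP and the service list are constructed for the example.

```python
# Added example: which services on a server-only SME box (no local firewall)
# can Internet traffic reach behind a NAT router, under port forwarding vs DMZ.
import re

# Constructed sample of services such a box typically listens on.
SME_SERVICES = {
    22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 143: "imap", 443: "https",
    137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds",
}
# Windows networking ports the thread says should never be forwarded.
WINDOWS_NETWORKING_PORTS = {137, 138, 139, 445}

# Constructed router rule syntax: "tcp 80 -> 192.168.1.11:80"
RULE_RE = re.compile(r"^(tcp|udp)\s+(\d+)\s*->\s*([\d.]+):(\d+)$")


def parse_forwarding_table(text):
    """Parse router rules into (proto, wan_port, lan_host, lan_port) tuples.
    Lines that do not match the constructed syntax are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            proto, wan_port, host, lan_port = m.groups()
            rules.append((proto, int(wan_port), host, int(lan_port)))
    return rules


def exposed_services(rules, sme_ip, dmz_host=None, services=SME_SERVICES):
    """Return {lan_port: service} on the SME box that unsolicited Internet
    traffic can reach. A DMZ host equal to the SME IP means the router passes
    everything, and server-only mode adds no filtering, so all services show."""
    if dmz_host == sme_ip:
        return dict(services)
    exposed = {}
    for _proto, _wan_port, host, lan_port in rules:
        if host == sme_ip and lan_port in services:
            exposed[lan_port] = services[lan_port]
    return exposed


def risky_exposures(exposed):
    """Exposed ports that belong to Windows networking (SMB/NetBIOS)."""
    return sorted(p for p in exposed if p in WINDOWS_NETWORKING_PORTS)


if __name__ == "__main__":
    table = "tcp 80 -> 192.168.1.11:80\ntcp 443 -> 192.168.1.11:443\ntcp 139 -> 192.168.1.11:139\n"
    exp = exposed_services(parse_forwarding_table(table), "192.168.1.11")
    print(exp, "risky:", risky_exposures(exp))
```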
Title: Re: Server Only Mode
Post by: Paul on April 21, 2003, 01:51:32 AM
Just a question,  can you actually assign 2 different IP addresses to the same NIC?  Remember, Howard only has 1 NIC to work with.

Paul
Title: Re: Server Only Mode
Post by: Howard on April 21, 2003, 10:47:41 AM
Wow such a lot of help... Thanks Guys..

Stewart, your suggestion sounds like the one I will go for... If I set up SME as a public server (ie server only mode), I was under the impression that the firewall / security would not be active...Is this incorrect?

Also, if I didn't put the server in a DMZ and used NAT / port forwarding on the router, I guess this would work as well? Although I would need a dynamic DNS updater that gets my external IP address rather than the internal network one... Maybe the DMZ is the way to go - (you may have noticed I'm security paranoid)..

Again, thanks for all the help guys..
Title: Re: Server Only Mode
Post by: Bill Talcott on April 21, 2003, 07:29:52 PM
Howard wrote:
>
> Stewart, your suggestion sounds like the one I will go for...
> If I set up SME as a public server (ie server only mode), I
> was under the impression that the firewall / security would
> not be active...Is this incorrect?

His suggestion actually was for a Server-Gateway, with two separate interfaces. The Server-Only mode assumes it's already on a secure LAN, so yes, the firewall is disabled.

> Also, if I didn't put the server in a DMZ and used NAT / port
> forwarding on the router, I guess this would work as well?
> Although I would need a dynamic DNS updater that gets my
> external IP address rather than the internal network one...
> Maybe the DMZ is the way to go - (you may have noticed I'm
> security paranoid)..

Yes, with PAT (Port Address Translation, aka NAT with port forwarding) you will be using the router as a firewall and the SME will be open. The router will decide which stuff gets through and which stuff is blocked. The DMZ idea may work, but you'd need to assign a second IP to your SME. I have a HowTo on contribs.org about assigning multiple IPs to one interface. To actually make it useful though, you need to also duplicate all the firewall rules (basically copying the templates and changing one line in each), but I don't have that HowTo done yet.
Title: Re: Server Only Mode
Post by: Boris on April 22, 2003, 01:09:35 AM
Setting a second IP for the interface via eth0:1 is not hard, but I don't think it will work in this case as both IPs are in the SAME network. You need two DIFFERENT networks for routing to work.
You shouldn't do it by using your public/private IP either. I have a number of installations where SME is set up as a server-gateway with a single NIC, using eth0 as private and eth0:1 as public, with public pages served via the public address and Samba and other private services listening on the private IP of the same NIC, but I do it only if I have full control over the physical LAN; otherwise, your neighbours (in the case of cable Internet) or ISP can spoof your private IP and attempt to connect to the trusted private IP. They still need to log in to the server for some services, but not to, let's say, spam via SMTP.

I run my home server behind a small router/firewall and only forward a few ports to it. For a small home net it works well and that (if I understand it right) was the intended purpose of this anyway. Some routers nowadays have a DynDNS client built in and it works. Another solution is to play with DynDNS add-ons or install the client on a Windows computer behind the same router. They share the same public IP.
Good luck.
Title: Re: Server Only Mode
Post by: stewart on April 22, 2003, 07:29:29 AM
My idea WAS to use a router for the other PCs, and put the SME server behind this router. If you put it in server-only mode, as Bill says, it won't protect itself, so you are relying on the router's firewall rules.  So instead, I put it in server-gateway mode (since it has two NIC cards already), but just didn't hook anything up to eth1.  

My scheme worked well for web server, but for some reason I've had problems with mail. I can send mail out from the rest of the network (traffic goes out through the router, then down into the SME server to the mail server before turning around and going back out into the net), but I could not receive any mail.  Looks like SME server isn't set up to operate behind a router, and modifying the templates looks to be byzantine in its complexity - at least from my perspective.  

I've actually given up and gone back to my previous configuration: SME server working as server - gateway, connected to cable modem. On the internal side, it connects to a 5-port hub to which my workstations are connected.  

I tried using a Linksys router instead of a hub, but I cannot get my workstations to see the outside world.  Probably has to do with the fact that my SME server is on 192.168.224.x, while my router (and connected workstations) are on 192.168.1.x - some routing is required (I think) to get from that network to the SME server network, and it isn't obvious to me how to accomplish it.  If anyone has any tips, please let me know.

cheers
Stewart in Calgary
Title: Re: Server Only Mode
Post by: Bill Talcott on April 22, 2003, 05:47:34 PM
stewart wrote:
>
> My scheme worked well for web server, but for some reason
> I've had problems with mail. I can send mail out from the
> rest of the network (traffic goes out through the router,
> then down into the SME server to the mail server before
> turning around and going back out into the net), but I could
> not receive any mail.  Looks like SME server isn't set up to
> operate behind a router, and modifying the templates looks to
> be byzantine in its complexity - at least from my perspective.

The SME shouldn't require any changes. Do you have the router forwarding the incoming mail on port 25 to the SME? If you're giving the LAN PCs IPs that aren't in the SME's local network, you'll need to use the authenticated SMTP contrib at pagefault.org so that valid users can log on from outside the SME's LAN. In your case, defining a local network should work also.

> I've actually given up and gone back to my previous
> configuration: SME server working as server - gateway,
> connected to cable modem. On the internal side, it connects
> to a 5-port hub to which my workstations are connected.
>
> I tried using a Linksys router instead of a hub, but I cannot
> get my workstations to see the outside world.  Probably has
> to do with the fact that my SME server is on 192.168.224.x,
> while my router (and connected workstations) are on
> 192.168.1.x - some routing is required (I think) to get from
> that network to the SME server network, and it isn't obvious to
> me how to accomplish it.  If anyone has any tips, please let
> me know.

I'm guessing you don't have it set up properly for this. In this setup, the SME is assigning a NAT IP to the router's WAN interface, and the router is then NAT-ing that to other private IPs for the PCs. If the SME is already providing NAT, there's no reason to do this, and you're just adding one more step of processing into the mix. The SME+hub is doing the same thing as your router's ports...