Difference between revisions of "Firewall"

From SME Server
Jump to navigationJump to search
 
(17 intermediate revisions by 6 users not shown)
Line 1: Line 1:
==Firewall==
+
{{usefulnote}}
 
The server manager is the GUI front end for the firewall. The firewall is modified automatically in response to changes you make in the configuration, such as enabling/disabling services, marking them public/private, forwarding ports, etc.
 
The server manager is the GUI front end for the firewall. The firewall is modified automatically in response to changes you make in the configuration, such as enabling/disabling services, marking them public/private, forwarding ports, etc.
  
 
If you wish to make changes beyond those provided for by the server manager, you can do so by setting DB records or providing custom templates. Only make these changes if you are sure you know what you are doing, '''incorrect settings will compromise security on your server.'''
 
If you wish to make changes beyond those provided for by the server manager, you can do so by setting DB records or providing custom templates. Only make these changes if you are sure you know what you are doing, '''incorrect settings will compromise security on your server.'''
  
===FAQs===
+
==FAQs==
 
*I want to have two WAN addresses; one for the SMESERVER and another that needs to be treated like a "Local Network". I can't set any address from the WAN subnet as a "Local Network".
 
*I want to have two WAN addresses; one for the SMESERVER and another that needs to be treated like a "Local Network". I can't set any address from the WAN subnet as a "Local Network".
  
 
This is intended behaviour as SMESERVER is secure by design. If you need to do something like this, you should know what you are doing and understand what to poke under the covers.
 
This is intended behaviour as SMESERVER is secure by design. If you need to do something like this, you should know what you are doing and understand what to poke under the covers.
  
===DB Settings===
+
==DB Settings==
*How do I allow public access to a service I've added to SME Server 7?
+
*How do I allow public access to a service I've added to SME Server?
The procedure has changed and is now much simpler in SME Server 7. For this example the service you have installed is called 'manta' and 'nnn' is the TCP port number that needs to be opened. Watch your capitalization with the command below:
+
For this example the service you have installed is called 'manta' and 'nnn' is the TCP port number that needs to be opened. Watch your capitalization with the command below:
 
    
 
    
 
   config set manta service access public status enabled TCPPort nnn
 
   config set manta service access public status enabled TCPPort nnn
Line 32: Line 32:
 
  signal-event post-upgrade
 
  signal-event post-upgrade
 
  signal-event reboot
 
  signal-event reboot
 +
===Additional information on customizing iptables===
 +
Create a custom-named service definition in the configuration database. you can see the [[DB_Variables_Configuration#Additional_information_on_customizing_iptables|DB configuration]]
 +
 +
db configuration set <servicename> service
 +
 +
Apply your desired firewall restrictions to any existing SME 'service' or to a custom-named service that you have created. Combine a custom-named service with port-forwarding to create customized firewall rules.
 +
 +
db configuration setprop <servicename> TCPPort <portnumber>
 +
db configuration setprop <servicename> TCPPorts <portnumbers>
 +
db configuration setprop <servicename> UDPPort <portnumber>
 +
db configuration setprop <servicename> UDPPorts <portnumbers>
 +
db configuration setprop <servicename> status enabled|disabled
 +
db configuration setprop <servicename> access public|private
 +
db configuration setprop <servicename> AllowHosts a.b.c.d,x.y.z.0/24
 +
db configuration setprop <servicename> DenyHosts e.f.g.h,l.m.n.0/24
 +
 +
Effectuate the changes you have made
 +
signal-event remoteaccess-update
 +
 +
{| border="1" width="100%" cellspacing="0" cellpadding="5"
 +
|+Affected file: /etc/rc.d/init.d/masq
 +
!Variable
 +
!Target
 +
!Default
 +
!Expected values
 +
|-
 +
|TCPPort
 +
| --proto tcp --dport <Ports>
 +
|Pre-configured for default services; no default for custom services
 +
|empty or a numerical or coma separated numbers 
 +
|-
 +
|TCPPorts
 +
| --proto tcp --dports <Ports>
 +
|No default for custom services; Ranges of ports are defined with a : not a -
 +
|empty or a numerical or coma separated numbers 
 +
|-
 +
|UDPPort
 +
| --proto udp --dport <Ports>
 +
|Pre-configured for default services; no default for custom services
 +
|empty or a numerical or coma separated numbers 
 +
|-
 +
|UDPPorts
 +
| --proto udp --dports <Ports>
 +
|No default for custom services; Ranges of ports are defined with a : not a -
 +
|empty or a numerical or coma separated numbers 
 +
|-
 +
|status
 +
| enabled | disabled
 +
|AllowHosts is set to "" (an empty string) unless the status is 'enabled'
 +
|'enabled' or 'disabled'
 +
|-
 +
|access
 +
| public | private
 +
|AllowHosts is set to "" (an empty string) unless access is 'public'
 +
|'private' for localhost and local network only (Server and gateway mode), 'public' for everywhere, 'localhost' for localhost only
 +
|-
 +
|AllowHosts
 +
| --src ..... --jump ACCEPT
 +
|Pre-configured for default services; no default for custom services.  Default is '0.0.0.0/0' if service is ''enabled'' and ''public''.
 +
|IP and netmask  with this format 0.0.0.0/0, or coma separated list of these elements
 +
|-
 +
|DenyHosts
 +
| --src ..... --jump denylog
 +
|Pre-configured for default services; no default for custom services.  If 'DenyHosts' is empty or does not exist then there are no '... --jump denylog' entries created in /etc/init.d/masq.
 +
|IP and netmask  with this format 0.0.0.0/0, or coma separated list of these elements
 +
|}
 +
 +
==Custom templates==
 +
===Block incoming IP address===
  
===Custom templates===
 
====Block incoming IP address====
 
 
*I want to block All traffic from some ip-addresses to my server.
 
*I want to block All traffic from some ip-addresses to my server.
 +
 +
====Manual Method====
 +
 
Create a custom template and list the IP's
 
Create a custom template and list the IP's
 
  mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
 
  mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
 
  nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
 
  nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
 +
 +
Now add the IP's you wish to block to the newly create file in the following format.
 +
 
  /sbin/iptables -A INPUT -s 69.212.12.76/32 -j DROP
 
  /sbin/iptables -A INPUT -s 69.212.12.76/32 -j DROP
 
  /sbin/iptables -A INPUT -s 88.28.215.11/32 -j DROP
 
  /sbin/iptables -A INPUT -s 88.28.215.11/32 -j DROP
Line 45: Line 118:
 
  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
 
  /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
 
  /etc/init.d/masq restart
 
  /etc/init.d/masq restart
 +
 
 +
To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column.
 +
  iptables -L INPUT -v -n
 +
 +
====Automated method====
 +
 +
The above can be automated slightly.
 +
 +
First lets create a key where we can add IPs that we want to block:
 +
 +
config set ipblock configuration status enabled DenyHosts 208.100.26.0/24 logging disabled
 +
 +
As above, create the following template:
  
====Block outgoing IPs or mac addresses====
+
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
 +
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
 +
 
 +
Paste this code:
 +
 
 +
{
 +
    use esmith::ConfigDB;
 +
    my $db = esmith::ConfigDB->open_ro
 +
        || die 'Could not open configuration database';
 +
    # Completely block any riff raff
 +
    if ( ( my $status = $db->get_prop( 'ipblock', 'status' ) ) eq 'enabled' )
 +
    {
 +
        my $DenyHosts = $db->get_prop( 'ipblock', 'DenyHosts' ) ||  <nowiki>''</nowiki>'';
 +
        if ( $DenyHosts ne  <nowiki>''</nowiki> ) {
 +
            my $logging = $db->get_prop( 'ipblock', 'logging' ) || 'disabled';
 +
            foreach my $host ( split( ',', $DenyHosts ) ) {
 +
                $OUT .= "\n";
 +
                $OUT .= "# Simple ipblock for riff raff\n\n";
 +
                if ( $logging eq 'enabled' ) {
 +
                    $OUT .= "/sbin/iptables -A INPUT -s $host -j denylog\n";
 +
                }
 +
                else {
 +
                    $OUT .= "/sbin/iptables -A INPUT -s $host -j DROP\n";
 +
                }
 +
            }
 +
            $OUT .= "\n";
 +
        }
 +
        else {
 +
            $OUT .= "# ipblock no DenyHosts set\n";
 +
        }
 +
    }
 +
    else {
 +
        $OUT .= "# ipblock disabled\n";
 +
    }
 +
}
 +
 
 +
You can add multiple addresses separated by commas:
 +
 +
config setprop ipblock DenyHosts 208.100.26.0/24,1.2.3.4,5.6.0.0/16
 +
 
 +
You can disable this blocking with:
 +
 
 +
config setprop ipblock status disabled
 +
 
 +
If you want to log the dropped packets rather than just drop them:
 +
 
 +
config setprop ipblock logging enabled
 +
 
 +
Then expand and restart your firewall:
 +
 
 +
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
 +
/etc/init.d/masq restart
 +
 
 +
===Block outgoing IPs or mac addresses===
 
This section needs improvement.
 
This section needs improvement.
  
Line 76: Line 215:
 
  iptables -L
 
  iptables -L
  
====Block outgoing ports====
+
===Block outgoing ports===
 
*I want to block outgoing traffic from my server.
 
*I want to block outgoing traffic from my server.
  
Line 109: Line 248:
 
  /etc/init.d/masq restart
 
  /etc/init.d/masq restart
  
====Bypass Proxy====
+
===Bypass Proxy===
 
*You have Transparent Proxy enabled (the default) but want to allow this to be selectively bypassed.
 
*You have Transparent Proxy enabled (the default) but want to allow this to be selectively bypassed.
  
Line 151: Line 290:
 
  signal-event reboot
 
  signal-event reboot
  
===Open Ports in Private Server/Gateway Mode===
+
==Open Ports in Private Server/Gateway Mode==
 
*I want to hide all ports, so I put my SMESERVER in PRIVATE SERVER/GATEWAY mode. I can still see some ports are open.
 
*I want to hide all ports, so I put my SMESERVER in PRIVATE SERVER/GATEWAY mode. I can still see some ports are open.
  
Line 174: Line 313:
  
 
<noinclude>
 
<noinclude>
 +
 +
 
----
 
----
 
[[Category:Howto]]
 
[[Category:Howto]]
[[Category:Administration]]</noinclude>
+
[[Category:Administration]]
 +
[[Category:Security]]
 +
</noinclude>

Latest revision as of 12:30, 9 March 2022

Is this article helpful to you?
Please consider donating or volunteering
Thank you!

The server manager is the GUI front end for the firewall. The firewall is modified automatically in response to changes you make in the configuration, such as enabling/disabling services, marking them public/private, forwarding ports, etc.

If you wish to make changes beyond those provided for by the server manager, you can do so by setting DB records or providing custom templates. Only make these changes if you are sure you know what you are doing, incorrect settings will compromise security on your server.

FAQs

  • I want to have two WAN addresses; one for the SMESERVER and another that needs to be treated like a "Local Network". I can't set any address from the WAN subnet as a "Local Network".

This is intended behaviour as SMESERVER is secure by design. If you need to do something like this, you should know what you are doing and understand what to poke under the covers.

DB Settings

  • How do I allow public access to a service I've added to SME Server?

For this example the service you have installed is called 'manta' and 'nnn' is the TCP port number that needs to be opened. Watch your capitalization with the command below:

 config set manta service access public status enabled TCPPort nnn

For UDP services, use UDPPort instead of TCPPort.

If you need to open multiple ports for one service you can use TCPPorts and UDPPorts. Port numbers are seperated with a comma, but without a space. Note that ranges of ports are defined with a : between the numbers in this case, instead of a -.

Note that you can also set restrictions with AllowHosts and DenyHosts:

 config setprop manta AllowHosts 1.2.3.4,10.11.12.0/24 
 config setprop manta DenyHosts 16.17.18.18
 

Then, to activate, do:

 signal-event remoteaccess-update
  • I want to block traffic from some ip-addresses to my server on some port.
config setprop httpd-e-smith DenyHosts a.b.c.d,w.x.y.z
signal-event post-upgrade
signal-event reboot

Additional information on customizing iptables

Create a custom-named service definition in the configuration database. you can see the DB configuration

db configuration set <servicename> service

Apply your desired firewall restrictions to any existing SME 'service' or to a custom-named service that you have created. Combine a custom-named service with port-forwarding to create customized firewall rules.

db configuration setprop <servicename> TCPPort <portnumber>
db configuration setprop <servicename> TCPPorts <portnumbers>
db configuration setprop <servicename> UDPPort <portnumber>
db configuration setprop <servicename> UDPPorts <portnumbers>
db configuration setprop <servicename> status enabled|disabled
db configuration setprop <servicename> access public|private
db configuration setprop <servicename> AllowHosts a.b.c.d,x.y.z.0/24
db configuration setprop <servicename> DenyHosts e.f.g.h,l.m.n.0/24

Effectuate the changes you have made

signal-event remoteaccess-update
Affected file: /etc/rc.d/init.d/masq
Variable Target Default Expected values
TCPPort --proto tcp --dport <Ports> Pre-configured for default services; no default for custom services empty or a numerical or coma separated numbers
TCPPorts --proto tcp --dports <Ports> No default for custom services; Ranges of ports are defined with a : not a - empty or a numerical or coma separated numbers
UDPPort --proto udp --dport <Ports> Pre-configured for default services; no default for custom services empty or a numerical or coma separated numbers
UDPPorts --proto udp --dports <Ports> No default for custom services; Ranges of ports are defined with a : not a - empty or a numerical or coma separated numbers
status disabled AllowHosts is set to "" (an empty string) unless the status is 'enabled' 'enabled' or 'disabled'
access private AllowHosts is set to "" (an empty string) unless access is 'public' 'private' for localhost and local network only (Server and gateway mode), 'public' for everywhere, 'localhost' for localhost only
AllowHosts --src ..... --jump ACCEPT Pre-configured for default services; no default for custom services. Default is '0.0.0.0/0' if service is enabled and public. IP and netmask with this format 0.0.0.0/0, or coma separated list of these elements
DenyHosts --src ..... --jump denylog Pre-configured for default services; no default for custom services. If 'DenyHosts' is empty or does not exist then there are no '... --jump denylog' entries created in /etc/init.d/masq. IP and netmask with this format 0.0.0.0/0, or coma separated list of these elements

Custom templates

Block incoming IP address

  • I want to block All traffic from some ip-addresses to my server.

Manual Method

Create a custom template and list the IP's

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

Now add the IP's you wish to block to the newly create file in the following format.

/sbin/iptables -A INPUT -s 69.212.12.76/32 -j DROP
/sbin/iptables -A INPUT -s 88.28.215.11/32 -j DROP

expand and restart

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
  

To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column.

 iptables -L INPUT -v -n

Automated method

The above can be automated slightly.

First lets create a key where we can add IPs that we want to block:

config set ipblock configuration status enabled DenyHosts 208.100.26.0/24 logging disabled

As above, create the following template:

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

Paste this code:

{
   use esmith::ConfigDB;
   my $db = esmith::ConfigDB->open_ro
       || die 'Could not open configuration database';
   # Completely block any riff raff
   if ( ( my $status = $db->get_prop( 'ipblock', 'status' ) ) eq 'enabled' )
   {
       my $DenyHosts = $db->get_prop( 'ipblock', 'DenyHosts' ) ||  '';
       if ( $DenyHosts ne  '' ) {
           my $logging = $db->get_prop( 'ipblock', 'logging' ) || 'disabled';
           foreach my $host ( split( ',', $DenyHosts ) ) {
               $OUT .= "\n";
               $OUT .= "# Simple ipblock for riff raff\n\n";
               if ( $logging eq 'enabled' ) {
                   $OUT .= "/sbin/iptables -A INPUT -s $host -j denylog\n";
               }
               else {
                   $OUT .= "/sbin/iptables -A INPUT -s $host -j DROP\n";
               }
           }
           $OUT .= "\n";
       }
       else {
           $OUT .= "# ipblock no DenyHosts set\n";
       }
   }
   else {
       $OUT .= "# ipblock disabled\n";
   }
}

You can add multiple addresses separated by commas:

config setprop ipblock DenyHosts 208.100.26.0/24,1.2.3.4,5.6.0.0/16

You can disable this blocking with:

config setprop ipblock status disabled

If you want to log the dropped packets rather than just drop them:

config setprop ipblock logging enabled

Then expand and restart your firewall:

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

Block outgoing IPs or mac addresses

This section needs improvement.

See this forum post for clues re doing this, based in part on the concept of blocking incming traffic from specific external IPs.

http://forums.contribs.org/index.php/topic,46036.0/all.html

Formulation of suitable iptables rules will be required, use

man iptables

The template fragment needs to be placed in the right order, so that other rules do not negate the rule eg

20blockIP

Example: To block access based on the mac address of the NIC of the wokstation (not on IP)

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/20Blockmac

Add the following code to the fragment and save

/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

(Replace XX.XX.XX.XX.XX.XX with actual mac address)

expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

Check that blocking works as expected

To see the iptables that are in effect on your server, issue the command

iptables --list

or

iptables -L

Block outgoing ports

  • I want to block outgoing traffic from my server.

These commands are based on http://bugs.contribs.org/show_bug.cgi?id=2977

Please check for the latest attachments (custom template fragments) to this bug.

At present, traffic is only blocked if it originates on the primary local network. No processing is performed on traffic addressed to the LAN IP, WAN IP or loopback address of the SME.

Download custom templates and configure ports with db command

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
wget -O 91adjustPortBlocks http://bugs.contribs.org/attachment.cgi?id=1395
wget -O 42SetupPortBlocks http://bugs.contribs.org/attachment.cgi?id=1389

Create desired db entries to suit the ports & protocols you want to block

config setprop masq TCPBlocks address:port
config setprop masq UDPBlocks address:port

eg to block all outbound traffic except that passed by the smtp & httpd proxies

config setprop masq TCPBlocks 0.0.0.0/0:1-65535
config setprop masq UDPBlocks 0.0.0.0/0:1-65535

eg to leave open some ports ie 222 & 2000-2010, block in ranges

config setprop masq TCPBlocks 0.0.0.0/0:1-221,0.0.0.0/0:223-1999,0.0.0.0/0:2011-65535

Update the config changes and restart masq

signal-event remoteaccess-update
/etc/init.d/masq restart

Bypass Proxy

  • You have Transparent Proxy enabled (the default) but want to allow this to be selectively bypassed.

These commands are based on http://bugs.contribs.org/show_bug.cgi?id=2374

Please check for the latest attachments (custom template fragments) to this bug.

Download custom templates and configure ports with db command

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
wget -O 35transproxy http://bugs.contribs.org/attachment.cgi?id=1410
wget -O 90adjustTransProxy http://bugs.contribs.org/attachment.cgi?id=2178

Create desired db entries for the clients or sites you want to allow

config setprop squid BypassProxyTo   162.23.23.125
config setprop squid BypassProxyFrom a.b.c.d,x.y.z.0/0
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

If the setting changes do not appear to take effect, do the following

signal-event reboot

To add a BypassProxyFrom IP & retain existing IPs without re-entering them, do the following

config setprop squid BypassProxyFrom a.b.c.d,$(config getprop squid BypassProxyFrom)
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

Followed if necessary by

signal-event reboot

To remove a specific entry but leave other existing entries unchanged

config setprop squid BypassProxyFrom \
$(config getprop squid BypassProxyFrom | \
sed -e 's/entry-to-be-removed//' -e 's/^,//' -e 's/,$//' -e 's/,,//')

where entry-to-be-removed is the IP to be removed

Note: The first sed is to remove the entry, the last second is to remove the comma at the beginning, the second for a comma at the end and the last to remove the double comma when an entry is removed at the middle of the list.

Disable bypass:

config delprop squid BypassProxyFrom
config delprop squid BypassProxyTo
expand-template /etc/rc.d/init.d/masq
service masq restart
signal-event reboot

Open Ports in Private Server/Gateway Mode

  • I want to hide all ports, so I put my SMESERVER in PRIVATE SERVER/GATEWAY mode. I can still see some ports are open.

Certain services are still open on the WAN interface in PRIVATE SERVER/GATEWAY mode. Those services can be set to absolute private from the command line by:

config setprop masq Stealth yes
config setprop ftp access private
config setprop smtpd access private
config setprop dnscache access private
config setprop httpd-e-smith access private
config setprop oidentd access private
config setprop modSSL access private
config setprop ssmtpd access private
config setprop sshd access private
config setprop imaps access private
config setprop ldap access private
config setprop pop3 access private
config setprop pop3s access private
config setprop nmbd access private
config setprop smbd access private
signal-event post-upgrade
signal-event reboot