Difference between revisions of "Firewall"
(Presentation formatting for FAQ)
Revision as of 23:54, 11 February 2013
The server manager is the GUI front end for the firewall. The firewall is modified automatically in response to changes you make in the configuration, such as enabling/disabling services, marking them public/private, forwarding ports, etc.
If you wish to make changes beyond those provided for by the server manager, you can do so by setting DB records or providing custom templates. Only make these changes if you are sure you know what you are doing, incorrect settings will compromise security on your server.
FAQs
- I want to have two WAN addresses; one for the SMESERVER and another that needs to be treated like a "Local Network". I can't set any address from the WAN subnet as a "Local Network".
This is intended behaviour as SMESERVER is secure by design. If you need to do something like this, you should know what you are doing and understand what to poke under the covers.
DB Settings
- How do I allow public access to a service I've added to SME Server 7?
The procedure has changed and is now much simpler in SME Server 7. For this example the service you have installed is called 'manta' and 'nnn' is the TCP port number that needs to be opened. Watch your capitalization with the command below:
config set manta service access public status enabled TCPPort nnn
For UDP services, use UDPPort instead of TCPPort.
If you need to open multiple ports for one service you can use TCPPorts and UDPPorts. Port numbers are separated with a comma, but without a space. Note that ranges of ports are defined with a : between the numbers in this case, instead of a -.
Note that you can also set restrictions with AllowHosts and DenyHosts:
config setprop manta AllowHosts 1.2.3.4,10.11.12.0/24
config setprop manta DenyHosts 16.17.18.18
Then, to activate, do:
signal-event remoteaccess-update
- I want to block traffic from some ip-addresses to my server on some port.
config setprop httpd-e-smith DenyHosts a.b.c.d,w.x.y.z
signal-event post-upgrade
signal-event reboot
Custom templates
Block incoming IP address
- I want to block All traffic from some ip-addresses to my server.
Create a custom template and list the IP's
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
Now add the IP's you wish to block to the newly created file in the following format.
/sbin/iptables -A INPUT -s 69.212.12.76/32 -j DROP
/sbin/iptables -A INPUT -s 88.28.215.11/32 -j DROP
Expand the template and restart masq
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column.
iptables -L INPUT -v -n
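As an added example (not from the SME Server wiki), the following POSIX sh helpers generate the body of a 40DenyRiffRaff-style fragment from a list of addresses, refusing anything that is not a valid IPv4 address or CIDR (a malformed line makes the expanded masq script fail on restart), and check the running rules for addresses that still have no DROP; the iptables output used is constructed, and only sh and awk are assumed.

```shell
# Added example, not from the SME Server wiki: validate addresses, emit the
# DROP lines for the custom fragment, and audit "iptables -L INPUT -v -n".
# Assumes POSIX sh and awk; the iptables output below is constructed.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F/ '
        NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 > 32) { exit 1 }
        {
            if (split($1, o, ".") != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) exit 1
            exit 0
        }'
}

# Print one DROP rule per address, as the wiki fragment does (/32 is added
# to bare addresses). Fails without any output on the first invalid entry.
deny_fragment() {
    rules=""
    for ip in "$@"; do
        is_ipv4_cidr "$ip" || { echo "invalid address: $ip" >&2; return 1; }
        case $ip in */*) ;; *) ip="$ip/32" ;; esac
        rules="$rules/sbin/iptables -A INPUT -s $ip -j DROP
"
    done
    printf '%s' "$rules"
}

# Read "iptables -L INPUT -v -n" output on stdin and print each given
# address that is not the source (column 8) of a DROP rule; iptables shows
# a /32 host without its mask. Prints nothing when every address is blocked.
missing_drops() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        $3 == "DROP" { seen[$8] = 1 }
        END { for (i = 1; i <= n; i++) if (!seen[w[i]]) print w[i] }'
}

# Constructed sample of "iptables -L INPUT -v -n" after only one rule took effect.
sample_iptables_input='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DROP       all  --  *      *       69.212.12.76         0.0.0.0/0
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'
```

Run `deny_fragment` with your list to produce the fragment body, and pipe the real `iptables -L INPUT -v -n` output into `missing_drops` with the same list after `masq` restarts.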
Block outgoing IPs or mac addresses
This section needs improvement.
See this forum post for clues on doing this, based in part on the concept of blocking incoming traffic from specific external IPs.
http://forums.contribs.org/index.php/topic,46036.0/all.html
Formulation of suitable iptables rules will be required, use
man iptables
The template fragment must sort into the right position among the other fragments (its name sets the order, e.g. 20blockIP) so that later rules do not negate it.
Example: To block access based on the MAC address of the NIC of the workstation (not on IP)
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/20Blockmac
Add the following code to the fragment and save
/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
(Replace XX:XX:XX:XX:XX:XX with the actual MAC address)
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
Check that blocking works as expected
To see the iptables that are in effect on your server, issue the command
iptables --list
or
iptables -L
Block outgoing ports
- I want to block outgoing traffic from my server.
These commands are based on http://bugs.contribs.org/show_bug.cgi?id=2977
Please check for the latest attachments (custom template fragments) to this bug.
At present, traffic is only blocked if it originates on the primary local network. No processing is performed on traffic addressed to the LAN IP, WAN IP or loopback address of the SME.
Download the custom templates and configure the ports with db commands
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
wget -O 91adjustPortBlocks http://bugs.contribs.org/attachment.cgi?id=1395
wget -O 42SetupPortBlocks http://bugs.contribs.org/attachment.cgi?id=1389
Create the db entries to suit the ports and protocols you want to block
config setprop masq TCPBlocks address:port
config setprop masq UDPBlocks address:port
e.g. to block all outbound traffic except that passed by the smtp and httpd proxies
config setprop masq TCPBlocks 0.0.0.0/0:1-65535
config setprop masq UDPBlocks 0.0.0.0/0:1-65535
e.g. to leave some ports open (222 and 2000-2010), block the ranges around them
config setprop masq TCPBlocks 0.0.0.0/0:1-221,0.0.0.0/0:223-1999,0.0.0.0/0:2011-65535
Update the config changes and restart masq
signal-event remoteaccess-update
/etc/init.d/masq restart
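Working out the block ranges by hand gets error-prone once more than a couple of ports must stay open. As an added example (not from the SME Server wiki and not part of the 42SetupPortBlocks fragment), this POSIX sh function computes the TCPBlocks or UDPBlocks value from an allow-list of ports and prints the db commands shown above; it assumes only sh, sort and awk, and an empty allow-list yields the block-everything value.

```shell
# Added example, not from the SME Server wiki: compute the masq TCPBlocks /
# UDPBlocks value that blocks every outbound port except an allow-list, in
# the "0.0.0.0/0:lo-hi,..." form the wiki shows. Assumes POSIX sh, sort, awk.
# Usage: blocks_for_allowed "222 2000-2010"
blocks_for_allowed() {
    allowed=$1
    # Normalise every entry to "lo hi" (a single port becomes "p p"), sort
    # numerically, then emit one block range for each gap between allowed
    # ranges. Overlapping or duplicate entries are tolerated.
    for spec in $allowed; do
        case $spec in
            *-*) echo "${spec%-*} ${spec#*-}" ;;
            *)   echo "$spec $spec" ;;
        esac
    done | sort -n -k1,1 -k2,2 | awk -v net="0.0.0.0/0" '
        BEGIN { next_free = 1; out = ""; bad = 0 }
        {
            lo = $1 + 0; hi = $2 + 0
            if (lo < 1 || hi > 65535 || lo > hi) { bad = 1; exit }
            if (lo > next_free)
                out = out (out == "" ? "" : ",") net ":" next_free "-" (lo - 1)
            if (hi + 1 > next_free) next_free = hi + 1
        }
        END {
            if (bad) exit 2
            if (next_free <= 65535)
                out = out (out == "" ? "" : ",") net ":" next_free "-" 65535
            print out
        }'
}

# Print the db commands from the wiki with the computed value filled in.
# If every port is allowed there is nothing to block, so the property is
# deleted instead of being set to an empty string.
port_block_commands() {
    proto=${2:-TCP}
    value=$(blocks_for_allowed "$1") || return 1
    if [ -z "$value" ]; then
        printf 'config delprop masq %sBlocks\n' "$proto"
    else
        printf 'config setprop masq %sBlocks %s\n' "$proto" "$value"
    fi
    printf 'signal-event remoteaccess-update\n/etc/init.d/masq restart\n'
}
```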
Bypass Proxy
- You have Transparent Proxy enabled (the default) but want to allow this to be selectively bypassed.
These commands are based on http://bugs.contribs.org/show_bug.cgi?id=2374
Please check for the latest attachments (custom template fragments) to this bug.
Download custom templates and configure ports with db command
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
wget -O 35transproxy http://bugs.contribs.org/attachment.cgi?id=1410
wget -O 90adjustTransProxy http://bugs.contribs.org/attachment.cgi?id=2178
Create desired db entries for the clients or sites you want to allow
config setprop squid BypassProxyTo 162.23.23.125
config setprop squid BypassProxyFrom a.b.c.d,x.y.z.0/0
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
If the setting changes do not appear to take effect, do the following
signal-event reboot
To add a BypassProxyFrom IP & retain existing IPs without re-entering them, do the following
config setprop squid BypassProxyFrom a.b.c.d,$(config getprop squid BypassProxyFrom)
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
Followed if necessary by
signal-event reboot
To remove a specific entry but leave other existing entries unchanged
config setprop squid BypassProxyFrom \
  $(config getprop squid BypassProxyFrom | \
  sed -e 's/entry-to-be-removed//' -e 's/^,//' -e 's/,$//' -e 's/,,/,/')
where entry-to-be-removed is the IP to be removed
Note: the first sed expression removes the entry, the second removes a comma left at the beginning, the third a comma left at the end, and the last collapses the double comma left when an entry is removed from the middle of the list into a single comma (deleting both commas would join the two neighbouring entries).
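The sed approach treats the entry as an unanchored regular expression, so a dot matches any character and removing 10.1.1.1 also mangles 10.1.1.10 if that sits earlier in the list. As an added example (not from the SME Server wiki), this POSIX sh helper compares whole comma-separated fields instead and prints the db command to run, deleting the property when the list becomes empty; the wiki's sed variant is kept only to show the pitfall on constructed data, and only sh, awk and sed are assumed.

```shell
# Added example, not from the SME Server wiki: remove one exact entry from a
# comma-separated list such as squid BypassProxyFrom. Assumes POSIX sh, awk, sed.
list_remove_entry() {
    printf '%s\n' "$1" | awk -F, -v e="$2" '
        {
            s = ""
            for (i = 1; i <= NF; i++)
                if ($i != "" && $i != e) s = s (s == "" ? "" : ",") $i
            print s
        }'
}

# The wiki approach, kept only to show the pitfall: the entry is used as an
# unanchored regex, so 10.1.1.1 also matches the first eight characters of
# 10.1.1.10 (and an entry containing "/" would break the sed delimiter).
sed_remove_entry() {
    printf '%s\n' "$1" | sed -e "s/$2//" -e 's/^,//' -e 's/,$//' -e 's/,,/,/'
}

# Command to run for the new value; an emptied list is deleted, as in the
# "Disable bypass" step, rather than set to an empty string.
bypass_from_update_cmd() {
    new=$(list_remove_entry "$1" "$2")
    if [ -z "$new" ]; then
        printf 'config delprop squid BypassProxyFrom\n'
    else
        printf 'config setprop squid BypassProxyFrom %s\n' "$new"
    fi
}
```

On a live server the first argument would be `$(config getprop squid BypassProxyFrom)`, followed by the expand-template and masq restart steps above.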
Disable bypass:
config delprop squid BypassProxyFrom
config delprop squid BypassProxyTo
expand-template /etc/rc.d/init.d/masq
service masq restart
signal-event reboot
Open Ports in Private Server/Gateway Mode
- I want to hide all ports, so I put my SMESERVER in PRIVATE SERVER/GATEWAY mode. I can still see some ports are open.
Certain services are still open on the WAN interface in PRIVATE SERVER/GATEWAY mode. Those services can be made fully private from the command line by:
config setprop masq Stealth yes
config setprop ftp access private
config setprop smtpd access private
config setprop dnscache access private
config setprop httpd-e-smith access private
config setprop oidentd access private
config setprop modSSL access private
config setprop ssmtpd access private
config setprop sshd access private
config setprop imaps access private
config setprop ldap access private
config setprop pop3 access private
config setprop pop3s access private
config setprop nmbd access private
config setprop smbd access private
signal-event post-upgrade
signal-event reboot