Firewall

From SME Server
Jump to navigationJump to search

Firewall

The server manager is the GUI front end for the firewall. The firewall is modified automatically in response to changes you make in the configuration, such as enabling/disabling services, marking them public/private, forwarding ports, etc.

If you wish to make changes beyond those provided for by the server manager, you can do so by setting DB records or providing custom templates. Only make these changes if you are sure you know what you are doing, incorrect settings will compromise security on your server.

FAQs

  • I want to have two WAN addresses; one for the SMESERVER and another that needs to be treated like a "Local Network". I can't set any address from the WAN subnet as a "Local Network".

This is intended behaviour as SMESERVER is secure by design. If you need to do something like this, you should know what you are doing and understand what to poke under the covers.


DB Settings

  • How do I allow public access to a service I've added to SME Server 7?

The procedure has changed and is now much simpler in SME Server 7. For this example the service you have installed is called 'manta' and 'nnn' is the TCP port number that needs to be opened. Watch your capitalization with the command below:

 config set manta service access public status enabled TCPPort nnn

For UDP services, use UDPPort instead of TCPPort. Note that you can also set restrictions with AllowHosts and DenyHosts:

 config setprop manta AllowHosts 1.2.3.4,10.11.12.0/24 
 config setprop manta DenyHosts 16.17.18.18
 

Then, to activate, do:

 signal-event remoteaccess-update


  • I want to block traffic from some ip-addresses to my server on some port.
config setprop httpd-e-smith DenyHosts a.b.c.d,w.x.y.z
signal-event post-upgrade
signal-event reboot


Custom templates

Block incoming IP address

  • I want to block All traffic from some ip-addresses to my server.

Create a custom template and list the IP's

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
/sbin/iptables -A INPUT -s 69.212.12.76/32 -j DROP
/sbin/iptables -A INPUT -s 88.28.215.11/32 -j DROP

expand and restart

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart


Block outgoing ports

  • I want to block outgoing traffic from my server.

These commands are based on http://bugs.contribs.org/show_bug.cgi?id=2977

Please check for the latest attachments (custom template fragments) to this bug.

At present, traffic is only blocked if it originates on the primary local network. No processing is performed on traffic addressed to the LAN IP, WAN IP or loopback address of the SME.

Download custom templates and configure ports with db command

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
wget -O 91adjustPortBlocks http://bugs.contribs.org/attachment.cgi?id=1395
wget -O 42SetupPortBlocks http://bugs.contribs.org/attachment.cgi?id=1389

Create desired db entries to suit the ports & protocols you want to block

config setprop masq TCPBlocks address:port
config setprop masq UDPBlocks address:port

eg to block all outbound traffic except that passed by the smtp & httpd proxies

config setprop masq TCPBlocks 0.0.0.0/0:1-65535
config setprop masq UDPBlocks 0.0.0.0/0:1-65535

eg to leave open some ports ie 222 & 2000-2010, block in ranges

config setprop masq TCPBlocks 0.0.0.0/0:1-221,0.0.0.0/0:223-1999,0.0.0.0/0:2011-65535

Update the config changes and restart masq

signal-event remoteaccess-update
/etc/init.d/masq restart

Bypass Proxy

  • You have Transparent Proxy enabled (the default) but want to allow this to be selectively bypassed.

These commands are based on http://bugs.contribs.org/show_bug.cgi?id=2274

Please check for the latest attachments (custom template fragments) to this bug.

Download custom templates and configure ports with db command

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
wget -O 35transproxy http://bugs.contribs.org/attachment.cgi?id=1410
wget -O 90adjustTransProxy http://bugs.contribs.org/attachment.cgi?id=1411

Create desired db entries for the clients or sites you want to allow

config setprop squid BypassProxyTo   162.23.23.125
config setprop squid BypassProxyFrom a.b.c.d,x.y.z.0/0
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

Disable squid proxy bypass:

config delprop squid BypassProxyFrom
config delprop squid BypassProxyTo
expand-template /etc/rc.d/init.d/masq
service masq restart