Hi
Interesting approach! Not exactly "best practices" or the "pure firewall theory", but usable and workable.
I do use a few SME Servers at clients and friends due to either space / heat / budget restrictions as firewall, mostly with OpenVPN - and all work great so far!
I've also installed VMWare Server on a few clients' Windows 2003 Servers running Exchange 2003, and installed SME in VMWare as a Spam-Pass-Thru-Filter. Also works great and gets happy clients due to vastly reduced spam. Here, there is usually a hardware box doing the firewalling and port-forwarding (25 for smtp now to VM-SME instead of Exchange...), in most cases a SonicWall. Here the main reasons are the same as above, space / heat / budget...
I do prefer and advise using a dedicated box as SME, and a dedicated firewall (Yes, I know that the Spam test for your own external IP won't work...), but it is a secure, stable and flexible solution that doesn't cost the world.
A combined box is popular for Home or SoHo environments, where space, noise, heat, power consumption, budget, waf (wife acceptance factor) can be issues, but - for somewhat secure environments, the following should be given some thought:
- Is stuff like Appletalk File Server or Windows File Server really a good idea on a firewall?
- Do I really want to offer a potential hacker the opportunity of hiding behind my own proxy server?
- Was I simply too lazy to remove GCC?
On the other hand, best practices suggest using a rather spartan box as firewall, only accessible from the inside using secured connections or none at all. No DHCP / DNS server or other stuff not really needed in a firewall. And - most important of all - no uncontrolled access to the outside from a PC client. That means:
- Web and FTP access only via a secured proxy server.
- No SMTP / POP3 / IMAP access to the internet except by the In-House mail server (SME, of course!).
- No outgoing traffic from clients (Skype, P2P, IRC, DNS), not even ping.
The in-house server might be exempted from part of the rules, to allow for diagnosis and other things.
Just my 2 cents on security issues...
Andy
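The egress policy Andy lists above (web and FTP only via the proxy, mail protocols only from the in-house mail server, nothing else from clients, not even ping, with the mail server partly exempted for diagnostics), written out as an iptables FORWARD chain. This is an added example, not code from the original post or from the SME Server project; the interfaces and addresses (eth0/eth1, 192.168.1.0/24, proxy at 192.168.1.10, mail server at 192.168.1.20) are constructed for illustration.

```shell
#!/bin/sh
# Added example: spartan-gateway egress policy. Addresses and interfaces below
# are assumptions (constructed), adjust to the real LAN before applying.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24
PROXY=192.168.1.10        # assumed proxy host (web/FTP leaves only from here)
MAILHOST=192.168.1.20     # assumed in-house mail server (SME)

# With DRY_RUN=1 the commands are printed instead of executed, so the whole
# rule set can be reviewed before it touches a live gateway.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

egress_rules() {
    # Default deny: nothing crosses LAN -> WAN unless a rule below allows it.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Replies for connections the gateway already accepted.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Web and FTP: only the proxy host may open these to the outside.
    for port in 80 443 21; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY" -p tcp --dport "$port" -j ACCEPT
    done
    # SMTP / POP3 / IMAP (plain and TLS): only the in-house mail server.
    for port in 25 110 143 993 995; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAILHOST" -p tcp --dport "$port" -j ACCEPT
    done
    # Diagnostic exemption for the server only: DNS lookups and ping.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAILHOST" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAILHOST" -p icmp --icmp-type echo-request -j ACCEPT
    # Everything else from clients (Skype, P2P, IRC, direct DNS, ping) is
    # logged and dropped; the log line is what shows a client bypass attempt.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j LOG --log-prefix "EGRESS-DROP "
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j DROP
}

# Number of commands the policy issues, handy as a quick sanity check
# when the rule set is edited.
count_rules() {
    ( DRY_RUN=1; egress_rules ) | wc -l | tr -d ' '
}

# Run as `DRY_RUN=1 sh egress.sh` to print the rule set for review; call
# egress_rules as root without DRY_RUN to apply it.
if [ "${DRY_RUN:-0}" = "1" ]; then
    egress_rules
fi
```

Rule order matters here: the per-host ACCEPT rules must precede the catch-all LOG/DROP for the LAN, and the proxy's FTP rule only covers the control connection; data connections need the kernel's ftp connection-tracking helper (nf_conntrack_ftp) loaded so they match ESTABLISHED,RELATED. A real deployment also needs matching INPUT rules for the gateway itself and the NAT/MASQUERADE rule the post takes for granted.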