Koozali.org: home of the SME Server

Server only, firewall security and FTP server behind NAT

tias

Server only, firewall security and FTP server behind NAT
« on: February 28, 2007, 02:54:21 PM »
I'm wondering which kind of protection SME 7 has in server-only mode. I've got it connected to a router which is port forwarding the necessary ports to the server. The problem is connecting to the FTP server from the internet. So I have been thinking about setting the router to DMZ and letting all unspecified ports go to the server.

Another solution to this is to configure the FTP server to accept PASV connections, but when I read a little about it, it seems like the version of the FTP server in SME doesn't support that. I have to specify the exact port that SME will use to transfer data, and that is the hard thing to do.

Any advice how to solve this? I can try to upgrade the ftp server, but my knowledge about Linux systems is limited. So therefore I started this thread.

cool34000
Server only, firewall security and FTP server behind NAT
« Reply #1 on: February 28, 2007, 03:29:24 PM »
SME can use PASV...

I did the following on SME :
Code:
# Create a new template fragment for proftpd.conf (leading blank line)
echo > /etc/e-smith/templates/etc/proftpd.conf/06PassivePorts
# Restrict the passive data ports to a small range you can forward on the router
echo "PassivePorts 30000 30005" >> /etc/e-smith/templates/etc/proftpd.conf/06PassivePorts
# Trailing blank line so the fragment concatenates cleanly with the next one
echo >> /etc/e-smith/templates/etc/proftpd.conf/06PassivePorts
# Regenerate /etc/proftpd.conf from the template fragments
expand-template /etc/proftpd.conf
No need to restart FTP service...

Then, on your router, you have to open the range of ports you picked (in my example from 30000 to 30005)... PASV uses TCP.

This is working fine for me.

raem
Server only, firewall security and FTP server behind NAT
« Reply #2 on: March 01, 2007, 03:33:51 AM »
tias

Alternatively you can configure your router/modem in bridged mode and use sme in server & gateway mode & let sme do all the work, and have an easier time managing your sme too !

The firewall in sme will be as good as, if not better than, your hardware router. The sme kernel gets regularly updated, while your hardware device stays at an old release (on its chipset); it probably uses a Linux kernel too.

You have full control of services, ports & firewall iptables rules etc by using the combination of server manager settings, db commands & command line/custom template tweaks.
 
It's simple to enable ftp in the server manager, takes about 1 minute.
No need to open & forward ports, as this happens automatically when you enable ftp, i.e. services get enabled & the firewall rules get adjusted accordingly.
...