
Thread: Disabling firewall.

  1. #1
    Bill Brock (Outstanding Member)

    I have read posts where users whose servers are sitting on the Internet, i.e. public IP NOT behind a NAT router, are getting advice to turn their firewall off. This cannot be good advice. Every service listening on the machine then becomes open to the world, unless specifically configured to listen on the LAN and lo only.

    Is this the general consensus to disable the firewall on a public WAN?
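
Post #1's point about services bound to every interface can be checked on a host before any firewall change. The following is an added example, not part of any post in this thread: it classifies `ss -H -tln` style lines by bind address, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ss -H -tln` style lines on stdin
# and reports, for each TCP listener, which class of address it is bound to.
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        # Split "addr:port" at the last colon so IPv6 literals stay whole.
        n = match(local_addr, /:[0-9]+$/)
        if (n == 0) next
        addr = substr(local_addr, 1, n - 1)
        port = substr(local_addr, n + 1)
        gsub(/^\[|\]$/, "", addr)   # strip brackets around IPv6 literals
        sub(/%.*$/, "", addr)       # strip an interface scope such as %lo

        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "ALL-INTERFACES"      # reachable on every interface
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "LOOPBACK"            # lo only
        else if (addr ~ /^10\./ || addr ~ /^192\.168\./ ||
                 addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            scope = "LAN"                 # RFC 1918 private address
        else
            scope = "SPECIFIC-ADDRESS"    # one non-private address
        print scope, port, addr
    }'
}

# Ports that only a packet filter would shield on a host with a public IP.
exposed_ports() {
    classify_listeners |
        awk '$1 == "ALL-INTERFACES" || $1 == "SPECIFIC-ADDRESS" { print $2 }' |
        sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample input (not captured from a real server).
SAMPLE='LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 192.168.1.10:389 0.0.0.0:*
LISTEN 0 128 203.0.113.5:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | classify_listeners
# On a live host: ss -H -tln | classify_listeners
```

Every port that `exposed_ports` lists is reachable from the Internet on a public-IP host with the firewall off, so that list is the starting point for deciding which rules to write before re-enabling it.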

  2. #2
    bdial (Moderator)

    Different OSes and distributions have different default firewall configs. It can often be useful when trying to fix problems with Zimbra to disable the firewall and rule out that as the cause. Of course, it is beyond the scope of Zimbra to secure the whole system, so anyone who is bringing up a Zimbra server should have their own plans for security, be it a hardware firewall or re-enabling the firewall after things are up and running and figuring out what needs to be opened for successful operation.

  3. #3
    phoenix (Zimbra Consultant & Moderator)

    Quote, originally posted by Bill Brock:
        I have read posts where users whose servers are sitting on the Internet, i.e. public IP NOT behind a NAT router, are getting advice to turn their firewall off. This cannot be good advice. Every service listening on the machine then becomes open to the world, unless specifically configured to listen on the LAN and lo only.

        Is this the general consensus to disable the firewall on a public WAN?

    No it's not the general advice and it's not the advice I've given in these forums. My advice has been to disable the firewall and/or SELinux on a Zimbra server that's behind a NAT router or a corporate firewall.

    It is, of course, up to each person that installs software on an internet facing server to decide for themselves the best course of action for protecting their server.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    dijichi2 (OpenSource Builder & Moderator)

    Firewalls should, generally speaking, be far beyond the scope of Zimbra forums other than what ports Zimbra binds to that need protecting. However, as Zimbra has a much greener audience than is traditional for server software, the first piece of advice is usually to switch SELinux+firewall off. This is good advice in that it eliminates a common problem and allows the software to run. I think, however, it should always come with a stern warning to configure a firewall once everything is up and running, whether it's behind a firewall/NAT or not.

  5. #5
    Bill Brock (Outstanding Member)

    I agree with your last statement about warning those who have been advised to turn their firewall off to be sure it is back on.

    Here is just one post where the user was told only to turn off the firewall. He is not behind a NAT router.

    http://www.zimbra.com/forums/install...end-email.html

    I'm not trying to offend anyone. But care needs to be taken. An unprotected server can result in irreparable damage.

  6. #6
    phoenix (Zimbra Consultant & Moderator)

    Quote, originally posted by Bill Brock:
        I agree with your last statement about warning those who have been advised to turn their firewall off to be sure it is back on.

        Here is just one post where the user was told only to turn off the firewall. He is not behind a NAT router.

        http://www.zimbra.com/forums/install...end-email.html

        I'm not trying to offend anyone. But care needs to be taken. An unprotected server can result in irreparable damage.

    I think you need to reread that post of mine. There was no advice to turn the firewall off and the words 'Have you' at the beginning of that sentence indicate it was a question, do they not? That, and the question about the NAT router were to determine what the state of his set-up was as the o/p had provided little information.

    I think I also replied to you in another thread that I didn't recommend there was 'no firewall' just that a firewall should not be enabled on the Zimbra server. No advice has ever been given in these forums to leave an internet facing server without any firewall or NAT protection.
    Regards


    Bill



  7. #7
    Bill Brock (Outstanding Member)

    The user answered Yes to your question. He obviously took it as advice.

    You can twist the subject any way you want. But there are users out there with their firewalls turned off because of your suggestions.

  8. #8
    phoenix (Zimbra Consultant & Moderator)

    Quote, originally posted by Bill Brock:
        I'm not trying to offend anyone.

    Funny how people who post this sort of comment usually mean the exact opposite.

    Quote, originally posted by Bill Brock:
        The user answered Yes to your question. He obviously took it as advice.

    You can play silly games all you like. Let me start the ball rolling - how, for instance, do you know he didn't have it disabled already?

    Quote, originally posted by Bill Brock:
        You can twist the subject any way you want.

    The subject isn't twisted any way, I have never given advice to anyone to turn off the firewall on an internet facing server or have a machine unprotected. Care to send me the details of where I've posted that sort of advice or which users have done because I've told them to disable the firewall on an internet facing server?

    Quote, originally posted by Bill Brock:
        But there are users out there with their firewalls turned off because of your suggestions.

    ... and you know that how?
    Regards


    Bill



  9. #9
    phoenix (Zimbra Consultant & Moderator)

    Just so we're all clear on this matter and you don't think it's some strange foible of mine. I assume you've read the product documentation? Specifically this page where it mentions Firewall and SELinux configuration, or perhaps P16-17 of the Admin Guide, which is also on the Wiki: ZCS System Architecture - Zimbra :: Wiki. The set-up described in those documents has always been the position I've taken on this question of a firewall on the Zimbra server.
    Regards


    Bill



  10. #10
    Bill Brock (Outstanding Member)

    Like I said, twist it any way you want. Your posts speak for themselves.
