  #1 (permalink)  
Old 08-16-2008, 09:06 AM
Outstanding Member
 
Posts: 684
Default Disabling firewall.

I have read posts where users whose servers are sitting on the Internet, i.e. public IP NOT behind a NAT router, are getting advice to turn their firewall off. This cannot be good advice. Every service listening on the machine then becomes open to the world, unless specifically configured to listen on the LAN and lo only.

Is this the general consensus to disable the firewall on a public WAN?
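
Added example (not part of the original thread): a small audit of which TCP listeners would be reachable from the Internet on a public-IP host with the firewall off, based on the bind address reported by `ss -H -tln`. The sample output, the addresses and ports in it, and the function names are constructed for illustration; "LAN" is assumed to mean RFC 1918 or IPv6 unique-local space.

```python
import ipaddress

# Constructed `ss -H -tln` sample (State Recv-Q Send-Q Local Peer); not from the thread.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 192.168.1.10:389 0.0.0.0:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 100 203.0.113.5:25 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
"""

# Assumption: "LAN" means RFC 1918 space or IPv6 unique-local addresses.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def split_local(field):
    """Split ss's Local Address:Port column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface suffix before parsing.
    return host.strip("[]").split("%", 1)[0], int(port)

def classify(host):
    """Return the scope from which a bind address can be reached."""
    # ss may print the wildcard bind as "*"; treat it like 0.0.0.0.
    addr = ipaddress.ip_address("0.0.0.0" if host == "*" else host)
    if addr.is_unspecified:
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in LAN_NETS):
        return "lan"
    return "public"

def audit(ss_output):
    """Return sorted (port, host, scope) for every TCP listener."""
    rows = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0] == "LISTEN":
            host, port = split_local(cols[3])
            rows.append((port, host, classify(host)))
    return sorted(rows)

def open_without_firewall(ss_output):
    """Listeners facing the Internet on a public-IP host with no firewall."""
    return [(p, h) for p, h, s in audit(ss_output)
            if s in ("all-interfaces", "public")]

if __name__ == "__main__":
    print(open_without_firewall(SAMPLE_SS_OUTPUT))
```

Only the listeners bound to loopback or a LAN address drop out of the result; everything bound to a wildcard or public address depends on the firewall for protection.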
  #2 (permalink)  
Old 08-16-2008, 09:34 AM
Moderator
 
Posts: 1,554
Default

Different OSes and distributions have different default firewall configs. It can often be useful when trying to fix problems with Zimbra to disable the firewall and rule out that as the cause. Of course it is beyond the scope of Zimbra to secure the whole system, so anyone who is bringing up a Zimbra server should have their own plans for security, be it a hardware firewall or re-enabling the firewall after things are up and running and figuring out what needs to be opened for successful operation.
  #3 (permalink)  
Old 08-16-2008, 09:46 AM
Zimbra Consultant & Moderator
 
Posts: 20,316
Default

Quote:
Originally Posted by Bill Brock View Post
I have read posts where users whose servers are sitting on the Internet, i.e. public IP NOT behind a NAT router, are getting advice to turn their firewall off. This cannot be good advice. Every service listening on the machine then becomes open to the world, unless specifically configured to listen on the LAN and lo only.

Is this the general consensus to disable the firewall on a public WAN?
No, it's not the general advice and it's not the advice I've given in these forums. My advice has been to disable the firewall and/or SELinux on a Zimbra server that's behind a NAT router or a corporate firewall.

It is, of course, up to each person that installs software on an internet facing server to decide for themselves the best course of action for protecting their server.
__________________
Regards


Bill
  #4 (permalink)  
Old 08-16-2008, 03:08 PM
OpenSource Builder & Moderator
 
Posts: 1,166
Default

Firewalls should, generally speaking, be far beyond the scope of Zimbra forums other than what ports Zimbra binds to that need protecting. However, as Zimbra has a much greener audience than traditional for server software, the first piece of advice is usually to switch SELinux + firewall off. This is good advice in that it eliminates a common problem and allows the software to run. I think it however should always come with a stern warning to configure a firewall once everything is up and running, whether it's behind a firewall/NAT or not.
  #5 (permalink)  
Old 08-16-2008, 06:20 PM
Outstanding Member
 
Posts: 684
Default

I agree with your last statement about warning those who have been advised to turn their firewall off to be sure it is back on.

Here is just one post where the user was told only to turn off the firewall. He is not behind a NAT router.

http://www.zimbra.com/forums/install...end-email.html

I'm not trying to offend anyone. But care needs to be taken. An unprotected server can result in irreparable damage.
  #6 (permalink)  
Old 08-16-2008, 11:37 PM
Zimbra Consultant & Moderator
 
Posts: 20,316
Default

Quote:
Originally Posted by Bill Brock View Post
I agree with your last statement about warning those who have been advised to turn their firewall off to be sure it is back on.

Here is just one post where the user was told only to turn off the firewall. He is not behind a NAT router.

http://www.zimbra.com/forums/install...end-email.html

I'm not trying to offend anyone. But care needs to be taken. An unprotected server can result in irreparable damage.
I think you need to reread that post of mine. There was no advice to turn the firewall off and the words 'Have you' at the beginning of that sentence indicate it was a question, do they not? That, and the question about the NAT router were to determine what the state of his set-up was as the o/p had provided little information.

I think I also replied to you in another thread that I didn't recommend there was 'no firewall', just that a firewall should not be enabled on the Zimbra server. No advice has ever been given in these forums to leave an internet facing server without any firewall or NAT protection.
__________________
Regards


Bill
  #7 (permalink)  
Old 08-17-2008, 06:03 AM
Outstanding Member
 
Posts: 684
Default

The user answered Yes to your question. He obviously took it as advice.

You can twist the subject any way you want. But there are users out there with their firewalls turned off because of your suggestions.
  #8 (permalink)  
Old 08-17-2008, 06:08 AM
Zimbra Consultant & Moderator
 
Posts: 20,316
Default

Quote:
Originally Posted by Bill Brock View Post
I'm not trying to offend anyone.
Funny how people who post this sort of comment usually mean the exact opposite.

Quote:
Originally Posted by Bill Brock View Post
The user answered Yes to your question. He obviously took it as advice.
You can play silly games all you like. Let me start the ball rolling - how, for instance, do you know he didn't have it disabled already?

Quote:
Originally Posted by Bill Brock View Post
You can twist the subject any way you want.
The subject isn't twisted any way, I have never given advice to anyone to turn off the firewall on an internet facing server or have a machine unprotected. Care to send me the details of where I've posted that sort of advice or which users have done because I've told them to disable the firewall on an internet facing server?


Quote:
Originally Posted by Bill Brock View Post
But there are users out there with their firewalls turned off because of your suggestions.
... and you know that how?
__________________
Regards


Bill
  #9 (permalink)  
Old 08-17-2008, 06:58 AM
Zimbra Consultant & Moderator
 
Posts: 20,316
Default

Just so we're all clear on this matter and you don't think it's some strange foible of mine. I assume you've read the product documentation? Specifically this page where it mentions Firewall and SELinux configuration, or perhaps P16-17 of the Admin Guide, which is also on the Wiki: ZCS System Architecture - Zimbra :: Wiki. The set-up described in those documents has always been the position I've taken on this question of a firewall on the Zimbra server.
__________________
Regards


Bill
  #10 (permalink)  
Old 08-17-2008, 08:02 AM
Outstanding Member
 
Posts: 684
Default

Like I said, twist it any way you want. Your posts speak for themselves.