Linux

OpenVPN with UFW

I feel rather ashamed to admit that, for the past several months, I left my server wide open. She didn't receive any protection from a local firewall. Of course, the IT departments of my university and my faculty have done a great job implementing their firewalls. These protect me from outside threats, but my server still sat idle, clueless about anyone who had a chance to plug into the university network. That's why I set out to enable a firewall on my server.

On my previous server I used iptables exclusively, i.e., no front-end. However, Ubuntu comes with ufw, a firewall-made-easy for Linux. With ufw, I can issue a command like "ufw allow 22" to let ssh clients (port 22) connect to my server. Ufw also saves and restores this rule automatically.

The only problem is that, as soon as I turned on ufw, my OpenVPN stopped functioning. This is quite understandable because ufw overrides any previous rules I applied. However, the best thing about ufw is that it is a non-degenerative front-end, meaning that it retains all the functionality of iptables. Users can add custom rules directly using iptables syntax; all they have to do is modify /etc/ufw/before.rules and/or /etc/ufw/after.rules.

Here is the list of things I added to my /etc/ufw/before.rules, assuming that my OpenVPN clients are in the 10.8.0.0/24 pool.

First, since I trust OpenVPN completely, I accept all traffic to/from the OpenVPN tunnel interface. I added these lines at the beginning of the filter section.

# accept everything arriving on, or leaving through, any tun interface;
# the output chain has no input interface, so its rule must match with -o
-A ufw-before-input -i tun+ -j ACCEPT
-A ufw-before-output -o tun+ -j ACCEPT

Additionally, I must forward traffic to/from my OpenVPN clients. These lines were also added, right after the lines above.

# forward packets from and to the VPN client pool
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT

Finally, I have to masquerade traffic from my OpenVPN clients. This can be done by adding a NAT table section to the ufw rules. These lines were added to the top of /etc/ufw/before.rules.

# rules for the NAT table of iptables
# required lines for ufw
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade traffic from the OpenVPN pool as it leaves through eth0.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# COMMIT ends the nat table; ufw hands this block to iptables-restore
COMMIT
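Before running "ufw enable" it is worth checking a hand-edited before.rules for the mistakes that bite here. The script below is an added example, not part of the original post: it lints an iptables-restore fragment for an interface match the chain can never use (the output chain needs -o, not -i), a *nat block without its COMMIT, and rules that sit outside any table. The chain names and the sample rules are the post's own; the mapping of ufw's hook chains to the built-in chain they are reached from is standard ufw layout.

```python
"""Lint an iptables-restore fragment such as /etc/ufw/before.rules.

Added example, not part of the original post. It flags mistakes that make
`ufw enable` fail or leave a rule that can never match.
"""
import shlex

# Built-in chains where netfilter has no input interface yet (locally
# generated packets) or no output interface yet (not routed yet); iptables
# rejects the flag outright on these chains.
NO_INPUT_IFACE = {"OUTPUT", "POSTROUTING"}
NO_OUTPUT_IFACE = {"INPUT", "PREROUTING"}

# ufw's hook chains are only ever jumped to from one built-in chain, so the
# same restriction applies in effect: iptables accepts "-i" in
# ufw-before-output, but that rule can never match a locally generated packet.
UFW_HOOK_PARENT = {
    "ufw-before-input": "INPUT", "ufw-after-input": "INPUT",
    "ufw-before-output": "OUTPUT", "ufw-after-output": "OUTPUT",
    "ufw-before-forward": "FORWARD", "ufw-after-forward": "FORWARD",
}


def _rule_parts(argv):
    """Pull the chain name and any interface matches out of one rule's tokens."""
    chain = in_iface = out_iface = None
    for i, tok in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok in ("-A", "--append", "-I", "--insert"):
            chain = nxt
        elif tok in ("-i", "--in-interface"):
            in_iface = nxt
        elif tok in ("-o", "--out-interface"):
            out_iface = nxt
    return chain, in_iface, out_iface


def _where(chain, parent):
    return chain if chain == parent else "%s (only reached from %s)" % (chain, parent)


def lint_rules(text):
    """Return [(line_no, message), ...] for every problem found; [] means clean."""
    problems, table = [], None
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("*"):               # *nat, *filter ... opens a table
            if table is not None:
                problems.append((no, "table '%s' was opened but never COMMITted" % table))
            table = line[1:]
        elif line == "COMMIT":
            if table is None:
                problems.append((no, "COMMIT outside any table"))
            table = None
        elif table is None:
            problems.append((no, "line outside any *table ... COMMIT block"))
        elif line.startswith(":"):             # chain declaration, e.g. ":POSTROUTING ACCEPT [0:0]"
            continue
        else:
            chain, in_iface, out_iface = _rule_parts(shlex.split(line))
            if chain is None:
                problems.append((no, "rule does not name a chain with -A/-I"))
                continue
            parent = UFW_HOOK_PARENT.get(chain, chain)
            if in_iface and parent in NO_INPUT_IFACE:
                problems.append((no, "-i %s cannot match in %s; use -o" % (in_iface, _where(chain, parent))))
            if out_iface and parent in NO_OUTPUT_IFACE:
                problems.append((no, "-o %s cannot match in %s; use -i" % (out_iface, _where(chain, parent))))
    if table is not None:
        problems.append((len(lines), "table '%s' was opened but never COMMITted" % table))
    return problems


# Constructed sample: the post's rules, but with the output rule matching on
# "-i" and the nat table missing its COMMIT before *filter begins.
BROKEN_FRAGMENT = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
*filter
-A ufw-before-input -i tun+ -j ACCEPT
-A ufw-before-output -i tun+ -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.8.0.0/24 -j ACCEPT
COMMIT
"""

# The same fragment with both mistakes corrected.
FIXED_FRAGMENT = BROKEN_FRAGMENT.replace("*filter", "COMMIT\n*filter").replace(
    "ufw-before-output -i", "ufw-before-output -o")

if __name__ == "__main__":
    for name, frag in (("broken", BROKEN_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        print(name, lint_rules(frag) or "clean")
```

The linter only sees the rules file. Masquerading still does nothing unless the kernel forwards packets at all, which on ufw means uncommenting net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf, and DEFAULT_FORWARD_POLICY in /etc/default/ufw decides what happens to forwarded packets that the ufw-before-forward rules above do not accept.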

That's all.

NTFS SAMBA on Fedora 10

Just tried the new Fedora 10 on my PC. The problem is that I want to export all my NTFS drives from F10 via Samba, so that any machine can still access my files even when I am not on Windows. NTFS-3G works quite well and setting up Samba is no longer a problem. Of course, the firewall must be adjusted to allow the Samba protocol. Firestarter is a nice application for simple things such as allowing a specific port, a feat that actually requires several rules in the iptables config to permit the protocol properly.

At that point, I was able to export my home directory via Samba, and all NTFS drives could be read and written locally. However, whenever someone over the network tried to write something to the Samba NTFS share, an AVC happened, i.e., SELinux was preventing the write.

Checking the audit log yields something like this:

node=raman type=AVC msg=audit(1229096296.441:676): avc: denied { write } for pid=8484 comm="smbd" name="dae" dev=sda5 ino=29 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
node=raman type=SYSCALL msg=audit(1229096296.441:676): arch=c000003e syscall=83 success=no exit=-13 a0=7f4aa5524b50 a1=1ed a2=7f4aa54dbd70 a3=2f31a70 items=0 ppid=8210 pid=8484 auid=500 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)

SETroubleshoot said that to allow such access I have to run chcon -R -t samba_share_t, but, of course, that is not of much help because the directory is actually an NTFS directory. After googling around, it turns out we just need to tell SELinux that we really trust Samba to share the FUSE file system, which is what NTFS-3G, the NTFS driver for Linux, uses. The following command simply solves all the problems.

setsebool -P samba_share_fusefs 1
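Reading a raw AVC record by eye is error-prone, and the interesting part is the pairing of the source domain (smbd_t) with the target label (fusefs_t), which is exactly what the samba_share_fusefs boolean above addresses. The script below is an added example, not part of the original post: it parses audit.log records into fields, pairs each AVC with the SYSCALL record that shares its audit id, and prints a one-line summary of who was refused what on which labelled object. SAMPLE_LOG is the pair of records quoted in the post; nothing here reads a live audit log.

```python
"""Parse SELinux AVC denials out of audit.log and pair each with its SYSCALL record.

Added example, not part of the original post. SAMPLE_LOG holds the two records
quoted in the post (one AVC, one SYSCALL) which share one audit(timestamp:serial) id.
"""
import re
from collections import defaultdict

# key=value tokens: double-quoted strings, parenthesised values such as (none),
# or bare words like unconfined_u:system_r:smbd_t:s0
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+:\d+)\)')
DENIED_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

SAMPLE_LOG = """\
node=raman type=AVC msg=audit(1229096296.441:676): avc: denied { write } for pid=8484 comm="smbd" name="dae" dev=sda5 ino=29 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
node=raman type=SYSCALL msg=audit(1229096296.441:676): arch=c000003e syscall=83 success=no exit=-13 a0=7f4aa5524b50 a1=1ed a2=7f4aa54dbd70 a3=2f31a70 items=0 ppid=8210 pid=8484 auid=500 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)
"""


def split_context(ctx):
    """Break user:role:type:level apart; the MLS level may itself contain colons."""
    return dict(zip(("user", "role", "type", "level"), ctx.split(":", 3)))


def parse_record(line):
    """Turn one audit record into a dict of its fields plus the set of denied permissions."""
    m = AUDIT_ID_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"audit_id": m.group(1)}
    for key, val in TOKEN_RE.findall(line):
        if key != "msg":  # msg=audit(...) is the id we already extracted
            rec[key] = val.strip('"')
    m = DENIED_RE.search(line)
    if m:
        rec["denied"] = set(m.group(1).split())
    return rec


def correlate(log_text):
    """Group records by audit id so each AVC can be read beside its SYSCALL record."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": None})
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            ev = events[rec["audit_id"]]
            if rec.get("type") == "AVC":
                ev["AVC"].append(rec)
            elif rec.get("type") == "SYSCALL":
                ev["SYSCALL"] = rec
    return dict(events)


def summarize(event):
    """One line per denial: which domain and executable was refused what, on which labelled object."""
    sc = event["SYSCALL"] or {}
    lines = []
    for avc in event["AVC"]:
        src = split_context(avc["scontext"])["type"]
        tgt = split_context(avc["tcontext"])["type"]
        lines.append("%s (%s, pid %s, syscall %s) denied %s on %s %r labelled %s" % (
            src, sc.get("exe", "?"), avc["pid"], sc.get("syscall", "?"),
            ",".join(sorted(avc["denied"])), avc["tclass"], avc.get("name", "?"), tgt))
    return lines


if __name__ == "__main__":
    for audit_id, ev in correlate(SAMPLE_LOG).items():
        for line in summarize(ev):
            print(audit_id, line)
```

The summary for the post's records reads "smbd_t (/usr/sbin/smbd, pid 8484, syscall 83) denied write on dir 'dae' labelled fusefs_t", which is the smbd_t/fusefs_t pairing the boolean fixes; exit=-13 in the SYSCALL record is EACCES, the error the Samba client saw.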

Win + Key problems in Fedora Core 6

Quick words: I am having a problem with the Win key in Linux; I cannot use it in combination with other keys to make a keyboard shortcut. For example, I wish to open Konqueror by pressing Win+E (just to resemble opening Windows Explorer) but KDE won't accept it. When I press Win+E, KDE recognizes it as just "E".

After googling around, the solution is simply to put this option in the InputDevice section of /etc/X11/xorg.conf:

Option      "XkbOptions" "altwin:meta_win"

After that, everything works just fine.
