# Samba, IPFW, and the internet



## nero (May 11, 2021)

I am looking for best practices and to see if anyone else is successfully running a similar environment.

Have a FreeBSD server that is basically a LAMP environment. It is living on a public IP address and using IPFW to block everything except 80 and 443.

That is all working very well without issue.

Have an in-house developer who was wondering if having direct access to a development directory from their PC would be possible.

It definitely is, using Samba. But my question, I guess, is whether the server will stay safe if everything is configured properly.

Internally we have our own firewall separating us from the server. We will have to configure that appropriately as well. 

Planning on using specific IPs for all rules.

What are others' experiences with such a setup?

Thanks,
Tamer


----------



## SirDice (May 11, 2021)

nero said:


> Have an inhouse developer that was wondering if having direct access to a development directory from their PC would be possible.


Is there a LAN connection between the inhouse developer and the web server? Or is the web server somewhere else (VPS, datacenter, etc)?



nero said:


> Internally we have our own firewall separating us from the server.


Ok, so there's a LAN connection between the server and the developer? Something like this:

```
[Internet]---[FW]---[FAMP]---[FW]----[LAN]--[DEV]
```

Then yes, you can configure the firewall between LAN and FAMP (FreeBSD, Apache, MySQL, PHP) to allow the traffic _from_ the LAN _to_ the FAMP machine. Don't allow connections the other way around (from FAMP to LAN) except the stateful returns of the connections originating on the LAN. For SMB you really only need to allow TCP port 445. The NetBIOS ports 137, 138, 139, etc. are not required.


----------



## covacat (May 11, 2021)

The SMB protocol usually sucks over the internet (chatty, and latency). And lots of ISPs block SMB ports, so you may need to use OpenVPN/IPsec/another kind of tunneling.
Probably an SFTP-based solution will be better.


----------



## nero (May 11, 2021)

Thanks for your responses. The server is on site. SirDice has almost the right environment set up, with one simple change:

```
[internet][ipfw firewall - FAMP]
[SAME Internet][Firewall][developer]
```

Both networks live on our routing environment. Dev is only 2 hops away.

So, our in-house firewall and the FAMP server have external IPs that are on the same subnet and port.

I mean, I am thinking the most secure way would be to add another NIC to the [FAMP] box and have an internal NIC and an external NIC. But I am trying to avoid that because we are upgrading the server later this year and don't really want to put any physical items in the current box... Maybe just get one of those cheap WiFi USB adapters for the server and put that on our internal WiFi...

Thanks,
T


----------



## SirDice (May 11, 2021)

nero said:


> [internet][ipfw firewall - FAMP]
> [SAME Internet][Firewall][developer]


Then no, don't open Samba up to the internet. Not even firewalled by IP addresses. In that case I'd probably use a VPN (OpenVPN or WireGuard; both are simple to set up and use and provide good protection) and force the SMB over the VPN.

Alternatively sshfs(5) might be a good enough solution. Or just a plain simple scp(1)/sftp(1), perhaps using rsync(1). WinSCP is a nice tool for SCP/SFTP on Windows. FileZilla for example should also be able to do SFTP.


----------



## nero (May 11, 2021)

Thanks... I was thinking that is likely not the best setup.

Will check out OpenVPN.

Currently, they use WinSCP & SSH to access the box.

The next obvious question... What is the biggest difference between OpenVPN and WireGuard?

Thanks


----------



## SirDice (May 11, 2021)

nero said:


> What is the biggest difference between OpenVPN & Wireguard?


This explains it rather well: https://restoreprivacy.com/vpn/wireguard-vs-openvpn/

The short gist of it: OpenVPN is the "gold" standard; it's been around for years. WireGuard is a newer, supposedly faster, implementation using the latest cryptographic protocols.


----------



## covacat (May 11, 2021)

Also look at WebDAV (no new ports to open, easy to set access control, built-in Windows/Mac client).


----------



## nero (May 11, 2021)

OK, will check out WebDAV as well. Thanks for the info, everyone...

T


----------



## nero (May 11, 2021)

SirDice said:


> This explains it rather well: https://restoreprivacy.com/vpn/wireguard-vs-openvpn/
> 
> Short gist of it, OpenVPN is the "gold" standard, it's been around for years. Wireguard is a newer, supposedly faster, implementation using the latest cryptographic protocols.



Thanks for the article. This may be the path. I will have to look into that.


----------



## nero (May 11, 2021)

One last question about going the VPN route.

I guess I would have to create a virtual network to use for the VPN connection. Perhaps I am thinking about it all wrong.

So, usually: 

PC on network 1 connects via VPN to network 2
PC is assigned an IP address that is local to network 2
PC sets up route to network 2 via the VPN interface

So, in my case, the FAMP server only has the external IP address.

I am probably missing something here.

But I will start trying to set it up and see what mileage I get!
Thanks for the info.
T


----------



## covacat (May 11, 2021)

OpenVPN creates tunnel interfaces that have their own RFC 1918 IPs.
You can use those instead of LAN IPs.
Just start samba_server after openvpn and bind it only to the loopback and tunnel IP.
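
One way to turn the thread's conclusion (web ports open to the world, SMB reachable only through the OpenVPN tunnel, Samba bound to loopback and the tunnel interface) into a concrete ipfw(8) ruleset plus the matching smb4.conf lines. This is an added example, not code from any poster; the interface names, addresses, tunnel subnet and the OpenVPN UDP port are assumptions, and the addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Constructed example: single-NIC FAMP host, SMB only via the OpenVPN tun.
# All names/addresses below are assumed placeholders; adjust to your site.
ext_if="${ext_if:-em0}"               # assumed public-facing NIC
vpn_if="${vpn_if:-tun0}"              # OpenVPN tunnel interface
famp_ip="${famp_ip:-198.51.100.5}"    # server's public IP (placeholder)
dev_ip="${dev_ip:-203.0.113.20}"      # developer's public IP (placeholder)
vpn_net="${vpn_net:-10.8.0.0/24}"     # RFC 1918 subnet used inside the tunnel
fwcmd="${fwcmd:-/sbin/ipfw -q}"       # set fwcmd=echo for a dry run

apply_rules() {
    $fwcmd flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 check-state
    # Web traffic from anywhere, stateful so only replies come back out
    $fwcmd add 300 allow tcp from any to "$famp_ip" 80,443 in via "$ext_if" setup keep-state
    # OpenVPN (assumed UDP 1194) accepted only from the developer's address
    $fwcmd add 400 allow udp from "$dev_ip" to "$famp_ip" 1194 in via "$ext_if" keep-state
    # SMB (TCP 445 only, no NetBIOS) solely from tunnel clients on the tun
    $fwcmd add 500 allow tcp from "$vpn_net" to me 445 in via "$vpn_if" setup keep-state
    # SMB/NetBIOS arriving on the public interface is dropped and logged
    $fwcmd add 600 deny log tcp from any to any 139,445 in via "$ext_if"
    $fwcmd add 610 deny log udp from any to any 137,138 in via "$ext_if"
    # Connections the box itself starts (DNS, updates, VPN replies), stateful
    $fwcmd add 700 allow ip from me to any out via "$ext_if" keep-state
    $fwcmd add 65000 deny log ip from any to any
}

# smb4.conf lines so Samba never listens on the public address. Because the
# tun interface only exists once openvpn is up, samba_server must start after it.
smb_bind_fragment() {
    cat <<EOF
[global]
    interfaces = lo0 $vpn_if
    bind interfaces only = yes
EOF
}

# Number of rules the script would install (dry run via fwcmd=echo)
rule_count() { ( fwcmd=echo; apply_rules ) | grep -c '^add '; }
```

Run with `fwcmd=echo sh thisfile.sh` style dry runs first; logging of the deny rules only shows up once `net.inet.ip.fw.verbose` is enabled.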


----------

