| 1 |
On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey <peter@××××××××××××.uk> |
| 2 |
wrote: |
| 3 |
|
| 4 |
> Hello list, |
| 5 |
> |
| 6 |
> I've been using shorewall happily for many years, but now I have a LAN |
| 7 |
> setup |
| 8 |
> that the docs seem not to cover. The new web-server box I mentioned |
| 9 |
> recently |
| 10 |
> has two Ethernet ports, which I want to connect as follows: |
| 11 |
> |
| 12 |
> Port 1 (enp1s0) will be connected to a spare port on my vDSL modem/router |
| 13 |
> and be accessible from outside. An HTTP hole* will be opened in the router |
| 14 |
> for this. |
| 15 |
> |
| 16 |
> Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn |
| 17 |
> to |
| 18 |
> another port on the vDSL modem, which has no holes open to this port. Once |
| 19 |
> the server goes into service this interface will be down most of the time. |
| 20 |
> |
| 21 |
> I want to ensure that no bridging occurs between the two ports in the web |
| 22 |
> server. |
| 23 |
> |
| 24 |
|
| 25 |
The term "bridging" implies layer 2 forwarding, like what a hub or switch |
| 26 |
does. You have to do a little work to set that up, so it wont happen by |
| 27 |
accident. |
| 28 |
|
| 29 |
Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be set |
| 30 |
to 1. However since you're allowing connections to the webserver, any |
| 31 |
compromise of that webserver means that any network connected to the |
| 32 |
webserver is available without restriction. This is why webservers are |
| 33 |
typically put in a DMZ, and a firewall used to connect the outside, the DMZ |
| 34 |
and the inside. |
| 35 |
|
| 36 |
For HTTPS, get a LetsEntrypt cert. |
| 37 |
|
| 38 |
FWIW i'm running my home system pretty much the way you propose, and AFAICT |
| 39 |
i haven't been compromised...but there's little of value there. |
Archives