On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey <peter@××××××××××××.uk>
wrote:

> Hello list,
>
> I've been using shorewall happily for many years, but now I have a LAN setup
> that the docs seem not to cover. The new web-server box I mentioned recently
> has two Ethernet ports, which I want to connect as follows:
>
> Port 1 (enp1s0) will be connected to a spare port on my vDSL modem/router
> and be accessible from outside. An HTTP hole* will be opened in the router
> for this.
>
> Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn to
> another port on the vDSL modem, which has no holes open to this port. Once
> the server goes into service this interface will be down most of the time.
>
> I want to ensure that no bridging occurs between the two ports in the web
> server.
>

The term "bridging" implies layer 2 forwarding, like what a hub or switch
does. You have to do a little work to set that up, so it won't happen by
accident.

Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be set
to 1. However, since you're allowing connections to the webserver, any
compromise of that webserver means that any network connected to the
webserver is available without restriction. This is why webservers are
typically put in a DMZ, and a firewall used to connect the outside, the DMZ
and the inside.

For HTTPS, get a Let's Encrypt cert.

FWIW I'm running my home system pretty much the way you propose, and AFAICT
I haven't been compromised... but there's little of value there.
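The reply names the two ways packets can cross between the two NICs on the server itself: a layer-2 bridge, which has to be configured explicitly, and layer-3 forwarding, which is a single sysctl. The script below is an added example, not code from this thread or from shorewall; it audits a Linux host for both using the /proc and /sys interfaces the kernel exposes (the ip_forward knob the reply mentions, plus the `bridge` and `brport` directories under /sys/class/net that mark bridge devices and their enslaved ports). The paths are parameters so the checks can be exercised against a constructed tree; the function and variable names are this example's own.

```shell
#!/bin/sh
# Audit a dual-homed host for the two in-kernel paths between its interfaces.
# Read-only; runs fine as an unprivileged user.

# Layer 3: is the kernel forwarding packets between interfaces?
# Takes the sysctl file to read; defaults to the IPv4 knob named in the reply.
# The IPv6 equivalent is /proc/sys/net/ipv6/conf/all/forwarding.
ipv4_forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Layer 2: list every bridge device and every interface enslaved to one.
# A bridge has <dev>/bridge under /sys/class/net; a port has <dev>/brport,
# and brport/bridge is a symlink to the bridge device it belongs to.
# Prints "<dev> bridge" or "<dev> port-of <master>", nothing if no bridging.
bridge_members() {
    root="${1:-/sys/class/net}"
    for d in "$root"/*; do
        [ -e "$d" ] || continue
        dev=$(basename "$d")
        if [ -d "$d/bridge" ]; then
            echo "$dev bridge"
        elif [ -d "$d/brport" ]; then
            master=$(basename "$(readlink -f "$d/brport/bridge")")
            echo "$dev port-of ${master:-unknown}"
        fi
    done
}

# Verdict: 0 when forwarding is off AND no bridge exists, 1 otherwise.
# Arguments: sysctl file, /sys/class/net root (both optional).
isolation_ok() {
    ! ipv4_forwarding_enabled "$1" && [ -z "$(bridge_members "$2")" ]
}

# Report on the live host.
if isolation_ok /proc/sys/net/ipv4/ip_forward /sys/class/net; then
    echo "OK: IPv4 forwarding is off and no bridge devices exist"
else
    echo "WARNING: traffic can cross between interfaces on this host"
    ipv4_forwarding_enabled && echo "  net.ipv4.ip_forward = 1"
    bridge_members /sys/class/net | sed 's/^/  /'
fi
```

To make the layer-3 side stick across reboots, set `net.ipv4.ip_forward = 0` (and `net.ipv6.conf.all.forwarding = 0`) in sysctl configuration; shorewall also manages this knob through its own `IP_FORWARDING` setting in shorewall.conf, so the two should agree. A clean result from this audit only covers the kernel's own paths between the NICs; it does nothing about the point the reply makes, that whoever compromises the web server process can simply use enp2s0 directly while it is up, which is what the DMZ arrangement addresses.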