On Thursday 30 Mar 2017 17:23:13 Adam Carter wrote:
> On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey <peter@××××××××××××.uk> wrote:
> > Hello list,
> >
> > I've been using shorewall happily for many years, but now I have a LAN setup
> > that the docs seem not to cover. The new web-server box I mentioned recently
> > has two Ethernet ports, which I want to connect as follows:
> >
> > Port 1 (enp1s0) will be connected to a spare port on my vDSL modem/router
> > and be accessible from outside. An HTTP hole* will be opened in the
> > router for this.
> >
> > Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn to
> > another port on the vDSL modem, which has no holes open to this port.
> > Once the server goes into service this interface will be down most of
> > the time.
> >
> > I want to ensure that no bridging occurs between the two ports in the web
> > server.
>
> The term "bridging" implies layer 2 forwarding, like what a hub or switch
> does. You have to do a little work to set that up, so it won't happen by
> accident.
>
> Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be set
> to 1. However, since you're allowing connections to the webserver, any
> compromise of that webserver means that any network connected to the
> webserver is available without restriction. This is why webservers are
> typically put in a DMZ, and a firewall used to connect the outside, the
> DMZ and the inside.

Yes, I understand that last.

> For HTTPS, get a LetsEncrypt cert.

Ah! Thanks for the pointer. I'll follow it up.

> FWIW I'm running my home system pretty much the way you propose, and
> AFAICT I haven't been compromised... but there's little of value there.

A little confidence, then. Thanks for that too.

--
Regards
Peter
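Added here as a worked check, not part of the thread: a POSIX shell audit of the two conditions Adam names, layer 3 forwarding via /proc/sys/net/ipv4/ip_forward and layer 2 bridging, run against the two interfaces Peter named. The audit_isolation function and its ROOT argument (which points the checks at a fake /proc and /sys tree for testing) are my own; the sysfs brport and bridge directories are standard Linux.

```shell
#!/bin/sh
# audit_isolation ROOT IFACE... : exit 0 if the host neither routes between its
# interfaces nor has any of the named interfaces attached to a Linux bridge.
# ROOT is normally "" (the live system); a test can pass a directory that holds
# a constructed proc/ and sys/ tree instead.
audit_isolation() {
    root="${1:-}"
    shift
    status=0
    # Layer 3: a host that is not meant to be a router must have ip_forward=0.
    fwd=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null || echo "unreadable")
    if [ "$fwd" != "0" ]; then
        echo "FAIL: ip_forward=$fwd (kernel would route between the two NICs)"
        status=1
    else
        echo "ok: ip_forward=0"
    fi
    # Layer 2: an interface enslaved to a bridge gets a brport/ directory in
    # sysfs, and a bridge device itself carries a bridge/ directory.
    for ifc in "$@"; do
        if [ -d "$root/sys/class/net/$ifc/brport" ]; then
            echo "FAIL: $ifc is a port of a bridge"
            status=1
        elif [ -d "$root/sys/class/net/$ifc/bridge" ]; then
            echo "FAIL: $ifc is itself a bridge device"
            status=1
        else
            echo "ok: $ifc is not bridged"
        fi
    done
    return $status
}

# Set AUDIT_LIVE=1 to run the audit against the real system on execution.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit_isolation "" enp1s0 enp2s0
fi
```

Shorewall users can pair this with IP_FORWARDING=Off in shorewall.conf, but the audit reads the kernel state directly, so it catches a setting changed behind the firewall's back.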