| 1 |
On Thursday 30 Mar 2017 17:23:13 Adam Carter wrote: |
| 2 |
> On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey <peter@××××××××××××.uk> |
| 3 |
> |
| 4 |
> wrote: |
| 5 |
> > Hello list, |
| 6 |
> > |
| 7 |
> > I've been using shorewall happily for many years, but now I have a LAN |
| 8 |
> > setup |
| 9 |
> > that the docs seem not to cover. The new web-server box I mentioned |
| 10 |
> > recently |
| 11 |
> > has two Ethernet ports, which I want to connect as follows: |
| 12 |
> > |
| 13 |
> > Port 1 (enp1s0) will be connected to a spare port on my vDSL |
| 14 |
> > modem/router |
| 15 |
> > and be accessible from outside. An HTTP hole* will be opened in the |
| 16 |
> > router for this. |
| 17 |
> > |
| 18 |
> > Port 2 (enp2s0) is connected to my LAN switch, which is connected in |
| 19 |
> > turn |
| 20 |
> > to |
| 21 |
> > another port on the vDSL modem, which has no holes open to this port. |
| 22 |
> > Once the server goes into service this interface will be down most of |
| 23 |
> > the time. |
| 24 |
> > |
| 25 |
> > I want to ensure that no bridging occurs between the two ports in the |
| 26 |
> > web |
| 27 |
> > server. |
| 28 |
> |
| 29 |
> The term "bridging" implies layer 2 forwarding, like what a hub or switch |
| 30 |
> does. You have to do a little work to set that up, so it wont happen by |
| 31 |
> accident. |
| 32 |
> |
| 33 |
> Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be set |
| 34 |
> to 1. However since you're allowing connections to the webserver, any |
| 35 |
> compromise of that webserver means that any network connected to the |
| 36 |
> webserver is available without restriction. This is why webservers are |
| 37 |
> typically put in a DMZ, and a firewall used to connect the outside, the |
| 38 |
> DMZ and the inside. |
| 39 |
|
| 40 |
Yes, I understand that last. |
| 41 |
|
| 42 |
> For HTTPS, get a LetsEntrypt cert. |
| 43 |
|
| 44 |
Ah! Thanks for the pointer. I'll follow it up. |
| 45 |
|
| 46 |
> FWIW i'm running my home system pretty much the way you propose, and |
| 47 |
> AFAICT i haven't been compromised...but there's little of value there. |
| 48 |
|
| 49 |
A little confidence, then. Thanks for that too. |
| 50 |
|
| 51 |
-- |
| 52 |
Regards |
| 53 |
Peter |
Archives