  #1  
Old 2nd October 2006, 14:55
latcarf latcarf is offline
Senior Member
 
Join Date: Jul 2005
Posts: 215
Thanks: 0
Thanked 1 Time in 1 Post
Default Server Testing

I am behind a router that is of course firewalled. Internally, in order to see my server and the web pages hosted, I have had to add the server IP and aliases (www, ftp...) to each host file in the various cps throughout the house. The problem I have encountered here is that my sites appear to be working fine for me but they could be totally unavailable to the world outside my network.

In the process of fixing an ftp problem in another thread I think I may have learned something new! It seems I can set up a computer, assign it an internal IP, and then put it in the DMZ? Is this correct? And are there any security issues regarding this DMZ computer and my internal network? E.g. once they are in through the DMZ cp, snooping around and being able to jump onto a cp in my firewalled network.

Also, can you use a wild card (*) to cover all aliases in a host file? E.g.
192.168.2.5 *.domain.tld (and this would cover www and ftp)
  #2  
Old 3rd October 2006, 18:01
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,740 Times in 2,575 Posts
Default

Quote:
Originally Posted by latcarf
It seems I can set up a computer, assign it an internal IP, and then put it in the DMZ?
Yes.

Quote:
Originally Posted by latcarf
Is this correct? And are there any security issues regarding this DMZ computer and my internal network? E.g. once they are in through the DMZ cp, snooping around and being able to jump onto a cp in my firewalled network.
Normally not.

Quote:
Originally Posted by latcarf
Also, can you use a wild card (*) to cover all aliases in a host file? E.g.
192.168.2.5 *.domain.tld (and this would cover www and ftp)
I have to admit - I don't know. I'd try it.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #3  
Old 3rd October 2006, 20:02
Ben Ben is offline
Moderator
 
Join Date: Jul 2006
Posts: 1,029
Thanks: 7
Thanked 62 Times in 56 Posts
Default

Quote:
In the process of fixing an ftp problem in another thread I think I may have learned something new! It seems I can set up a computer, assign it an internal IP, and then put it in the DMZ? Is this correct? And are there any security issues regarding this DMZ computer and my internal network? E.g. once they are in through the DMZ cp, snooping around and being able to jump onto a cp in my firewalled network.
I would say yes. Afaik most DSL routers only allow you to make one IP like a DMZ, meaning forwarding the wanted stuff directly to it. But if you do not have the ability to give that DMZ machine another IP from another subnet than your "normal" LAN has, the "hacked" DMZ machine can be used to attack the rest of your LAN. If the router does not only switch internal packets but also inspects them, you could have the possibility to set firewall rules internally, but I think the normal DSL routers won't do that.
A real DMZ in my eyes is something between two FWs to split the DMZ stuff from the rest of the LAN....
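The same-subnet point from the post above, written as a check. This is an added example, not part of the thread; apart from 192.168.2.5 the addresses are constructed, 192.168.50.5 is an assumed separate DMZ subnet, and all machines are assumed to plug into the same router as described.

```python
import ipaddress

def lan_exposure(dmz_host, lan_hosts):
    """Classify each LAN host as seen from the DMZ machine.

    dmz_host:  "ip/prefix" as configured on the DMZ machine.
    lan_hosts: {name: "ip/prefix"} for the internal machines.
    Returns {name: "direct" | "routed"}.
    """
    dmz = ipaddress.ip_interface(dmz_host)
    result = {}
    for name, cidr in lan_hosts.items():
        host = ipaddress.ip_interface(cidr)
        # Conservative test: if either side considers the other on-link,
        # packets are delivered by the router's switch ports and are not
        # handed to its packet filter, so no firewall rule can apply.
        on_link = host.ip in dmz.network or dmz.ip in host.network
        # "routed" only means a filtering point exists on the path; the
        # rules on that router or firewall still have to be written.
        result[name] = "direct" if on_link else "routed"
    return result

def unfiltered_hosts(dmz_host, lan_hosts):
    """Names of LAN hosts a compromised DMZ machine reaches without a hop."""
    exposure = lan_exposure(dmz_host, lan_hosts)
    return sorted(name for name, path in exposure.items() if path == "direct")

# Constructed inventory matching the thread's mix of desktops.
LAN = {
    "xp-desktop-1": "192.168.2.10/24",
    "xp-desktop-2": "192.168.2.11/24",
    "linux-desktop": "192.168.2.12/24",
}
CONSUMER_DMZ = "192.168.2.5/24"   # router "DMZ host": same subnet as the LAN
SEPARATE_DMZ = "192.168.50.5/24"  # assumed: DMZ on its own subnet

if __name__ == "__main__":
    for label, dmz in (("consumer DMZ host", CONSUMER_DMZ),
                       ("separate DMZ subnet", SEPARATE_DMZ)):
        exposed = unfiltered_hosts(dmz, LAN)
        print(f"{label} ({dmz}): unfiltered path to {exposed or 'no LAN hosts'}")
```
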
  #4  
Old 4th October 2006, 01:44
latcarf latcarf is offline
Senior Member
 
Join Date: Jul 2005
Posts: 215
Thanks: 0
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by falko
Yes.

Normally not.

I have to admit - I don't know. I'd try it.
I tried... wildcard wouldn't work. It's really only a pain in the Windows cps running in the house because you have to manually edit the files. Yast for Windows would be a good thing! :-)
  #5  
Old 4th October 2006, 01:53
latcarf latcarf is offline
Senior Member
 
Join Date: Jul 2005
Posts: 215
Thanks: 0
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by Ben
I would say yes. Afaik most DSL routers only allow you to make one IP like a DMZ, meaning forwarding the wanted stuff directly to it. But if you do not have the ability to give that DMZ machine another IP from another subnet than your "normal" LAN has, the "hacked" DMZ machine can be used to attack the rest of your LAN. If the router does not only switch internal packets but also inspects them, you could have the possibility to set firewall rules internally, but I think the normal DSL routers won't do that.
A real DMZ in my eyes is something between two FWs to split the DMZ stuff from the rest of the LAN....
I looked in the router setup and I did not see where I could set up another subnet... The setup right now is cable modem to LAN router (cabled). My cable modem has extra ports... I will have to check and see if there is a way I can run the test machine direct from it. There is a place for additional static IPs on the LAN router... maybe my ISP has an extra IP floating around they'll give me...

Thanks for the info!
  #6  
Old 4th October 2006, 18:14
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,740 Times in 2,575 Posts
Default

Quote:
Originally Posted by latcarf
I tried... wildcard wouldn't work. It's really only a pain in the Windows cps running in the house because you have to manually edit the files. Yast for Windows would be a good thing! :-)
Instead of editing the hosts file you could set up an internal DNS server and make your systems in your LAN use this DNS server.
  #7  
Old 5th October 2006, 23:28
latcarf latcarf is offline
Senior Member
 
Join Date: Jul 2005
Posts: 215
Thanks: 0
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by falko
Instead of editing the hosts file you could set up an internal DNS server and make your systems in your LAN use this DNS server.
lol... I'm afraid to even start the external DNS server for fear of breaking something! Interesting theory though... any HowTos on internal DNS?
  #8  
Old 6th October 2006, 15:28
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,740 Times in 2,575 Posts
Default

You could set up a MyDNS name server: http://www.howtoforge.com/mydns_name_server

It's easier to set up and manage than BIND.
  #9  
Old 6th October 2006, 15:41
latcarf latcarf is offline
Senior Member
 
Join Date: Jul 2005
Posts: 215
Thanks: 0
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by falko
You could set up a MyDNS name server: http://www.howtoforge.com/mydns_name_server

It's easier to set up and manage than BIND.
Cool! On my way out of town but I'll check it out when I get back. Thanks
  #10  
Old 31st October 2006, 17:20
latcarf latcarf is offline
Senior Member
 
Join Date: Jul 2005
Posts: 215
Thanks: 0
Thanked 1 Time in 1 Post
 
Default

Quote:
Originally Posted by falko
You could set up a MyDNS name server: http://www.howtoforge.com/mydns_name_server

It's easier to set up and manage than BIND.
I looked through this howto... I didn't see where this would help me set one of my boxes outside my network. Did I miss something?

I spoke with my ISP Support the other day and they indicated that I could possibly connect my server (or another box) directly to their modem and use the "useable" IP. When I tried to get a better answer from them they said they did not support network issues.

Hopefully you or someone else will see this and can explain it to me. This is what I have as an overall setup:
  • Static IP which includes a Network IP, Gateway IP, Useable IP, and a Broadcast IP.
  • ISP router is an Advent
  • My router is a Belkin F5D7230-4
  • 1 Server box
  • 3 desktops - 2 XP Home and 1 Linux

What I want to do is get one of the boxes outside my home network so that when I open one of my web sites via a browser it will do it just as any other computer out there would (and not through my home network via host files).

If I understand my ISP support correctly I think they are telling me I could assign the "Useable IP" to one of the boxes and hook it directly to their Advent router instead of through my Belkin router. Again, hopefully someone that has some solid network knowledge can point me in the right direction.
All times are GMT +2.