Mailinglist Archive: opensuse (3349 mails)
Re: [SLE] Routing issues with eth1(internal) & eth2(external)
- From: Stan Glasoe <SRGlasoe@xxxxxxxxxxx>
- Date: Wed, 18 May 2005 15:33:55 -0500
- Message-id: <200505181533.56120.SRGlasoe@xxxxxxxxxxx>
On Wednesday 18 May 2005 12:50 pm, Mark A. Taff wrote:
> > > > See network map pdf at http://www.marktaff.com/network.map.pdf
Too complex to do what you want. What's the model number of the D-Link
Wireless Router? Does it not have 4 or more 10/100 Ethernet switch ports?
If it does then drop the 10bT hub, connect liberty1-external to the D-Link.
How are all the other workstations and printer connecting to the D-Link?
All wireless? Is liberty1-internal a wireless NIC? Which NICs are wired if
any?
> Thanks for the help. I understand that if I can access liberty1 from the
> internet, then I can access every other host on my internal network.
> Here is what I want to be able to accomplish:
>
> Liberty1 will be running sshd, apache, mysql, postgresql, subversion,
> possibly a mail server, and maybe from time to time remote X (just cause
> it impresses windows users ;-). It will also serve as a file server
> (using fish/ssh in KDE). Liberty1 is to be a development server.
>
> Here's the issue: I will be hanging lots of stuff on this box, with many
> layers of abstraction. At the base, I need to be able to connect with
> the same connection string, regardless of whether I am at work, at home,
> or traveling. I also need full access to the internal network from
> liberty1, hence the reason I put liberty1-int in the machine.
>
> This is because liberty1 serves as my backup machine, i.e. if something
> goes wrong with my laptop, I like having liberty1 be fully functional to
> help me fix my laptop.
Then you need to secure it better. If this is the breadwinner, why are you
connecting it in the DMZ or rather directly to the Internet? Comcast isn't
doing any security filtering for you so this machine is wide open to the
internet. Don't see any mention of a firewall, Intrusion Detection System,
etc running on Liberty1... IF you secure this box better then it could be
left in the DMZ but it's your main machine! Why expose it to the big, bad
Internet if you really don't have to?
> Currently, I have liberty1-int and liberty1-ext defined in /etc/hosts
> with the internal and external ip addresses, respectively. So at home I
> need ssh root@liberty1-int, and at work ssh root@liberty1-ext.
I hope this is just an example and not what you really do because I'm going
to shout here. NEVER allow external root access, especially on your
golden-egg-laying goose of a server. Shut that down now. ONLY ssh/VPN in as
a normal user and then use sux or su to do root work only as needed and
then get out of it.
> Just forwarding all ports on the router to point to liberty1 can be done,
> but then I lose the ability to host any services on any of the other
> machines on my network. Further, the router has unreasonable limitations
> built in, such as max of 10 (I think) firewall rules (not counting the
> default deny).
Maybe you should consider a Linksys WRT54G (or whatever those model numbers
are) that has the ability to use different flash ROM updates with real
firewall/router capabilities, Linux based even. That would be much more
flexible for what you really want to do here and give you more control and
security. I even advocate using one of Liberty2-5 as an internal
firewall/router with external/internal NICs and put that between the D-Link
and Liberty1-5. 2 firewalls are better than none or one. That D-Link is
more an obscurity device than a real security device. If you know that then
you can use it accordingly. I'd still advocate another firewall/router
device after it and before Liberty1-5 though.
> I really don't care if I have to access liberty1 via liberty1-int when
> I'm at home and via liberty1-ext when elsewhere, PROVIDED I can always
> use the same connection parameters, and don't have to tell the computer
> I'm at home.
Not sure what the concern here is in using the 'same connection parameters'.
You should want to use a more secure method from outside your LAN than
inside. ssh/VPN can be set up to be similar for both ways as in your example
above. "ssh -X -p any-high-number-other-than-22 user@xxxxxxxxxxxx" gives
you X capabilities, connects to a high number port at the D-Link which then
sends this to whichever system you can setup in the D-Link at whichever
port. Having port 22 open on the D-Link will have tons of bots trying all
kinds of common user names like root, guest, etc. Once they get a response
then they can try dictionary attacks on the password since they know a
valid user name. 3 password attempts per user name, wait x amount of time,
try 3 more. Don't connect Liberty1 direct to the Internet... Are you
thinking about default ssh parameters to cut down the number of failed
attempts, amount of time to wait for a password, etc?
> Perhaps my logic is flawed. Certainly wouldn't be the first time. ;-)
Your diagram shows a huge security hole coming through Liberty1, IMNSHO
obviously... Otherwise it looks good!
> Thanks again for all your help.
> Mark A. Taff
Stan
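The sshd settings Stan argues for (no external root login, a port other than 22, fewer password guesses and a shorter wait for a password, plus key-only authentication and an explicit AllowUsers list as the usual companions) can be checked mechanically. The audit below is an added example, not code from the thread; the port 2222 and the user name "mark" in the sample configs are assumed values.

```python
import re

# sshd_config(5): when a keyword appears more than once, the first value wins.
# Defaults are the documented ones; PermitRootLogin's default has changed across
# OpenSSH releases, so its absence is reported instead of assumed.
DEFAULTS = {"port": "22", "maxauthtries": "6", "logingracetime": "120",
            "passwordauthentication": "yes"}
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the global section only."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break                              # Match blocks are out of scope here
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(\S.*)$", line)
        if m:
            cfg.setdefault(m.group(1).lower(), m.group(2).strip())
    return cfg

def seconds(value):
    """Parse sshd time formats such as '30', '2m' or '1h30m' into seconds."""
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))

def audit(text):
    """Return findings for the checks the thread argues for; [] means clean."""
    cfg = parse_sshd_config(text)
    get = lambda key: cfg.get(key, DEFAULTS.get(key))
    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin must be set to 'no' (found %r)" % get("permitrootlogin"))
    if get("port") == "22":
        findings.append("Port 22: expect constant bot noise; use a high port")
    if int(get("maxauthtries")) > 3:
        findings.append("MaxAuthTries %s: too many guesses per connection" % get("maxauthtries"))
    if seconds(get("logingracetime")) > 30:
        findings.append("LoginGraceTime %s: idle login attempts linger" % get("logingracetime"))
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication on: dictionary attacks stay viable")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every local account is reachable")
    return findings

# Constructed samples: a stock-looking config and its hardened counterpart.
WEAK = "Port 22\nPermitRootLogin yes\nMaxAuthTries 6\nPasswordAuthentication yes\n"
HARDENED = ("Port 2222  # hypothetical high port\nPermitRootLogin no\nAllowUsers mark\n"
            "MaxAuthTries 3\nLoginGraceTime 30s\nPasswordAuthentication no\n")
```

Moving off port 22 only cuts the scanner noise; the controls that actually stop the dictionary attacks are the root-login, authentication-method and account-list settings.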