From: "Carlos E. R." <robin.listas@telefonica.net>
Date: Tue, 11 Jul 2023 01:52:04 +0200

On 2023-07-11 01:15, Marc Chamberlin via openSUSE Users wrote:
Bob Rogers wrote:
From: Marc Chamberlin via openSUSE Users users@lists.opensuse.org
Date: Sun, 09 Jul 2023 22:48:31 -0000

OK, so now you've renamed the zone for what it does (though a simpler, more rose-like, name might have served better).
LOL, OK, how about IMZ for internal militarized zone? I am not clear why the network hawks chose to use a military term (DMZ) for describing a particular type of network design, but I really don't care about the name, just the functionality.
For simplicity, we can just call them the "external" and "internal" networks.
But I think we're all still a bit unclear on what you hope to accomplish by having a separate network for external traffic. If this traffic all goes to the same hosts anyway, what difference does it make? In terms of security, or ease of configuration, or anything else?
What I want is for each system to present a different set of capabilities depending on where the access to that system is coming from. For example the security cameras will require authentication if access to the computer that controls them comes from the internet via my IMZ zone. So I want to route all traffic that comes from the internet, destined to a particular public IP address, to be routed onto the IMZ zone and passed to the computer that controls my security camera. But if access comes from my internal zone, then no authentication will be necessary.
Same goes for my computer that controls a telescope . . .
I suspect it is impossible to enforce.

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)

Actually, I see three potential ways to accomplish this, albeit with limitations:

1. Given that you have said (in an earlier post) that you have two interfaces on each system, you can run two separate servers, one which binds only to the address(es) on the internal network interface, and another which binds only to the external interface addresses. The two separate servers can be configured independently, and there is no danger that the limited server will accidentally give too much privilege to external clients. Unfortunately, I suspect this won't work for your telescope, since I doubt you can share the hardware between two servers.

2. The conventional solution is to have a single server, and configure it so that it only grants higher levels of privilege to clients with addresses from the internal network. This requires just a single network with a single interface, but is more work to configure the server. And if the server doesn't let you classify users by IP address in its configuration interface, you're out of luck.

3. A hybrid solution would use one network and interface with two servers. The server for external users is configured as before, but it listens on a different port, chosen arbitrarily, and the firewall sends external connections to this port in order to leave the standard port free for internal network users. From the software (and security) point of view, this is exactly equivalent to the first option, but requires less hardware. Again, this doesn't work for non-shareable hardware.

-- Bob
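To make Bob's three options concrete, here is an added example (not code from anyone in this thread): a server-side check that grants full privilege only to a client whose source address is in the internal network and which arrived on the standard port (options 2 and 3), plus a listener bound to a single interface address rather than to all addresses (option 1). The network ranges, port numbers and function names are assumptions for illustration.

```python
# Added example, not from the mailing-list thread. Classifies a client the way
# options 2 and 3 describe (by source address and by listening port) and binds
# a listener to one interface address only (option 1).
import ipaddress
import socket

# Assumed internal network(s); everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("fd00::/8")]
INTERNAL_PORT = 8080    # assumed standard port, left free for internal clients
EXTERNAL_PORT = 18080   # assumed arbitrary port the firewall redirects Internet traffic to


def normalize(addr):
    """Parse a peer address, dropping an IPv6 scope id and unwrapping an
    IPv4-mapped IPv6 address (::ffff:192.168.1.5) so an IPv4 client reaching a
    dual-stack socket is not mistaken for an unknown IPv6 host."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_internal_address(addr):
    ip = normalize(addr)
    return any(ip in net for net in INTERNAL_NETS)


def access_level(peer_addr, local_port):
    """Options 2 and 3 combined, default deny: 'full' requires BOTH an internal
    source address AND arrival on the internal port. A connection the firewall
    redirected to EXTERNAL_PORT stays 'restricted' whatever address it shows,
    and an internal-looking address on the external port is not trusted."""
    if local_port == INTERNAL_PORT and is_internal_address(peer_addr):
        return "full"
    return "restricted"


def listen_on(bind_addr, port):
    """Option 1: bind to one specific interface address, not 0.0.0.0 or ::,
    so the privileged server is simply unreachable on the external interface."""
    family = socket.AF_INET6 if ":" in bind_addr else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_addr, port))
    s.listen()
    return s
```

In a real server the values would come from `conn.getpeername()` and `conn.getsockname()` on each accepted connection; the check on both address and port is what keeps a firewall redirect from accidentally handing an external client the internal privilege level.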