Routing issues with eth1(internal) & eth2(external)
All,

I sure hope someone can enlighten me. I am having a weird routing issue. Everything works OK, except I can't access the external interface from a machine on my internal network.

See network map pdf at http://www.marktaff.com/network.map.pdf
See output of `ifconfig` and `route` below.

From any internal (192.168...) machine, I can't ping/ssh liberty1-ext, but I can ping/ssh to liberty1-int.

From each internal machine, I can reach all the other internal machines, and the router's external ip, but not liberty1's external ip.

From outside my private network, I can ping/ssh liberty1-ext just fine.

I want to be able to access the machine via liberty1-ext both at home and while traveling, yet still be able to access the private network from liberty1 via liberty1-int interface.

Could the problem be my hub? Do I need to replace it with a switch, or perhaps a separate router? Seems like the hub should work?

Thanks for all your help.

--
Mark A. Taff

+++++++++++++++++++++++++++++++++++++++
liberty1:~ # ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0F:B5:44:34:B3
          inet addr:192.168.0.111  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20f:b5ff:fe44:34b3/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:197992 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13195 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:63024816 (60.1 Mb)  TX bytes:2299455 (2.1 Mb)
          Interrupt:11 Base address:0x8000

eth2      Link encap:Ethernet  HWaddr 00:00:C5:B3:6D:63
          inet addr:24.16.122.35  Bcast:255.255.255.255  Mask:255.255.240.0
          inet6 addr: fe80::200:c5ff:feb3:6d63/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8708383 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48430 errors:0 dropped:0 overruns:0 carrier:0
          collisions:8845 txqueuelen:1000
          RX bytes:1003929910 (957.4 Mb)  TX bytes:6020982 (5.7 Mb)
          Interrupt:10 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2273 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2273 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:879444 (858.8 Kb)  TX bytes:879444 (858.8 Kb)

++++++++++++++++++++++++++++++++++++++++++++++
liberty1:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
c-24-16-112-0.h *               255.255.240.0   U     0      0        0 eth2
link-local      *               255.255.0.0     U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         c-24-16-112-1.h 0.0.0.0         UG    0      0        0 eth2
On Tue, 17 May 2005, Mark A. Taff wrote:
All,
I sure hope someone can enlighten me. I am having a weird routing issue. Everything works OK, except I can't access the external interface from a machine on my internal network.
In addition, you have a weird network configuration.
See network map pdf at http://www.marktaff.com/network.map.pdf See output of `ifconfig` and `route` below.
From any internal (192.168...) machine, I can't ping/ssh liberty1-ext, but I can ping/ssh to liberty1-int.
From each internal machine, I can reach all the other internal machines, and the router's external ip, but not liberty1's external ip.
From outside my private network, I can ping/ssh liberty1-ext just fine.
I want to be able to access the machine via liberty1-ext both at home and while traveling, yet still be able to access the private network from liberty1 via liberty1-int interface.
This is the part that is hard to understand: Why do you want to do this? If all of the "internal" systems can access LIBERTY1 from the internal network, why would you want them to go through two firewalls to access LIBERTY1? You appear to have two Comcast networks assigned to you. Does Comcast allow routing between the two networks? For security reasons, it would be reasonable for them not to as it would provide a pathway to deliver malware.
Could the problem be my hub? Do I need to replace it with a switch, or perhaps a separate router? Seems like the hub should work?
From a simple routing perspective, you shouldn't be able to communicate between the 24.22.122/20 and the 24.22.190/24 networks, at least locally, without some routing information being provided.
You could add a static host route to LIBERTY1 and your D-Link Wireless Router. On LIBERTY1 add 24.22.190.86 with the gateway as being your eth1 interface. On the wireless router add a host route for 24.16.122.35 and specify its ethernet interface as the gateway. This would identify that there are two networks on the "external" LAN. This should allow the traffic between the networks to be routed locally through the hub.

Still, it doesn't make sense to do this. What are you trying to accomplish?

--
Merton Campbell Crockett
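Added example (not part of the original thread): a longest-prefix-match lookup over liberty1's routing table as posted, showing that 24.22.190.86 is reached only through the ISP gateway until a host route exists. The function names are hypothetical, and the interface used for the host route is the one named in the reply above.

```python
import ipaddress

# liberty1's routing table as printed by `route` in the first message.
# Gateway names are kept exactly as the truncated output shows them;
# "link-local" and "loopback" are written out as their networks.
LIBERTY1_ROUTES = [
    # (destination network, gateway or None for on-link, interface)
    ("192.168.0.0/24", None, "eth1"),
    ("24.16.112.0/20", None, "eth2"),
    ("169.254.0.0/16", None, "eth1"),
    ("127.0.0.0/8", None, "lo"),
    ("0.0.0.0/0", "c-24-16-112-1.h", "eth2"),  # default route
]


def lookup(routes, dst):
    """Return (network, gateway, iface) of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_text, gateway, iface in routes:
        net = ipaddress.ip_network(net_text)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def describe(routes, dst):
    """Human-readable result of the lookup, similar to `ip route get`."""
    hit = lookup(routes, dst)
    if hit is None:
        return f"{dst}: unreachable"
    net, gateway, iface = hit
    how = "on-link" if gateway is None else f"via {gateway}"
    return f"{dst}: {how} dev {iface} (matched {net})"


def with_host_route(routes, host, iface):
    """Copy of the table with an on-link /32 route for one host added."""
    return routes + [(f"{host}/32", None, iface)]


if __name__ == "__main__":
    router_wan = "24.22.190.86"  # D-Link external address quoted in the reply
    # As posted: nothing but the default route covers the router's address,
    # so traffic for it leaves through the ISP gateway instead of the hub.
    print(describe(LIBERTY1_ROUTES, router_wan))
    # A /32 host route is more specific than the default route and wins.
    print(describe(with_host_route(LIBERTY1_ROUTES, router_wan, "eth1"), router_wan))
    # Internal hosts and neighbours in the /20 were already on-link.
    print(describe(LIBERTY1_ROUTES, "192.168.0.50"))
```

The same reasoning applies in the other direction on the router, which needs its own entry for 24.16.122.35 as the reply describes.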
On Wed, 2005-05-18 at 06:42 -0700, Merton Campbell Crockett wrote:
On Tue, 17 May 2005, Mark A. Taff wrote:
All,
I sure hope someone can enlighten me. I am having a weird routing issue. Everything works OK, except I can't access the external interface from a machine on my internal network.
In addition, you have a weird network configuration.
See network map pdf at http://www.marktaff.com/network.map.pdf See output of `ifconfig` and `route` below.
From any internal (192.168...) machine, I can't ping/ssh liberty1-ext, but I can ping/ssh to liberty1-int.
From each internal machine, I can reach all the other internal machines, and the router's external ip, but not liberty1's external ip.
There is no need to reach the router's external IP (internally), only the internal IP. Let the router do the job it was designed for, route traffic.
From outside my private network, I can ping/ssh liberty1-ext just fine.
I want to be able to access the machine
Which one, liberty1? You just stated that you can ping/ssh liberty1-ext.
via liberty1-ext both at home and
while traveling, yet still be able to access the private network from liberty1 via liberty1-int interface.
Could the problem be my hub? Do I need to replace it with a switch, or perhaps a separate router? Seems like the hub should work?
No. The problem seems to be in your logic. If you can access liberty1 from the internet you can then access all of the internal machines via eth1. Let the router handle the connection to liberty1 via port forwarding. I believe the d-link can handle this, I know linksys routers can. Port forward ssh from the router to liberty1-int but no other ports, unless needed for other services and then you can setup a vpn tunnel to further protect any traffic between your internet connection and liberty1. Then you can eliminate liberty1-ext interface and the hub by having the cable/modem connect directly to the d-link wan port.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998

"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
On Wednesday 18 May 2005 07:23, Ken Schneider wrote:
On Wed, 2005-05-18 at 06:42 -0700, Merton Campbell Crockett wrote:
On Tue, 17 May 2005, Mark A. Taff wrote:
All,
I sure hope someone can enlighten me. I am having a weird routing issue. Everything works OK, except I can't access the external interface from a machine on my internal network.
In addition, you have a weird network configuration.
See network map pdf at http://www.marktaff.com/network.map.pdf See output of `ifconfig` and `route` below.
From any internal (192.168...) machine, I can't ping/ssh liberty1-ext, but I
can ping/ssh to liberty1-int.
From each internal machine, I can reach all the other internal machines, and
the router's external ip, but not liberty1's external ip.
There is no need to reach the router's external IP (internally), only the internal IP. Let the router do the job it was designed for, route traffic.
From outside my private network, I can ping/ssh liberty1-ext just fine.
I want to be able to access the machine
Which one, liberty1? You just stated that you can ping/ssh liberty1-ext.
via liberty1-ext both at home and
while traveling, yet still be able to access the private network from liberty1 via liberty1-int interface.
Could the problem be my hub? Do I need to replace it with a switch, or perhaps a separate router? Seems like the hub should work?
No. The problem seems to be in your logic. If you can access liberty1 from the internet you can then access all of the internal machines via eth1. Let the router handle the connection to liberty1 via port forwarding. I believe the d-link can handle this, I know linksys routers can. Port forward ssh from the router to liberty1-int but no other ports, unless needed for other services and then you can setup a vpn tunnel to further protect any traffic between your internet connection and liberty1. Then you can eliminate liberty1-ext interface and the hub by having the cable/modem connect directly to the d-link wan port.
-- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
Thanks for the help. I understand that if I can access liberty1 from the internet, then I can access every other host on my internal network. Here is what I want to be able to accomplish:

Liberty1 will be running sshd, apache, mysql, postgresql, subversion, possibly a mail server, and maybe from time to time remote X (just cause it impresses windows users ;-). It will also serve as a file server (using fish/ssh in KDE). Liberty1 is to be a development server.

Here's the issue: I will be hanging lots of stuff on this box, with many layers of abstraction. At the base, I need to be able to connect with the same connection string, regardless of whether I am at work, at home, or traveling. I also need full access to the internal network from liberty1, hence the reason I put liberty1-int in the machine.

This is because liberty1 serves as my backup machine, i.e. if something goes wrong with my laptop, I like having liberty1 be fully functional to help me fix my laptop.

Currently, I have liberty1-int and liberty1-ext defined in /etc/hosts with the internal and external ip addresses, respectively. So at home I need ssh root@liberty1-int, and at work ssh root@liberty1-ext.

Just forwarding all ports on the router to point to liberty1 can be done, but then I lose the ability to host any services on any of the other machines on my network. Further, the router has unreasonable limitations built in, such as max of 10 (I think) firewall rules (not counting the default deny).

I really don't care if I have to access liberty1 via liberty1-int when I'm at home and via liberty1-ext when elsewhere, PROVIDED I can always use the same connection parameters, and don't have to tell the computer I'm at home.

Perhaps my logic is flawed. Certainly wouldn't be the first time. ;-)

Thanks again for all your help.

--
Mark A. Taff
On Wed, 2005-05-18 at 10:50 -0700, Mark A. Taff wrote:
On Wednesday 18 May 2005 07:23, Ken Schneider wrote:
There is no need to reach the router's external IP (internally), only the internal IP. Let the router do the job it was designed for, route traffic.
No. The problem seems to be in your logic. If you can access liberty1 from the internet you can then access all of the internal machines via eth1. Let the router handle the connection to liberty1 via port forwarding. I believe the d-link can handle this, I know linksys routers can. Port forward ssh from the router to liberty1-int but no other ports, unless needed for other services and then you can setup a vpn tunnel to further protect any traffic between your internet connection and liberty1. Then you can eliminate liberty1-ext interface and the hub by having the cable/modem connect directly to the d-link wan port.
Thanks for the help. I understand that if I can access liberty1 from the internet, then I can access every other host on my internal network. Here is what I want to be able to accomplish:
Liberty1 will be running sshd, apache, mysql, postgresql, subversion, possibly a mail server, and maybe from time to time remote X (just cause it impresses windows users ;-). It will also serve as a file server (using fish/ssh in KDE). Liberty1 is to be a development server.
Here's the issue: I will be hanging lots of stuff on this box, with many layers of abstraction. At the base, I need to be able to connect with the same connection string, regardless of whether I am at work, at home, or traveling. I also need full access to the internal network from liberty1, hence the reason I put liberty1-int in the machine.
This is because liberty1 serves as my backup machine, i.e. if something goes wrong with my laptop, I like having liberty1 be fully functional to help me fix my laptop.
Currently, I have liberty1-int and liberty1-ext defined in /etc/hosts with the internal and external ip addresses, respectively. So at home I need ssh root@liberty1-int, and at work ssh root@liberty1-ext.
Just forwarding all ports on the router to point to liberty1 can be done, but then I lose the ability to host any services on any of the other machines on my network. Further, the router has unreasonable limitations built in, such as max of 10 (I think) firewall rules (not counting the default deny).
Then as I see it liberty1-ext would be in a DMZ which is fine. You can then use that address for connecting to liberty1 as well as run other services out to the internet. As far as the other boxes go use the router to port forward as needed.

Routing:

liberty1 - default route should be liberty1-ext
additional route for the internal network pointing to router via liberty1-int

All other machines would have their default route point to the router.

With this you have no problems with all other machines reaching the internet through the router and can also reach liberty1 through the internal nic.

Every device in the network should have a default route (I think) so that it knows where to send packets that are not known locally.

If you follow it like this:

pc-a is connected to a local router (the d-link).
pc-a wants to connect to liberty1. The d-link knows about liberty1 and sends the request to liberty1 directly.
Now pc-a wants to connect to somewhere.com. The d-link doesn't know about somewhere.com and sends a request out to the internet name servers asking for the address to somewhere.com, gets a response and forwards the packet to somewhere.com.

This is over simplified but you should get the idea about routing. If you don't know first hand about a destination send the request through your default route. At the last place I worked even the outside router that connected directly to the ISP had a default route which pointed to the ISP's router that it was connected to.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998

"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
On Wednesday 18 May 2005 12:50 pm, Mark A. Taff wrote:
See network map pdf at http://www.marktaff.com/network.map.pdf

Too complex to do what you want. What's the model number of the D-Link Wireless Router? Does it not have 4 or more 10/100 Ethernet switch ports? If it does then drop the 10bT hub, connect liberty1-external to the D-Link. How are all the other workstations and printer connecting to the D-Link? All wireless? Is liberty1-internal a wireless NIC? Which NICs are wired if any?
Thanks for the help. I understand that if I can access liberty1 from the internet, then I can access every other host on my internal network. Here is what I want to be able to accomplish:
Liberty1 will be running sshd, apache, mysql, postgresql, subversion, possibly a mail server, and maybe from time to time remote X (just cause it impresses windows users ;-). It will also serve as a file server (using fish/ssh in KDE). Liberty1 is to be a development server.
Here's the issue: I will be hanging lots of stuff on this box, with many layers of abstraction. At the base, I need to be able to connect with the same connection string, regardless of whether I am at work, at home, or traveling. I also need full access to the internal network from liberty1, hence the reason I put liberty1-int in the machine.
This is because liberty1 serves as my backup machine, i.e. if something goes wrong with my laptop, I like having liberty1 be fully functional to help me fix my laptop.

Then you need to secure it better. If this is the bread winner, why are you connecting it in the DMZ or rather directly to the Internet? Comcast isn't doing any security filtering for you so this machine is wide open to the internet. Don't see any mention of a firewall, Intrusion Detection System, etc running on Liberty1... IF you secure this box better then it could be left in the DMZ but it's your main machine! Why expose it to the big, bad Internet if you really don't have to?

Currently, I have liberty1-int and liberty1-ext defined in /etc/hosts with the internal and external ip addresses, respectively. So at home I need ssh root@liberty1-int, and at work ssh root@liberty1-ext.

I hope this is just an example and not what you really do because I'm going to shout here. NEVER allow external root access, especially on your golden-egg-laying goose of a server. Shut that down now. ONLY ssh/VPN in as a normal user and then use sux or su to do root work only as needed and then get out of it.

Just forwarding all ports on the router to point to liberty1 can be done, but then I lose the ability to host any services on any of the other machines on my network. Further, the router has unreasonable limitations built in, such as max of 10 (I think) firewall rules (not counting the default deny).

Maybe you should consider a Linksys WRT54G (or whatever those model numbers are) that has the ability to use different flash ROM updates with real firewall/router capabilities, Linux based even. That would be much more flexible for what you really want to do here and give you more control and security. I even advocate using one of Liberty2-5 as an internal firewall/router with external/internal NICs and put that between the D-Link and Liberty1-5. 2 firewalls are better than none or one. That D-Link is more an obscurity device than a real security device. If you know that then you can use it accordingly. I'd still advocate another firewall/router device after it and before Liberty1-5 though.

I really don't care if I have to access liberty1 via liberty1-int when I'm at home and via liberty1-ext when elsewhere, PROVIDED I can always use the same connection parameters, and don't have to tell the computer I'm at home.

Not sure what the concern here is in using the 'same connection parameters'. You should want to use a more secure method from outside your LAN than inside. ssh/VPN can be setup to be similar for both ways as in your example above. "ssh -X -p any-high-number-other-than-22 user@24.22.190.86" gives you X capabilities, connects to a high number port at the D-Link which then sends this to whichever system you can setup in the D-Link at whichever port. Having port 22 open on the D-Link will have tons of bots trying all kinds of common user names like root, guest, etc. Once they get a response then they can try dictionary attacks on the password since they know a valid user name. 3 password attempts per user name, wait x amount of time, try 3 more. Don't connect Liberty1 direct to the Internet... Are you thinking about default ssh parameters to cut down the number of failed attempts, amount of time to wait for a password, etc?

Perhaps my logic is flawed. Certainly wouldn't be the first time. ;-)

Your diagram shows a huge security hole coming through Liberty1, IMNSHO obviously... Otherwise it looks good!
Thanks again for all your help. Mark A. Taff
Stan
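Added example (not from the thread): a small checker for the sshd settings the reply above raises, namely no root login over ssh, fewer password attempts per connection, and a shorter wait for authentication. The two sample configs are constructed, the function names are hypothetical, and the thresholds (3 tries, 60 seconds) are assumptions.

```python
import re

# Constructed sample: permits what the reply warns against.
SAMPLE_WEAK = """\
# constructed example, not a config from the thread
PermitRootLogin yes
LoginGraceTime 2m
"""

# Constructed sample: the same settings tightened.
SAMPLE_HARDENED = """\
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_global(text):
    """First value of each keyword in the global part of an sshd_config.

    Keywords are case-insensitive and sshd keeps the first value it reads,
    so later duplicates are ignored. Parsing stops at the first Match block.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def seconds(value):
    """Convert '30', '90s' or '2m' to seconds; None if not in that form."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None


def audit(text, max_tries=3, max_grace=60):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_global(text)
    findings = []

    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set explicitly; set it to 'no'")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin {root}: root can log in over ssh")

    tries = cfg.get("maxauthtries")
    if tries is None or not tries.isdigit():
        findings.append("MaxAuthTries is not set explicitly")
    elif int(tries) > max_tries:
        findings.append(f"MaxAuthTries {tries}: more than {max_tries} attempts per connection")

    grace = cfg.get("logingracetime")
    secs = seconds(grace) if grace is not None else None
    if secs is None:
        findings.append("LoginGraceTime is not set explicitly or not parseable")
    elif secs == 0 or secs > max_grace:  # 0 means no time limit at all
        findings.append(f"LoginGraceTime {grace}: longer than {max_grace}s to authenticate")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text) or "ok")
```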
On Wednesday 18 May 2005 13:33, Stan Glasoe wrote:
On Wednesday 18 May 2005 12:50 pm, Mark A. Taff wrote:
See network map pdf at http://www.marktaff.com/network.map.pdf
Too complex to do what you want. What's the model number of the D-Link Wireless Router? Does it not have 4 or more 10/100 Ethernet switch ports? If it does then drop the 10bT hub, connect liberty1-external to the D-Link. How are all the other workstations and printer connecting to the D-Link? All wireless? Is liberty1-internal a wireless NIC? Which NICs are wired if any?
Thanks for the help. I understand that if I can access liberty1 from the internet, then I can access every other host on my internal network. Here is what I want to be able to accomplish:
Liberty1 will be running sshd, apache, mysql, postgresql, subversion, possibly a mail server, and maybe from time to time remote X (just cause it impresses windows users ;-). It will also serve as a file server (using fish/ssh in KDE). Liberty1 is to be a development server.
Here's the issue: I will be hanging lots of stuff on this box, with many layers of abstraction. At the base, I need to be able to connect with the same connection string, regardless of whether I am at work, at home, or traveling. I also need full access to the internal network from liberty1, hence the reason I put liberty1-int in the machine.
This is because liberty1 serves as my backup machine, i.e. if something goes wrong with my laptop, I like having liberty1 be fully functional to help me fix my laptop.
Then you need to secure it better. If this is the bread winner, why are you connecting it in the DMZ or rather directly to the Internet? Comcast isn't doing any security filtering for you so this machine is wide open to the internet. Don't see any mention of a firewall, Intrusion Detection System, etc running on Liberty1... IF you secure this box better then it could be left in the DMZ but it's your main machine! Why expose it to the big, bad Internet if you really don't have to?
Currently, I have liberty1-int and liberty1-ext defined in /etc/hosts with the internal and external ip addresses, respectively. So at home I need ssh root@liberty1-int, and at work ssh root@liberty1-ext.
I hope this is just an example and not what you really do because I'm going to shout here. NEVER allow external root access, especially on your golden-egg-laying goose of a server. Shut that down now. ONLY ssh/VPN in as a normal user and then use sux or su to do root work only as needed and then get out of it.
Just forwarding all ports on the router to point to liberty1 can be done, but then I lose the ability to host any services on any of the other machines on my network. Further, the router has unreasonable limitations built in, such as max of 10 (I think) firewall rules (not counting the default deny).
Maybe you should consider a Linksys WRT54G (or whatever those model numbers are) that has the ability to use different flash ROM updates with real firewall/router capabilities, Linux based even. That would be much more flexible for what you really want to do here and give you more control and security. I even advocate using one of Liberty2-5 as an internal firewall/router with external/internal NICs and put that between the D-Link and Liberty1-5. 2 firewalls are better than none or one. That D-Link is more an obscurity device than a real security device. If you know that then you can use it accordingly. I'd still advocate another firewall/router device after it and before Liberty1-5 though.
I really don't care if I have to access liberty1 via liberty1-int when I'm at home and via liberty1-ext when elsewhere, PROVIDED I can always use the same connection parameters, and don't have to tell the computer I'm at home.
Not sure what the concern here is in using the 'same connection parameters'. You should want to use a more secure method from outside your LAN than inside. ssh/VPN can be setup to be similar for both ways as in your example above. "ssh -X -p any-high-number-other-than-22 user@24.22.190.86" gives you X capabilities, connects to a high number port at the D-Link which then sends this to whichever system you can setup in the D-Link at whichever port. Having port 22 open on the D-Link will have tons of bots trying all kinds of common user names like root, guest, etc. Once they get a response then they can try dictionary attacks on the password since they know a valid user name. 3 password attempts per user name, wait x amount of time, try 3 more. Don't connect Liberty1 direct to the Internet... Are you thinking about default ssh parameters to cut down the number of failed attempts, amount of time to wait for a password, etc?
Perhaps my logic is flawed. Certainly wouldn't be the first time. ;-)
Your diagram shows a huge security hole coming through Liberty1, IMNSHO obviously... Otherwise it looks good!
Thanks again for all your help. Mark A. Taff
Stan
liberty3 and liberty5 are wireless. The rest are wired. I don't know the router model off the top of my head (at work). It's one of the 54Mbps "extreme" ones, and it has wired connectors, but I'm not sure if they are a hub or a switch. This router will eventually be replaced with a wl access point and a separate router/firewall (probably liberty4). Maybe now is the time to implement this...

As for remote root access, that was for example. Obscurity may be weak, but no reason to make it even easier for attackers, right?

Can I specify a port for KIO_Fish? Or will it always use port 22?

Thanks for all your help. At least you like my Kivio skills. :o)

--
Mark A. Taff
On Wednesday 18 May 2005 5:53 pm, Mark A. Taff wrote:
liberty3 and liberty5 are wireless. The rest are wired. I don't know the router model off the top of my head (at work). It's one of the 54Mbps "extreme" ones, and it has wired connectors, but I'm not sure if they are a hub or a switch. This router will eventually be replaced with a wl access point and a separate router/firewall (probably liberty4). Maybe now is the time to implement this...

Looks like there are 4 wired 10/100 Ethernet switch ports on the D-Link. Check out the Linksys WRT54 series with Sveasoft firmware replacements and until then use Liberty 4, wired, as the second firewall/router to the other wired machines. You can always use the D-Link as a dumb Ethernet switch when it gets replaced or as another firewall/router elsewhere in the mix.

As for remote root access, that was for example. Obscurity may be weak, but no reason to make it even easier for attackers, right?

Glad I got excited for no reason then. Whew.

Can I specify a port for KIO_Fish? Or will it always use port 22?

The fish protocol uses port 22 by default. In Konqueror you could issue a fish://user@your-DLink's-IP-address:50022 (the port you set on the D-Link that gets forwarded to your server:port on the internal LAN) and you are good to go. Works for me. Then through Samba/NFS/ssh you could access any other machine internally.

Thanks for all your help. At least you like my Kivio skills. :o)

Dang! Forgot to critique that! :) I wanted to change it and send it back but it was in PDF format instead of Kivio. None too skilled at extracting from PDF into other programs - yet.
Mark A. Taff
Stan
On Thursday 19 May 2005 09:28, Stan Glasoe wrote:
On Wednesday 18 May 2005 5:53 pm, Mark A. Taff wrote:
liberty3 and liberty5 are wireless. The rest are wired. I don't know the router model off the top of my head (at work). It's one of the 54Mbps "extreme" ones, and it has wired connectors, but I'm not sure if they are a hub or a switch. This router will eventually be replaced with a wl access point and a separate router/firewall (probably liberty4). Maybe now is the time to implement this...
Looks like there are 4 wired 10/100 Ethernet switch ports on the D-Link. Check out the Linksys WRT54 series with Sveasoft firmware replacements and until then use Liberty 4, wired, as the second firewall/router to the other wired machines. You can always use the D-Link as a dumb Ethernet switch when it gets replaced or as another firewall/router elsewhere in the mix.
As for remote root access, that was for example. Obscurity may be weak, but no reason to make it even easier for attackers, right?
Glad I got excited for no reason then. Whew.
Can I specify a port for KIO_Fish? Or will it always use port 22?
The fish protocol uses port 22 by default. In Konqueror you could issue a fish://user@your-DLink's-IP-address:50022 (the port you set on the D-Link that gets forwarded to your server:port on the internal LAN) and you are good to go. Works for me. Then through Samba/NFS/ssh you could access any other machine internally.
Thanks for all your help. At least you like my Kivio skills. :o)
Dang! Forgot to critique that! :) I wanted to change it and send it back but it was in PDF format instead of Kivio. None too skilled at extracting from PDF into other programs - yet.
Mark A. Taff
Stan
So I decided just to change my network around. As I didn't really trust the D-link firewall, I went out and bought a Linksys WRT54g router and installed the dd-wrt firmware. I put liberty1 back on the private network, and just forward port 80 and a port for ssh to liberty1.

Thanks for the fish tip. Everything works acceptably now. Next time I'll publish the Kivio source file as well. :-)

--
Mark A. Taff
Hi all,

Anyone on the list experience with ppdd? I know there are several ways to encrypt files and directories, but it seems with ppdd you can hide things from the root-user. Nice if you don't trust your sys-admin ;-)

Found a reference at: http://linux01.gwdg.de/~alatham/ppdd.html
But it looks like it's not maintained anymore. Did anyone ever try it (on 2.4.x or 2.6.x)?

Kind regards,
hans
participants (5)
- Hans Witvliet
- Ken Schneider
- Mark A. Taff
- Merton Campbell Crockett
- Stan Glasoe