On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey <pe...@prh.myzen.co.uk>
wrote:

> Hello list,
>
> I've been using shorewall happily for many years, but now I have a LAN
> setup that the docs seem not to cover. The new web-server box I mentioned
> recently has two Ethernet ports, which I want to connect as follows:
>
> Port 1 (enp1s0) will be connected to a spare port on my vDSL modem/router
> and be accessible from outside. An HTTP hole* will be opened in the router
> for this.
>
> Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn
> to another port on the vDSL modem, which has no holes open to this port.
> Once the server goes into service this interface will be down most of the
> time.
>
> I want to ensure that no bridging occurs between the two ports in the web
> server.
>

The term "bridging" implies layer 2 forwarding, like what a hub or switch
does. You have to do a little work to set that up, so it won't happen by
accident.

Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be set
to 1. However since you're allowing connections to the webserver, any
compromise of that webserver means that any network connected to the
webserver is available without restriction. This is why webservers are
typically put in a DMZ, and a firewall used to connect the outside, the DMZ
and the inside.

For HTTPS, get a LetsEncrypt cert.

FWIW I'm running my home system pretty much the way you propose, and AFAICT
I haven't been compromised... but there's little of value there.
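One way to express the layout the reply describes in Shorewall terms, as an added example that is not part of either message in this thread: the outside-facing port and the LAN port go into separate zones with no policy or rule between them, so nothing is routed between enp1s0 and enp2s0 even if the kernel's forwarding flag is on. The interface names come from the thread; the zone names, the policies, the port list and the helper functions are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): render a two-zone Shorewall
# configuration into a directory and check the kernel's IPv4 forwarding flag.
# Interface names enp1s0/enp2s0 are from the thread; everything else
# (zone names, policies, exposed ports) is constructed for illustration.

# write_shorewall_config DIR
# Writes zones, interfaces, policy and rules files into DIR.
# enp1s0 is zone "net" (reached through the router's HTTP hole), enp2s0 is
# zone "loc" (the LAN). Nothing permits net<->loc traffic in either direction.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir" || return 1

    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   OPTIONS
net     enp1s0      tcpflags,nosmurfs,routefilter
loc     enp2s0      tcpflags,nosmurfs
EOF

    # Policies are matched top to bottom; the two cross-zone entries come
    # first so no later, broader line can re-open the path between ports.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
net     loc     DROP    info
loc     net     REJECT  info
$FW     all     ACCEPT
loc     $FW     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Only the web service is exposed on the outside-facing zone; SSH is
    # reachable from the LAN side only.
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DPORT
ACCEPT  net     $FW     tcp     80,443
ACCEPT  loc     $FW     tcp     22
EOF
}

# forwarding_state FILE
# Prints "off" when FILE (normally /proc/sys/net/ipv4/ip_forward) holds 0,
# "on" for any other value. The kernel only routes between the two ports
# when this is on.
forwarding_state() {
    read -r value < "$1" || return 1
    if [ "$value" = "0" ]; then
        echo off
    else
        echo on
    fi
}

# policy_denies_crosstalk DIR
# Succeeds only if the rendered policy denies both net->loc and loc->net.
policy_denies_crosstalk() {
    grep -Eq '^net[[:space:]]+loc[[:space:]]+(DROP|REJECT)' "$1/policy" &&
    grep -Eq '^loc[[:space:]]+net[[:space:]]+(DROP|REJECT)' "$1/policy"
}

# Usage: ./two-zone.sh --demo renders into a scratch directory and reports.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_shorewall_config "$d"
    policy_denies_crosstalk "$d" && echo "policy isolates net and loc"
    echo "ip_forward is $(forwarding_state /proc/sys/net/ipv4/ip_forward)"
fi
```

The policy file does the real work: with no ACCEPT between net and loc, Shorewall's FORWARD chain drops or rejects anything that tries to cross, regardless of the forwarding flag. Setting IP_FORWARDING=Off in shorewall.conf additionally has Shorewall write 0 to ip_forward, which is the belt-and-braces setting for a host that should never route at all.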
