On Mon, May 21, 2012 at 3:17 PM, Girish Venkatachalam < [email protected]> wrote:
> I dunno a single Indian company that is doing web hosting or any
> hosting of applications with success.
>
> Even if you take God forsaken Reliance, Airtel, Tata or our own Sarkai
> BSNL, they all suffer from technical incompetence in equal measure.
>

You are trying to educate folks on the list. Passing value judgements on what others do is in real bad taste. Seems like self-aggrandizement as you'd go on later to say how you did it....... Humility has its value.

> I have successfully run my mail server with an optic fiber static IP
> block and nowadays I have at least 3 machines in America which I can
> access publicly; so I have no trouble about running any application with
> full access to the Internet.
>

This is really no big deal. Folks have done this for ages. Not many in the public, but a good number on this list would've.

> You should be able to access a local machine's local port from a
> public machine on the Internet by changing the configuration on the MODEM.
>
> How to achieve that?
>
> This is a bit complex, so I will cover this with care.
>
> I really don't understand the concept of DMZ very well but I know this
> much for my practical need that every MODEM out there has a DMZ setting
> where you can give a local IP like 192.168.1.3.
>

DMZ (De-Militarised Zone) is a standard term used in securing your perimeter. It is a wartime terminology. Essentially, it divides the area that needs to be protected into different zones with different levels of security and restrictions. Networks are treated the same way. Generally, publicly accessible services behind a firewall are placed in a DMZ. The LAN within the organisation would be treated as a core, highly secure network.

Good practice to restrict traffic would be:

Public -> DMZ: Allow using port forwarding.
DMZ -> Public: Not allowed.
LAN -> DMZ: Allow using simple routing.
DMZ -> LAN: Not allowed.
LAN -> Public: Allow via proxies to monitor and restrict as needed.
Public -> LAN: Not allowed.

> Just like you can port forward HTTP, you can port forward any TCP or UDP
> port, of course this will not work with FTP, but this will work with rsync,
> ssh and many other protocols.
>

Applications are designed to use just one port (ssh, apache etc) or two ports (one for control and one for data - FTP, SIP etc). Port forwarding is straightforward for single port applications. Dual port applications need ALGs (Application level gateways) which will dynamically open up ports for forwarding as new connections are established and new data ports negotiated. Many MODEMs (misnomer as these are routers and not Modems) do have built in ALGs for some applications like FTP.

> In a way NAT leads to a lack of security eh?
>

Not something that is encouraged. Security by obscurity is not advisable for serious use. Home use and low security profile needs could probably do with this. I reckon if someone wants to run services for public access, security is a serious concern.

--
Mohan Sundaram
_______________________________________________
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
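The zone policy and the port-forwarding/ALG points in Mohan's reply, modelled as a small stateful firewall simulator. This is an added example, not code from the thread or from either author; the addresses (203.0.113.10 as the router's public side, 192.168.1.0/24 as the DMZ, 10.0.0.0/24 as the LAN), the proxy host, the forwarded ports and the FTP passive-mode ALG behaviour are all constructed assumptions. It shows two things the message states only in prose: that "DMZ -> Public not allowed" must still let reply packets of forwarded connections through (hence connection tracking), and that a dual-port protocol like FTP reaches the DMZ only if something opens the negotiated data port dynamically.

```python
"""Added example (not from the ILUGC thread or its authors): a toy model of the
Public/DMZ/LAN policy with static port forwarding, connection tracking and an FTP ALG.
All addresses, ports and hosts below are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

PUBLIC_IP = "203.0.113.10"   # constructed: the router's WAN address (documentation range)
ZONES = {
    "DMZ": ipaddress.ip_network("192.168.1.0/24"),
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
}
PROXY_IP = "10.0.0.254"      # constructed: the only LAN host allowed to originate Internet traffic
# Static port forwards: public port -> (DMZ host, port). Nothing else behind the router is reachable.
PORT_FORWARDS = {21: ("192.168.1.3", 21), 22: ("192.168.1.3", 22), 80: ("192.168.1.3", 80)}
# Handling of NEW connections between zones, as listed in the message.
POLICY = {
    ("PUBLIC", "DMZ"): "forward",  # only through an explicit port forward or an ALG pinhole
    ("DMZ", "PUBLIC"): "drop",
    ("LAN", "DMZ"): "route",
    ("DMZ", "LAN"): "drop",
    ("LAN", "PUBLIC"): "proxy",    # only the proxy may talk to the Internet
    ("PUBLIC", "LAN"): "drop",
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "PUBLIC"

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

class ZoneFirewall:
    def __init__(self):
        self.conntrack = set()   # established connections, stored after translation
        self.pinholes = {}       # public port -> (DMZ host, port), opened dynamically by the ALG

    def handle(self, flow):
        """Return (verdict, flow as delivered). Replies to tracked connections are always accepted."""
        if (flow.dst, flow.dport, flow.src, flow.sport) in self.conntrack:
            return "ACCEPT", flow
        # PREROUTING: traffic to the router's public side is DNATed if a forward or pinhole exists
        if flow.dst == PUBLIC_IP:
            target = PORT_FORWARDS.get(flow.dport) or self.pinholes.get(flow.dport)
            if target is None:
                return "DROP", flow
            flow = Flow(flow.src, flow.sport, *target)
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone == dst_zone:
            return "ACCEPT", flow            # same zone: the firewall is not in the path
        action = POLICY[(src_zone, dst_zone)]
        if action == "drop":
            return "DROP", flow
        if action == "proxy" and flow.src != PROXY_IP:
            return "DROP", flow              # LAN clients must go through the proxy
        self.conntrack.add((flow.src, flow.sport, flow.dst, flow.dport))
        return "ACCEPT", flow

    def ftp_pasv(self, server, data_port):
        """FTP ALG (constructed behaviour): when a tracked control connection to server:21
        exists and the server announces a passive data port, open a matching pinhole so the
        client's second connection is forwarded too. Without this, dual-port protocols break."""
        if not any(c[2] == server and c[3] == 21 for c in self.conntrack):
            return False
        self.pinholes[data_port] = (server, data_port)
        return True

def demo():
    """Run constructed flows through the policy and return the verdict for each."""
    fw = ZoneFirewall()
    v = lambda f: fw.handle(f)[0]
    r = {}
    r["public_ssh"] = v(Flow("198.51.100.7", 40000, PUBLIC_IP, 22))     # forwarded to the DMZ host
    r["public_smtp"] = v(Flow("198.51.100.7", 40001, PUBLIC_IP, 25))    # no forward configured
    r["ssh_reply"] = v(Flow("192.168.1.3", 22, "198.51.100.7", 40000))  # reply of a tracked connection
    r["dmz_out"] = v(Flow("192.168.1.3", 50000, "198.51.100.9", 443))   # DMZ may not originate
    r["lan_direct"] = v(Flow("10.0.0.5", 50001, "198.51.100.9", 443))   # bypassing the proxy
    r["lan_proxy"] = v(Flow(PROXY_IP, 50002, "198.51.100.9", 443))
    r["lan_dmz"] = v(Flow("10.0.0.5", 50003, "192.168.1.3", 22))
    r["dmz_lan"] = v(Flow("192.168.1.3", 50004, "10.0.0.5", 445))
    r["public_lan"] = v(Flow("198.51.100.7", 40002, "10.0.0.5", 445))
    r["ftp_ctrl"] = v(Flow("198.51.100.7", 40003, PUBLIC_IP, 21))
    r["data_no_alg"] = v(Flow("198.51.100.7", 40004, PUBLIC_IP, 50010))  # data port not yet opened
    r["alg_opened"] = fw.ftp_pasv("192.168.1.3", 50010)
    r["data_with_alg"] = v(Flow("198.51.100.7", 40005, PUBLIC_IP, 50010))
    return r

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The model is deliberately strict: anything not matched by a static forward or an ALG pinhole is dropped at the public side, which is the opposite of a consumer router's "DMZ host" setting that hands every unsolicited port to one internal address.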
