> If you want to isolate the Web server from the LAN, you normally do so by
> adding a third interface to the router and setting up on it a separate
> network, customarily called a DMZ, that keeps the "exposed" part of your
> site isolated from the truly private part of your site. This is a standard
> DachStein setup and should be well explained in the DachStein docs and
> config-file comments.

This seems to be the more secure route to protect the LAN from the webserver. I will try this approach. I will look for more info on DMZ. Thanks.

> From: Ray Olszewski <[EMAIL PROTECTED]>
> To: "djoutlaw outlaw" <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] How can I protect the network from the webserver
> Date: Thu, 27 Dec 2001 21:46:05 -0800
>
> I added the LEAF list back in.
>
> At 03:38 AM 12/28/01 +0000, djoutlaw outlaw wrote:
> > I am sorry what I mean is I can give a friend my static IP address and then
> > they can pull up my apache test page. I am using DachStein which seems to
> > be the easiest setup. Just opened up the INTERNAL__WWW_SERVER
> > XXX.XXX.XXX.XXX and with the TCP 0.0.0.0/0_www
>
> OK. This means you are port forwarding port 80 of your LEAF router's
> external IP address to port 80 of a private-address server. No problem
> there.
>
> > I really just want people to be able to access port 80 but not be able to
> > use the server as a gateway to the network. I am only forwarding port 80.
> > I thought there was some way I could block the webserver from connecting to
> > the network but allow everyone else to connect to the webserver
>
> Unfortunately, "connecting" is an imprecise term. I'm also uncertain as to
> what you mean by "the" network.
>
> You can prevent the Web server from initiating connections to the Internet
> (one possible "the" network), while allowing it to access the Internet only
> for purposes of responding to port-80 queries. I don't know if there is an
> easy way to do this using DachStein's setup scripts, though ... someone
> better acquainted with the intricacies of DachStein will have to handle
> that.
>
> You would most easily do the underlying work by adding, at an appropriate
> place in your input chain, these two firewalling rules (approximately; I
> haven't tested this syntax so may have made small errors):
>
>     ipchains -A input -j ACCEPT -s a.b.c.d/32 80 -i eth1 -p tcp
>     ipchains -A input -j DENY -s a.b.c.d/32 -i eth1 -p all
>
> where a.b.c.d is the internal address of the Web server and I've assumed
> that eth1 is your LAN interface.
>
> The first rule passes all traffic from port 80 on the Web server. The
> second rule blocks all other traffic from the Web server.
>
> There are fancier ways to do this too; you can distinguish initiation and
> reply TCP (but not UDP or ICMP) packets by testing the flag bits. Look at
> the -y switch for ipchains to learn the details.
>
> While you can do this, you may not want to. The Web server may well need to
> communicate to or from other ports to work properly. For example, it may
> need to do off-LAN DNS resolution. Or it may get its time updated using
> ntp. Or it may also be a mail server. Or ... you get the idea. This is what
> I meant when I said you can't decide how to firewall properly without
> knowing the details of how the setup is supposed to work.
>
> OTOH, if you want to prevent the Web server from connecting to other hosts
> on the LAN (the other possible "the" network) ... if the Web server is
> itself on the LAN, a LEAF router cannot help you there, since on-LAN
> traffic doesn't (normally) go through a router. (There are some tricky
> things you can do there, but in the end, none are really secure if the Web
> server gets cracked.)
>
> If you want to isolate the Web server from the LAN, you normally do so by
> adding a third interface to the router and setting up on it a separate
> network, customarily called a DMZ, that keeps the "exposed" part of your
> site isolated from the truly private part of your site. This is a standard
> DachStein setup and should be well explained in the DachStein docs and
> config-file comments.
>
> > Thanks for the quick response!
> [old stuff deleted]
>
> -- 
> ------------------------------------"Never tell me the odds!"---
> Ray Olszewski                                          -- Han Solo
> Palo Alto, CA                                    [EMAIL PROTECTED]
> ----------------------------------------------------------------

Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
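As an added example (not code from the thread or from DachStein), the rule set Ray sketches carried through with the `-y` refinement and the DNS/NTP exceptions he mentions. The LAN interface eth1, the sample addresses, and the `IPCHAINS=echo` dry-run switch are assumptions made here.

```shell
#!/bin/sh
# Added example for the ipchains approach discussed on the list; it is not
# code from the thread or from DachStein. It lets a LAN-side web server answer
# port-80 requests and reach DNS/NTP, and denies everything else it sends.
# Assumptions: ipchains syntax, LAN interface eth1, and the constructed sample
# addresses below. Set IPCHAINS=echo to print the rules instead of applying them.

WEB_IP="${WEB_IP:-192.168.1.10}"           # constructed: the web server's LAN address
RESOLVER_IP="${RESOLVER_IP:-192.168.1.1}"  # constructed: the DNS server it may query
LAN_IF="${LAN_IF:-eth1}"
IPCHAINS="${IPCHAINS:-ipchains}"

# Rules for packets arriving from the web server on the LAN interface.
# They are appended (-A), so in a real config they must be placed before any
# blanket "accept everything from the LAN" rule, or they will never match.
webserver_rules() {
    # Replies from the web service: TCP with source port 80, but not a bare
    # SYN (! -y), so the host cannot open new connections from port 80 either.
    $IPCHAINS -A input -i "$LAN_IF" -p tcp ! -y -s "$WEB_IP"/32 80 -j ACCEPT
    # The outbound services Ray's caveat says the host may legitimately need.
    $IPCHAINS -A input -i "$LAN_IF" -p udp -s "$WEB_IP"/32 -d "$RESOLVER_IP"/32 53 -j ACCEPT
    $IPCHAINS -A input -i "$LAN_IF" -p udp -s "$WEB_IP"/32 123 -d 0.0.0.0/0 123 -j ACCEPT
    # Everything else from the web server is denied and logged (-l), so a
    # compromised host probing the LAN or the Internet leaves a kernel log trace.
    $IPCHAINS -A input -i "$LAN_IF" -p all -s "$WEB_IP"/32 -j DENY -l
}

case "${1:-}" in
    show)  IPCHAINS=echo webserver_rules ;;   # dry run: print the rule lines
    apply) webserver_rules ;;                 # real run: needs root and ipchains
esac
```

Review the output of `sh script.sh show` before running `apply`; the logged DENY hits are the first place to look when the web server starts talking to something it should not.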
