> Let's say you want to run a web server. Don't you have to somehow
> convince the ISP that you are THE customer who should get port 80
> requests? Or am I missing something.

The ISP is going to provide you with a valid, routable IP address that can be reached from anywhere on the Internet. Around these parts this is common; up North you get a 10.x.x.x address unless you go "business class", and that is still DHCP.

Anyway, let's assume you have a valid IP address and the service provider has provided a cable modem or DSL router for your use. Depending on the provider, the device will be a layer 2 device that will assign whatever is plugged into the router/modem the valid, routable address, or the device may be a layer 3 device that will take the address for itself and assign a DHCP address, most likely in the 192.168.x.x range, to whatever is plugged into the back of the device.

If you have a layer 3 device you will have to change the configuration to layer 2. Once that is done, whatever you plug into the router/modem will receive the valid address. (This can be taken a step further by registering the device with dyndns, or any dynamic DNS service - this allows you to assign a name to the valid, routable address that will update automatically when a new DHCP address is received from the service provider. Very handy.)

So now plug the firewall into the modem/router and it gets the valid, routable address. At this point anyone on the Internet can hit the firewall via any protocol. In most cases the firewall will not have any Internet-facing services, just to keep things safe and secure.

From here you can start to do your inbound NAT stuff. For my m0n0wall I'll say the following:

Any internet traffic coming from port 8022 on the Internet I want to pass that to 192.168.17.22 port 80 on my wired LAN side. (This happens to be an Axis 206W webcam I have running at the beach.)

So now any request to http://cphatteras.dyndns.org:8022 goes from the Internet to my webcam on port 80 behind the firewall. Give it a try.

Now if I put another webcam, this time an Axis 205, I can do the same thing: Internet traffic over port 8021 I forward to 192.168.17.21 port 80

http://cphatteras.dyndns.org:8021

Does that make sense?

Greg
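
The inbound NAT behaviour described in the message above, as an added example that is not part of the original post: a toy model of a firewall's port-forward table that rewrites the destination of inbound packets, restores the public source on replies, and drops ports with no rule. The `Firewall` class, the WAN address 203.0.113.10 and the client 198.51.100.7 are constructed for illustration; only the two forwards come from the message.

```python
"""Toy model of inbound NAT (port forwarding) with reply rewriting."""
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

WAN_IP = "203.0.113.10"  # constructed stand-in for the ISP-assigned address

# External port -> (internal host, internal port), as in the message above.
FORWARDS = {
    8022: ("192.168.17.22", 80),  # Axis 206W
    8021: ("192.168.17.21", 80),  # Axis 205
}

class Firewall:  # hypothetical name; models forwarded connections only
    def __init__(self, wan_ip, forwards):
        self.wan_ip = wan_ip
        self.forwards = dict(forwards)
        # (client ip, client port, internal ip, internal port) -> external port
        self.states = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: rewrite the destination, or drop (None) if no rule."""
        if pkt.dst_ip != self.wan_ip or pkt.dst_port not in self.forwards:
            return None
        host, port = self.forwards[pkt.dst_port]
        self.states[(pkt.src_ip, pkt.src_port, host, port)] = pkt.dst_port
        return pkt._replace(dst_ip=host, dst_port=port)

    def outbound_reply(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN: restore the public source for a tracked connection."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        ext_port = self.states.get(key)
        if ext_port is None:
            return None  # not a reply to a forwarded connection
        return pkt._replace(src_ip=self.wan_ip, src_port=ext_port)

def demo():
    fw = Firewall(WAN_IP, FORWARDS)
    client = ("198.51.100.7", 40000)  # constructed Internet client
    to_cam = fw.inbound(Packet(*client, WAN_IP, 8022))
    reply = fw.outbound_reply(Packet(to_cam.dst_ip, to_cam.dst_port, *client))
    dropped = fw.inbound(Packet(*client, WAN_IP, 80))  # no rule for port 80
    return to_cam, reply, dropped

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The forward table is the complete list of what the Internet can reach behind the firewall, so it is the thing to review when auditing exposure.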
