On 1/19/23 13:15, Tom Browder wrote:
I am trying to use my new public static IP for my Debian PC which is ready
for it security-wise (thanks to advice from this ML; note I will initially
allow access only via ssh from the IP address of one of my remote hosts).
I know how to turn on public access in their router, but it's not clear
what the results will be. I have queried the AT&T community but no answer
yet.
The question is: when I set the router to allow public access, does it only
allow access to devices assigned to one of the public IPs (i.e., it does
NOT allow access to devices using DHCP)?
It seems to me logically that should be true, but I just need some
confirmation before I open up to the public. (And I will start by limit
Thanks.
-Tom

If your AT&T U-verse residential gateway is anything like mine (Pace
5268AC FXN), it will have a web server/control panel accessed by
connecting a computer via an RJ-45 Ethernet port or via Wi-Fi, and
browsing to a specific IPv4 address (mine uses 192.168.1.254). Doing so
with Debian 11.6 and Firefox, I see a web page with 4 tabs and the
"Home" tab active. If I select Settings -> Firewall, I see a Status
page with the rules I have defined. If I select Applications, Pinholes
and DMZ, I see a web page with two parts -- "Select a computer" and
"Edit firewall settings for this computer". If I click the link for my
UniFi Security Gateway in the first part (you would choose your Debian
server here), the second part updates and I see three choices:
- Maximum protection -- this means no incoming Internet traffic will be
forwarded to the selected host.
- Allow individual applications -- this means incoming Internet traffic
that matches the specific protocols/ports that I have configured will
be forwarded to the selected host. I have configured my AT&T gateway to
route Internet incoming SSH traffic and Internet incoming VPN traffic to
my UniFi Security Gateway.
- Allow all applications -- this means all incoming Internet traffic
will be forwarded to the selected host.
I suggest that you start with the second option and SSH traffic.
On a related note, you might want your static IP to be accessible via a
Fully Qualified Domain Name. You have at least two choices:
- Add an entry to the /etc/hosts file on the remote host(s) (e.g. your
laptop), so that it can find your static IP when you enter the FQDN
(e.g. when you are remote with a laptop and want to connect to your
Debian host with ssh(1)).
- If you have a domain name and DNS hosting, add a DNS record to your
DNS hosting service so that any host connected to the Internet can find
your static IP by name.
I own and recommend "Networking for System Administrators" by Lucas:
https://mwl.io/nonfiction/networking#n4sa
HTH,
David
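
A check to run from the permitted remote host once the "Allow individual applications" pinhole for SSH is in place, confirming that only port 22 answers on the static IP. This is an added example, not part of the original messages; the address 203.0.113.10 (a documentation placeholder), the probe port list and the function names are assumptions for illustration.

```python
import socket

# Assumed values: 203.0.113.10 is a documentation address standing in for
# your own static IP; the probe list is a constructed sample of common ports.
STATIC_IP = "203.0.113.10"
EXPECTED_OPEN = {22}                      # only the SSH pinhole
PROBE_PORTS = [21, 22, 23, 25, 80, 443, 445, 3389, 5900, 8080]


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable or filtered
        return False


def audit_exposure(host, expected_open, probe_ports, timeout=2.0):
    """Compare what answers on host with what the pinhole rules should allow.

    Returns (unexpected, missing): ports that answer but should not, and
    ports that should answer but do not.
    """
    expected = set(expected_open)
    answering = {p for p in set(probe_ports) | expected
                 if tcp_port_open(host, p, timeout)}
    return sorted(answering - expected), sorted(expected - answering)


if __name__ == "__main__":
    unexpected, missing = audit_exposure(STATIC_IP, EXPECTED_OPEN, PROBE_PORTS)
    for port in unexpected:
        print(f"port {port} answers but no pinhole should forward it")
    for port in missing:
        print(f"port {port} does not answer; check the pinhole and sshd")
    # Non-zero exit status when something other than SSH is exposed.
    raise SystemExit(1 if unexpected else 0)
```

Run it from outside the home network; a probe from a LAN host does not pass through the gateway's firewall the same way and says nothing about what the Internet can reach.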