On Thursday 30 Mar 2017 17:23:13 Adam Carter wrote:
> On Thu, Mar 30, 2017 at 2:59 AM, Peter Humphrey <pe...@prh.myzen.co.uk>
> wrote:
> > Hello list,
> >
> > I've been using shorewall happily for many years, but now I have a LAN setup
> > that the docs seem not to cover. The new web-server box I mentioned recently
> > has two Ethernet ports, which I want to connect as follows:
> >
> > Port 1 (enp1s0) will be connected to a spare port on my vDSL modem/router
> > and be accessible from outside. An HTTP hole* will be opened in the
> > router for this.
> >
> > Port 2 (enp2s0) is connected to my LAN switch, which is connected in turn
> > to another port on the vDSL modem, which has no holes open to this port.
> > Once the server goes into service this interface will be down most of
> > the time.
> >
> > I want to ensure that no bridging occurs between the two ports in the web
> > server.
>
> The term "bridging" implies layer 2 forwarding, like what a hub or switch
> does. You have to do a little work to set that up, so it won't happen by
> accident.
>
> Routing, at layer 3, just requires /proc/sys/net/ipv4/ip_forward to be set
> to 1. However, since you're allowing connections to the webserver, any
> compromise of that webserver means that any network connected to the
> webserver is available without restriction. This is why webservers are
> typically put in a DMZ, and a firewall used to connect the outside, the
> DMZ and the inside.

Yes, I understand that last.

> For HTTPS, get a Let's Encrypt cert.

Ah! Thanks for the pointer. I'll follow it up.

> FWIW I'm running my home system pretty much the way you propose, and
> AFAICT I haven't been compromised... but there's little of value there.

A little confidence, then. Thanks for that too.

-- 
Regards
Peter
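A worked shorewall configuration for the two-port layout discussed above, added here as an illustration; it is not from the thread and not the shorewall project's own documentation. It turns Adam's two points into config: IP_FORWARDING=Off makes shorewall write 0 to /proc/sys/net/ipv4/ip_forward, and the policy table gives the FORWARD path no net<->loc permit, so a compromised web server has no kernel route into the LAN. The interface names enp1s0/enp2s0 are Peter's; the zone names net and loc, the policy choices, and the use of shorewall's standard Web and SSH macros are my assumptions for this example.

```text
# /etc/shorewall/shorewall.conf  (only the settings that matter here; assumed example)
STARTUP_ENABLED=Yes
# Off: shorewall disables IPv4 forwarding when it starts, so the box cannot route
# between enp1s0 and enp2s0 even if a FORWARD rule were added by mistake.
IP_FORWARDING=Off

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4            # enp1s0: the port the vDSL router forwards HTTP to
loc     ipv4            # enp2s0: the LAN switch side, no holes from outside

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     enp1s0      nosmurfs,routefilter,tcpflags
loc     enp2s0      nosmurfs,tcpflags

# /etc/shorewall/policy
# There is deliberately no net->loc or loc->net line: traffic between the two
# ports falls through to the catch-all and is refused, which is the "no bridging"
# requirement at layer 3.
#SOURCE DEST    POLICY  LOGLEVEL
loc     $FW     ACCEPT
$FW     net     ACCEPT
$FW     loc     REJECT  info    # the server never needs to originate LAN traffic
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Rules are evaluated before policies; only the web ports are opened from outside.
#ACTION         SOURCE  DEST    PROTO   DPORT
Web(ACCEPT)     net     $FW                     # HTTP and HTTPS (for the Let's Encrypt cert)
SSH(ACCEPT)     loc     $FW                     # admin from the LAN only
```

Run `shorewall check` before `shorewall start`. Afterwards `cat /proc/sys/net/ipv4/ip_forward` should read 0 and `iptables -S FORWARD` should contain no rule accepting traffic between enp1s0 and enp2s0. Because bridging is a separate layer-2 feature, also confirm that `ip link show type bridge` lists no bridge device containing either port. The `$FW loc REJECT` line is the hardening worth keeping in mind: with `$FW loc ACCEPT` instead, the server itself could still open connections into the LAN after a web-application compromise, which is exactly the exposure Adam describes. If the server does need to reach a LAN host (backups, syslog), add a single rule for that host and port rather than relaxing the policy.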