I added the LEAF list back in.

At 03:38 AM 12/28/01 +0000, djoutlaw outlaw wrote:

>I am sorry what I mean is I can give a friend my static IP address and then
>they can pull up my apache test page. I am using DachStein which seems to
>be the easiest setup. Just opened up the INTERNAL__WWW_SERVER
>XXX.XXX.XXX.XXX and with the TCP 0.0.0.0/0_www

OK. This means you are port forwarding port 80 of your LEAF router's external
IP address to port 80 of a private-address server. No problem there.

>I really just want people to be able to access port 80 but not be able to
>use the server as a gateway to the network. I am only forwarding port 80.
>I thought there was some way I could block the webserver from connecting to
>the network but allow everyone else to connect to the webserver

Unfortunately, "connecting" is an imprecise term. I'm also uncertain as to
what you mean by "the" network.

You can prevent the Web server from initiating connections to the Internet
(one possible "the" network), while allowing it to access the Internet only
for purposes of responding to port-80 queries. I don't know if there is an
easy way to do this using DachStein's setup scripts, though ... someone
better acquainted with the intricacies of DachStein will have to handle that.

You would most easily do the underlying work by adding, at an appropriate
place in your input chain, these two firewalling rules (approximately; I
haven't tested this syntax so may have made small errors):

	ipchains -A input -j ACCEPT -s a.b.c.d/32 80 -i eth1 -p tcp
	ipchains -A input -j DENY -s a.b.c.d/32 -i eth1 -p all

where a.b.c.d is the internal address of the Web server and I've assumed
that eth1 is your LAN interface. The first rule passes all traffic from
port 80 on the Web server. The second rule blocks all other traffic from
the Web server.

There are fancier ways to do this too; you can distinguish initiation and
reply TCP (but not UDP or ICMP) packets by testing the flag bits. Look at
the -y switch for ipchains to learn the details.

While you can do this, you may not want to. The Web server may well need to
communicate to or from other ports to work properly. For example, it may
need to do off-LAN DNS resolution. Or it may get its time updated using
ntp. Or it may also be a mail server. Or ... you get the idea. This is what
I meant when I said you can't decide how to firewall properly without
knowing the details of how the setup is supposed to work.

OTOH, if you want to prevent the Web server from connecting to other hosts
on the LAN (the other possible "the" network) ... if the Web server is
itself on the LAN, a LEAF router cannot help you there, since on-LAN traffic
doesn't (normally) go through a router. (There are some tricky things you
can do there, but in the end, none are really secure if the Web server gets
cracked.) If you want to isolate the Web server from the LAN, you normally
do so by adding a third interface to the router and setting up on it a
separate network, customarily called a DMZ, that keeps the "exposed" part of
your site isolated from the truly private part of your site. This is a
standard DachStein setup and should be well explained in the DachStein docs
and config-file comments.

>Thanks for the quick response!

[old stuff deleted]

-- 
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                   [EMAIL PROTECTED]
----------------------------------------------------------------

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
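Added example, not part of Ray's mail or of DachStein: the "fancier" version of his two input-chain rules, using the ipchains -y (SYN) test so that only the Web server's port-80 replies get through, while any attempt by the server to open a new TCP connection is logged and denied. It also carries the DNS and NTP allowances Ray mentions as things such a server often needs; whether your server needs them is an assumption, as are the address 192.168.1.10 and the interface eth1. IPCHAINS defaults to "echo ipchains", so the script only prints the rules it would apply; set IPCHAINS=ipchains on the router itself. As Ray notes, -y only distinguishes TCP; the UDP rules below are plain port matches, and none of this affects LAN-to-LAN traffic that never crosses the router.

```shell
#!/bin/sh
# Build the input-chain rules that let a LAN web server answer on port 80
# but not originate connections through the router. Dry-run by default.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# $1 = internal address of the Web server (a.b.c.d in the mail)
# $2 = the router's LAN interface (eth1 in the mail)
webserver_input_rules() {
    websrv="$1"
    lanif="$2"

    # 1. Replies from the HTTP service: source port 80, but never a bare SYN.
    #    "! -y" matches packets that are NOT (SYN set, ACK+FIN clear), i.e.
    #    anything except a connection-initiation from port 80.
    $IPCHAINS -A input -i "$lanif" -p tcp ! -y -s "$websrv/32" 80 -j ACCEPT

    # 2. Housekeeping the server may need (assumed here): outbound DNS and
    #    NTP over UDP. Drop these lines if the server does not use them;
    #    add a TCP/53 rule if your resolver needs large answers.
    $IPCHAINS -A input -i "$lanif" -p udp -s "$websrv/32" -d 0.0.0.0/0 53  -j ACCEPT
    $IPCHAINS -A input -i "$lanif" -p udp -s "$websrv/32" -d 0.0.0.0/0 123 -j ACCEPT

    # 3. Everything else from the Web server, including any new TCP
    #    connection it tries to open, is logged (-l) and denied. Order
    #    matters: this must come after the ACCEPT rules above.
    $IPCHAINS -A input -i "$lanif" -p all -s "$websrv/32" -l -j DENY
}

# Stand-alone use: print the rules for the assumed server and interface.
webserver_input_rules "${1:-192.168.1.10}" "${2:-eth1}"
```

Run it once without setting IPCHAINS to eyeball the four rules, then rerun with IPCHAINS=ipchains on the LEAF box. If the server later turns out to need another protocol, the logged DENY hits tell you exactly which rule to add in front of the final one.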