Re: Server Static IP and AT&T's BGW210

2023-01-20 Thread Tom Browder
On Fri, Jan 20, 2023 at 05:39 Tom Browder  wrote:

BTW, I just found this link from a guy I recently found on Youtube who
seems to know his stuff:

https://christitus.com/secure-web-server/

-Tom


Re: Server Static IP and AT&T's BGW210

2023-01-20 Thread Tom Browder
On Thu, Jan 19, 2023 at 19:58 David Christensen wrote:
…

> If your AT&T U-verse residential gateway is anything like mine (Pace
> 5268AC FXN), it will have a web server/ control panel accessed

…

Yes, my router is similar.

> I own and recommend "Networking for System Administrators" by Lucas:
>
> https://mwl.io/nonfiction/networking#n4sa


I do too.

And your email helps.

I certainly have a firewall on the computer to go public. And I’m
restricting external ssh to one of my remote hosts while I build out my
planned set up. I’m just trying to understand the way the ATT router
translates to my physical situation.

Conceptually, it seems to me it’s like having two houses: (1) one with the
private LAN like most internet connected houses these days and (2) a house
like my remote service and hosts at Dedispec where all hosts have one or
more public IPs open to ssh from the internet.

On the ATT router I turn on the public subnet and assign one of the static
IPs to my desired host.

Eventually I’m going to fancify things with other network hardware, but
not for a while.

Thanks, David.

-Tom


Re: Server Static IP and AT&T's BGW210

2023-01-19 Thread David Christensen

On 1/19/23 13:15, Tom Browder wrote:

> I am trying to use my new public static IP for my Debian PC which is ready
> for it security-wise (thanks to advice from this ML; note I will initially
> allow access only via ssh from the IP address of one of my remote hosts).
>
> I know how to turn on public access in their router, but it's not clear
> what the results will be. I have queried the AT&T community but no answer
> yet.
>
> The question is: when I set the router to allow public access, does it only
> allow access to devices assigned to one of the public IPs (i.e., it does
> NOT allow access to devices using DHCP)?
>
> It seems to me logically that should be true, but I just need some
> confirmation before I open up to the public. (And I will start by limit
>
> Thanks.
>
> -Tom



If your AT&T U-verse residential gateway is anything like mine (Pace 
5268AC FXN), it will have a web server/ control panel accessed by 
connecting a computer via an RJ-45 Ethernet port or via Wi-Fi, and 
browsing to a specific IPv4 address (mine uses 192.168.1.254).  Doing so 
with Debian 11.6 and Firefox, I see a web page with 4 tabs and the 
"Home" tab active.  If I select Settings -> Firewall, I see a Status 
page with the rules I have defined.  If I select Applications, Pinholes 
and DMZ, I see a web page with two parts -- "Select a computer" and 
"Edit firewall settings for this computer".  If I click the link for my 
UniFi Security Gateway in the first part (you would choose your Debian 
server here), the second part updates and I see three choices:


- Maximum protection -- this means no incoming Internet traffic will be 
forwarded to the selected host.


- Allow individual applications -- this means incoming Internet traffic 
that matches the specific protocols/ ports that I have configured will 
be forwarded to the selected host.  I have configured my AT&T gateway to 
route Internet incoming SSH traffic and Internet incoming VPN traffic to 
my UniFi Security Gateway.


- Allow all applications -- this means all incoming Internet traffic 
will be forwarded to the selected host.



I suggest that you start with the second option and SSH traffic.


On a related note, you might want your static IP to be accessible via a 
Fully Qualified Domain Name.  You have at least two choices:


- Add an entry to the /etc/hosts file on the remote host(s) (e.g. your 
laptop), so that it can find your static IP when you enter the FQDN 
(e.g. when you are remote with a laptop and want to connect to your 
Debian host with ssh(1)).


- If you have a domain name and DNS hosting, add a DNS record to your 
DNS hosting service so that any host connected to the Internet can find 
your static IP by name.



I own and recommend "Networking for System Administrators" by Lucas:

https://mwl.io/nonfiction/networking#n4sa


HTH,

David
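
An added example, not part of any message in this thread: a host-side nftables ruleset for the restriction Tom describes (SSH only from one remote host), which holds regardless of what the gateway forwards. The address 203.0.113.10 is a documentation placeholder for that remote host; port 22 and the file path /etc/nftables.conf are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example for /etc/nftables.conf on the Debian host that
# holds the public static IP. Not taken from the thread.

flush ruleset

# Placeholder (documentation range): the one remote host allowed to use SSH.
define SSH_ADMIN = 203.0.113.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local traffic and replies to connections this host opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP needed for error reporting, path MTU discovery and
        # IPv6 neighbor discovery.
        icmp type { destination-unreachable, time-exceeded,
                    parameter-problem, echo-request } accept
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request,
                      nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept

        # The only inbound service: SSH, and only from the one remote host.
        ip saddr $SSH_ADMIN tcp dport 22 ct state new accept

        # Everything else falls through to the drop policy; log a sample
        # so unexpected exposure shows up in the journal.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before loading it, and keep a console session open while testing so a mistake in the source address does not lock you out.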



Re: Server Static IP and AT&T's BGW210

2023-01-19 Thread gene heskett

On 1/19/23 17:08, john doe wrote:

> On 1/19/23 22:15, Tom Browder wrote:
>> I am trying to use my new public static IP for my Debian PC which is ready
>> for it security-wise (thanks to advice from this ML; note I will initially
>> allow access only via ssh from the IP address of one of my remote hosts).
>>
>> -Tom
>
> If I may, use bridge mode or a modem but do not use a router from your ISP.
> To me, the simple fact that you are asking this question is enough to
> not trust what you have from your ISP!
>
> --
> John Doe

Good advice. My whole home net is in the 192.168.xxx.yyy area, natted in 
MY router running dd-wrt. I've totally transparent access to the whole 
world, but that whole world has not touched me in 20 years.


Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Server Static IP and AT&T's BGW210

2023-01-19 Thread Brian
On Thu 19 Jan 2023 at 15:15:28 -0600, Tom Browder wrote:

> I am trying to use my new public static IP for my Debian PC which is ready
> for it security-wise (thanks to advice from this ML; note I will initially
> allow access only via ssh from the IP address of one of my remote hosts).
> 
> I know how to turn on public access in their router, but it's not clear
> what the results will be. I have queried the AT&T community but no answer
> yet.
> 
> The question is: when I set the router to allow public access, does it only
> allow access to devices assigned to one of the public IPs (i.e., it does
> NOT allow access to devices using DHCP)?
> 
> It seems to me logically that should be true, but I just need some
> confirmation before I open up to the public. (And I will start by limit

*All* addresses used on the internet are public.



Re: Server Static IP and AT&T's BGW210

2023-01-19 Thread john doe

On 1/19/23 22:15, Tom Browder wrote:

> I am trying to use my new public static IP for my Debian PC which is ready
> for it security-wise (thanks to advice from this ML; note I will initially
> allow access only via ssh from the IP address of one of my remote hosts).
>
> -Tom



If I may, use bridge mode or a modem but do not use a router from your ISP.
To me, the simple fact that you are asking this question is enough to
not trust what you have from your ISP!

--
John Doe



Server Static IP and AT&T's BGW210

2023-01-19 Thread Tom Browder
I am trying to use my new public static IP for my Debian PC which is ready
for it security-wise (thanks to advice from this ML; note I will initially
allow access only via ssh from the IP address of one of my remote hosts).

I know how to turn on public access in their router, but it's not clear
what the results will be. I have queried the AT&T community but no answer
yet.

The question is: when I set the router to allow public access, does it only
allow access to devices assigned to one of the public IPs (i.e., it does
NOT allow access to devices using DHCP)?

It seems to me logically that should be true, but I just need some
confirmation before I open up to the public. (And I will start by limit

Thanks.

-Tom