I set up another Linux box as a home server with Apache and FTP. I currently have this opened to the WAN by using my Linksys router's port forwarding. For example, Apache is configured to listen on port 80 and port 8080 because my ISP filters port 80. Port 443 is also forwarded to the same computer because apache-ssl listens on that port. This box is in the router DMZ, and I use the Firestarter firewall, which is a GUI front end to the native Linux firewall.
My question is this: do I have to place this computer in the DMZ so that clients on the WAN can connect to it? Isn't port forwarding all by itself enough to allow outside requests to connect to Apache?
home server
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.
LRH
Port forwarding is all you need. I use a physical DMZ for my servers.
DSL -> perimeter firewall |servers| ->internal firewall |LAN
Personally, once I put a server host on the internet I assume it's compromised and no longer trust that machine to have access to my LAN. In my example above, the 'internal firewall' is stealthed with no ports forwarded.
DMZ features for a router are sort of legacy if you ask me. All it really does is forward ALL ports to the DMZ host. With SPI, you no longer have to open the whole box up to host FTP or H.323 (or any other service that uses multiple ports in a session), as the router should be able to tell that a connection attempt is related to the initial session.
anything is possible - nothing is free


Blisster wrote:It *would* be brokeback bay if I in fact went and hung out with Skye and co (did I mention he is teh hotness?)

- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
TonyT wrote:Isn't port forwarding all by itself enough to allow outside requests to connect to apache?

Example: 2K3 OWA only needs port 443.
With the DMZ you have over 65,000 ports fully exposed...that's

MORNING WOOD Lumber Company
Guinness for Strength!!!
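The two replies above make the same point from two angles: selective port forwarding exposes only the ports the services need, while the router's DMZ feature forwards all of them, and stateful inspection (conntrack) takes care of the extra FTP data channel without opening the whole box. The script below is an added example, not posted by anyone in this thread, showing what that looks like as an iptables ruleset on a Linux router with the physical layout from the first reply (WAN, LAN, and a separate server segment). Interface names, addresses and the port list are assumed values; by default it only prints the commands, and applies them only when run with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. A minimal iptables ruleset for a Linux
# router with three interfaces (WAN, LAN, and a separate segment for the
# server) that forwards only the listed ports, relies on connection tracking
# for the FTP data channel, and never lets the server open connections into
# the LAN. Interface names, addresses and ports are assumed values.
# Nothing is applied unless APPLY=1; by default the commands are printed.

WAN_IF="${WAN_IF:-eth0}"                  # assumed: ISP-facing interface
LAN_IF="${LAN_IF:-eth1}"                  # assumed: trusted LAN
DMZ_IF="${DMZ_IF:-eth2}"                  # assumed: server segment
SERVER_IP="${SERVER_IP:-192.168.2.10}"    # assumed: the Apache/FTP host
FORWARDED_TCP="${FORWARDED_TCP:-21 80 443 8080}"

# Print an iptables command, or run it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

emit_rules() {
    # Default deny for traffic crossing the router; start from clean chains.
    run -P FORWARD DROP
    run -t nat -F
    run -t raw -F
    run -F FORWARD

    # Stateful inspection: packets belonging to a tracked session, including
    # RELATED data channels, are accepted without opening further ports.
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Assign the FTP helper so PASV/PORT data connections are classified as
    # RELATED (newer kernels no longer attach helpers automatically).
    run -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 -j CT --helper ftp

    # Forward only the listed TCP ports to the server. As an alternative to
    # running a second Apache listener, 8080 on the WAN is mapped to 80 on
    # the server; every other port is passed through unchanged.
    for p in $FORWARDED_TCP; do
        if [ "$p" = "8080" ]; then dport=80; else dport="$p"; fi
        run -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$p" \
            -j DNAT --to-destination "$SERVER_IP:$dport"
        run -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$SERVER_IP" -p tcp --dport "$dport" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Treat the exposed host as already compromised: it may never start a
    # connection towards the LAN, while admins on the LAN can still reach it.
    run -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    run -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j ACCEPT

    # Both segments may reach the internet; replies come back via conntrack.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT
    run -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

emit_rules
```

Run it once without APPLY to read the generated rules, then with `APPLY=1` as root to load them. Compared with the router's DMZ host feature, the WAN can reach the server only on the four listed ports; the FTP data channel is admitted because the helper marks it RELATED, and a compromise of the server does not give an attacker a path onto the LAN.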
Ok, I took the box out of the dmz.
Can you connect to it?
http://68.100.238.40:8080/
speed the pages load? any latency?
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.
LRH
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Thanks!
Next stop http://www.dydns.org to bind my domain name with my IP!
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.
LRH