Gentoo Forums
How to access website through LAN and security issues?
Forum: Networking & Security
szatox (Veteran; joined 27 Aug 2013; 1751 posts)
Posted: Sun Feb 21, 2016 6:14 pm

Quote:
So in case ransomware gets in, it can encrypt the whole database! Even if it is not root...

Dude, such a thing is just a computer program. All programs do exactly the same thing: they read data, they process it, and they write it back. There is no way to say what the result of this processing is. At least, there is no way for another program to say it: you must be intelligent to predict the outcome. Computers are not intelligent.

There is good news for you though: databases tend to use their data files, and they do that by keeping them open. You can run a test on a separate instance and check if the files are locked. On Windows all programs by default set full locks on any files they open. On Linux it's different, but it's still possible to prevent other programs from writing to a file you're using.
Quote:
You can set Linux to execute email attachments ... but why would you?

Where does this option exist - I mean, how to check that it is not active...

Have you deliberately configured it in a way that allows executing attachments directly from emails? If not, then it's not active.
Setting noexec for all user-writable locations is a bonus that would protect you from running any other programs that were not installed there by root.
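The noexec advice in the post above, turned into a check. This is an added example, not code from szatox's post: it reads a file in /proc/mounts format and reports which of the usual user-writable mount points lack noexec, and goes a little beyond the post by also checking nosuid and nodev, which belong on the same mounts for the same reason. The mount-point list and the sample mount table are constructed assumptions; on a real box point it at /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the thread): audit mounted filesystems for the
# hardening szatox mentions, noexec (plus nosuid and nodev) on user-writable
# mount points. Input is /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# Mount points untrusted users can normally write to (assumed list).
WRITABLE_MOUNTS="/tmp /var/tmp /home /dev/shm"

# has_opt OPTIONS OPT: succeed if the comma-separated OPTIONS contains OPT.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts FILE: print one line per user-writable mount point that lacks
# noexec, nosuid or nodev, e.g. "/home missing: noexec".
# Returns 0 when every listed mount point is fully hardened, 1 otherwise.
audit_mounts() {
    _rc=0
    while read -r _dev _mnt _fstype _opts _rest; do
        for _want in $WRITABLE_MOUNTS; do
            [ "$_mnt" = "$_want" ] || continue
            _missing=""
            for _opt in noexec nosuid nodev; do
                has_opt "$_opts" "$_opt" || _missing="$_missing $_opt"
            done
            if [ -n "$_missing" ]; then
                printf '%s missing:%s\n' "$_mnt" "$_missing"
                _rc=1
            fi
        done
    done < "$1"
    return $_rc
}

# Constructed sample, not a real system: /tmp is hardened, /home lacks
# noexec, /var/tmp lacks all three options.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /var/tmp ext4 rw,relatime 0 0
EOF

# Run against the sample; on a live box use: audit_mounts /proc/mounts
audit_mounts "$SAMPLE_MOUNTS" || echo "some user-writable mounts are not hardened"
```

Keep the limits of noexec in mind when reading the report: it stops the kernel from executing a file on that mount directly, but a script there still runs if something invokes an interpreter on it (sh /tmp/x), which is why szatox calls it a bonus rather than a control.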
pmam (Veteran; joined 30 Dec 2013; 1145 posts)
Posted: Sun Feb 21, 2016 7:24 pm

Quote:
Dude, such a thing is just a computer program.

I see - no way to distinguish encrypting... I thought it was an operator or algorithm that could be identified - so I thought...

noexec will be considered positively...

BTW: Is rsnapshot a useful backup application? I saw it in this wiki: https://wiki.gentoo.org/wiki/Backup

Thanks
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
gordonb3 (Apprentice; joined 01 Jul 2015; 185 posts)
Posted: Sun Feb 21, 2016 7:43 pm

NeddySeagoon wrote:

The definition of having a backup is that you have a spare copy. With exactly two copies, that's your working copy and one spare.
When your working copy is destroyed, you have only one copy, so you no longer have a backup.

That is assuming the backup is a direct working copy. Normally you would use a backup to restore files to the original system or create a starter set for a newly built system in case the old one somehow became unrecoverable. I suppose you are referring to a redundancy cluster? In that case you are correct that a second backup should exist.

pmam wrote:
BTW: Is rsnapshot a useful backup application?

Absolutely. It is essentially a wrapper for rsync that allows for easy creation of rotation schemes. Which may in fact turn out to be a limit if you want to set up something a bit more complicated.
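What "a wrapper for rsync that creates rotation schemes" means in practice, as an added illustration that is not rsnapshot's own code: each snapshot is a complete directory tree, but a file that did not change since the previous snapshot is a hard link into it, so ten daily snapshots cost roughly one copy plus the deltas. The snapshot layout (daily.0 newest) and the paths are assumptions; it uses cp -al plus cmp rather than rsync --link-dest so it runs anywhere, and a deleted file disappears from the newest snapshot only, as with rsnapshot.

```shell
#!/bin/sh
# Added example (not rsnapshot's code): hard-link snapshot rotation by hand.
# Layout (assumed): $DEST/daily.0 is the newest snapshot, daily.1 older, ...

KEEP=3   # number of daily.N snapshots to retain

# rotate_snapshots DEST: drop daily.(KEEP-1), shift daily.N -> daily.(N+1),
# then re-create daily.0 as a hard-link copy of what was daily.0 before.
rotate_snapshots() {
    _dest=$1
    rm -rf "$_dest/daily.$((KEEP - 1))"
    _i=$((KEEP - 2))
    while [ "$_i" -ge 0 ]; do
        [ -d "$_dest/daily.$_i" ] && mv "$_dest/daily.$_i" "$_dest/daily.$((_i + 1))"
        _i=$((_i - 1))
    done
    [ -d "$_dest/daily.1" ] && cp -al "$_dest/daily.1" "$_dest/daily.0"
    mkdir -p "$_dest/daily.0"
}

# sync_into SRC SNAP: make SNAP mirror SRC. A file byte-identical to the
# linked copy is left alone (still shared with the older snapshot). A changed
# file is unlinked first and copied fresh, so the older snapshot's version is
# never overwritten through the shared inode. Files gone from SRC are
# unlinked from SNAP only; directories emptied this way are left in place.
sync_into() {
    _src=$1; _snap=$2
    ( cd "$_src" && find . -type d ) | while read -r _d; do
        mkdir -p "$_snap/$_d"
    done
    ( cd "$_src" && find . -type f ) | while read -r _f; do
        if [ ! -f "$_snap/$_f" ] || ! cmp -s "$_src/$_f" "$_snap/$_f"; then
            rm -f "$_snap/$_f"
            cp -p "$_src/$_f" "$_snap/$_f"
        fi
    done
    ( cd "$_snap" && find . -type f ) | while read -r _f; do
        [ -e "$_src/$_f" ] || rm -f "$_snap/$_f"
    done
}

# take_snapshot SRC DEST: one full "daily" run (what a cron entry would call).
take_snapshot() {
    rotate_snapshots "$2"
    sync_into "$1" "$2/daily.0"
}

# same_inode A B: true if A and B are hard links to the same file, which is
# how you verify that the rotation is actually sharing unchanged data.
same_inode() { [ "$1" -ef "$2" ]; }
```

This also shows why the snapshot store has to live on its own filesystem and, ideally, its own machine: a process that truncates a file in place through one of the shared links corrupts every snapshot that links to it, which is exactly the "only one copy left" situation NeddySeagoon warns about.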
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sun Feb 21, 2016 8:02 pm

gordonb3,

It's more the on-site backup and off-site backup concept.

When at any time, for whatever reason, you are down to a single copy, you no longer have a backup.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
gordonb3 (Apprentice; joined 01 Jul 2015; 185 posts)
Posted: Sun Feb 21, 2016 9:04 pm

I understand what you are saying, but again: you are assuming a situation where the backup data can be used as a working set. Particularly when databases are concerned, the backup may not be in any running format, or the backup machine may not be capable of serving the database. In many, many cases the backup can only be used to restore something, even if that is a completely new machine. Meaning the backup will still be the backup rather than the new running environment, as would be the case in a redundancy cluster. Which by definition is not a backup at all.
paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sat Mar 12, 2016 9:18 am; subject: How to access website through LAN and security issues?

I read this topic and want to set up my home server too, to be reachable from the Internet.
I'm connected to my ISP through a cable modem.
Code:
ISP
|
- Cable modem
  |-- headless server Bubba2, Gentoo linux ( firewall, router, webserver - nginx )
    |-- plug & play Switch
      |-- desktop machine, Gentoo linux
      |-- raspberry pi 2 RasPi, Gentoo linux ( webserver- nginx )

I shall remove the webserver from Bubba2 and run a webserver only on the RasPi.
I have already set up DNAT on Bubba2 to the RasPi webserver - nginx.
I can reach the RasPi webserver from the LAN.
I have a registered FQDN so I want to use it on the RasPi's webserver.
What more must I do so that the RasPi's webserver can be reached from the Internet too?
_________________
Best, Pali
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sat Mar 12, 2016 10:25 am

paul_chany,

A few choices
You need to Destination Network Address Translate (DNAT) port 80 from your public IP to RasPi, so that Web traffic from the internet arrives at RasPi. You may also need to DNAT port 443. That's for https.

You may also choose to forward (no DNAT) packets on port 80/443 to RasPi, in which case your webserver needs to listen on your public IP.
That's only useful if you have a static public IP.

If you have a dynamic public IP, you need to sign up to a service like no-ip. They will give you a no-ip URL that points to your IP, whatever it happens to be at the time.

If your public IP is static, you update the authoritative nameservers for your FQDN to point to your static public IP.

Now it gets messy. You should not need to do any of this, but you need to be aware of it.
Some ISPs block some incoming ports. This is to stop you running your own servers.
The work around is to use non-standard ports. This will prevent most users reaching your servers.

In the UK, a lot of cable subscribers don't even have a public IP; their ISP keeps them behind NAT. Then it's game over. You cannot be reached from the internet.
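The dynamic-IP case NeddySeagoon describes (a service like no-ip that follows whatever your public IP happens to be) needs a client-side loop on the firewall: learn the current public IP from outside the NAT, compare it with the last value pushed, and update the DNS record only on change. The script below is an added example, not the no-ip client and not the script the original poster mentions later in the thread; the hostname, lookup URL, update URL and credentials are placeholders. The validation step matters: a captive portal or an error page from the lookup service must never be pushed into DNS as if it were an address.

```shell
#!/bin/sh
# Added example (not from the thread, not a DDNS provider's client): the
# change-detection loop behind a dynamic-DNS update. Network calls are
# isolated in two small functions so the logic can be exercised offline.
# All hostnames, URLs and credentials below are placeholders (assumptions).

STATE_FILE="${STATE_FILE:-/var/lib/ddns/last_ip}"   # last IP pushed to DNS
HOSTNAME_TO_UPDATE="www.example.org"                  # placeholder FQDN
IP_LOOKUP_URL="https://api.example.org/myip"          # placeholder service
UPDATE_URL="https://dyndns.example.org/nic/update"    # placeholder API

# is_ipv4 STRING: accept only a dotted quad with each octet 0-255. Anything
# else (HTML error page, empty reply) must never reach the DNS update.
is_ipv4() {
    _ip=$1
    case "$_ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# ip_changed CURRENT STATEFILE: true if CURRENT differs from the stored IP,
# or if nothing has been stored yet.
ip_changed() {
    [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

# record_ip IP STATEFILE: remember IP as the last one pushed to DNS.
record_ip() {
    mkdir -p "$(dirname "$2")"
    printf '%s\n' "$1" > "$2"
}

# Network-touching pieces. curl -f turns an HTTP error into a failure
# instead of handing back an error page as the "address".
fetch_public_ip() { curl -fsS --max-time 10 "$IP_LOOKUP_URL"; }
push_update()     { curl -fsS --max-time 10 -u "$DDNS_USER:$DDNS_PASS" \
                        "$UPDATE_URL?hostname=$HOSTNAME_TO_UPDATE&myip=$1"; }

# ddns_run: one pass, meant to be called from cron every few minutes.
# The state file is written only after the provider accepted the update,
# so a failed push is retried on the next pass.
ddns_run() {
    _ip=$(fetch_public_ip) || { echo "public IP lookup failed" >&2; return 1; }
    is_ipv4 "$_ip" || { echo "lookup returned garbage: $_ip" >&2; return 1; }
    if ip_changed "$_ip" "$STATE_FILE"; then
        push_update "$_ip" && record_ip "$_ip" "$STATE_FILE"
    fi
}

# Run the live loop only when asked, e.g.  ./ddns.sh run
if [ "${1:-}" = run ]; then ddns_run; fi
```

Most providers rate-limit or lock accounts that push the same address repeatedly, which is why the comparison against the state file is not optional; and the DNS TTL, not this script, bounds how long the old address keeps being served after a change.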
paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sat Mar 12, 2016 5:00 pm

NeddySeagoon wrote:
paul_chany,

A few choices
You need to Destination Network Address Translate (DNAT) port 80 from your public IP to RasPi, so that Web traffic from the internet arrives at RasPi. You may also need to DNAT port 443. That's for https.

If you have a dynamic public IP, you need to sign up to a service like no-ip. They will give you a no-ip URL that points to your IP, whatever it happens to be at the time.

Now it gets messy. You should not need to do any of this, but you need to be aware of it.
Some ISPs block some incoming ports. This is to stop you running your own servers.

I have already set up DNAT for HTTP:
Code:
Web(DNAT) net loc:192.168.50.200

I have a dynamic public IP and I already manage this on my Bubba2 headless server with a bash shell script.

RasPi has the LAN IP address 192.168.50.200 - it always gets this IP address; this is already managed by dnsmasq on Bubba2.
How do I set it up so that RasPi gets a public IP address as Bubba2 does?
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sat Mar 12, 2016 5:29 pm

paul_chany,

You don't need a public IP on RasPi. You have DNAT.

If you forward port 80, without DNAT, packets with <Public_IP>:80 appear on your LAN.
RasPi can deal with them. However, it now needs to deal with a dynamic IP address too.
DNAT is a better solution.

When a packet arrives at <Public_IP>:80, it's NATted to 192.168.50.200:80
Your router saves this information, so that replies get sent back to the original requester.
paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sat Mar 12, 2016 5:52 pm

NeddySeagoon wrote:
paul_chany,

You don't need a public IP on RasPi. You have DNAT.

If you forward port 80, without DNAT, packets with <Public_IP>:80 appear on your LAN.
RasPi can deal with them. However, it now needs to deal with a dynamic IP address too.
DNAT is a better solution.

When a packet arrives at <Public_IP>:80, it's NATted to 192.168.50.200:80
Your router saves this information, so that replies get sent back to the original requester.

I already use DNAT on Bubba2 for the RasPi.
Then why can't I reach my FQDN http://www.cspl.hu from the Internet?
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sat Mar 12, 2016 6:16 pm

paul_chany,

First, can you browse RasPi from your own LAN?
Code:
http://RasPi_IP
should return a web page.
Let's check your webserver is working.

If that works, can you browse
Code:
http://Public_IP
from outside your network?
This will test the internet to RasPi. If this step fails, either port 80 is blocked or there is something wrong with your network configuration at your end.

Doing
Code:
$ ping cspl.hu
gets me
Code:
$ ping cspl.hu
PING cspl.hu (192.184.88.81) 56(84) bytes of data.
64 bytes from redirect.webenlet.hu (192.184.88.81): icmp_seq=1 ttl=54 time=160 ms


From the "redirect.webenlet.hu", it appears that you have not set up your FQDN to point to your public IP address and your registrar is pointing it to redirect until you change it. You need at least an A record.
Now the hard bit. This has to be updated every time your public IP changes.
Until you can browse by IP address, browsing by name won't work either.
paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sat Mar 12, 2016 7:06 pm

NeddySeagoon wrote:
paul_chany,

First, can you browse RasPi from your own LAN?
Code:
http://RasPi_IP
should return a web page.
Let's check your webserver is working.

If that works, can you browse
Code:
http://Public_IP
from outside your network?
This will test the internet to RasPi. If this step fails, either port 80 is blocked or there is something wrong with your network configuration at your end.

Doing
Code:
$ ping cspl.hu
gets me
Code:
$ ping cspl.hu
PING cspl.hu (192.184.88.81) 56(84) bytes of data.
64 bytes from redirect.webenlet.hu (192.184.88.81): icmp_seq=1 ttl=54 time=160 ms

From the "redirect.webenlet.hu", it appears that you have not set up your FQDN to point to your public IP address and your registrar is pointing it to redirect until you change it. You need at least an A record.
Now the hard bit. This has to be updated every time your public IP changes.
Until you can browse by IP address, browsing by name won't work either.

I can browse RasPi from my LAN.
I can't browse http://cspl.hu from my LAN.
I can't browse it from outside my LAN because I'm at home now.
Can you browse it?

Port 80 is not blocked on either Bubba2 or RasPi.
I'm using the Shorewall firewall.
Rules on Bubba2 are:
Code:
Web(ACCEPT)   net   $FW
Web(ACCEPT)   loc   $FW
Web(DNAT)   net   loc:192.168.50.200

Bubba2 has two interfaces: eth0 for WAN and eth1 for LAN.

and on RasPi:
Code:
Web(ACCEPT)   net   $FW

On dns.webenlet.hu one can only add an A record that by default redirects my cspl.hu domain to the URL http://www.cspl.hu.
One can't add a different A record at all.

However, this setup worked when my webserver was on Bubba2.
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sat Mar 12, 2016 8:39 pm

paul_chany,

I can both ping cspl.hu and browse http://www.cspl.hu/.
It says Kistechnikusok távképzése and links to the Free Software Foundation.

I thought I recognised shorewall.

The firewall is its own zone in Shorewall, so you have three zones called net, fw and loc.

My rule to do DNAT for my webserver is
Code:
#ACTION         SOURCE          DEST            PROTO   DEST
DNAT            net             dmz:$Web        tcp     http

net, dmz, $Web are resolved using the shorewall file fragments below.

/etc/shorewall/params:

# Local IP of Webserver
Web=192.168.10.123
so I can write $Web in the rules file.

/etc/shorewall/zones:
ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
green   ipv4
dmz     ipv4
blue    ipv4
net     ipv4


/etc/shorewall/interfaces :
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -
dmz     eth0            -               logmartians=1,nosmurfs,routefilter


http is resolved by consulting /etc/services and tcp is resolved from /etc/protocols. Shorewall does this for free.

If you want me to browse to your webserver, you need to PM me your current public IP.
paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sat Mar 12, 2016 8:47 pm

NeddySeagoon wrote:
paul_chany,

I can both ping cspl.hu and browse http://www.cspl.hu/.
It says Kistechnikusok távképzése and links to the Free Software Foundation.

I thought I recognised shorewall.

The firewall is its own zone in Shorewall, so you have three zones called net, fw and loc.

My rule to do DNAT for my webserver is
Code:
#ACTION         SOURCE          DEST            PROTO   DEST
DNAT            net             dmz:$Web                tcp     http

net, dmz, $Web are resolved using the shorewall file fragments below.

/etc/shorewall/params:

# Local IP of Webserver
Web=192.168.10.123
so I can write $Web in the rules file.

/etc/shorewall/zones:
ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
green   ipv4
dmz     ipv4
blue    ipv4
net     ipv4


http is resolved by consulting /etc/services and tcp is resolved from /etc/protocols

/etc/shorewall/interfaces :
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -
dmz     eth0            -               logmartians=1,nosmurfs,routefilter

All right!
That is my home page so far: Kistechnikusok távképzése and links to the Free Software Foundation.
Then I can't open http://cspl.hu only from my LAN.
I can't open it either when using its IP address, which at this moment (remember, it is a dynamic IP) is 95.85.141.171.
However, I can open it when I browse http://192.168.50.200

When my webserver ran on Bubba2 I was able to open http://cspl.hu from the LAN.
Now, when my webserver runs on RasPi, I can't open either http://cspl.hu or http://95.85.141.171 from my LAN.
How can I solve this problem?
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sat Mar 12, 2016 8:58 pm

paul_chany,

Quote:
I can open it when I browse http://192.168.50.200

Works because 192.168.50.200 is a private IP address on your LAN.

When I browse 95.85.141.171, I get the same page as above. Kistechnikusok távképzése and FSF link.

I think your shorewall rule is incorrect.
Code:
DNAT  net   loc:192.168.50.200  tcp     http

Fix your rule then restart shorewall.

-- edit --
Code:
$ ping 95.85.141.171
PING 95.85.141.171 (95.85.141.171) 56(84) bytes of data.
^C
--- 95.85.141.171 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms

Ping fails too.
paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sat Mar 12, 2016 9:16 pm

NeddySeagoon wrote:
paul_chany,

I think your shorewall rule is incorrect.
Code:
DNAT  net   loc:192.168.50.200  tcp     http

Fix your rule then restart shorewall.

I found the rule I'm using from here:
http://www.shorewall.net/two-interface.htm#DNAT
Code:
Web(DNAT)   net   loc:192.168.50.200

I think this is the same rule as
Code:
DNAT   net   loc:192.168.50.200   tcp   http

However, I tried both without success.
Still can't reach http://cspl.hu from my LAN.
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sat Mar 12, 2016 9:50 pm

paul_chany,

From your link, the two rules look to be the same.

You can't reach http://cspl.hu from your LAN as even when it's working, it will resolve to your public IP.
That needs another DNAT rule

Code:
#ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE          ORIGINAL
DNAT            loc             192.168.50.200          tcp     80         -             $Public



This says that when you are trying to browse to your public IP, redirect the packets to 192.168.50.200 instead.
$Public is a placeholder for your public IP.
You need to update this and restart shorewall every time it changes.

Notice too that
Code:
# ping cspl.hu
PING cspl.hu (192.184.88.81) 56(84) bytes of data.
64 bytes from redirect.webenlet.hu (192.184.88.81): icmp_seq=1 ttl=55 time=159 ms
your FQDN points to 192.184.88.81, not to 95.85.141.171, which you said was your public IP.
paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sun Mar 13, 2016 8:03 am

Hi Neddy,
NeddySeagoon wrote:
paul_chany,

From your link, the two rules look to be the same.

You can't reach http://cspl.hu from your LAN as even when it's working, it will resolve to your public IP.
That needs another DNAT rule

Code:
#ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE          ORIGINAL
DNAT            loc             192.168.50.200          tcp     80         -             $Public



This says that when you are trying to browse to your public IP, redirect the packets to 192.168.50.200 instead.
$Public is a placeholder for your public IP.
You need to update this and restart shorewall every time it changes.

Notice too that
Code:
# ping cspl.hu
PING cspl.hu (192.184.88.81) 56(84) bytes of data.
64 bytes from redirect.webenlet.hu (192.184.88.81): icmp_seq=1 ttl=55 time=159 ms
your FQDN points to 192.184.88.81, not to 95.85.141.171, which you said was your public IP.

I tried the above shown rule but Shorewall says:
ERROR: Missing destination zone /etc/shorewall/rules
So I edit the line and try out this:
Code:

#ACTION  SOURCE           DEST                         PROTO    DEST       SOURCE     ORIGINAL
#                                                               PORT       PORT(S)    DEST
DNAT     loc              loc:192.168.50.200           tcp      80         -          192.184.88.81

But this doesn't work either.
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sun Mar 13, 2016 11:00 am

paul_chany,

It won't work until http://cspl.hu points to your public IP.

When I wrote last http://cspl.hu pointed to 192.184.88.81 and your public IP was 95.85.141.171

If you write the rule as
Code:
#ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE          ORIGINAL
DNAT            loc             192.168.50.200          tcp     80         -             net:$Public
it may help.

That will allow browsing to http://95.85.141.171 (your public IP) to work.
It will not fix http://cspl.hu not pointing to your dynamic public IP.

Hmm ... I get Kistechnikusok távképzése and the FSF link from both http://cspl.hu and http://95.85.141.171 now but 95.85.141.171 does not respond to ping requests.
paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sun Mar 13, 2016 11:41 am

Hi Neddy,
NeddySeagoon wrote:
paul_chany,

It won't work until http://cspl.hu points to your public IP.

When I wrote last http://cspl.hu pointed to 192.184.88.81 and your public IP was 95.85.141.171

If you write the rule as
Code:
#ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE          ORIGINAL
DNAT            loc             192.168.50.200          tcp     80         -             net:$Public
it may help.

That will allow browsing to http://95.85.141.171 (your public IP) to work.
It will not fix http://cspl.hu not pointing to your dynamic public IP.

Hmm ... I get Kistechnikusok távképzése and the FSF link from both http://cspl.hu and http://95.85.141.171 now but 95.85.141.171 does not respond to ping requests.

No one can ping my public IP address because of this rule:
Code:
Ping(DROP)        net        $FW

The rule above
Code:
DNAT   loc   loc:192.168.50.200   tcp   80   -   net:95.85.141.171

is invalid for Shorewall, according to Shorewall's message:
Quote:
ERROR: Unknown Interface (net) /etc/shorewall/rules

So I replaced it with the rule:
Code:
DNAT   loc   loc:192.168.50.200   tcp   80   -   95.85.141.171

But when I try to open http://95.85.141.171/ from my LAN, I can't.
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sun Mar 13, 2016 12:03 pm

paul_chany,

As you have this rule,
Code:
Web(DNAT)   net   loc:192.168.50.200
I was expecting your shorewall to understand net.
Please post the routing table from Bubba2.

That's the output of
Code:
route -n

paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sun Mar 13, 2016 12:07 pm

Neddy,
NeddySeagoon wrote:
paul_chany,

As you have this rule,
Code:
Web(DNAT)   net   loc:192.168.50.200
I was expecting your shorewall to understand net.
Please post the routing table from Bubba2.

That's the output of
Code:
route -n

Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.143.254   0.0.0.0         UG    2      0        0 eth0
95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

In meantime I find this link, which describes the same situation as mine:
http://shorewall.net/FAQ.htm#Connections
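The Shorewall FAQ entry linked in this post and the loc-to-loc DNAT rule discussed earlier in the thread are the same situation: a LAN client browsing to the firewall's public address, which Shorewall's FAQ covers as accessing a DNATed server from inside. The fragment below is an added example, not the poster's actual configuration and not text from the FAQ: it is the pair of entries that case calls for, written with the thread's addresses and interfaces. The firewall's own LAN address (192.168.50.1) is an assumption, and the column layout is the Shorewall 4.x one used in the posts above; check the `&eth0` form against your Shorewall version's rules(5) before relying on it.

```text
# /etc/shorewall/rules   (Shorewall 4.x columns)
#ACTION   SOURCE   DEST                  PROTO   DPORT   SPORT   ORIGDEST
# From the Internet: the port forward that is already in place.
DNAT      net      loc:192.168.50.200    tcp     80
# From the LAN: only connections whose original destination is the public
# address are redirected. Without the ORIGDEST column every port-80
# connection from the LAN, to any site, would be sent to the RasPi.
# &eth0 stands for "the current address of eth0", so the rule follows a
# dynamic public IP without being edited (and shorewall restarted) on each change.
DNAT      loc      loc:192.168.50.200    tcp     80      -       &eth0

# /etc/shorewall/masq
# Needed for the loc->loc case only. Client and server are on the same
# subnet, so after DNAT the RasPi would answer the client directly from
# 192.168.50.200; the client, which sent its SYN to the public address,
# drops that reply. Source-NATing these connections to the firewall's LAN
# address forces the reply back through the firewall, which un-DNATs it.
#INTERFACE   SOURCE             ADDRESS
br0          192.168.50.0/24    192.168.50.1
```

The cost of the masq entry is that the RasPi's access log shows every LAN client as 192.168.50.1; the alternative that avoids both the hairpin and the log loss is to have dnsmasq on Bubba2 answer www.cspl.hu with 192.168.50.200 for LAN clients, so the name resolves to the private address inside and the public one outside.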
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sun Mar 13, 2016 7:32 pm

paul_chany,

I thought I understood your network topology, now it's clear that I don't.

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0

This line suggests that you have a 95.85.140.0/22 subnet, or 1024 IP addresses.
I'm aware that cable companies do add things.
It may be that you are on the same cable subnet as 1023 other users. I hope you all have good firewalls.

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

Why do you have a bridge?
What interfaces are bridged?

I was expecting two normal interfaces.
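The point NeddySeagoon draws from the routing table, as an added check (not code from the post): a directly connected route on the WAN interface is the set of hosts that can reach the firewall at layer 2, without any ISP router in between, so its size is the size of the neighbourhood your `net` zone rules are really facing. The script parses `route -n` output, derives the prefix length from the netmask and counts the other hosts on each connected link. The sample input is the routing table quoted in this thread; the count differs slightly from the 1023 above because it leaves out the network and broadcast addresses and the firewall itself.

```shell
#!/bin/sh
# Added example (not from the thread): size up each directly connected
# link in "route -n" output. Routes with a gateway of 0.0.0.0 are reached
# by ARP, i.e. every host in that prefix is a layer-2 neighbour.

# mask_to_prefix DOTTED_MASK: 255.255.252.0 -> 22. Fails on a mask whose
# one-bits are not contiguous (which route -n should never show).
mask_to_prefix() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    _bits=0; _closed=0
    for _o in "$@"; do
        if [ "$_closed" = 1 ] && [ "$_o" != 0 ]; then return 1; fi
        case "$_o" in
            255) _bits=$((_bits + 8)) ;;
            254) _bits=$((_bits + 7)); _closed=1 ;;
            252) _bits=$((_bits + 6)); _closed=1 ;;
            248) _bits=$((_bits + 5)); _closed=1 ;;
            240) _bits=$((_bits + 4)); _closed=1 ;;
            224) _bits=$((_bits + 3)); _closed=1 ;;
            192) _bits=$((_bits + 2)); _closed=1 ;;
            128) _bits=$((_bits + 1)); _closed=1 ;;
            0)   _closed=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$_bits"
}

# hosts_in_prefix PREFIX: usable host addresses (network and broadcast
# excluded); /31 and /32 are treated as having none.
hosts_in_prefix() {
    [ "$1" -ge 31 ] && { echo 0; return; }
    echo $(( (1 << (32 - $1)) - 2 ))
}

# connected_links FILE: for each directly connected route (gateway 0.0.0.0,
# loopback skipped) print "IFACE NETWORK/PREFIX OTHER_HOSTS", where
# OTHER_HOSTS excludes this machine's own address.
connected_links() {
    while read -r _dst _gw _mask _flags _rest; do
        [ "$_gw" = "0.0.0.0" ] || continue
        [ "$_dst" != "127.0.0.0" ] || continue
        _iface=${_rest##* }
        _p=$(mask_to_prefix "$_mask") || continue
        _hosts=$(hosts_in_prefix "$_p")
        printf '%s %s/%s %s\n' "$_iface" "$_dst" "$_p" $((_hosts - 1))
    done < "$1"
}

# Sample input: the routing table posted in this thread.
SAMPLE_ROUTES=$(mktemp)
cat > "$SAMPLE_ROUTES" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.85.143.254   0.0.0.0         UG    2      0        0 eth0
95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
EOF

connected_links "$SAMPLE_ROUTES"
# On a live box: route -n > /tmp/routes && connected_links /tmp/routes
```

For the table above this prints `eth0 95.85.140.0/22 1021` and `br0 192.168.50.0/24 253`: a thousand-odd other subscribers' modems share the WAN segment, which is the argument for `nosmurfs`, `routefilter` and a default-drop policy on the `net` interface rather than relying on "nobody knows my address".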
paul_chany (Tux's lil' helper; joined 01 Aug 2010; 82 posts; location Europe, Serbia)
Posted: Sun Mar 13, 2016 7:45 pm

NeddySeagoon wrote:
paul_chany,

I thought I understood your network topology, now it's clear that I don't.

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
95.85.140.0     0.0.0.0         255.255.252.0   U     2      0        0 eth0

This line suggests that you have a 95.85.140.0/22 subnet, or 1024 IP addresses.
I'm aware that cable companies do add things.
It may be that you are on the same cable subnet as 1023 other users. I hope you all have good firewalls.

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

Why do you have a bridge?
What interfaces are bridged?

I was expecting two normal interfaces.

I set up my network with the help of my friend.
She knows why I have a bridge. I can only guess why.
I think because I have a USB WiFi adapter and we (she and I) had to set it up so that users on the WLAN could use the Internet too.
Code:
bridge_br0="eth1"
NeddySeagoon (Administrator; joined 05 Jul 2003; 43383 posts; location 56N 3W)
Posted: Sun Mar 13, 2016 8:28 pm

paul_chany,

A network bridge always has two or more interfaces. It connects the subnets on all the member networks together.
It's just like a road bridge. To be useful, it needs two (or more) ends.
It's the software equivalent of a hardware network hub: all packets go everywhere.

Would you try to cross a road bridge that had only one end?

More seriously, is it possible that you intended to add more devices later and later never arrived?
Page 3 of 4