Re,

Could you just tell me if what I'm trying to set up is actually possible?

I've one static IP and would like to have a full-featured DMZ hosting various servers + a local zone where the workstations stand + ssh access to ALL boxes from the net + remote desktop (under Linux) on local boxes from the net.

Many thanks in advance.

Tarax
--
Future Is Free, Fight Against SwindleSoft & Co
http://www.arkitekts.org
Linux User # 274160; Linux Boxes #157052, 157053, 157054
MandrakeClub Member
On 12 Dec 2002 at 3:16, Tarax wrote:

> Re,
>
> Could you just tell me if what I'm trying to set up is actually possible?
>
> I've one static IP and would like to have a full-featured DMZ hosting
> various servers + a local zone where the workstations stand + ssh access
> to ALL boxes from the net + remote desktop (under Linux) on local
> boxes from the net.
>

What you seem to be describing is inward connections when you say "ssh access to ALL boxes from the net".

This is easily accomplished by ssh to the firewall and then ssh again to the inside workstation.

If that is not acceptable, you can forward connections from the firewall to each workstation when a connection is made to some nonstandard port on the firewall.

So if you connect on 3222, you might forward to port 22 on workstation 192.168.0.3, for example.

Same for remote desktop (if it is an inward connection).

If the connection is originated on your inside boxes to machines outside on the net, it generally requires no special setup.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
--On Thursday, December 12, 2002 03:16:30 AM +0100 Tarax <tarax@arkitekts.org> wrote:

> Re,
>
> Could you just tell me if what I'm trying to set up is actually possible?
>
> I've one static IP and would like to have a full-featured DMZ hosting
> various servers + a local zone where the workstations stand + ssh access to
> ALL boxes from the net + remote desktop (under Linux) on local boxes
> from the net.
>

If I had those requirements, I would set up a VPN server (IPsec or PPTP) on the Shorewall box. I could then connect to the Shorewall box via VPN from the net and do whatever I wanted SECURELY to any of the local systems.

Doing the remote desktop part any other way is foolish in my opinion and requires a rather complicated setup. Also, unless you have a VERY fast internet connection, the remote desktops are going to perform poorly. I've tested remote desktop (VNC) between here and Dallas with DSL connections on both ends and performance sucked. I've also tried X from California to my home network (T1 on the California end) and it was basically unusable.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
On Thursday 12 December 2002 04:11, John S. Andersen wrote:

> On 12 Dec 2002 at 3:16, Tarax wrote:
> > Re,
> >
> > Could you just tell me if what I'm trying to set up is actually
> > possible?
> >
> > I've one static IP and would like to have a full-featured DMZ
> > hosting various servers + a local zone where the workstations stand + ssh
> > access to ALL boxes from the net + remote desktop (under Linux) on local
> > boxes from the net.
>
> What you seem to be describing is inward connections
> when you say "ssh access to ALL boxes from the net".

Actually, yes.

> This is easily accomplished by ssh to the firewall and then
> ssh again to the inside workstation.
>
> If that is not acceptable, you can forward connections
> from the firewall to each workstation when a connection is made to
> some nonstandard port on the firewall.
>
> So if you connect on 3222, you might forward to port 22 on
> workstation 192.168.0.3, for example.

Hey! So clever!!! ;-P Didn't think of that :$ Nicely tricky indeed :-)))

Adopted, because I can't have incoming connections from the net on one port (say 22) be arbitrated (say with regard to host name rather than incoming port) by the FW to determine which box to forward the packet to, can I?

Further, I've read the doc many times but still I cannot clearly figure out what combination of SNAT/DNAT/static NAT should be best suited for the different zones. Could you just show me the way?

BEST regards

Tarax

PS: the "brand newbie" tutorial is still planned (maybe it will even extend P. Amaury's one on setting up a Mandrake MNF without buying the $1990 (:-|) packaged box ;-P)... I'll keep you all on track about this.

PS2: Does setting up an "administrative" zone, hosting snmp, time, dns & such "cross zone" shared features make sense, or would it only make the setup harder for no real gain?

> Same for remote desktop (if it is an inward connection).
>
> If the connection is originated on your inside boxes to
> machines outside on the net, it generally requires no
> special setup.
>
> ______________________________________
> John Andersen
> NORCOM / Juneau, Alaska
> http://www.screenio.com/
> (907) 790-3386
> _______________________________________
> John S. Andersen
> NORCOM mailto:JAndersen@norcomsoftware.com
> Juneau, Alaska
> http://www.screenio.com/

--
Future Is Free, Fight Against SwindleSoft & Co
http://www.arkitekts.org
Linux User # 274160; Linux Boxes #157052, 157053, 157054
MandrakeClub Member
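The port-forwarding scheme John describes above, together with the SNAT/DNAT question Tarax raises, laid out as a set of Shorewall configuration fragments. This is an added example, not configuration posted by anyone in the thread nor taken from the Shorewall project; it uses the three-column file layout of the Shorewall 1.3 samples current when the thread was written, and every interface name, address and port in it is an assumption for illustration: eth0 faces the net, eth1 the local zone (192.168.0.0/24, workstation at .3 as in John's example, a second one at .4), eth2 the DMZ (192.168.1.0/24, web server at .10). With a single public address there is no spare address for one-to-one static NAT (the /etc/shorewall/nat file), so inbound services are all DNAT rules keyed on the destination port of the packet, and outbound traffic from both private subnets is masqueraded (SNAT) to the one public IP.

```text
# /etc/shorewall/zones       ZONE   DISPLAY  COMMENTS
net     Net     Internet
loc     Local   Workstations
dmz     DMZ     Public servers

# /etc/shorewall/interfaces  ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0    detect     routefilter,norfc1918
loc     eth1    detect
dmz     eth2    detect

# /etc/shorewall/policy      SOURCE  DEST  POLICY  LOG LEVEL
# Outbound from the inside needs no rules, as John says; the fw itself
# may reach everything so the "ssh to the firewall, then ssh again" hop works.
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
fw      all     ACCEPT
net     all     DROP      info
all     all     REJECT    info

# /etc/shorewall/masq        INTERFACE  SUBNET  ADDRESS
# SNAT: packets from both private subnets leave eth0 with its public address.
eth0    192.168.0.0/24
eth0    192.168.1.0/24

# /etc/shorewall/rules       ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# ssh to the firewall itself, from the net and from the local zone
ACCEPT  net     fw                   tcp    22
ACCEPT  loc     fw                   tcp    22
# DNAT: a nonstandard port on the public IP maps to port 22 on one workstation
DNAT    net     loc:192.168.0.3:22   tcp    3222
DNAT    net     loc:192.168.0.4:22   tcp    3223
# DMZ servers: same mechanism, port left unchanged
DNAT    net     dmz:192.168.1.10     tcp    80
DNAT    net     dmz:192.168.1.10     tcp    443
```

The dispatch happens purely on the TCP destination port: a DNAT line in the rules file becomes a nat-table PREROUTING rule that rewrites the destination address (and, where given, the port) before routing, plus the matching filter rule, while each masq line becomes a POSTROUTING MASQUERADE rule for outbound traffic. Each DNAT entry is a separate listener on the public address that the whole net can reach, so if the client's address is known, narrow the SOURCE column (for example `net:203.0.113.5` in place of `net`) and keep the forwarded sshd on key-only authentication; otherwise the firewall-hop or the VPN approach Tom suggests exposes less.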
On Thursday 12 December 2002 05:50, Tom Eastep wrote:

> --On Thursday, December 12, 2002 03:16:30 AM +0100 Tarax
> <tarax@arkitekts.org> wrote:
> > Re,
> >
> > Could you just tell me if what I'm trying to set up is actually possible?
> >
> > I've one static IP and would like to have a full-featured DMZ hosting
> > various servers + a local zone where the workstations stand + ssh access to
> > ALL boxes from the net + remote desktop (under Linux) on local boxes
> > from the net.
>
> If I had those requirements, I would set up a VPN server (IPsec or PPTP) on
> the Shorewall box. I could then connect to the Shorewall box via VPN from
> the net and do whatever I wanted SECURELY to any of the local systems.
>
> Doing the remote desktop part any other way is foolish in my opinion and
> requires a rather complicated setup. Also, unless you have a VERY fast
> internet connection, the remote desktops are going to perform poorly. I've
> tested remote desktop (VNC) between here and Dallas with DSL connections on
> both ends and performance sucked. I've also tried X from California to my
> home network (T1 on the California end) and it was basically unusable.
>
> -Tom

Thank you for sharing your experience & technical advice, Tom :-) I think now remote desktop is far from a priority ;-)

Tarax
--
Future Is Free, Fight Against SwindleSoft & Co
http://www.arkitekts.org
Linux User # 274160; Linux Boxes #157052, 157053, 157054
MandrakeClub Member