UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficency are welcome to join in to ask questions or offer solutions.

Reply
 
LinkBack Thread Tools Search this Thread Display Modes
  #1   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be looking
at a more robust implementation of a DMZ?

Cheers

Dave R
  #2   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 2,040
Default Virgin SuperHub2 and DMZ setting

On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.


Don't put SSH in DMZ, use port forwarding with some other chosen number
instead, disable password authentication in SSH (or they'll be brute
forcing that) and enforce the use of private key certificates instead.

DMZ is a bit of a wildcard for web facing services where you don't want
those users also trawling through your local network (hence closed).

Best services of your LAN stays stealthed, and get a bit devious about
the use of 'standard' port numbers.

--
Adrian C

  #3   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,018
Default Virgin SuperHub2 and DMZ setting


"David.WE.Roberts" wrote in message
...
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be looking
at a more robust implementation of a DMZ?

Try here
free.virginmedia.discussion.general


  #4   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

On Sat, 15 Feb 2014 12:01:06 +0000, Adrian C wrote:

On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I
am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.


Don't put SSH in DMZ, use port forwarding with some other chosen number
instead, disable password authentication in SSH (or they'll be brute
forcing that) and enforce the use of private key certificates instead.

DMZ is a bit of a wildcard for web facing services where you don't want
those users also trawling through your local network (hence closed).

Best services of your LAN stays stealthed, and get a bit devious about
the use of 'standard' port numbers.


Thanks for the reminder about brute forcing SSH - have closed that port on
the firewall.

I haven't found a 'stealth' option in the firewall on the SuperHub2 though.

Now looking at alternative hardware and will start a new thread.

Cheers

Dave R
  #5   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

On Sat, 15 Feb 2014 12:59:48 +0000, Mr Pounder wrote:

"David.WE.Roberts" wrote in message
...
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I
am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be
looking at a more robust implementation of a DMZ?

Try here free.virginmedia.discussion.general


Well, I looked at the Broadband NG and it was not very active.

The General NG doesn't seem to be about VM at all - more OT that uk.d-i-y
by a factor of about 100.

So I come back to the usually reliable uk.d-i-y and uk.comp.homebuilt
which are usually full of (quite) good advice :-)

Cheers

Dave R


  #6   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,018
Default Virgin SuperHub2 and DMZ setting


"David.WE.Roberts" wrote in message
...
On Sat, 15 Feb 2014 12:59:48 +0000, Mr Pounder wrote:

"David.WE.Roberts" wrote in message
...
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I
am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

OTOH is I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be
looking at a more robust implementation of a DMZ?

Try here free.virginmedia.discussion.general


Well, I looked at the Broadband NG and it was not very active.

The General NG doesn't seem to be about VM at all - more OT that uk.d-i-y
by a factor of about 100.

So I come back to the usually reliable uk.d-i-y and uk.comp.homebuilt
which are usually full of (quite) good advice :-)

The broadband group has been quiet for ages.

There are some learned people on the general group.


  #7   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 9,369
Default Virgin SuperHub2 and DMZ setting

On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.


Last time I looked you got a different response from the final router
for a destination that wasn't there and for one that didn't respond.
That is you can stealth your ports but someone can still tell you are there.



  #8   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 6,896
Default Virgin SuperHub2 and DMZ setting

In article om,
dennis@home scribeth thus
On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.


Last time I looked you got a different response from the final router
for a destination that wasn't there and for one that didn't respond.
That is you can stealth your ports but someone can still tell you are there.



Think I'm missing a post here;(..

Can the OP explain again just what it is he's looking to do, as if its
VPN's over cable systems they can be done without any fuss at all.

Or is he after something else?..

--
Tony Sayer

  #9   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:

In article om,
dennis@home scribeth thus
On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Post 1723 (pptpd for VPN) are
both opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but
I am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.


Last time I looked you got a different response from the final router
for a destination that wasn't there and for one that didn't respond.
That is you can stealth your ports but someone can still tell you are
there.



Think I'm missing a post here;(..

Can the OP explain again just what it is he's looking to do, as if its
VPN's over cable systems they can be done without any fuss at all.

Or is he after something else?..


I wish to run a VPN server at home, to allow connection into my home LAN
then out again, so that the call looks to be coming from my home network.

Useful when you are abroad and sites refuse to talk to non-UK IP addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards
all incoming calls to a selected IP address, and a Raspberry Pi as the VPN
Server.

My concerns now centre on the way the SH2 implements the DMZ feature.

HTH

Dave R
  #10   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 2,040
Default Virgin SuperHub2 and DMZ setting

On 16/02/2014 13:20, David.WE.Roberts wrote:
On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:

I wish to run a VPN server at home, to allow connection into my home LAN
then out again, so that the call looks to be coming from my home network.

Useful when you are abroad and sites refuse to talk to non-UK IP addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards
all incoming calls to a selected IP address, and a Raspberry Pi as the VPN
Server.

My concerns now centre on the way the SH2 implements the DMZ feature.


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I don't
use/need DMZ. If I were running www Web servers (which I kind of thought
you were) then I'd be investigating DMZ and possibly addtional assigned
IP addresses for each server. Hmmm, do Virgin even roll out additional
static addresses for home users?

--
Adrian C



  #11   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

On Sun, 16 Feb 2014 18:46:17 +0000, Adrian C wrote:

On 16/02/2014 13:20, David.WE.Roberts wrote:
On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:

I wish to run a VPN server at home, to allow connection into my home
LAN then out again, so that the call looks to be coming from my home
network.

Useful when you are abroad and sites refuse to talk to non-UK IP
addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards
all incoming calls to a selected IP address, and a Raspberry Pi as the
VPN Server.

My concerns now centre on the way the SH2 implements the DMZ feature.


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I don't
use/need DMZ. If I were running www Web servers (which I kind of thought
you were) then I'd be investigating DMZ and possibly addtional assigned
IP addresses for each server. Hmmm, do Virgin even roll out additional
static addresses for home users?


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have to
worry about which ports to open. Don't need static IP address unless the
assigned one changes too often.

I haven't asked about one or more static addresses - it sounds expensive :-
)

Cheers

Dave R
  #12   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 6,896
Default Virgin SuperHub2 and DMZ setting


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I don't
use/need DMZ. If I were running www Web servers (which I kind of thought
you were) then I'd be investigating DMZ and possibly addtional assigned
IP addresses for each server. Hmmm, do Virgin even roll out additional
static addresses for home users?


No..


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have to
worry about which ports to open. Don't need static IP address unless the
assigned one changes too often.


This may well be a problem if with VM as if you have the server at that
end the clients want to know where to look for their connection.

A varying VM IP address ain't that useful;!..

I haven't asked about one or more static addresses - it sounds expensive :-
)


If its Virgin Media they dont have any, they use DHCP or their version
of it all the time. My IP addy has changed over time but its not that
often. For added addresses you'll have to go to another non VM
provider...


Cheers

Dave R


--
Tony Sayer



  #13   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

On Tue, 18 Feb 2014 09:34:09 +0000, tony sayer wrote:


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I
don't use/need DMZ. If I were running www Web servers (which I kind of
thought you were) then I'd be investigating DMZ and possibly addtional
assigned IP addresses for each server. Hmmm, do Virgin even roll out
additional static addresses for home users?


No..


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have
to worry about which ports to open. Don't need static IP address unless
the assigned one changes too often.


This may well be a problem if with VM as if you have the server at that
end the clients want to know where to look for their connection.

A varying VM IP address ain't that useful;!..

I haven't asked about one or more static addresses - it sounds expensive
:-
)


If its Virgin Media they dont have any, they use DHCP or their version
of it all the time. My IP addy has changed over time but its not that
often. For added addresses you'll have to go to another non VM
provider...


One alternative, of course, is just to have a cron job on the Pi which
checks the WAN IP address every now and then.

If it has changed, then a quick mailshot to the small user base provides
the new information.

So fine for a small proxy service, but not so much for a web site with a
wider audience.

[Although it is possible that a redirect from a domain management site
could be worked up.]

Another interesting thing is the DNS name of my link, which seems to
include a customer ID and geographical location. It may be that this
remains constant even if the IP address changes.

I will need to monitor the whole thing to establish what (if any) the
rules are.

Cheers

Dave R

  #14   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 292
Default Virgin SuperHub2 and DMZ setting

On 18/02/14 11:12, David.WE.Roberts wrote:
On Tue, 18 Feb 2014 09:34:09 +0000, tony sayer wrote:


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I
don't use/need DMZ. If I were running www Web servers (which I kind of
thought you were) then I'd be investigating DMZ and possibly addtional
assigned IP addresses for each server. Hmmm, do Virgin even roll out
additional static addresses for home users?


No..


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have
to worry about which ports to open. Don't need static IP address unless
the assigned one changes too often.


This may well be a problem if with VM as if you have the server at that
end the clients want to know where to look for their connection.

A varying VM IP address ain't that useful;!..

I haven't asked about one or more static addresses - it sounds expensive
:-
)


If its Virgin Media they dont have any, they use DHCP or their version
of it all the time. My IP addy has changed over time but its not that
often. For added addresses you'll have to go to another non VM
provider...


One alternative, of course, is just to have a cron job on the Pi which
checks the WAN IP address every now and then.

If it has changed, then a quick mailshot to the small user base provides
the new information.

So fine for a small proxy service, but not so much for a web site with a
wider audience.

[Although it is possible that a redirect from a domain management site
could be worked up.]


Just open an account with one of the various providers that will host
your domain and forward traffic to whatever IP address you are using
today. No-IP is one. You install an application on your system that
periodically sends a message to your provider which will then
dynamically update their DNS servers if your IP changes.



--
Bernard Peek

  #15   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 4
Default Virgin SuperHub2 and DMZ setting

"David.WE.Roberts" wrote in message
...
On Tue, 18 Feb 2014 09:34:09 +0000, tony sayer wrote:


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I
don't use/need DMZ. If I were running www Web servers (which I kind of
thought you were) then I'd be investigating DMZ and possibly addtional
assigned IP addresses for each server. Hmmm, do Virgin even roll out
additional static addresses for home users?


No..


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have
to worry about which ports to open. Don't need static IP address unless
the assigned one changes too often.


This may well be a problem if with VM as if you have the server at that
end the clients want to know where to look for their connection.

A varying VM IP address ain't that useful;!..

I haven't asked about one or more static addresses - it sounds expensive
:-
)


If its Virgin Media they don't have any, they use DHCP or their version
of it all the time. My IP addy has changed over time but its not that
often. For added addresses you'll have to go to another non VM
provider...


One alternative, of course, is just to have a cron job on the Pi which
checks the WAN IP address every now and then.

If it has changed, then a quick mailshot to the small user base provides
the new information.

So fine for a small proxy service, but not so much for a web site with a
wider audience.

[Although it is possible that a redirect from a domain management site
could be worked up.]

Another interesting thing is the DNS name of my link, which seems to
include a customer ID and geographical location. It may be that this
remains constant even if the IP address changes.

I will need to monitor the whole thing to establish what (if any) the
rules are.


Stop wasting time and visit this site. It is all free as long as you log
into account every so often.
http://freedns.afraid.org/


Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules

Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Virgin media The Medway Handyman UK diy 14 September 11th 12 09:28 PM
OT - Virgin Cable David WE Roberts[_4_] UK diy 10 December 11th 11 09:30 PM
Mixing different setting times of setting type joint compound blueman Home Repair 4 November 16th 11 04:34 AM
virgin telephones Dave UK diy 25 August 13th 10 12:38 AM
Update from mobile phone virgin on Virgin Mobile Mike Mitchell UK diy 37 April 3rd 04 04:13 PM


All times are GMT +1. The time now is 07:34 PM.

Powered by vBulletin® Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright 2004-2024 DIYbanter.
The comments are property of their posters.
 

About Us

"It's about DIY & home improvement"