UK diy (uk.d-i-y): For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.
#1
Posted to uk.comp.homebuilt,uk.d-i-y

I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server). I used 'Shields Up' to check what the ports were doing.

Now, without DMZ turned on, everything is stealthed. With DMZ turned on, Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically. The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not. OTOH if I have 22 and 1723 open the router must be standing out like a sore thumb anyway.

So does the team think that this strategy is O.K. or should I be looking at a more robust implementation of a DMZ?

Cheers
Dave R
#2
Posted to uk.comp.homebuilt,uk.d-i-y

On 15/02/2014 11:09, David.WE.Roberts wrote:
> I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server). I used 'Shields Up' to check what the ports were doing.
> Now without DMZ turned on everything is stealthed. With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically. The rest go to 'closed' instead of 'stealthed'.
> The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not. OTOH if I have 22 and 1723 open the router must be standing out like a sore thumb anyway.

Don't put SSH in DMZ; use port forwarding with some other chosen number instead, disable password authentication in SSH (or they'll be brute-forcing that) and enforce the use of private key certificates instead.

DMZ is a bit of a wildcard for web-facing services where you don't want those users also trawling through your local network (hence closed). Best services of your LAN stay stealthed, and get a bit devious about the use of 'standard' port numbers.

--
Adrian C
#3
Posted to uk.d-i-y

"David.WE.Roberts" wrote in message ...
> I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server). I used 'Shields Up' to check what the ports were doing.
> Now without DMZ turned on everything is stealthed. With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically. The rest go to 'closed' instead of 'stealthed'.
> The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not. OTOH if I have 22 and 1723 open the router must be standing out like a sore thumb anyway.
> So does the team think that this strategy is O.K. or should I be looking at a more robust implementation of a DMZ?

Try here: free.virginmedia.discussion.general
#4
Posted to uk.comp.homebuilt,uk.d-i-y

On Sat, 15 Feb 2014 12:01:06 +0000, Adrian C wrote:
> On 15/02/2014 11:09, David.WE.Roberts wrote:
>> I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server). I used 'Shields Up' to check what the ports were doing.
>> Now without DMZ turned on everything is stealthed. With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically. The rest go to 'closed' instead of 'stealthed'.
>> The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not. OTOH if I have 22 and 1723 open the router must be standing out like a sore thumb anyway.
>
> Don't put SSH in DMZ; use port forwarding with some other chosen number instead, disable password authentication in SSH (or they'll be brute-forcing that) and enforce the use of private key certificates instead.
> DMZ is a bit of a wildcard for web-facing services where you don't want those users also trawling through your local network (hence closed). Best services of your LAN stay stealthed, and get a bit devious about the use of 'standard' port numbers.

Thanks for the reminder about brute-forcing SSH - have closed that port on the firewall.

I haven't found a 'stealth' option in the firewall on the SuperHub2 though. Now looking at alternative hardware and will start a new thread.

Cheers
Dave R
#5
Posted to uk.d-i-y

On Sat, 15 Feb 2014 12:59:48 +0000, Mr Pounder wrote:
> "David.WE.Roberts" wrote in message ...
>> I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server). I used 'Shields Up' to check what the ports were doing.
>> Now without DMZ turned on everything is stealthed. With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically. The rest go to 'closed' instead of 'stealthed'.
>> The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not. OTOH if I have 22 and 1723 open the router must be standing out like a sore thumb anyway.
>> So does the team think that this strategy is O.K. or should I be looking at a more robust implementation of a DMZ?
>
> Try here: free.virginmedia.discussion.general

Well, I looked at the Broadband NG and it was not very active. The General NG doesn't seem to be about VM at all - more OT than uk.d-i-y by a factor of about 100.

So I come back to the usually reliable uk.d-i-y and uk.comp.homebuilt which are usually full of (quite) good advice :-)

Cheers
Dave R
#6
Posted to uk.d-i-y

"David.WE.Roberts" wrote in message ...
> On Sat, 15 Feb 2014 12:59:48 +0000, Mr Pounder wrote:
>> "David.WE.Roberts" wrote in message ...
>>> I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server). I used 'Shields Up' to check what the ports were doing.
>>> Now without DMZ turned on everything is stealthed. With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically. The rest go to 'closed' instead of 'stealthed'.
>>> The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not. OTOH if I have 22 and 1723 open the router must be standing out like a sore thumb anyway.
>>> So does the team think that this strategy is O.K. or should I be looking at a more robust implementation of a DMZ?
>>
>> Try here: free.virginmedia.discussion.general
>
> Well, I looked at the Broadband NG and it was not very active. The General NG doesn't seem to be about VM at all - more OT than uk.d-i-y by a factor of about 100.
> So I come back to the usually reliable uk.d-i-y and uk.comp.homebuilt which are usually full of (quite) good advice :-)

The broadband group has been quiet for ages. There are some learned people on the general group.
#7
Posted to uk.comp.homebuilt,uk.d-i-y

On 15/02/2014 11:09, David.WE.Roberts wrote:
> I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server). I used 'Shields Up' to check what the ports were doing.
> Now without DMZ turned on everything is stealthed. With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically. The rest go to 'closed' instead of 'stealthed'.
> The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not.

Last time I looked you got a different response from the final router for a destination that wasn't there and for one that didn't respond. That is, you can stealth your ports but someone can still tell you are there.
#8
Posted to uk.comp.homebuilt,uk.d-i-y

In article ..., dennis@home scribeth thus
> On 15/02/2014 11:09, David.WE.Roberts wrote:
>> I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server). I used 'Shields Up' to check what the ports were doing.
>> Now without DMZ turned on everything is stealthed. With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically. The rest go to 'closed' instead of 'stealthed'.
>> The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not.
>
> Last time I looked you got a different response from the final router for a destination that wasn't there and for one that didn't respond. That is, you can stealth your ports but someone can still tell you are there.

Think I'm missing a post here ;(..

Can the OP explain again just what it is he's looking to do, as if it's VPNs over cable systems they can be done without any fuss at all. Or is he after something else?..

--
Tony Sayer
#9
Posted to uk.comp.homebuilt,uk.d-i-y

On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:
> In article ..., dennis@home scribeth thus
>> On 15/02/2014 11:09, David.WE.Roberts wrote:
>>> I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi running a VPN server). I used 'Shields Up' to check what the ports were doing.
>>> Now without DMZ turned on everything is stealthed. With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both opened automatically. The rest go to 'closed' instead of 'stealthed'.
>>> The opening of the two ports seems reasonable for an instant DMZ, but I am puzzled why the other ports now show as 'closed'. AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas a 'stealthed' one will not.
>>
>> Last time I looked you got a different response from the final router for a destination that wasn't there and for one that didn't respond. That is, you can stealth your ports but someone can still tell you are there.
>
> Think I'm missing a post here ;(..
> Can the OP explain again just what it is he's looking to do, as if it's VPNs over cable systems they can be done without any fuss at all. Or is he after something else?..

I wish to run a VPN server at home, to allow connection into my home LAN then out again, so that the call looks to be coming from my home network. Useful when you are abroad and sites refuse to talk to non-UK IP addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards all incoming calls to a selected IP address, and a Raspberry Pi as the VPN server.

My concerns now centre on the way the SH2 implements the DMZ feature.

HTH
Dave R
#10
Posted to uk.comp.homebuilt,uk.d-i-y

On 16/02/2014 13:20, David.WE.Roberts wrote:
> On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:
>
> I wish to run a VPN server at home, to allow connection into my home LAN then out again, so that the call looks to be coming from my home network. Useful when you are abroad and sites refuse to talk to non-UK IP addresses.
> Now implemented using the DMZ feature of the Virgin SH2, which forwards all incoming calls to a selected IP address, and a Raspberry Pi as the VPN server.
> My concerns now centre on the way the SH2 implements the DMZ feature.

I've a similar use of VPN (actually OpenVPN), but poke a hole in the firewall and simply use port forwarding to the server/UDP port. I don't use/need DMZ.

If I were running www web servers (which I kind of thought you were) then I'd be investigating DMZ and possibly additional assigned IP addresses for each server. Hmmm, do Virgin even roll out additional static addresses for home users?

--
Adrian C
#11
Posted to uk.comp.homebuilt,uk.d-i-y

On Sun, 16 Feb 2014 18:46:17 +0000, Adrian C wrote:
> On 16/02/2014 13:20, David.WE.Roberts wrote:
>> On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:
>>
>> I wish to run a VPN server at home, to allow connection into my home LAN then out again, so that the call looks to be coming from my home network. Useful when you are abroad and sites refuse to talk to non-UK IP addresses.
>> Now implemented using the DMZ feature of the Virgin SH2, which forwards all incoming calls to a selected IP address, and a Raspberry Pi as the VPN server.
>> My concerns now centre on the way the SH2 implements the DMZ feature.
>
> I've a similar use of VPN (actually OpenVPN), but poke a hole in the firewall and simply use port forwarding to the server/UDP port. I don't use/need DMZ.
> If I were running www web servers (which I kind of thought you were) then I'd be investigating DMZ and possibly additional assigned IP addresses for each server. Hmmm, do Virgin even roll out additional static addresses for home users?

AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where everything incoming goes to one internal IP address. Then you just have to worry about which ports to open.

Don't need static IP address unless the assigned one changes too often.

I haven't asked about one or more static addresses - it sounds expensive :-)

Cheers
Dave R
#12
Posted to uk.comp.homebuilt,uk.d-i-y

> I've a similar use of VPN (actually OpenVPN), but poke a hole in the firewall and simply use port forwarding to the server/UDP port. I don't use/need DMZ.
> If I were running www web servers (which I kind of thought you were) then I'd be investigating DMZ and possibly additional assigned IP addresses for each server. Hmmm, do Virgin even roll out additional static addresses for home users?

No..

> AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where everything incoming goes to one internal IP address. Then you just have to worry about which ports to open.
> Don't need static IP address unless the assigned one changes too often.

This may well be a problem if with VM, as if you have the server at that end the clients want to know where to look for their connection. A varying VM IP address ain't that useful;!..

> I haven't asked about one or more static addresses - it sounds expensive :-)

If it's Virgin Media they don't have any; they use DHCP or their version of it all the time. My IP addy has changed over time but it's not that often. For added addresses you'll have to go to another non-VM provider...

> Cheers
> Dave R

--
Tony Sayer
#13
Posted to uk.comp.homebuilt,uk.d-i-y

On Tue, 18 Feb 2014 09:34:09 +0000, tony sayer wrote:
>> I've a similar use of VPN (actually OpenVPN), but poke a hole in the firewall and simply use port forwarding to the server/UDP port. I don't use/need DMZ.
>> If I were running www web servers (which I kind of thought you were) then I'd be investigating DMZ and possibly additional assigned IP addresses for each server. Hmmm, do Virgin even roll out additional static addresses for home users?
>
> No..
>
>> AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where everything incoming goes to one internal IP address. Then you just have to worry about which ports to open.
>> Don't need static IP address unless the assigned one changes too often.
>
> This may well be a problem if with VM, as if you have the server at that end the clients want to know where to look for their connection. A varying VM IP address ain't that useful;!..
>
>> I haven't asked about one or more static addresses - it sounds expensive :-)
>
> If it's Virgin Media they don't have any; they use DHCP or their version of it all the time. My IP addy has changed over time but it's not that often. For added addresses you'll have to go to another non-VM provider...

One alternative, of course, is just to have a cron job on the Pi which checks the WAN IP address every now and then. If it has changed, then a quick mailshot to the small user base provides the new information. So fine for a small proxy service, but not so much for a web site with a wider audience. [Although it is possible that a redirect from a domain management site could be worked up.]

Another interesting thing is the DNS name of my link, which seems to include a customer ID and geographical location. It may be that this remains constant even if the IP address changes. I will need to monitor the whole thing to establish what (if any) the rules are.

Cheers
Dave R
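The cron job described in the post above, written out as an added example (not the poster's own script): it looks up the Pi's current WAN address, compares it with the address recorded on the previous run, and only on a real change records the new value and mails the user base. The state file path, the recipient list and a working `mail` command are assumptions; the OpenDNS lookup is one common way to learn the public address from behind NAT.

```shell
#!/bin/sh
# Added example: WAN address change detector for the Pi behind the SuperHub2.
STATE_FILE="${STATE_FILE:-/var/lib/wanip/current}"        # assumed path
RECIPIENTS="${RECIPIENTS:-vpn-users@example.invalid}"      # placeholder list

# Public address as seen from outside: OpenDNS answers a query for
# myip.opendns.com with the address of whoever is asking.
lookup_wan_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com 2>/dev/null | head -n 1
}

# Accept only a plausible dotted-quad, so a failed lookup (empty output or an
# error string) is never recorded or mailed out as a "new address".
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Compare $1 (current address) against the state file $2.
# Returns 0 and records the address if it changed or was never recorded,
# 1 if it is unchanged, 2 if $1 is not a usable address.
ip_changed() {
    cur="$1"; state="$2"
    valid_ipv4 "$cur" || return 2
    if [ -f "$state" ] && [ "$(cat "$state")" = "$cur" ]; then
        return 1
    fi
    mkdir -p "$(dirname "$state")"
    printf '%s\n' "$cur" > "$state"
    return 0
}

# The "quick mailshot" from the post; assumes a configured local mail command.
notify_users() {
    printf 'The VPN server address is now %s\n' "$1" \
        | mail -s "VPN address changed" "$RECIPIENTS"
}

main() {
    ip="$(lookup_wan_ip)"
    if ip_changed "$ip" "$STATE_FILE"; then
        notify_users "$ip"
    fi
}

# Run from cron with --run, e.g.:  */15 * * * * /usr/local/bin/wanip-check.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The address recorded in the state file is also what a dynamic-DNS updater would push to a provider, so the same check can drive either the mailshot or a DNS update.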
#14
Posted to uk.comp.homebuilt,uk.d-i-y

On 18/02/14 11:12, David.WE.Roberts wrote:
> On Tue, 18 Feb 2014 09:34:09 +0000, tony sayer wrote:
>>> I've a similar use of VPN (actually OpenVPN), but poke a hole in the firewall and simply use port forwarding to the server/UDP port. I don't use/need DMZ.
>>> If I were running www web servers (which I kind of thought you were) then I'd be investigating DMZ and possibly additional assigned IP addresses for each server. Hmmm, do Virgin even roll out additional static addresses for home users?
>>
>> No..
>>
>>> AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where everything incoming goes to one internal IP address. Then you just have to worry about which ports to open.
>>> Don't need static IP address unless the assigned one changes too often.
>>
>> This may well be a problem if with VM, as if you have the server at that end the clients want to know where to look for their connection. A varying VM IP address ain't that useful;!..
>>
>>> I haven't asked about one or more static addresses - it sounds expensive :-)
>>
>> If it's Virgin Media they don't have any; they use DHCP or their version of it all the time. My IP addy has changed over time but it's not that often. For added addresses you'll have to go to another non-VM provider...
>
> One alternative, of course, is just to have a cron job on the Pi which checks the WAN IP address every now and then. If it has changed, then a quick mailshot to the small user base provides the new information. So fine for a small proxy service, but not so much for a web site with a wider audience. [Although it is possible that a redirect from a domain management site could be worked up.]

Just open an account with one of the various providers that will host your domain and forward traffic to whatever IP address you are using today. No-IP is one. You install an application on your system that periodically sends a message to your provider which will then dynamically update their DNS servers if your IP changes.

--
Bernard Peek
#15
Posted to uk.comp.homebuilt,uk.d-i-y

"David.WE.Roberts" wrote in message ...
> On Tue, 18 Feb 2014 09:34:09 +0000, tony sayer wrote:
>>> I've a similar use of VPN (actually OpenVPN), but poke a hole in the firewall and simply use port forwarding to the server/UDP port. I don't use/need DMZ.
>>> If I were running www web servers (which I kind of thought you were) then I'd be investigating DMZ and possibly additional assigned IP addresses for each server. Hmmm, do Virgin even roll out additional static addresses for home users?
>>
>> No..
>>
>>> AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where everything incoming goes to one internal IP address. Then you just have to worry about which ports to open.
>>> Don't need static IP address unless the assigned one changes too often.
>>
>> This may well be a problem if with VM, as if you have the server at that end the clients want to know where to look for their connection. A varying VM IP address ain't that useful;!..
>>
>>> I haven't asked about one or more static addresses - it sounds expensive :-)
>>
>> If it's Virgin Media they don't have any; they use DHCP or their version of it all the time. My IP addy has changed over time but it's not that often. For added addresses you'll have to go to another non-VM provider...
>
> One alternative, of course, is just to have a cron job on the Pi which checks the WAN IP address every now and then. If it has changed, then a quick mailshot to the small user base provides the new information. So fine for a small proxy service, but not so much for a web site with a wider audience. [Although it is possible that a redirect from a domain management site could be worked up.]
> Another interesting thing is the DNS name of my link, which seems to include a customer ID and geographical location. It may be that this remains constant even if the IP address changes. I will need to monitor the whole thing to establish what (if any) the rules are.

Stop wasting time and visit this site. It is all free as long as you log into your account every so often.

http://freedns.afraid.org/