UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

  #1   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

OTOH if I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be looking
at a more robust implementation of a DMZ?

Cheers

Dave R
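
The three labels in the scan report correspond to three outcomes of a TCP connection attempt. The following is an added example, not part of the original post, for checking an address you administer; `tcp_port_state`, `reveals_host` and `loopback_demo` are hypothetical names, and the demo uses constructed loopback ports (the 'stealthed' case is the timeout branch, which loopback cannot reproduce).

```python
import errno
import socket


def tcp_port_state(host, port, timeout=2.0):
    """Classify one TCP port using the scan report's three labels."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"       # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"         # a RST came back: host is up, nothing listening
    except socket.timeout:
        return "stealthed"      # no reply at all: the probe was silently dropped
    except OSError as exc:      # e.g. an ICMP unreachable from a router en route
        return "error:" + errno.errorcode.get(exc.errno, "unknown")


def reveals_host(states):
    """True if any reply proves a machine answers at this address."""
    return any(s in ("open", "closed") for s in states.values())


def loopback_demo():
    """Constructed offline demo: one listening port, one unused port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    unused_port = spare.getsockname()[1]
    spare.close()               # nothing listens here any more
    try:
        return {
            "listening": tcp_port_state("127.0.0.1", listener.getsockname()[1]),
            "unused": tcp_port_state("127.0.0.1", unused_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    states = loopback_demo()
    print(states, "host visible:", reveals_host(states))
```
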
  #2   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 2,040
Default Virgin SuperHub2 and DMZ setting

On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

OTOH if I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.


Don't put SSH in DMZ, use port forwarding with some other chosen number
instead, disable password authentication in SSH (or they'll be brute
forcing that) and enforce the use of private key certificates instead.

DMZ is a bit of a wildcard for web facing services where you don't want
those users also trawling through your local network (hence closed).

Best services of your LAN stays stealthed, and get a bit devious about
the use of 'standard' port numbers.

--
Adrian C
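
One way to confirm that password logins really are off after following this advice, as an added example that is not part of the original post: a small audit of `sshd_config` text. It assumes OpenSSH's documented behaviour that keywords are case-insensitive and the first occurrence of a keyword wins; the function names and both sample configs are constructed for illustration, and `Match` blocks are not evaluated.

```python
import re

# OpenSSH defaults for the keywords this check cares about.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older configs spell the keyboard-interactive switch this way.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Global settings sshd would use: the FIRST occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are out of scope for this check
        key = ALIASES.get(key, key)
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # later duplicates are ignored, as in sshd
    return {**DEFAULTS, **seen}


def password_login_findings(config_text):
    """List the settings that still allow a password to be tried."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive is on (PAM can still ask for a password)")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off, so key login cannot work")
    return findings


# Constructed samples. In SHADOWED the later "no" has no effect.
SHADOWED = "PasswordAuthentication yes\nUsePAM yes\npasswordauthentication no\n"
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "PubkeyAuthentication yes\n")

if __name__ == "__main__":
    for name, text in (("SHADOWED", SHADOWED), ("HARDENED", HARDENED)):
        print(name, password_login_findings(text) or "key-only login")
```

On the server itself, `sshd -T` prints the configuration the daemon actually resolves, including included files.
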

  #3   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

On Sat, 15 Feb 2014 12:01:06 +0000, Adrian C wrote:

On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I
am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

OTOH if I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.


Don't put SSH in DMZ, use port forwarding with some other chosen number
instead, disable password authentication in SSH (or they'll be brute
forcing that) and enforce the use of private key certificates instead.

DMZ is a bit of a wildcard for web facing services where you don't want
those users also trawling through your local network (hence closed).

Best services of your LAN stays stealthed, and get a bit devious about
the use of 'standard' port numbers.


Thanks for the reminder about brute forcing SSH - have closed that port on
the firewall.

I haven't found a 'stealth' option in the firewall on the SuperHub2 though.

Now looking at alternative hardware and will start a new thread.

Cheers

Dave R
  #4   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,018
Default Virgin SuperHub2 and DMZ setting


"David.WE.Roberts" wrote in message
...
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.

OTOH if I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be looking
at a more robust implementation of a DMZ?

Try here
free.virginmedia.discussion.general


  #5   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

On Sat, 15 Feb 2014 12:59:48 +0000, Mr Pounder wrote:

"David.WE.Roberts" wrote in message
...
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I
am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

OTOH if I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be
looking at a more robust implementation of a DMZ?

Try here free.virginmedia.discussion.general


Well, I looked at the Broadband NG and it was not very active.

The General NG doesn't seem to be about VM at all - more OT than uk.d-i-y
by a factor of about 100.

So I come back to the usually reliable uk.d-i-y and uk.comp.homebuilt
which are usually full of (quite) good advice :-)

Cheers

Dave R


  #6   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 2,018
Default Virgin SuperHub2 and DMZ setting


"David.WE.Roberts" wrote in message
...
On Sat, 15 Feb 2014 12:59:48 +0000, Mr Pounder wrote:

"David.WE.Roberts" wrote in message
...
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I
am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.

OTOH if I have 22 and 1723 open the router must be standing out like a
sore thumb anyway.

So does the team think that this strategy is O.K. or should I be
looking at a more robust implementation of a DMZ?

Try here free.virginmedia.discussion.general


Well, I looked at the Broadband NG and it was not very active.

The General NG doesn't seem to be about VM at all - more OT than uk.d-i-y
by a factor of about 100.

So I come back to the usually reliable uk.d-i-y and uk.comp.homebuilt
which are usually full of (quite) good advice :-)

The broadband group has been quiet for ages.

There are some learned people on the general group.


  #7   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 9,369
Default Virgin SuperHub2 and DMZ setting

On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.


Last time I looked you got a different response from the final router
for a destination that wasn't there and for one that didn't respond.
That is you can stealth your ports but someone can still tell you are there.



  #8   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 6,896
Default Virgin SuperHub2 and DMZ setting

In article om,
dennis@home scribeth thus
On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ (RPi
running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are both
opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but I am
puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people' whereas
a 'stealthed' one will not.


Last time I looked you got a different response from the final router
for a destination that wasn't there and for one that didn't respond.
That is you can stealth your ports but someone can still tell you are there.



Think I'm missing a post here;(..

Can the OP explain again just what it is he's looking to do, as if it's
VPNs over cable systems they can be done without any fuss at all.

Or is he after something else?..

--
Tony Sayer

  #9   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:

In article om,
dennis@home scribeth thus
On 15/02/2014 11:09, David.WE.Roberts wrote:
I now have my Virgin SuperHub2 set to accept incoming calls to a DMZ
(RPi running a VPN server).

I used 'shields up' to check what the ports were doing.

Now without DMZ turned on everything is stealthed.

With DMZ turned on Port 22 (ssh) and Port 1723 (pptpd for VPN) are
both opened automatically.

The rest go to 'closed' instead of 'stealthed'.

The opening of the two ports seems reasonable for an instant DMZ, but
I am puzzled why the other ports now show as 'closed'.
AFAIK a 'closed' port will show up on a port scan by 'bad people'
whereas a 'stealthed' one will not.


Last time I looked you got a different response from the final router
for a destination that wasn't there and for one that didn't respond.
That is you can stealth your ports but someone can still tell you are
there.



Think I'm missing a post here;(..

Can the OP explain again just what it is he's looking to do, as if it's
VPNs over cable systems they can be done without any fuss at all.

Or is he after something else?..


I wish to run a VPN server at home, to allow connection into my home LAN
then out again, so that the call looks to be coming from my home network.

Useful when you are abroad and sites refuse to talk to non-UK IP addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards
all incoming calls to a selected IP address, and a Raspberry Pi as the VPN
Server.

My concerns now centre on the way the SH2 implements the DMZ feature.

HTH

Dave R
  #10   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 2,040
Default Virgin SuperHub2 and DMZ setting

On 16/02/2014 13:20, David.WE.Roberts wrote:
On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:

I wish to run a VPN server at home, to allow connection into my home LAN
then out again, so that the call looks to be coming from my home network.

Useful when you are abroad and sites refuse to talk to non-UK IP addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards
all incoming calls to a selected IP address, and a Raspberry Pi as the VPN
Server.

My concerns now centre on the way the SH2 implements the DMZ feature.


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I don't
use/need DMZ. If I were running www Web servers (which I kind of thought
you were) then I'd be investigating DMZ and possibly additional assigned
IP addresses for each server. Hmmm, do Virgin even roll out additional
static addresses for home users?

--
Adrian C



  #11   Report Post  
Posted to uk.comp.homebuilt,uk.d-i-y
external usenet poster
 
Posts: 569
Default Virgin SuperHub2 and DMZ setting

On Sun, 16 Feb 2014 18:46:17 +0000, Adrian C wrote:

On 16/02/2014 13:20, David.WE.Roberts wrote:
On Sun, 16 Feb 2014 10:59:10 +0000, tony sayer wrote:

I wish to run a VPN server at home, to allow connection into my home
LAN then out again, so that the call looks to be coming from my home
network.

Useful when you are abroad and sites refuse to talk to non-UK IP
addresses.

Now implemented using the DMZ feature of the Virgin SH2, which forwards
all incoming calls to a selected IP address, and a Raspberry Pi as the
VPN Server.

My concerns now centre on the way the SH2 implements the DMZ feature.


I've a similar use of VPN (actually OpenVPN), but poke a hole in the
firewall and simply use port forwarding to the server/UDP port. I don't
use/need DMZ. If I were running www Web servers (which I kind of thought
you were) then I'd be investigating DMZ and possibly additional assigned
IP addresses for each server. Hmmm, do Virgin even roll out additional
static addresses for home users?


AIUI the 'DMZ' feature on the SH2 is just a massive port redirect where
everything incoming goes to one internal IP address. Then you just have to
worry about which ports to open. Don't need static IP address unless the
assigned one changes too often.

I haven't asked about one or more static addresses - it sounds expensive :-)

Cheers

Dave R