[ale] Firewall convo

Derek Atkins derek at ihtfp.com
Fri Apr 10 17:08:14 EDT 2020


If you only have 1 IP address then you will need to do port-based NAT in
order to serve multiple items. I.e., the consumer of that 1 IP would
need to be a router and then it would NAT traffic to your DMZ and/or
internal network as necessary.

I am sure a pfSense can do this.  I also know the ER-X would do it.

-derek

On Fri, April 10, 2020 5:03 pm, Jeff Hubbs via Ale wrote:
> I'm looking to have Comcast Business installed at home as a backup
> (their reps can stop calling my phone *any old time now* until I've had
> a chance to actually read over the contract). Will pfSense enable me to
> establish a DMZ for Internet-facing servers? I'm getting only one IP
> address at this time, so I understand that I will have to have the first
> thing on the DMZ be a machine to act as reverse proxy if I want to
> present multiple web sites.
>
> On 4/10/20 4:33 PM, Derek Atkins via Ale wrote:
>> Hi,
>>
>> On Fri, April 10, 2020 4:25 pm, Robert Story wrote:
>> [snip]
>>> Sorry, I wasn't clear. Using their GUI or CLI tools is fine. I mean
>>> that if you edit files yourself (eg /etc/network/interfaces) or make
>>> local modifications (maybe iptables rules), those changes will likely
>>> be overwritten on reboot or when their GUI/CLI tools are used to modify
>>> something that will regenerate those files.
>> Ah, yes, that's definitely true.  Any changes you make outside the
>> /config directory will not last beyond a reboot.  Having said that, you
>> CAN write a shell script that will re-introduce your changes upon reboot,
>> and I've used that method myself to deal with certain shortcomings of the
>> Unifi firmware.
>>
>> For example, unifi does not handle IPv6 source-based routing for IPv6
>> through its default configuration, but you can configure it through the
>> Linux interfaces.  So I wrote a script that is stored in
>> /config/scripts/post-config.d/ that edits /etc/iproute2/rt_tables and
>> then runs a bunch of "ip -6" commands to set up my route and routes.
>> Works great for me, but it does make it a tad harder to manage vs using
>> the GUI interface.
>>
>>> My point was that if you prefer shell access over GUI, with the ER-X
>>> (and openWRT too) you have to learn what you can safely modify just
>>> like any other Linux system and what you need to modify using
>>> non-standard commands for that system.
>> Yes, I agree with that.  But once you learn what you can modify safely
>> and the tricks for how to modify everything else, you can script it all
>> up just fine!  :)
>>
>>> Robert
>> -derek
>>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>


-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
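Derek's description of a /config/scripts/post-config.d/ script that re-adds an rt_tables entry and then runs "ip -6" commands, sketched as an added example (not his script and not from the thread). The table name, source prefix, uplink interface and gateway are constructed placeholders, and the "skip if the interface is not up yet" guard is an assumption about boot ordering rather than anything the thread states.

```sh
#!/bin/sh
# Added example, not from the thread: an EdgeRouter-style script placed in
# /config/scripts/post-config.d/ that re-applies IPv6 source-based routing
# after each boot. Table name, prefix, interface and gateway are
# constructed placeholders; the ip(8) invocations are standard iproute2.
TABLE_ID=100
TABLE_NAME=isp2
SRC_PREFIX="2001:db8:2::/48"       # traffic from this prefix uses the second uplink
WAN_IF=eth1                        # placeholder uplink interface
WAN_GW="fe80::1"                   # placeholder link-local gateway on WAN_IF
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-0}"            # 1 = print the ip commands instead of running them

# Run a command, or just echo it when DRY_RUN=1 (lets the script be checked
# on a workstation without root or the router's interfaces).
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register the table name in rt_tables. /etc is regenerated on reboot, so
# this must happen every boot, but a manual re-run must not append a
# duplicate line: check for an existing "<id> <name>" entry first.
ensure_rt_table() {
    file="$1"; id="$2"; name="$3"
    grep -qE "^[[:space:]]*${id}[[:space:]]+${name}([[:space:]]|$)" "$file" 2>/dev/null && return 0
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# Policy routing: a rule sends packets *from* SRC_PREFIX to the custom
# table, whose only route is a default via the second uplink. Old entries
# are removed first so repeated runs converge rather than stack duplicates.
apply_v6_policy_routing() {
    run ip -6 rule del from "$SRC_PREFIX" table "$TABLE_NAME" 2>/dev/null || true
    run ip -6 route flush table "$TABLE_NAME" 2>/dev/null || true
    run ip -6 rule add from "$SRC_PREFIX" table "$TABLE_NAME" priority 1000
    run ip -6 route add default via "$WAN_GW" dev "$WAN_IF" table "$TABLE_NAME"
}

main() {
    # post-config.d runs early; skip quietly if the uplink is not present yet.
    if ! ip -6 addr show dev "$WAN_IF" >/dev/null 2>&1; then
        echo "$WAN_IF not present, skipping IPv6 policy routing" >&2
        return 0
    fi
    ensure_rt_table "$RT_TABLES" "$TABLE_ID" "$TABLE_NAME"
    apply_v6_policy_routing
}

main "$@"
```

Running it with DRY_RUN=1 on a workstation prints the four ip commands it would issue, which is a cheap way to review the rules before copying the file onto the router.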


