Re: Virtual Server works behind firewall but not outside
First of all the DMZ (DeMilitarized Zone) is a computer you put effectively outside of the firewall. Don't do this! Setting up the virtual server is a good way to start doing what you want to do. Also look at your router's incoming packet server, and make sure it lets outside servers have access to TCP port 80. What I did at this level was set up a policy to Deny any IP Address:Ports I didn't specify, then specified all the non-local IP addresses on port 80 were allowed past this point.

Next, you need to make sure Windows 2000 isn't blocking the external addresses (I have a feeling it is). I'm afraid I can't be of much use here, as I've had no experience setting Win 2000 up for web services. One thing to think about though is that the packets retain their original IP address, so Windows sees them as outside of the local network.

Consider setting up an OS-level firewall on the server as well. This could give you finer control of what packets get on. An application-level firewall like ZoneAlarm can also prevent programs on your computer (whether you installed them or a hacker did) from accessing the internet without your express permission.
~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton
Settings on Windows 2000 Server
Show No IPSEC and no filtering for TCP/IP. So port 80 should not be blocked by the server. I had Black Ice on it, but removed it because I thought it might be blocking the server.

I set the range of addresses to pass for port 80 to the known Internet (1.1.1.1 to 254.254.254.254) and still no connection.

I am free now, to choose my own destiny.
Any outgoing filters
I was able to ping your server, and when I tried accessing the web server, Netscape said it connected to the host, but was waiting for a reply (as opposed to saying "establishing connection"). This makes me wonder if the reply might be getting dropped on the way out. Have you looked for a log from your Web service? Does it show any activity? You should see my connection attempt from IP 132.10.250.4 among others.

On your incoming packet filter, you may want to block the Class A-E network and loopback addresses. These are addresses that shouldn't be used on the internet; if they are, it's for spoofing poorly networked computers. See [link|http://z.iwethey.org/forums/render/content/show?contentid=36713|this message] for more info on these reserved IPs.
~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton
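The inbound policy discussed in the posts above (deny by default, allow port 80 from outside, drop reserved source addresses), sketched as an added example that is not part of any poster's message. The bogon list, function names and sample packets are constructed for illustration; the last function shows which reserved blocks an allow range of 1.1.1.1 to 254.254.254.254 would still admit.

```python
import ipaddress

# Source ranges that should never arrive from the Internet side
# (constructed list for this example: loopback, RFC 1918 private,
# link-local, multicast and the reserved 240/4 block).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
ALLOWED_TCP_PORTS = {80}  # the only service published in the thread


def is_bogon(ip):
    """True if the source address falls in one of the reserved blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


def ingress_decision(src_ip, proto, dst_port):
    """Default-deny WAN filter: drop bogon sources, allow TCP/80 only."""
    if is_bogon(src_ip):
        return "drop-bogon"
    if proto == "tcp" and dst_port in ALLOWED_TCP_PORTS:
        return "allow"
    return "drop-default"


def bogons_inside_range(first, last):
    """List the bogon blocks that a 'first to last' allow range would admit."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return [str(b) for b in BOGONS if any(b.overlaps(r) for r in blocks)]


if __name__ == "__main__":
    # Constructed packets; the addresses reuse ones quoted in the thread.
    for pkt in [("132.10.250.4", "tcp", 80), ("192.168.0.2", "tcp", 80),
                ("127.0.0.1", "tcp", 80), ("132.10.250.4", "tcp", 8080)]:
        print(pkt, "->", ingress_decision(*pkt))
    print(bogons_inside_range("1.1.1.1", "254.254.254.254"))
```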
Weblog doesn't show any access
so I am guessing that it is dying at the router. Only access it is showing is my local access IP numbers.

Ah heck, maybe I ought to put the web pages up at Brinkster or Webhostme and hope that the pop-ups and banner ads don't look too bad to people reviewing my programs.

I am free now, to choose my own destiny.
Nah - it's good to have your own server....
I've had mine since dial-up days (made a deal w/ my ISP @ the time - they kicked me off first if all the lines filled up; I could use 'redial' *grin*).

Could you indulge me in an experiment? Dunno if it's relevant, but can you put a reference in your hosts file on the webserver that points normad.homelinux.com to your local address (192.168.0.2)?

Imric's Tips for Living
  • Paranoia Is a Survival Trait
  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
  • Even though everyone is out to get you, it doesn't matter unless you let them win.
Done
and the server is restarting now just to be sure.

I am free now, to choose my own destiny.
Well, it still doesn't work...
So I port-scanned you.

Here are the results:
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on dsl-64-129-13-109.telocity.com (64.129.13.109):
(The 1539 ports scanned but not shown below are in state: filtered)
Port State Service
110/tcp closed pop-3
113/tcp closed auth
8080/tcp closed http-proxy


Nmap run completed -- 1 IP address (1 host up) scanned in 154 seconds



Imric's Tips for Living
  • Paranoia Is a Survival Trait
  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
  • Even though everyone is out to get you, it doesn't matter unless you let them win.
Edited by imric May 22, 2002, 11:31:34 PM EDT
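A way to read the scan report posted above, as an added example that is not part of the original post: it parses the report text and looks up the state of a given port, treating any port not listed as being in the report's default state. It assumes port 80 was among the ports scanned; the state descriptions are the editor's summary, and the function names are hypothetical.

```python
import re

# What each TCP port state in the report implies for troubleshooting.
MEANING = {
    "open": "a service accepted the connection",
    "closed": "the probe was answered with a reset; nothing is listening",
    "filtered": "no usable reply; a filter in the path dropped the probe",
}

# The report from the post above, embedded so the example runs offline.
REPORT = """\
Interesting ports on dsl-64-129-13-109.telocity.com (64.129.13.109):
(The 1539 ports scanned but not shown below are in state: filtered)
Port State Service
110/tcp closed pop-3
113/tcp closed auth
8080/tcp closed http-proxy
"""


def parse_report(text):
    """Return (default_state, {port: state}) from an nmap text report."""
    default = re.search(r"not shown below are in state: (\w+)", text)
    listed = {int(m.group(1)): m.group(3)
              for m in re.finditer(r"^(\d+)/(tcp|udp)\s+(\w+)", text, re.M)}
    return (default.group(1) if default else None), listed


def port_state(text, port):
    """State of one port; unlisted ports fall back to the default state."""
    default, listed = parse_report(text)
    return listed.get(port, default)


def explain(text, port):
    state = port_state(text, port)
    return f"{port}/tcp is {state}: {MEANING.get(state, 'unknown state')}"


if __name__ == "__main__":
    for p in (80, 8080):
        print(explain(REPORT, p))
```

Port 80 comes back as filtered while 8080 is closed, which matches the web log showing no outside connection attempts.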
What make/model router?
~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton
Make model router
DLINK DI-804

I have them on tech support by email. Told them I applied the latest firmware, they emailed me back to try the latest firmware upgrade. Duh! Jeff Daniels and Jim Carrey must be running their helpdesk?

I am free now, to choose my own destiny.
troubleshooting
I looked at the manual for that model. It doesn't look like that router allows you to set up your own packet filters. I guess I just assumed it did. You'll definitely want to set up a firewall on your server if there is no packet filter on the router. I've included a checklist of troubleshooting questions; please don't feel insulted by the simplicity of some of them, sometimes we all miss the little things.

Is the DHCP server enabled on the router?
-Yes
--Did you reserve the server's IP address in the DHCP Server Settings?
--Is your server set up as a DHCP client?
--You might also try disabling DHCP and setting up your server with a static IP (see below)
-No
--Did you manually set the DNS addresses of your ISP on your server?

Does your ISP for some reason block that port (and others)? They don't normally, but it is possible.
~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton
Re: troubleshooting
I set up the server with the static IP 192.168.0.2 and used the ISP's DNS settings. I followed all those steps, and either the ISP is blocking port 80, or this router needs some other settings?

I am free now, to choose my own destiny.
Have you looked at
The Intrusion Detection Log? Both Imric and I have tried port scans on your IP; these should have shown up on this log if they made it to your router.

Another thing you can try is connecting your server directly to the DSL modem. See if your web server shows up then. You should probably have Black Ice running to protect yourself, just make sure you can open up port 80. Also make sure your security updates are current.
~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton
DSL or Cable?
either the ISP is blocking port 80

Verizon has done exactly this on the East Coast. Anyone that had DSL before the merger with GTE may not be blocked, but everyone else using Verizon ADSL is probably hosed.

I'd suggest switching to port 8080 and see if things magically start working.
DSL
DirecTV (I joined when they were Telocity). Do they block port 80? If so, they never told me that they did.

I am free now, to choose my own destiny.
     Virtual Server works behind firewall but not outside - (orion) - (32)
         If you have port-forwarding as an option... - (folkert)
         Re: Virtual Server works behind firewall but not outside - (Steven A S) - (13)
             Settings on Windows 2000 Server - (orion) - (12)
                 Any outgoing filters - (Steven A S) - (11)
                     Weblog doesn't show any access - (orion) - (10)
                         Nah - it's good to have your own server.... - (imric) - (9)
                             Done - (orion) - (8)
                                 Well, it still doesn't work... - (imric)
                                 What make/model router? -NT - (Steven A S) - (6)
                                     Make model router - (orion) - (5)
                                         troubleshooting - (Steven A S) - (4)
                                             Re: troubleshooting - (orion) - (3)
                                                 Have you looked at - (Steven A S)
                                                 DSL or Cable? - (n3jja) - (1)
                                                     DSL - (orion)
         end-user level answers - (tseliot) - (1)
             Send your email address to - (orion)
         Update - (orion) - (14)
             Looks like it works from here. - (Steve Lowe) - (1)
                 Don't worry - (orion)
             Yup, it's working! -NT - (Meerkat)
             Run a Firewall on your server - (Steven A S)
             Norm!!! - (pwhysall) - (2)
                 Doesn't look like it - (Steven A S)
                 I created the blank page with FP - (orion)
             Get Thee to a Firewall - (n3jja) - (6)
                 Sygate Help! - (orion) - (5)
                     Dammit dammit dammit dammit! - (orion) - (4)
                         Had no trouble with the ME version - (Steven A S) - (1)
                             No proxy, direct DSL access - (orion)
                         Hmm. Are you using the personal firewall? - (imric) - (1)
                             Yes I am - (orion)
