OSEC

Re: Reverse Proxy Server?

From: Bob Lee (crazybobcrazybob.org)
Date: Tue May 27 2003 - 16:27:42 CDT


On Tuesday, May 27, 2003, at 11:50 AM, Don Felgar wrote:

> You can also give the webserver in question a public IP address, put
> it behind a firewall, and configure the firewall to allow access to
> the necessary IP addresses only. This will work either with or
> without a VPN. This has the added benefit of excluding attacks on
> ports 80 and/or 443, but a drawback in that you must know in advance
> what IP addresses to allow.
>
> If you cannot know in advance what IP addresses to let through, you
> can authenticate the client on a public webserver, and upon success
> poke a hole in the firewall for that specific IP address and then
> redirect the client.
>
> Incidentally a drawback to port-forwarding type schemes is that all
> traffic appears to originate from a single IP address from the point
> of view of the webserver, reducing the utility of logfiles. I don't
> know if Squid reverse proxy has this effect or not. Don't learn this
> the hard way as I did.
>
> --Don

Trusting IP addresses is not a very safe or scalable practice. You have
NAT, dynamic IPs, ARP poisoning, etc.

Bob
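The "authenticate, then poke a hole in the firewall for that IP" scheme Don describes, and the objection Bob raises to it, as an added worked example that is not part of the original thread or of any product mentioned in it. The firewall is modelled as an in-memory allowlist keyed by source address (standing in for a rule such as `iptables -I INPUT -s <ip> -p tcp --dport 443 -j ACCEPT`); the hosts, addresses, credentials, hole lifetime (`ttl`) and the `client_ip_for_log` helper for Don's logging complaint are all constructed for the illustration. Trusting `X-Forwarded-For` only from a known proxy address is the usual practitioner check; whether a given reverse proxy sets that header is a configuration question the thread leaves open.

```python
"""Added example (not code from the thread): a model of the
'authenticate, then open the firewall for that IP' scheme, used to show
the failure modes Bob names (NAT, dynamic IPs), plus the log-origin
problem of a port-forwarding reverse proxy that Don mentions.

Everything here is constructed: the firewall is an in-memory allowlist
keyed by source IP, standing in for a rule such as
    iptables -I INPUT -s <ip> -p tcp --dport 443 -j ACCEPT
and the hosts, addresses and credentials are invented.
"""
from dataclasses import dataclass, field

WEB_PORT = 443


@dataclass
class Firewall:
    """Holes keyed by source IP with an expiry time, as a dynamic
    allowlist would hold them. ttl is an assumed policy value."""
    holes: dict = field(default_factory=dict)
    ttl: int = 600

    def poke(self, ip, now):
        """Open the web port for ip; return the rule a real script would run."""
        self.holes[ip] = now + self.ttl
        return f"iptables -I INPUT -s {ip} -p tcp --dport {WEB_PORT} -j ACCEPT"

    def allows(self, ip, now):
        exp = self.holes.get(ip)
        return exp is not None and now < exp


def login_and_poke(fw, user, password, src_ip, creds, now):
    """Don's second scheme: authenticate on the public server, then open
    the firewall for the address the login came from."""
    if creds.get(user) != password:
        return None
    return fw.poke(src_ip, now)


def ip_trust_scenario():
    """Two clients behind one NAT, then the legitimate client's IP changes."""
    creds = {"alice": "correct horse"}      # constructed credential store
    fw = Firewall()
    t0 = 1000                               # constructed clock
    nat_ip = "203.0.113.5"                  # shared NAT egress address

    rule = login_and_poke(fw, "alice", "correct horse", nat_ip, creds, t0)
    # Mallory sits behind the same NAT and never logged in, yet the
    # firewall cannot tell her packets from Alice's.
    mallory_admitted = fw.allows(nat_ip, t0 + 1)
    # Alice's dynamic address changes; the hole does not follow her.
    alice_admitted_after_move = fw.allows("198.51.100.7", t0 + 2)
    # The stale hole stays open for the old address until the TTL expires,
    # for whoever holds that address next.
    stale_hole_open = fw.allows(nat_ip, t0 + fw.ttl - 1)
    # A failed login must not open anything.
    failed_login = login_and_poke(fw, "alice", "wrong", "192.0.2.9", creds, t0)

    return {
        "rule": rule,
        "mallory_admitted": mallory_admitted,
        "alice_admitted_after_move": alice_admitted_after_move,
        "stale_hole_open": stale_hole_open,
        "failed_login_opened_hole": failed_login is not None,
    }


def client_ip_for_log(remote_addr, headers, trusted_proxies):
    """Don's logging complaint: behind a reverse proxy every request
    arrives from the proxy's own address. Recover the original client
    from X-Forwarded-For, but only when the peer really is our proxy;
    the header is plain text any client can send, so from anyone else
    it is ignored and the socket address is logged instead."""
    xff = headers.get("X-Forwarded-For", "")
    if remote_addr in trusted_proxies and xff:
        # A proxy appends the address it saw to the end of the list;
        # earlier entries came from the client side and are not trusted.
        return xff.split(",")[-1].strip()
    return remote_addr


if __name__ == "__main__":
    for key, value in ip_trust_scenario().items():
        print(f"{key}: {value}")
    proxy = {"10.0.0.2"}   # constructed address of our own reverse proxy
    print(client_ip_for_log("10.0.0.2", {"X-Forwarded-For": "203.0.113.5"}, proxy))
    print(client_ip_for_log("203.0.113.77", {"X-Forwarded-For": "1.2.3.4"}, proxy))
```

Running the scenario shows what Bob's one-liner means in practice: the hole admits everyone behind the NAT, locks out the authenticated user as soon as her address changes, and stays open for the old address until it expires. The logging helper restores per-client addresses behind a proxy, but only by trusting the proxy's own address, which is again an IP-based trust decision and should be limited to a private, non-spoofable path between proxy and backend.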