siliconshaman ([personal profile] siliconshaman) wrote in [community profile] linux4all, 2010-06-05 05:26 am

plea for help

I have two problems.
1] I'm trying to secure my home server, which has a static LAN IP just outside the 1-100 range and is DMZ'ed.
Now it's running Lucid, and for some reason I can't fathom, although the firewall is set to allow incoming connections on the SMB port, specifically mentioning the other computers on the LAN by host name, it won't let them connect. [In point of fact, they can't see the server.]

2] I can't get Tor to start... it's installed OK, but it's throwing the error "unable to bind the listening port [9050] to the home address", suggesting that another instance of Tor is using it, but there is no other instance of Tor running [I checked using htop]. If it's any help, the torrc file is blank, which I'm not sure whether it should be.

Any suggestions? I've been up all night and I'm brain-fried. I can probably shut down the firewall and Tor and revert to an open server, but that's just asking some script kiddie to poke at it. I'd like to get it up and secure so that no one but the three computers my family use can access the server, and the server uses Tor to connect to the net [and, if possible, works as a Tor relay].

But damned if I can see how to right now... I'm doing what it says in the instructions and it isn't doing what it should according to them.
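Two checks a practitioner would run before touching anything else, as an added example (not code from the original post or from anyone in the thread). First, find out what actually holds TCP 9050: `ss -ltnp` lists listening sockets and, run as root, the owning process, so a second Tor (for example one already started by the package's init script) shows up by name even if it was missed in htop. Second, write the SMB rules against addresses rather than host names: iptables resolves a host name once, when the rule is inserted, so a name that resolves wrongly at that moment (or to a loopback entry in /etc/hosts) produces a rule that silently never matches. The `ss` sample output, the interface name `eth0` and the three client addresses are constructed assumptions for illustration.

```bash
#!/bin/sh
# Added example: (1) identify the process listening on a port, (2) emit
# address-based iptables rules that admit SMB/CIFS only from known LAN clients.

# Constructed sample of `ss -ltnp` output (assumption, not captured from the
# poster's machine). Lets the functions be exercised without root or iproute2.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9050     0.0.0.0:*  users:(("tor",pid=1234,fd=6))
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*  users:(("smbd",pid=987,fd=28))'

# port_holder PORT [SS_OUTPUT]
# Prints the name of the process with a TCP listener on PORT, or nothing.
# With one argument it runs the real `ss -ltnp`; the -p column is only
# populated for other users' processes when run as root.
port_holder() {
    port=$1
    out=${2:-$(ss -ltnp 2>/dev/null)}
    printf '%s\n' "$out" \
      | grep -E "^LISTEN[[:space:]].*[:.]${port}[[:space:]]" \
      | sed -n 's/.*users:(("\([^"]*\)".*/\1/p' \
      | head -n 1
}

# port_is_free PORT [SS_OUTPUT]: succeeds when nothing listens on PORT.
port_is_free() {
    [ -z "$(port_holder "$@")" ]
}

# Assumed LAN addresses of the three family machines (not from the post).
LAN_CLIENTS="192.168.1.101 192.168.1.102 192.168.1.103"

# smb_rules IFACE: print iptables commands that accept SMB/CIFS from
# LAN_CLIENTS and drop it from everyone else. 445/tcp is modern SMB,
# 139/tcp the NetBIOS session service, 137-138/udp NetBIOS name/datagram
# (the browse traffic that lets clients "see" the server at all).
smb_rules() {
    iface=$1
    for ip in $LAN_CLIENTS; do
        printf 'iptables -A INPUT -i %s -s %s -p tcp -m multiport --dports 139,445 -j ACCEPT\n' "$iface" "$ip"
        printf 'iptables -A INPUT -i %s -s %s -p udp -m multiport --dports 137,138 -j ACCEPT\n' "$iface" "$ip"
    done
    # Catch-all after the ACCEPTs: SMB from any other source is dropped.
    printf 'iptables -A INPUT -i %s -p tcp -m multiport --dports 139,445 -j DROP\n' "$iface"
    printf 'iptables -A INPUT -i %s -p udp -m multiport --dports 137,138 -j DROP\n' "$iface"
}

# Usage against the constructed sample; drop the second argument to query the live host.
holder=$(port_holder 9050 "$SAMPLE_SS")
if [ -n "$holder" ]; then
    echo "TCP 9050 is already held by: $holder"
else
    echo "TCP 9050 is free"
fi
smb_rules eth0
```

Run `smb_rules eth0 | sh` as root to load the rules (or paste them into the firewall script you already use), and re-run `port_holder 9050` after stopping whatever it names; only when the port is genuinely free does a blank torrc, which just makes Tor use its built-in default of SocksPort 9050, become the thing to look at.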

[personal profile] aphenine, 2010-06-05 11:54 pm (UTC)
Just a disclaimer to say I've never done this exact setup, but I've dealt with some occasional glitches on internal networks, and this sounds a lot like the problem one gets when one is trying to connect to servers inside a network that is using Network Address Translation to route packets from the external network to the internal network. So, for example, say computer A in network 1 is talking to computer B in network 2, and network 1 is an internal network; because B sees network 1 as a single IP address, it can't connect to computers in network 1 unless the router linking the two specifically knows which of the internal computers to forward the packet to on that port. However, computers in network 1 can send (and initiate connections) to network 2 and have packets sent back to the right computer.

If you're seeing that kind of behaviour, then somewhere, you or the firewall software screwed up the routing. You can have a look at how the kernel is routing using the route commands, or the ipchains command to view the Network Address Translation part of the Firewall. (if you go down this path, expect to do a lot of reading up about the commands).

Also, as a side point, it seems like a bit of overkill to do a DMZ for a home network. Most home networks benefit from the assumption that if someone is inside your network, then they're probably inside your house, or hijacking your wifi. So it's far better to put stout locks on your doors, WPA encryption on your wifi and a good firewall on the internet end of your connection (between the server and the internet), and assume that your internal network is secure otherwise. So are you sure that a DMZ is really what you need? I also think a DMZ would be really hard to set up without using at least three computers (or one computer and two routers), and you sound like you're using just one.