
Greetings

Can't find any somewhat current information (less than 2 years old) on what kind of an address to use on a server where it's only for use by LAN members - - - NOT for outside use. What I'm finding is at best 5 or 6 years old and then there is the stuff that's more like 10 or more years old. Debian has moved from iptables to nftables as of the latest release of stable (Buster or 10) and I haven't been able to find anything.

Suggestions?

TIA

On Tue, Jan 21, 2020 at 04:47:35PM -0600, o1bigtenor via talk wrote:
Greetings
Can't find any somewhat current information (less than 2 years old) on what kind of an address to use on a server where its only for use by lan members - - - NOT for outside use.
What I'm finding is at best 5 or 6 years old and then there is the stuff that's more like 10 or more years old. Debian has moved from iptables to nftables as of the latest release of stable (Buster or 10) and I haven't been able to find anything.
Maybe try wiki.debian.org. For example, https://wiki.debian.org/nftables.

Cheers,
-- 
Znoteer
znoteer@mailbox.org

On Tue, Jan 21, 2020 at 5:09 PM Znoteer via talk <talk@gtalug.org> wrote:
On Tue, Jan 21, 2020 at 04:47:35PM -0600, o1bigtenor via talk wrote:
Greetings
Can't find any somewhat current information (less than 2 years old) on what kind of an address to use on a server where its only for use by lan members - - - NOT for outside use.
What I'm finding is at best 5 or 6 years old and then there is the stuff that's more like 10 or more years old. Debian has moved from iptables to nftables as of the latest release of stable (Buster or 10) and I haven't been able to find anything.
Maybe try wiki.debian.org. For example, https://wiki.debian.org/nftables.
Had looked at that one - - - - didn't find it very informative. It suggested the use of firewalld, yet that isn't what was actually part of the system. It may be possible that ufw will also work as a 'kinder' front end to nftables, just as it did for iptables. Found a few posts that suggest that that is possible, but little concrete evidence. Therefore the questions.

Thanks

On 2020-01-21 5:47 p.m., o1bigtenor via talk wrote:
Can't find any somewhat current information (less than 2 years old) on what kind of an address to use on a server where its only for use by lan members - - - NOT for outside use.
There are three blocks of IPv4 addresses that are suitable for private use. The address range of those blocks hasn't changed. The three blocks are:

192.168.0.0 - 192.168.255.255 (65,536 IP addresses)
172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses)
10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)

-- 
Cheers!

Kevin.

http://www.ve3syb.ca/               | "Nerds make the shiny things that
https://www.patreon.com/KevinCozens | distract the mouth-breathers, and
                                    | that's why we're powerful"
Owner of Elecraft K2 #2172          |
#include <disclaimer/favourite>     |             --Chris Hardwick

On Tue, Jan 21, 2020 at 5:14 PM Kevin Cozens via talk <talk@gtalug.org> wrote:
On 2020-01-21 5:47 p.m., o1bigtenor via talk wrote:
Can't find any somewhat current information (less than 2 years old) on what kind of an address to use on a server where its only for use by lan members - - - NOT for outside use.
There are three blocks of IPv4 addresses that are suitable for private use. The address range of those blocks hasn't changed. The three blocks are: 192.168.0.0 - 192.168.255.255 (65,536 IP addresses) 172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses) 10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)
I wasn't thinking of IP addresses - - - rather I was thinking of something like example.com but not that. Trying to come up with something so that if machine 1 has the server program that machine 2 can access machine1 just by using machine1 in the browser. So far I've only found example.com and I'd rather not use that. I likely asked the question poorly but also didn't have any idea how to better phrase the ask - - - sorry.

Thanks for the ideas though!

On Tue, 2020/01/21 10:03:53PM -0600, o1bigtenor via talk <talk@gtalug.org> wrote:
| I wasn't thinking of IP addresses - - - rather I was thinking of something
| like example.com but not that. Trying to come up with something so
| that if machine 1 has the server program that machine 2 can access
| machine1 just by using machine1 in the browser.

You want a server name (FQDN) that works internally, but not externally. Just stick it in DNS.

Generally you likely have DNS configured somewhere for some domain. You can add an A record with machine1's internal address e.g.

intservice.mydomain.com IN A 192.168.10.101

Even if you stick that in public DNS, there's no access through your firewall from outside to inside, so often not a big deal. (It would potentially leak information about your name intserver.mydomain.com.)

You likely have a firewall/router at the edge of your internal network. Many firewalls provide DNS service e.g. pfsense provides a DNS resolver and you can add entries there that are only visible internally, even if most of your DNS is external. See also the dnsmasq server.

You may have internal DNS servers running internally - you can add records there.

Don't want to use your public domain name? Buy another domain, and use it only internally - set up DNS the same way. You can even just make up a domain, but that means that you run the risk of not being able to get to legit external servers, if someone else uses that domain. And it means you won't be able to get real SSL certificates. Or use a subdomain of your domain (e.g. internal.mydomain.com).

Last few places I've been, we've purchased a separate domain just for internal use. We exposed a little bit of it in public DNS (e.g. a wildcard for *.myinternal.com) so that we can get letsencrypt SSL certificates for use on internal only machines.

Note that some firewalls try to protect against DNS rebinding attacks, and won't give you an internal address from a public DNS server. You can usually whitelist specific domains. e.g. I have intwww.syonex.com as an A record in public DNS to 192.168.1.2 and I tell my pfsense firewall to trust syonex.com's DNS and give me that address internally.

Remember - DNS is your friend. Tools like dnsmasq let you do weird but useful things with DNS.

Hope that helps!

John
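An added illustration (not code from the thread or from pfSense) of the rebinding protection John describes, using the three private IPv4 blocks Kevin listed: answers from a public resolver that point at private space are dropped unless the name sits under an operator-trusted domain. The sample answers and the trusted-domain list are constructed for this example.

```python
import ipaddress

# The three private IPv4 blocks Kevin listed (RFC 1918).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def is_private_v4(addr: str) -> bool:
    """True if addr lies inside one of the three private blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in block for block in PRIVATE_BLOCKS)

def name_is_trusted(name: str, trusted_domains) -> bool:
    """True if name equals, or sits under, a domain the operator trusts."""
    n = name.lower().rstrip(".")
    for dom in trusted_domains:
        d = dom.lower().rstrip(".")
        if n == d or n.endswith("." + d):
            return True
    return False

def filter_rebinding(answers, trusted_domains):
    """Split (name, address) A records into (kept, dropped).

    An answer mapping a name to private address space is dropped unless the
    name is under a trusted domain; public addresses always pass.
    """
    kept, dropped = [], []
    for name, addr in answers:
        if is_private_v4(addr) and not name_is_trusted(name, trusted_domains):
            dropped.append((name, addr))
        else:
            kept.append((name, addr))
    return kept, dropped

# Constructed sample answers, as if returned by a public resolver.
SAMPLE_ANSWERS = [
    ("intwww.syonex.com", "192.168.1.2"),    # John's whitelisted case
    ("www.example.net", "93.184.216.34"),     # public address, passes
    ("untrusted.example.org", "10.0.0.5"),    # private, not trusted
    ("printer.example.org", "172.16.4.9"),    # private, not trusted
]

if __name__ == "__main__":
    kept, dropped = filter_rebinding(SAMPLE_ANSWERS, ["syonex.com"])
    print("kept:", kept)
    print("dropped:", dropped)
```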

| From: John Sellens via talk <talk@gtalug.org>
| You want a server name (FQDN) that works internally, but not externally.
| Just stick it in DNS.

Right. Here's a way you could do it. Certainly not the only way.

I run BIND on a public IP address. But it is also on my LAN. For the public, it could be considered authoritative for my domain and is non-recursive (will only answer queries about my domain). (For accuracy I have to state but you should ignore: it is actually a "hidden master" (for performance reasons).)

For the LAN, it is recursive and answers all DNS queries. That means it will ask other DNS servers about other domains. (It also caches answers to reduce queries to other servers.) All hosts within my LAN use it as their DNS server.

named.conf contains:
<<<<<<<<<<<<<<<<
// see http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_3496441...
// prevent cache-poisoning by outsiders using recursive queries
acl "inside" {
	127.0.0.0/8;
	::1;
	<MY-LAN-CIDR>;
};

view "inside" {
	match-clients { "inside"; };
	recursion yes;
	allow-query { inside; };
	....
};

view "outside" {
	match-clients { any; };
	recursion no;
	...
};
>>>>>>>>>>
If you want to have some names in your domain public, and some private to your LAN, I think that you need two different zone files for that domain. One for your LAN and one for your domain host (i.e. where queries about your domain go). One could put a whole zone inside the "inside" view and it would only be resolved for queries from your LAN. The limited zone file would be on your domain host. I don't know whether you could split a zone between views. But if your LAN DNS server is not answering queries from outside your LAN that isn't an issue.

On Tue, 21 Jan 2020 at 23:04, o1bigtenor via talk <talk@gtalug.org> wrote:
I wasn't thinking of IP addresses - - - rather I was thinking of something like example.com but not that. Trying to come up with something so that if machine 1 has the server program that machine 2 can access machine1 just by using machine1 in the browser.
Do you know that you can just use the IP address in a browser? As long as machine 1 has a static IP address, say 192.168.1.10, you can then enter 192.168.1.10 as the URL in any browser to reach it. (The address has to be local or reachable through routing tables.) If you like, you can bookmark that address to make it easy to get to.

-- 
Scott

On 2020-01-22 07:47 AM, Scott Allen via talk wrote:
On Tue, 21 Jan 2020 at 23:04, o1bigtenor via talk <talk@gtalug.org> wrote:
I wasn't thinking of IP addresses - - - rather I was thinking of something like example.com but not that. Trying to come up with something so that if machine 1 has the server program that machine 2 can access machine1 just by using machine1 in the browser. Do you know that you can just use the IP address in a browser? As long as machine 1 has a static IP address, say 192.168.1.10, you can then enter 192.168.1.10 as the URL in any browser to reach it. (The address has to be local or reachable through routing tables.) If you like, can bookmark that address to make it easy to get to.
It doesn't even have to be static. You just have to know what it is. Normally, DHCP addresses won't change, unless the lease is allowed to expire or something forces a change.

On Wed, Jan 22, 2020, 8:48 AM James Knott via talk, <talk@gtalug.org> wrote:
It doesn't even have to be static. You just have to know what it is. Normally, DHCP addresses won't change, unless the lease is allowed to expire or something forces a change.
Relying on that is just asking for trouble.

-- 
Scott

I like to use DHCP settings on my router to “reserve” IP addresses - automatically assigning the reserved internal address of my choice to the MAC address of the machine I want to access in this way... On Wed, Jan 22, 2020 at 10:23 AM Scott Allen via talk <talk@gtalug.org> wrote:
On Wed, Jan 22, 2020, 8:48 AM James Knott via talk, <talk@gtalug.org> wrote:
It doesn't even have to be static. You just have to know what it is. Normally, DHCP addresses won't change, unless the lease is allowed to expire or something forces a change.
Relying on that is just asking for trouble.
-- Scott

On 2020-01-22 10:26 AM, James Medeiros via talk wrote:
I like to use DHCP settings on my router to “reserve” IP addresses - automatically assigning the reserved internal address of my choice to the MAC address of the machine I want to access in this way...
That's what I do too. I have IP addresses mapped to MAC addresses for all my devices on my network. The only exceptions are my firewall/router and my main desktop system, both of which are static config. Also, on IPv6, there's no need for DHCP, as one address on each device is based on the MAC address or, in some cases, a static random number.

On Wed, Jan 22, 2020 at 9:26 AM James Medeiros via talk <talk@gtalug.org> wrote:
I like to use DHCP settings on my router to “reserve” IP addresses - automatically assigning the reserved internal address of my choice to the MAC address of the machine I want to access in this way...
Wish there were an easy way to make sure everyone who has responded would get this. I have copied all of the ideas presented in a single file. I had spent quite a few hours looking in different ways for anything I could find. Almost everything was for example.com, which I was somewhat leery of. This compendium is going to fuel quite a bit more looking and learning, and for this I thank you all for your generous contributions!!!

On Tue, Jan 21, 2020 at 10:03:53PM -0600, o1bigtenor via talk wrote:
I wasn't thinking of IP addresses - - - rather I was thinking of something like example.com but not that. Trying to come up with something so that if machine 1 has the server program that machine 2 can access machine1 just by using machine1 in the browser. So far I've only found example.com and I'd rather not use that. I likely asked the question poorly but also didn't have any idea how to better phrase the ask - - -sorry. Thanks for the ideas though!
I tend to use .lan for my local DNS names. zeroconf uses .local for local DNS names. https://en.wikipedia.org/wiki/.local

-- 
Len Sorensen

On Wed, 22 Jan 2020 at 12:16, James Knott via talk <talk@gtalug.org> wrote:
On 2020-01-22 12:05 PM, Lennart Sorensen via talk wrote:
I tend to use .lan for my local dns names.
I have my own registered domain, so that's what I use.
Big "+1" on that...

I use a local subset of a TLD I own. There is NO risk of some surprise happening as a consequence of ICANN delegating a new TLD.

I seem to recall there being a problem when the new gTLDs came along where printers (HP, most likely) started pinging at outside names because "that would never happen" wound up happening.

It sure would be nice if ICANN or IETF were to declare a TLD or three as being the TLD equivalent to "non-routable local private IPs" like 192.168.*.*, but this hasn't happened.

-- 
When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"

On Wed, Jan 22, 2020 at 02:12:40PM -0500, Christopher Browne via talk wrote:
Big "+1" on that...
I use a local subset of a TLD I own. There is NO risk of some surprise happening as a consequence of ICANN delegating a new TLD.
I seem to recall there being a problem when the new gTLDs came along where printers (HP, most likely) started pinging at outside names because "that would never happen" wound up happening.
It sure would be nice if ICANN or IETF were to declare a TLD or three as being the TLD equivalent to "non-routable local private IPs" like 192.168.*.*, but this hasn't happened.
Well RFC 6761 does reserve:

.invalid
.test
.localhost

So that at least is a few that could be used, especially that last one.

-- 
Len Sorensen

On Wed, 22 Jan 2020 at 14:25, Lennart Sorensen via talk <talk@gtalug.org> wrote:
.invalid .test .localhost
So that at least is a few that could be used especially that last one.
Except if you follow the RFC, for .localhost: "Name resolution APIs and libraries SHOULD recognize localhost names as special and SHOULD always return the IP loopback address for address queries and negative responses for all other query types. Name resolution APIs SHOULD NOT send queries for localhost names to their configured caching DNS server(s)."

And for .invalid: "Name resolution APIs and libraries SHOULD recognize "invalid" names as special and SHOULD always return immediate negative responses."

So that leaves only .test

-- 
Scott
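As an added illustration (not code from the thread), a small stub-resolver front-end that applies the RFC 6761 rules Scott quotes to the three names Len listed: .localhost always answers with loopback and is never forwarded, .invalid answers negatively at once, and .test (like an ordinary name such as .lan) is simply forwarded. The in-memory upstream table stands in for the caching DNS server and is an assumption of this example.

```python
# Constructed stand-in for the configured caching DNS server (an assumption
# of this example); a real stub resolver would send these queries upstream.
UPSTREAM_TABLE = {
    "server1.test": "192.168.1.10",
    "server1.lan": "192.168.1.11",
}

LOOPBACK = {"A": "127.0.0.1", "AAAA": "::1"}

def top_label(name: str) -> str:
    """Rightmost label of a name, ignoring case and a trailing dot."""
    return name.lower().rstrip(".").split(".")[-1]

def resolve(name: str, qtype: str = "A", upstream=UPSTREAM_TABLE):
    """Return (status, answer, asked_upstream).

    status is "ok" or "negative"; asked_upstream records whether the
    configured caching server would have been queried at all.
    """
    tld = top_label(name)
    if tld == "localhost":
        # RFC 6761: loopback for address queries, negative for all others,
        # and never forwarded to the caching server.
        if qtype in LOOPBACK:
            return "ok", LOOPBACK[qtype], False
        return "negative", None, False
    if tld == "invalid":
        # RFC 6761: immediate negative response, never forwarded.
        return "negative", None, False
    # .test carries no resolver-side special casing, so it and ordinary
    # names such as .lan go to the caching server like any other query.
    key = name.lower().rstrip(".")
    if qtype == "A" and key in upstream:
        return "ok", upstream[key], True
    return "negative", None, True
```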

On Wed, Jan 22, 2020 at 02:56:07PM -0500, Scott Allen via talk wrote:
Except if you follow the RFC, for .localhost "Name resolution APIs and libraries SHOULD recognize localhost names as special and SHOULD always return the IP loopback address for address queries and negative responses for all other query types. Name resolution APIs SHOULD NOT send queries for localhost names to their configured caching DNS server(s).
And for .invalid "Name resolution APIs and libraries SHOULD recognize "invalid" names as special and SHOULD always return immediate negative responses.
So that leaves only .test
Oh yeah, I missed that detail. I think I will stick with .lan for now.

-- 
Len Sorensen

On 2020-01-22 2:12 p.m., Christopher Browne via talk wrote:
On Wed, 22 Jan 2020 at 12:16, James Knott via talk <talk@gtalug.org <mailto:talk@gtalug.org>> wrote:
On 2020-01-22 12:05 PM, Lennart Sorensen via talk wrote: > I tend to use .lan for my local dns names.
I have my own registered domain, so that's what I use.
Another option is to use DHCP with IPs given out based on the MAC address. For name resolution you can add mappings in to /etc/hosts or use a local name server.

-- 
Cheers!

Kevin.