Remote access: is external IP loopback allowed?



Mark Lanctot
2006-11-24, 13:33
I'm trying to set up remote access.

I did this once before but my configuration was a bit simpler - I didn't have a Smoothwall box in the way!

All my testing is hampered by the fact that I do not have access from a remote IP, so I have to try to do all testing from within my own IP.

I'd like to set up an SSH tunnel but that's REALLY complicated and not working right now for me. So, baby steps first, I'd like to get regular access to the port 9000 SlimServer page first.

Should it come up if I enter in:

http://<my *external* IP>:9000

?

For sure, internal IPs work, i.e. 127.0.0.1, and my internal LAN IP. But is a loopback from an external IP allowed like that?

I can't get the page to load, but grc.com reports that port 9000 is open, which means I may be OK but trying to do something that's just not allowed. Obviously I've whitelisted my own external IP in SlimServer's allowed IPs, but even when I allow all IPs, the page is blocked.

I've forwarded port 9000 from within Smoothwall. When I do this, grc.com reports the port as open. When I disable that rule, grc.com reports it stealthed again, so I think it might be working, I just can't get the page to load on my machine.

I may put the SSH questions in another thread.

peter
2006-11-25, 02:05
On Fri, 24 Nov 2006 12:33:36 -0800, "Mark Lanctot"
<Mark.Lanctot.2hsnkb1164400501 (AT) no-mx (DOT) forums.slimdevices.com> said:
>
> I'd like to set up an SSH tunnel but that's REALLY complicated and not
> working right now for me. So, baby steps first, I'd like to get
> regular access to the port 9000 SlimServer page first.

Why don't you have a look at the Hamachi P2P VPN package.
It's really easy to configure and use (much easier than ssh).
You probably don't even need to open ports on your firewall.

I've used it for a while and I liked the simplicity. Unfortunately a
very restrictive firewall at work forced me to switch to openvpn, which
works well also, but is not quite so simple.

Regards,
Peter

radish
2006-11-25, 09:11
> Should it come up if I enter in:
>
> http://<my *external* IP>:9000

It would, assuming nothing is blocking it. However, you mention smoothwall and that is almost certainly blocking loopback like that, as it's a common firewall rule to block internal IPs from requesting the external interface.

Mark Lanctot
2006-11-25, 09:21
> It would, assuming nothing is blocking it. However, you mention smoothwall and that is almost certainly blocking loopback like that, as it's a common firewall rule to block internal IPs from requesting the external interface.

Could be, I would have thought that it would log it in its firewall log - it didn't.

Mark Lanctot
2006-11-25, 09:22
> On Fri, 24 Nov 2006 12:33:36 -0800, "Mark Lanctot"
> <Mark.Lanctot.2hsnkb1164400501 (AT) no-mx (DOT) forums.slimdevices.com> said:
> >
> > I'd like to set up an SSH tunnel but that's REALLY complicated and not
> > working right now for me. So, baby steps first, I'd like to get
> > regular access to the port 9000 SlimServer page first.
>
> Why don't you have a look at the Hamachi P2P VPN package.
> It's really easy to configure and use (much easier than ssh).
> You probably don't even need to open ports on your firewall.
>
> I've used it for a while and I liked the simplicity. Unfortunately a
> very restrictive firewall at work forced me to switch to openvpn, which
> works well also, but is not quite so simple.
>
> Regards,
> Peter

Hamachi sounds great but unfortunately the remote machine is running Windows 98, Hamachi isn't compatible with Windows 98.

Mark Lanctot
2006-11-25, 10:23
> Could be, I would have thought that it would log it in its firewall log - it didn't.

Well I guess Smoothwall was doing something without telling me, because external access is working just fine on a true remote machine.

I'll try increasing security, because my only form of defence right now is "Block IP addresses", whitelisting the one allowed.

JJZolx
2006-11-25, 11:17
> Well I guess Smoothwall was doing something without telling me, because external access is working just fine on a true remote machine.
>
> I'll try increasing security, because my only form of defence right now is "Block IP addresses", whitelisting the one allowed.

Sometimes that's all you need. I've done this to permit a friend to listen to selections served from my SlimServer. On my firewall I mapped the external IP address to the SlimServer internal IP:port and permitted access only to the IP address of his home cable connection.

From work I have a VPN nailed up between our firewall and mine at home. Then I just connect to the internal (192.168..) address of the SlimServer, as the VPN connection routes between the subnets.
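
An added example, not posted by anyone in this thread: a small Python model of the two points discussed above, a port forward that only matches traffic arriving on the external interface, and a forward restricted to a single source address. The interface binding is an assumed, simplified rule model (not Smoothwall's actual rule set), and every address and name in it is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 / RFC 1918 ranges), not values from the thread.
WAN_IP = "203.0.113.10"      # firewall's external address
SERVER = "192.168.1.20"      # SlimServer host behind the firewall
LAN = ipaddress.ip_network("192.168.1.0/24")
FRIEND = "198.51.100.7"      # the one allowlisted remote address
SCANNER = "198.51.100.99"    # any other internet host, e.g. a port-scan service

@dataclass(frozen=True)
class Forward:
    in_iface: str            # interface the rule is bound to ("wan" or "lan")
    dport: int
    to_ip: str
    allowed_src: tuple = ()  # empty means any source address

OPEN = Forward("wan", 9000, SERVER)
RESTRICTED = Forward("wan", 9000, SERVER, (FRIEND,))

def decide(src, dport, rule):
    """Fate of a new TCP connection from src to WAN_IP:dport under one rule."""
    # A LAN client reaches the firewall on its inside interface, even when
    # the destination it typed is the external address.
    iface = "lan" if ipaddress.ip_address(src) in LAN else "wan"
    if dport != rule.dport:
        return "dropped: no forward for this port"
    if iface != rule.in_iface:
        return "no match: rule is bound to %s, packet arrived on %s" % (rule.in_iface, iface)
    if rule.allowed_src and src not in rule.allowed_src:
        return "dropped: source not in allowlist"
    return "forwarded to %s:%d" % (rule.to_ip, rule.dport)

if __name__ == "__main__":
    for name, rule in (("open", OPEN), ("restricted", RESTRICTED)):
        for who, src in (("LAN client", "192.168.1.50"), ("friend", FRIEND), ("scanner", SCANNER)):
            print("%-10s %-10s -> %s" % (name, who, decide(src, 9000, rule)))
```

Under this model a test from inside the LAN says nothing about the external rule, and once the forward is restricted to one source, an outside port scan from any other address should no longer see the port as open.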