[GTALUG] Routing and/or Proxying

Bob Jonkman bjonkman at sobac.com
Sat Sep 3 17:52:38 EDT 2016


Hi Giles: Do the computers you maintain need to accept arbitrary
inbound connections from the external system? Or other systems?

If not, then in this scenario they're really clients to the external
system's server(s). In this case you can use a NAT router, where all
outbound connections come from the same IP address. Any external
servers they connect to can exchange data.

If your application servers do need to accept arbitrary inbound
connections, are there inbound port duplicates? I.e., are there multiple
computers that need to accept HTTP traffic on port 80? Or FTP? Or SSH?
If not, then you can still use a NAT router, but you'll need to set up
inbound port forwarding.

For both these scenarios a consumer-level router has the smarts to
accomplish your task, although I'd recommend something a bit more
robust like pfSense.

If you do need to accept arbitrary inbound requests on duplicate port
numbers for different servers then I don't see an easy way to do that
on one IP address... (needs an application-level router that can
determine what hostname is being addressed, what used to be called a
"bastion server").

--Bob.



On 2016-09-03 11:05 AM, Giles Orr via talk wrote:
> I think I'm having trouble finding an answer to my questions
> largely because I don't fully know how to express them, so I'm
> going to try to do so here and see if another member of this list
> can take my English language fuzzy logic and turn it into
> question(s) that can more easily be answered ...
> 
> I'm running application servers that have to make queries to
> servers behind a firewall.  The firewall (not in my control) has to
> be configured to admit IP addresses.  Getting addresses added to
> the firewall can be slow.  So it seems to me the best way to do
> this would be to set up a couple of proxy servers with fixed/known
> IPs so that the application servers (fluctuating headcount and IPs)
> could make their requests through the proxy servers - which are
> known to the firewall.
> 
> This makes sense in my head so far.  But here's the problem: I'd
> like to send all network traffic from the application servers
> through the proxy servers, regardless of content, port,
> destination, anything. But in saying that, it begins to sound more
> like "routing" than "proxying", and enforcing this seems like it
> might be tricky on the open internet.  And authentication of some
> sort would seem to be needed to prevent bad actors using the proxy
> to access stuff behind the firewall.
> 
> A VPN is a possibility, but not one I'm enthusiastic about: I
> tackled OpenVPN a few months back, and after a day and a half and
> very little progress my brains started to slide out my ears.  But
> if that's what I need to do, I'll get back on it.
> 
> Thanks!
> 

-- 
Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-635-9413
SOBAC Microcomputer Services             http://sobac.com/sobac/
Software   ---   Office & Business Automation   ---   Consulting
GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA



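As an added illustration of the first two scenarios Bob describes (a NAT router so that every outbound connection from the application servers leaves from one fixed address, plus inbound port forwarding for a single internal server), here is a small shell script that generates an nftables ruleset for such a gateway. It is example code written for this page, not something from the original thread or from Giles' or Bob's systems; the interface names, the app-server subnet, the public address and the forwarded web server are all assumed values, and the script only prints the ruleset so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Generates an nftables ruleset for a NAT gateway: all outbound traffic
# from the app-server subnet is source-NATed to one fixed public IP (the
# address the remote firewall admits), and public port 80 is forwarded to
# a single internal web server. All addresses and interface names below
# are assumptions for illustration; override them via the environment.

APP_SUBNET="${APP_SUBNET:-10.20.0.0/24}"   # assumed: app servers with changing IPs live here
WAN_IF="${WAN_IF:-eth0}"                   # assumed: interface that holds the fixed public IP
LAN_IF="${LAN_IF:-eth1}"                   # assumed: interface facing the app servers
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"     # assumed: the address registered with the remote firewall
WEB_SERVER="${WEB_SERVER:-10.20.0.50}"     # assumed: the one internal host that must accept port 80

# Print the ruleset to stdout. Load it (after review, as root) with:
#   sh nat-gateway.sh | nft -f -
nat_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections we already allowed.
        ct state established,related accept

        # Only the app-server subnet may use this gateway to reach the outside;
        # anything else arriving on the LAN side is dropped by the chain policy.
        iifname "$LAN_IF" ip saddr $APP_SUBNET oifname "$WAN_IF" accept

        # The single inbound service we forward (paired with the dnat rule below).
        iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $WEB_SERVER tcp dport 80 ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Inbound port forwarding: public port 80 -> the one internal web server.
        iifname "$WAN_IF" tcp dport 80 dnat to $WEB_SERVER:80
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Source NAT: outbound packets from the app servers leave as PUBLIC_IP,
        # so the remote firewall only ever needs this one address on its allow list.
        ip saddr $APP_SUBNET oifname "$WAN_IF" snat to $PUBLIC_IP
    }
}
EOF
}

# Returns 0 if the generated ruleset still drops forwarded traffic by default
# and pins the source NAT to the app-server subnet; a guard against someone
# widening the subnet to 0.0.0.0/0 and turning the gateway into an open relay.
ruleset_is_scoped() {
    out=$(nat_ruleset)
    printf '%s\n' "$out" | grep -qF 'policy drop;' || return 1
    printf '%s\n' "$out" | grep -qF "ip saddr $APP_SUBNET oifname \"$WAN_IF\" snat to $PUBLIC_IP" || return 1
    if printf '%s\n' "$out" | grep -qF 'saddr 0.0.0.0/0'; then
        return 1
    fi
    return 0
}

if [ "${1:-}" = "check" ]; then
    ruleset_is_scoped && echo "ruleset scoped to $APP_SUBNET" || { echo "ruleset not scoped" >&2; exit 1; }
else
    nat_ruleset
fi
```

The gateway also needs `net.ipv4.ip_forward=1`, and `flush ruleset` clears any other tables on the box, so merge rather than flush on a host that already runs nftables. Note what this buys you on the "authentication" point in Giles' question: the only thing that identifies a legitimate client to the remote firewall is the gateway's source address, so keeping the forward chain scoped to the app-server subnet (and that subnet off the open Internet) is what stops arbitrary hosts relaying through it. Bob's third scenario, several internal servers behind one public address on the same port, is outside what NAT can do and needs a reverse proxy such as HAProxy or nginx that routes on the HTTP Host header or the TLS SNI name.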

