Re: oops again


From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/06/04


Date: Mon, 5 Jul 2004 19:17:44 -0700

192.168.x.y is an unroutable IP. It means machines outside the local subnet
cannot reference your machine using that IP because no intervening router
will "route" that request.

64.2.x.y is likely your WAN IP of your broadband/modem connection. This is
an IP that any machine can reference and is routable.

Just because you cannot get http://192.168.x.y/index.html or
http://64.2.?.?/index.html to work does not mean that your server is
inaccessible from the outside. It only shows that YOU cannot access it from
your network client but says nothing about whether the server is actually
inaccessible from the outside. Only by knowing how you configured
networking from your server on up can you determine this.

As for blocking port 80 from the firewall, it depends. Most firewalls
prevent outsiders from seeing your machines. They usually do not prevent
you from seeing outside machines.

This is one possible network configuration --
Internet <--> ISP <--> Router (64.2.?.?) (HW Firewall) <--> Your PC, Server,
etc on the local network (192.168.x.y)

You configure the Firewall on the Router to just block every single port.
This blocks anyone from the outside from ever seeing any of your local
network but does not prevent your PCs from contacting the Internet.

When you want to expose the web server on the local network to the internet,
you open up port 80 on the Firewall and forward outside traffic to port 80
to the internal IP (192.168.x.y) of your web server. To the outside world,
64.2.?.?:80 exists; the router takes care of routing 64.2.?.?:80 requests to
192.168.x.y:80 of your web server, based on your forwarding rule.

Now, just because you opened port 80 does NOT mean that it is accessible.
Frequently, ISPs will block port 80 traffic from the Internet -- so that even
though your 64.2.?.?:80 exists, traffic coming from the Internet gets dropped
if it's for port 80.

As you can see, networking is just about names (i.e. protocol, IP, Port,
etc) and connections (the wires between all devices, the routers, the PCs,
etc). Anything along the connection between the client and server can
choose to filter traffic one way or the other (i.e. ISP filtering inbound
port 80, your firewall filtering all inbound ports, etc), and the names are
important to route requests to/from locations along the connections.

I suggest you search for information on basic networking knowledge before
attempting what you are trying to do, so that you clearly understand what is
going on and the security ramifications.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"dawg3294" <dawg3294@discussions.microsoft.com> wrote in message
news:B705A2BC-9540-4A31-8706-DCE2149283AC@microsoft.com...
Sorry for the double postings, I keep hitting my normal "paste" keyboard
shortcut, and it seems to post the message.  Lemme try again:
thanks.  That was helpful.
You're right, my computer has an ip of 192.168.x.y.  I'm new to networking.
What is the significance of that number?  Does it mean that it is a private
ip that is not accessible from the outside?  Does it mean that my ip is
proxied?
When I go to one of those "what is my ip" sites, they say 64.2.?.?
When I go home, and try to http://192.168.x.y/index.html or
http://64.2.?.?/index.html, it does not work.   Is there another way someone
can access the server if I can't http to those ips?
Also, is blocking port 80 from the firewall a viable option?  Will blocking
port 80 stop people from seeing in, stop me from seeing out to other sites,
or both?
"dawg3294" wrote:
> thanks.  That was helpful.
>
> You're right, my computer has an ip of 192.168.x.y.  I'm new to networking.
> What is the significance of that number?  Does it mean
>
> When I go to one of those "what is my ip" sites, they say
>
> "David Wang [Msft]" wrote:
>
> > When you install IIS5, it is going to listen on all network interfaces by
> > default. I do not know whether your internet access from the test server is
> > via direct connection or proxied.  If it is direct connection (i.e. the test
> > server is connected to the broadband modem), then your test server is live
> > on the Internet and is probably already hacked if unpatched.  If it is
> > proxied (i.e. test server is attached to a hub/switch with an internal IP
> > address, and the broadband modem is connected to some other device which
> > manages internal/external IP address mapping), then you're probably Ok, but
> > you still need to patch the server.
> >
> > I would seriously consider flattening this server and starting over if you
> > suspect anything on the box, to be safe.
> >
> > Network-based attacks do not need domains -- they need an IP address.
> >
> > Personally, for testing ASPX pages, there are two approaches.
> > 1. Use Cassini, which is a simple-minded ASP.Net web server useful only for
> > testing ASP.Net pages.  Check out www.asp.net for more info
> > 2a.  Install the Microsoft Loopback adapter (go to add a new HW Network
> > Card, and loopback is one of the choices)
> >   b. Manually configure the IP of the loopback to a private, non-routable
> > address (like 192.168.x.y)
> >   c. Configure your websites on IIS to only listen on the IP from 2b
> >   d. (Optionally) configure IP Security in IIS to deny access to all but
> > localhost
> >
> > In both cases, access to the ASPX page is localhost only.
> >
> > -- 
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "dawg3294" <dawg3294@discussions.microsoft.com> wrote in message
> > news:059FE7FF-F87B-4851-9844-E800A5265D77@microsoft.com...
> > I am using IIS 5 to run a test server.  (I use it to test my aspx
> > pages before uploading them to my real server, which outsiders
> > can see.)  The server that it is on has access to the internet, but
> > I have never set the IIS server to allow outsiders to view the
> > website.
> >
> > Is there any way outsiders can access the website/server? I
> > would prefer they not be able to. As I understand it, I would
> > have to register my domain before IIS hacker vulnerabilities
> > become an issue. Or does the fact that my computer has
> > internet access make it possible for people/viruses to access
> > the server somehow?
> >
> > Thanks for any enlightenment. I'm new at this. Also, any
> > articles you can point me towards for further research would be
> > appreciated.
> >
> >
> >

