Re: Off Topic...Public IPs
- From: Philip Herlihy <thiswillbounceback@xxxxxxx>
- Date: Mon, 26 May 2008 16:13:24 +0100
Philip Herlihy wrote:
nick wrote:
On May 22, 2:55 pm, Philip Herlihy <thiswillbounceb...@xxxxxxx> wrote:
nick wrote:
I have a client that bought a block of IP addresses from Bellsouth. He
wants to assign those IP addresses to various systems in his office so
he can RDP to them directly. I have a few questions about this...
1. When configuring a block of addresses how does the router know it
has a block? What I mean is, does the router get one static IP, and
through that router we can configure the other systems statically?
2. Wouldn't exposing a domain client system to the Internet, with a
public IP, be a big security risk?
1) It's the "subnet mask" that determines which addresses are "local"
and which have to be passed to a gateway (router). Typically a router
has one subnet on one side, and one or more on the other, often with the
router dishing out addresses to the "internal" subnets via DHCP. The
notion of "Subnet Mask" comes from bitwise comparison operations, and
can be hard to get your head around.
Example: a common IP address and subnet mask combination is:
192.168.1.1 with subnet mask 255.255.255.0
The ".0" here effectively means "any", so any address starting with
192.168.1 is to be considered local (ie part of the subnet), and doesn't
need to be diverted elsewhere. A router has two subnets (sometimes
more), typically one internal and one external. A router will often
incorporate a firewall which allows control over which connections are
allowed to pass from one side to the other. If you put your "various
systems" on the external subnet, then the router/firewall can't control
what reaches them, and so they would need well-maintained firewalls
(presumably software ones) themselves.
What I've done to achieve the same thing is buy a decent firewall/router
which allows "virtual servers". I can specify that an incoming
connection on port 9876 (say) should be routed to machine 6 on port 3389
(which will be picked up by Remote Desktop), while a connection on 9875
(say) should go to machine 5, again on port 3389. In the Remote Desktop
client you simply put the entry port number after the router's IP
address, so if you have a modem/router with a public IP address of
123.456.789.123, you'd enter "123.456.789.123:9876" in the RDC address
box. Much more secure than opening up the whole machine.
2) Yes.
Phil, London
So why would we need a block of public addresses? Is that for exposing
more than one system to the Internet? I've always just done NAT on the
router like you suggest. But this was confusing me. Supposedly the
client wants to RDP directly to his machine without using port
numbers. I don't see what the big deal would be.
Thanks for the reply.
If the client wants to RDP directly to his machine without quoting a port number then either the machine has to have a public IP address, or it has to be the one machine behind a router to which the router diverts the default RDP port (3389). But it would be little trouble to set up an environment variable to translate "graphics" to 123.456.789.321:8765 - client types "graphics" in the box and gets the machine he wants. I'm assuming that would work - if it doesn't, you can always save an RDP shortcut - that I have done.
The big deal is security. If you put a machine directly on the Internet it will be picked up by automated port scans and then automated hacking attacks, so you need to be running a software firewall. The Windows firewall has been enough to reduce the incidence of "worms" to a trickle instead of a flood, although it's rather basic, so what you suggest is at least feasible. However, unless you have many machines, a NAT router/firewall gateway offers far more control over what traffic can enter your network, while providing near-transparent access for legitimate traffic. If you do have many machines, it would be better to assign your IP addresses to a series of such gateways, each of which could provide NAT services to a whole family of computers. But it's a large network that would need more than one. In theory, each gateway could support at least 253 client computers per supported subnet, and many more if the 10.x.x.x number range is used. In practice, cheaper firewalls have limitations due to processing capacity. The Netgear FVS114 is terrific value for a really small network, but I found it gasps for air when serving ten busy machines.
I understand that having a block of IP addresses which share a common subnet mask is only useful if they are physically connected on the same cable.
Caveat: my networking experience is confined to relatively small networks, and there may be further contributions from people with wider knowledge. One of the good things about answering queries on newsgroups is that it makes you clarify your own understanding of things, and that can bring corrections from others, which means I get to learn something new too!
Phil
No, using environment variables doesn't work - not even with % signs on either side!
Phil
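An added example (not from this thread or its posters) of the two mechanisms Phil describes: the bitwise subnet-mask comparison that decides "local vs. send to the gateway", the 253-clients-per-subnet figure, and a "virtual server" table mapping an external port to an internal machine on 3389. The 192.168.1.x machine addresses and the FORWARDS table are constructed for the example.

```python
from typing import Optional, Tuple


def ip_to_int(dotted: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def is_local(my_ip: str, mask: str, dest_ip: str) -> bool:
    """True if dest_ip is on my subnet (deliver directly); False means
    the packet is handed to the gateway. A host ANDs both addresses with
    the mask and compares the results: the .0 octet of 255.255.255.0
    zeroes the last byte, so every 192.168.1.* address compares equal."""
    m = ip_to_int(mask)
    return (ip_to_int(my_ip) & m) == (ip_to_int(dest_ip) & m)


def usable_clients(mask: str) -> int:
    """Client machines one gateway can serve on a subnet: all addresses
    minus the network address, the broadcast address and the gateway itself.
    A contiguous mask is assumed (e.g. 255.255.255.0 or 255.0.0.0)."""
    host_bits = 32 - bin(ip_to_int(mask)).count("1")
    return (1 << host_bits) - 3


# Port-forwarding ("virtual server") table as in the thread: an external
# port on the router's single public IP -> (internal machine, RDP port).
# Internal addresses are constructed for this example.
FORWARDS = {
    9876: ("192.168.1.6", 3389),  # "machine 6"
    9875: ("192.168.1.5", 3389),  # "machine 5"
}


def route_inbound(ext_port: int) -> Optional[Tuple[str, int]]:
    """Where the router sends an inbound connection on ext_port.
    None means no rule matches, so the firewall simply drops it; the
    machines themselves are never reachable on 3389 from outside."""
    return FORWARDS.get(ext_port)
```

Only the ports listed in FORWARDS ever reach an internal host, which is what makes this "much more secure than opening up the whole machine".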