Koozali.org: home of the SME Server

I need to turn off external web server completely

Tim Litwiller

I need to turn off external web server completely
« on: September 23, 2003, 06:36:01 AM »
My ISP has decided that they will block at the router any account found running a web server - I think that means that if their scanner finds a port 80 that doesn't error it blocks that MAC address.

So I need a way to completely and positively block my SME 6 from answering port 80 on the external interface.

I do web design as a hobby so I would really like to keep web access and also virtual domain and admin access on the internal address.

If anyone has any ideas I would sure appreciate it.

Thanks

Terry

Re: I need to turn off external web server completely
« Reply #1 on: September 23, 2003, 07:09:06 AM »
Although it's not a direct answer to your question, this is what I do.  My ISP says the same thing, so all my domains are set up as virtual domains.  Then, I rename the primary html folder to html%old%.  When you go to my server by IP you get a "You are not authorized to view this page", but all my virtual domains are accessible by URL.  So, unless my ISP starts packet monitoring to find my URL, it seems to them like I do have a web server, but not a public one.  This has kept them happy so far; if they ever say anything I'll have to switch to a company that does allow servers (that is an option for me) and they'll lose my $40/month.  Not that I think they'd really care about it.

Nathan Fowler

Re: I need to turn off external web server completely
« Reply #2 on: September 23, 2003, 07:48:30 AM »
/sbin/ipchains -A input -p tcp --dport 80 -j DENY -i ethX

Where ethX is your external interface.

Boris

Re: I need to turn off external web server completely
« Reply #3 on: September 23, 2003, 11:47:37 PM »
If you don't need external access, switch your server to "private server-gateway" mode. It will ignore all the requests from outside while allowing you to do your development and internet sharing.

Tim

Re: I need to turn off external web server completely
« Reply #4 on: September 24, 2003, 06:23:43 AM »
Thanks all for the replies.

Terry, their script hits port 80 and if anything replies other than a timeout you get blacklisted.

I fixed it by adding my private IP address in the 05Bind* of the Apache config instead of *, which is the default.  So Apache doesn't listen on the external IP at all.  If they complain again I will add the firewall rule.

Boris, I tried the private gateway mode and even though I couldn't pull up a web page Apache still responded, so it wasn't good enough.
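
Added example, not part of the thread: since the scanner described in this reply treats any answer other than a timeout as a web server, this sketch predicts what an outside probe of TCP/80 sees for the three states discussed (default `*` bind, Apache bound to the private address only, and a DROP rule on the external interface). The function names, `eth1`, and the addresses 203.0.113.10 and 192.168.1.1 are assumptions; the inputs are constructed text in `iptables -S INPUT` and `netstat -tln` format.

```shell
# Added example. Simplified model: the first INPUT rule that names the
# interface (or none), "-p tcp" and "--dport 80" decides; chain policy,
# user-defined chains and broader rules are ignored.

# fw_verdict IFACE RULES_FILE -> prints the rule target (e.g. DROP) or NONE
fw_verdict() {
    awk -v ifc="$1" '
        $1 != "-A" || $2 != "INPUT" { next }
        {
            in_if = ""; proto = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i")      in_if  = $(i + 1)
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (in_if != "" && in_if != ifc) next   # rule is for another interface
            if (proto != "tcp" || dport != "80") next
            print target; found = 1; exit
        }
        END { if (!found) print "NONE" }
    ' "$2"
}

# listens_on EXT_IP NETSTAT_FILE -> exit 0 if a TCP/80 listener covers EXT_IP
listens_on() {
    awk -v ip="$1" '
        $NF == "LISTEN" && ($4 == (ip ":80") || $4 == "0.0.0.0:80" || $4 == ":::80") { hit = 1 }
        END { exit !hit }
    ' "$2"
}

# probe_result IFACE EXT_IP RULES_FILE NETSTAT_FILE
probe_result() {
    case "$(fw_verdict "$1" "$3")" in
        DROP)   echo "timeout" ;;        # packet discarded, nothing goes back
        REJECT) echo "reply:reject" ;;   # an ICMP error or TCP reset goes back
        *)      if listens_on "$2" "$4"; then echo "reply:syn-ack"
                else echo "reply:rst"; fi ;;  # a closed port still answers with RST
    esac
}

# Constructed sample data (documentation addresses, not taken from the thread).
d=$(mktemp -d)
printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j DROP' > "$d/fw_drop"
printf '%s\n' '-P INPUT ACCEPT' > "$d/fw_none"
printf '%s\n' 'tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN' > "$d/ns_wild"
printf '%s\n' 'tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN' > "$d/ns_bound"
probe_result eth1 203.0.113.10 "$d/fw_none" "$d/ns_wild"    # default "*" bind
probe_result eth1 203.0.113.10 "$d/fw_none" "$d/ns_bound"   # private-IP bind only
probe_result eth1 203.0.113.10 "$d/fw_drop" "$d/ns_bound"   # bind plus DROP rule
```

In this model a private-only bind with no firewall rule still produces a reply (a TCP reset from the closed port); only the DROP case yields a timeout.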

Boris

Re: I need to turn off external web server completely
« Reply #5 on: September 25, 2003, 02:49:23 AM »
When I tested SME5.6 in the Private Server-gateway mode from outside it doesn't show any open ports.

Tim

Re: I need to turn off external web server completely
« Reply #6 on: September 25, 2003, 08:02:48 AM »
That is what I would have thought was the correct configuration for that setting, but maybe since this machine had already been set up the other way and a bunch of virtual domains etc. set up, it didn't change everything when I changed the setting.

Boris

Re: I need to turn off external web server completely
« Reply #7 on: September 25, 2003, 11:50:50 PM »
If it didn't behave as it is supposed to, I would call it a "bug" and contact Mitel with info on it.

Rob Wellesley

Re: I need to turn off external web server completely
« Reply #8 on: September 26, 2003, 02:01:52 AM »
Nathan Fowler wrote:
>
> /sbin/ipchains -A input -p tcp --dport 80 -j DENY -i ethX
>

/sbin/ipchains?  don't you mean iptables?

rob

Nathan Fowler

Re: I need to turn off external web server completely
« Reply #9 on: September 26, 2003, 02:20:40 AM »
Rob, you're absolutely right, somehow I missed SME 6.

iptables -A INPUT -p tcp --dport 80 -j DROP -i ethX

Rob Wellesley

Re: I need to turn off external web server completely
« Reply #10 on: September 26, 2003, 02:42:24 AM »
Nathan Fowler wrote:
>
> Rob, you're absolutely right, somehow I missed SME 6.
>
> iptables -A INPUT -p tcp --dport 80 -j DROP -i ethX

You're welcome - and thanks for all your great posts.

rob

Charlie Brady

Re: I need to turn off external web server completely
« Reply #11 on: September 26, 2003, 09:56:31 AM »
Nathan Fowler wrote:

> /sbin/ipchains -A input -p tcp --dport 80 -j DENY -i ethX
>
> Where ethX is your external interface.

I'd recommend instead using the built-in feature:

/sbin/e-smith/config setprop httpd-e-smith access private
/sbin/e-smith/signal-event remoteaccess-update

Charlie

Boris

Re: I need to turn off external web server completely
« Reply #12 on: September 26, 2003, 01:25:07 PM »
Charlie,
is there a list of those gems anywhere? I mean a list of the configuration options. I know that this question has been asked before, but the new db structure likely includes tons of options one may find extremely useful.

Rob Wellesley

Re: I need to turn off external web server completely
« Reply #13 on: September 26, 2003, 02:53:00 PM »
Boris wrote:

> is there a list of those gems anywhere?

# /sbin/e-smith

keep hitting the tab key


rob

Boris

Re: I need to turn off external web server completely
« Reply #14 on: September 27, 2003, 03:59:50 AM »
Rob,
It is not what I asked.
There are commands like /sbin/e-smith/config, /sbin/e-smith/db, /sbin/e-smith/signal-event etc., and they are widely used, but config options like
/sbin/e-smith/config setprop httpd-e-smith access private
are not that obvious. If a property for the service is not listed in the configuration file and is assumed to be in its default state, it is hard to guess if it exists unless it's listed somewhere.