Koozali.org: home of the SME Server

preventing e-smith not to display private ip to internet

Renan Nepomuceno

preventing e-smith not to display private ip to internet
« on: January 14, 2003, 02:48:32 PM »
To All,

    How can I block the IP of the private users so that it cannot be seen on the internet? When I access www.taruo.net and check there whether my private IP can be seen, to my big surprise it appears. I think this is a security flaw in e-smith (test it with version 5.5 below); if not, can someone help to block it?


Thanks
 
   renan

Andrew Rosenau

Re: preventing e-smith not to display private ip to internet
« Reply #1 on: January 15, 2003, 06:03:32 AM »
If I understand you correctly, what you want is impossible, as this is handled at the DNS level: when you type in your domain name, DNS must resolve to your IP.

Renan Nepomuceno

Re: preventing e-smith not to display private ip to internet
« Reply #2 on: January 16, 2003, 04:15:42 AM »
Andrew,

        But I think the DNS that must be resolved for the IP is the public, not the private IP.
        And also I tested this when I connected using my PC that is connected through a firewall equipment, and it did not appear on their website, only my public IP.

best regards,
  renan

scharman

Re: preventing e-smith not to display private ip to internet
« Reply #3 on: January 17, 2003, 11:44:20 AM »
I had a similar problem with getting a dynamic dns update via a webpage.

The issue is that e-smith 5.5 has squid configured to tell external networks your internal IP address via the X-Forwarded-For: HTTP field.  You need to edit the /etc/squid/squid.conf file (or specifically the template for it), to set the "forwarded_for" field to "off".

i.e. there should exist a line in your /etc/squid/squid.conf file that looks like "forwarded_for off".

The reason it is on, is so that external web sites can individualise the web experience or whatever to individual users through a NAT'd proxy.

Cheers
Scharry

Renan Nepomuceno

Re: preventing e-smith not to display private ip to internet
« Reply #4 on: January 17, 2003, 01:13:44 PM »
Scharry,

        Thanks for your information regarding the private IP issue, but I'm a little novice at altering the config of e-smith. Can you help a little bit with what files I need to alter and what I should put in the file/s?

Best regards,
 renan

scharman

Re: preventing e-smith not to display private ip to internet
« Reply #5 on: January 18, 2003, 01:00:34 AM »
you need to add a file called "99forwarded_for" in your
"/etc/e-smith/templates/etc/squid/squid.conf/" directory containing the
line "forwarded_for off" like this:


#> cd /etc/e-smith/templates/etc/squid/squid.conf
#> cat > 99forwarded_for
forwarded_for off

#> /etc/e-smith/events/actions/proxy-conf
#> tail -1 /etc/squid/squid.conf
forwarded_for off
#>

and you are done mate.  Technically you are supposed to add in custom mods in the custom templates directories, but to be honest, I've always been too lazy to do that :)  Just note that if you upgrade your e-smith install or install a security blade, it may alter some of your scripts and remove the above changes.

Hope it helps
Cheers
Scharry

scharman

Re: preventing e-smith not to display private ip to internet
« Reply #6 on: January 18, 2003, 01:03:49 AM »
a couple of things, just to clarify

(1) you need to do the above logged in as root
(2) means to press ctrl-d to send EOF.  If you don't understand, just create the 99forwarded_for file using "vi" or something
(3) you need to restart (or reload) squid once you have finished.  You can do this by typing "service squid restart".

Cheers
Scharry

Renan Nepomuceno

Re: preventing e-smith not to display private ip to internet
« Reply #7 on: January 20, 2003, 07:18:16 AM »
Scharman,

          Thanks scharman for your reply. I have already done what you told me and now my private IP is not visible on the internet, but how can I really tighten up my security regarding the squid issue? Right now when I check my PC and test it again with the site www.taruo.net, my private IP is not visible, but the name of my server and the port it is using are visible, and also the keepalive numbers of the squid. If yes, how can I do that, and if not, can I use the masquerading of e-smith?
          Can you point me to some site or any e-smith howto regarding how to configure it for masquerading (just like PAT does)?

best regards,
   renan
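
Added example, not part of the thread: a small Python check that takes the request headers an external header-echo page reports and lists what still reveals the internal network, covering both the X-Forwarded-For leak from Reply #3 and the proxy name and port from Reply #7. The sample headers, host name and Squid version string are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample (all values made up): request headers as an external
# header-echo page might list them for a client behind a NAT'd Squid proxy.
SAMPLE_BEFORE = {
    "X-Forwarded-For": "192.168.1.23",
    "Via": "1.0 gateway.example.lan:3128 (Squid/2.4.STABLE6)",
}
# With "forwarded_for off" Squid sends the literal value "unknown" instead.
SAMPLE_AFTER = dict(SAMPLE_BEFORE, **{"X-Forwarded-For": "unknown"})

# Via hop: [protocol-name/]protocol-version received-by [(comment)]
VIA_HOP = re.compile(r"^\s*(?:[\w.-]+/)?[\w.]+\s+([^\s,()]+)")


def internal_addresses(xff):
    """Private, loopback or link-local addresses in an X-Forwarded-For value."""
    found = []
    for token in xff.split(","):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            continue  # "unknown", empty tokens, obfuscated identifiers
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            found.append(str(addr))
    return found


def via_hosts(via):
    """Proxy host[:port] (or pseudonym) named by each hop of a Via value."""
    hops = (VIA_HOP.match(hop) for hop in via.split(","))
    return [m.group(1) for m in hops if m]


def audit(headers):
    """Map each leaking header to what it reveals (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    found = {
        "X-Forwarded-For": internal_addresses(h.get("x-forwarded-for", "")),
        "Via": via_hosts(h.get("via", "")),
    }
    return {name: values for name, values in found.items() if values}


if __name__ == "__main__":
    print("before:", audit(SAMPLE_BEFORE))
    print("after: ", audit(SAMPLE_AFTER))
```

Run against the "after" sample, the report no longer lists X-Forwarded-For but still lists the Via entry, which matches what Reply #7 describes seeing after the change.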