
Re: Server Static IP and At&T's BGW210



On 1/19/23 13:15, Tom Browder wrote:
I am trying to use my new public static IP for my Debian PC which is ready
for it security-wise (thanks to advice from this ML; note I will initially
allow access only via ssh from the IP address of one of my remote hosts).

I know how to turn on public access in their router, but it's not clear
what the results will be. I have queried the AT&T community but no answer
yet.

The question is: when I set the router to allow public access, does it only
allow access to devices assigned to one of the public IPs (i.e., it does
NOT allow access to devices using DHCP)?

It seems to me logically that should be true, but I just need some
confirmation before I open up to the public. (And I will start by limit

Thanks.

-Tom


If your AT&T U-verse residential gateway is anything like mine (Pace 5268AC FXN), it will have a web server/control panel accessed by connecting a computer via an RJ-45 Ethernet port or via Wi-Fi, and browsing to a specific IPv4 address (mine uses 192.168.1.254). Doing so with Debian 11.6 and Firefox, I see a web page with 4 tabs and the "Home" tab active. If I select Settings -> Firewall, I see a Status page with the rules I have defined. If I select Applications, Pinholes and DMZ, I see a web page with two parts -- "Select a computer" and "Edit firewall settings for this computer". If I click the link for my UniFi Security Gateway in the first part (you would choose your Debian server here), the second part updates and I see three choices:

- Maximum protection -- this means no incoming Internet traffic will be forwarded to the selected host.

- Allow individual applications -- this means incoming Internet traffic that matches the specific protocols/ ports that I have configured will be forwarded to the selected host. I have configured my AT&T gateway to route Internet incoming SSH traffic and Internet incoming VPN traffic to my UniFi Security Gateway.

- Allow all applications -- this means all incoming Internet traffic will be forwarded to the selected host.


I suggest that you start with the second option and SSH traffic.


On a related note, you might want your static IP to be accessible via a Fully Qualified Domain Name. You have at least two choices:

- Add an entry to the /etc/hosts file on the remote host(s) (e.g. your laptop), so that it can find your static IP when you enter the FQDN (e.g. when you are remote with a laptop and want to connect to your Debian host with ssh(1)).

- If you have a domain name and DNS hosting, add a DNS record to your DNS hosting service so that any host connected to the Internet can find your static IP by name.


I own and recommend "Networking for System Administrators" by Lucas:

https://mwl.io/nonfiction/networking#n4sa


HTH,

David
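
Added example, not part of the original posts: a host-side nftables ruleset for the Debian server that enforces the plan stated in the thread (SSH only, and only from one remote host) independently of what the gateway forwards. The address 203.0.113.10 is a placeholder from the documentation range, and the file location /etc/nftables.conf and the log prefix are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example for /etc/nftables.conf on the Debian server.
# 203.0.113.10 is a PLACEHOLDER for the single remote host allowed to
# reach sshd; replace it with the real address before loading.

flush ruleset

table inet filter {
    chain input {
        # Default-deny: anything not matched below is dropped, even if
        # the gateway is later switched to "Allow all applications".
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened, and loopback traffic.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP and ICMPv6 (path MTU discovery, IPv6 neighbor discovery).
        meta l4proto { icmp, ipv6-icmp } accept

        # New SSH connections only from the one permitted remote host.
        ip saddr 203.0.113.10 tcp dport 22 ct state new accept

        # Rate-limited log of SSH attempts from any other source, so
        # unexpected exposure is visible in the journal; the chain
        # policy then drops the packet.
        tcp dport 22 limit rate 6/minute log prefix "ssh-denied: "
    }

    chain forward {
        # This host is a server, not a router.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The file can be syntax-checked with `nft -c -f /etc/nftables.conf` before it is loaded. Because the rule matches only the placeholder source address, hosts on the local network are also refused SSH unless a rule for them is added.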

