On 15 Jul 2013 14:55, "Nick Daly" <[email protected]> wrote:
>
>
> Quoting Timur Mehrvarz (2013-07-15 07:05:29)
> >> Hi, is there an agreed upon best practice on how to separate public
> >> http services from those that shall only be accessible on the private
> >> network? Private only services could be offered on a separate port and
> >> the firewall would ensure that access to this port is shielded. One
> >> could also offer public + private services on the same port, but make
> >> sure - within the code - that private services will only respond to
> >> requests coming from the internal network. Any other options? How do
> >> you prefer to handle this? Thanks.
>
> Which private network do you mean? I can think of two:
>
> 1. The internal network (intranet) that my FreedomBox runs on (the
> home network, with IPs usually in the range of 192.168...).

In my LAN I got 2000::/3 or fe80::/10. We should not ignore IPv6, as that is just a way of building infrastructure that's not old even before we start

> 2. The private network produced by my authenticated friends connecting
> to my FreedomBox to use services I provide.

IPsec is part of IPv6, so that should be a possible solution. We "just" need to distribute keys.

> 1 is easy: we're serving services on the internal network, so we can
> ignore the larger Internet altogether.
>
> 2 is more difficult but can be accomplished through a number of tools
> like SSH forwarding, Tor Hidden Services, or GNUnet applications. In
> that case, you're looking to authenticate the user before providing
> the service. In case 1, authentication was assumed by the fact that
> the user was on your network (assuming your network is secure...).
>
> Different use cases could require different methods, and we'd better
> make sure we plan for supporting at least one of the common methods
> for v2, at least. Jonas, could you put up a wiki page detailing your
> thoughts on the goals of first few releases? I think they're pretty
> much what I was thinking, but they might be a little more developed.
>
> On Mon, Jul 15, 2013 at 5:31 AM, Jonas Smedegaard <[email protected]> wrote:
> > Good idea to try map out what are best practices for different contexts.
>
> Jonas, I concur! I think the mailing list might be a good place for
> discussing the ideas though, a more permanent wiki page seems
> appropriate when we have more solid solutions.
>
> Nick
> ___________________________________________
> Freedombox-discuss mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
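An added example, not code from this thread or from the FreedomBox project: one way to do the "within the code" check discussed above on a shared port, covering both the 192.168 case and the IPv6 case. The prefixes, the path list and the function names are assumptions; because a LAN's global IPv6 prefix sits inside 2000::/3 like every other global address, "internal" has to be a configured prefix list rather than an address class.

```python
import ipaddress

# Constructed configuration. 2001:db8:1234:5600::/56 (documentation range)
# stands in for the global IPv6 prefix delegated to the home network.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8", "::1/128",       # the box itself
    "192.168.0.0/16",               # IPv4 home network
    "fe80::/10",                    # IPv6 link-local
    "2001:db8:1234:5600::/56",      # this LAN's global prefix (placeholder)
)]

# Hypothetical paths that must only answer on the internal network.
PRIVATE_PATHS = ("/admin", "/backup")


def normalize(peer):
    """Parse the socket peer address (never a client-supplied header such as
    X-Forwarded-For), drop any %zone suffix, unwrap IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(peer.split("%", 1)[0])
    if addr.version == 6 and addr.ipv4_mapped is not None:
        # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d
        addr = addr.ipv4_mapped
    return addr


def is_internal(peer):
    try:
        addr = normalize(peer)
    except ValueError:
        return False                # unparsable peer: fail closed
    return any(addr.version == net.version and addr in net
               for net in INTERNAL_PREFIXES)


def allow(path, peer):
    """Public paths answer everyone; private paths only internal peers."""
    private = any(path == p or path.startswith(p + "/") for p in PRIVATE_PATHS)
    return is_internal(peer) if private else True
```

This only covers the first kind of private network in the thread (being on the LAN); the second kind, authenticated friends connecting from outside, needs authentication rather than an address check.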
