Re: [off topic] Configuring an IP blind Apache server
On Mon, 1 May 2006, Michael Holstein wrote:
The idea is a system wide solution that allows any user group to
install any semi-random PHP/MySQL frob without having to hack around
trying to find and disable its IP logging.
Then do as Dan just suggested and forward it using your firewall .. advantage
there is you can still "ban" a user if you see the need by inserting the
appropriate DENY rule above your forward one.
Note that other "things" in your network may still log the traffic though ..
(most hardware firewalls, for example) .. so be sure you know what the
end-to-end security is at least as far as your perimeter router.(*)
although, be forewarned, at least with the kernel answer above, if the
address is on the same machine, you *will* see the source side of the TCP
connection. This is a "feature" of BSD's forwarding mechanism -- so
rinetd may be better suited for this. I had thought that you simply
wanted a web server to not know which address it itself was listening on
(which also works for this).
(*): well .. unless you use AT&T as an ISP, since we know they forward
everything to the ($3_letter_agency) anyway.
"It would be bad."
-Egon Spengler, "Ghostbusters"
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
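
The thread's two points, a userspace relay (rinetd-style) hiding the client address from the server behind it and a deny check placed ahead of the forward step, can be seen in a small loopback test. This is an added example, not code from the thread or from rinetd; the relay, the stand-in backend and the 127.0.0.2/127.0.0.3 client addresses are constructed, and it assumes a Linux loopback interface where all of 127.0.0.0/8 is local.

```python
import socket
import threading

DENY = {"127.0.0.3"}  # constructed ban list, consulted before any forwarding

def listen(addr="127.0.0.1"):
    s = socket.socket()
    s.bind((addr, 0))  # port 0: let the kernel pick a free port
    s.listen()
    return s

def backend(listener, seen):
    """Stand-in for the web server: logs the peer IP it sees and echoes it."""
    while True:
        conn, (ip, _port) = listener.accept()
        seen.append(ip)
        conn.sendall(ip.encode())
        conn.close()

def pipe(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def relay(listener, backend_addr, deny):
    while True:
        client, (ip, _port) = listener.accept()
        if ip in deny:  # the DENY check sits above the forward step
            client.close()
            continue
        upstream = socket.create_connection(backend_addr)
        for a, b in ((client, upstream), (upstream, client)):
            threading.Thread(target=pipe, args=(a, b), daemon=True).start()

def demo(client_ips=("127.0.0.2", "127.0.0.3")):
    seen, replies = [], {}
    b, r = listen(), listen()
    threading.Thread(target=backend, args=(b, seen), daemon=True).start()
    threading.Thread(target=relay, args=(r, b.getsockname(), DENY), daemon=True).start()
    for ip in client_ips:
        with socket.create_connection(r.getsockname(), timeout=5, source_address=(ip, 0)) as c:
            replies[ip] = c.recv(64).decode()  # "" means the relay dropped us
    return replies, seen

if __name__ == "__main__":
    print(demo())
```

The backend's log holds only the relay's own address, while the relay itself still sees each real client address, which is the end-to-end caveat raised in the message about other devices on the path.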