
Re: [off topic] Configuring an IP blind Apache server



On Mon, 1 May 2006, Michael Holstein wrote:

The idea is a system wide solution that allows any user group to
install any semi-random PHP/MySQL frob without having to hack around
trying to find and disable its IP logging.

Then do as Dan just suggested and forward it using your firewall .. advantage there is you can still "ban" a user if you see the need by inserting the appropriate DENY rule above your forward one.


Note that other "things" in your network may still log the traffic though .. (most hardware firewalls, for example) .. so be sure you know what the end-to-end security is at least as far as your perimeter router.(*)

although, be forewarned, at least with the kernel answer above, if the address is on the same machine, you *will* see the source side of the TCP connection. This is a "feature" of BSD's forwarding mechanism -- so rinetd may be better suited for this. I had thought that you simply wanted a web server to not know which address it itself was listening on (which also works for this).


-Dan



/mike.

(*): well .. unless you use AT&T as an ISP, since we know they forward everything to the ($3_letter_agency) anyway.


--

"It would be bad."

-Egon Spengler, "Ghostbusters"

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
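
The difference Dan describes between kernel forwarding and a userland relay such as rinetd, as an added example that is not part of the original thread: a relay opens its own connection to the server, so the peer address the server can log is the relay's socket, not the client's. This is a minimal stand-in for rinetd, not its code; `start_backend`, `start_relay` and `demo` are hypothetical names, and because everything runs on loopback the difference shows up in the source port.

```python
import socket
import threading

def start_backend(seen):
    """Stand-in for the web server: records the peer address it would log."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, peer = srv.accept()
            seen.append(peer)               # what an access log would contain
            with conn:
                conn.recv(1024)
                conn.sendall(b"ok")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass                                # peer already closed

def start_relay(backend_port):
    """rinetd-style relay: each accepted client gets a new backend connection."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            client, _ = srv.accept()        # the real client address stops here
            upstream = socket.create_connection(("127.0.0.1", backend_port))
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=pump, args=(a, b), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Return (client's own address, address the backend recorded, reply)."""
    seen = []
    relay_port = start_relay(start_backend(seen))
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        client_addr = c.getsockname()
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed sample request
        reply = c.recv(1024)
    return client_addr, seen[0], reply

if __name__ == "__main__":
    print(demo())
```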