Richard Kimber wrote:
> Thanks. I had assumed that Listen 127.0.0.1:80 meant that apache would
> only serve pages to a user on that machine, and that that was a way of
> preventing any other machine from accessing the pages, and that to allow
> any other machine to access them I had to include that machine's address,
> or allow everyone by not specifying an IP.
No, that is merely the address:port on which the Apache2 server is going to
listen for requests to service. It has nothing to do with the IP address
of the machine(s) requesting service.
> So, do I block external access just with the firewall, and simply allow
> local machines in the firewall rules, rather than doing it via apache
> configuration?
Essentially, the answer is yes. Whether you need to have an active firewall
depends on whether your local network is visible to the Internet.
For example, my local network uses a private subnet (192.168.1.*/24). There
is a large set of subnets that are treated as private; 192.168.*.*/16 are
all private IP addresses, and there are several other ranges that are
considered private as well. As I understand it, no router will forward
data packets in or out of a private subnet unless it is doing some sort of
network address translation (NAT). What this means, in essence, is that
the only data packets coming out of your network onto the Internet are
those that have been translated (by NAT running in your router) into some
public IP address (typically the one assigned to your router by your ISP
when you first connect). The only data packets coming into your network
are those that are translated (again by NAT running on your router) into
your private subnet. In such an environment, your router is acting as a
firewall, screening out all incoming traffic other than responses to
packets the router sent out in the first place. It also means that your
Apache2 server is invisible to the Internet, and can be accessed only by
machines running within your private subnet.
In some cases, your local network may be assigned a subnet of static public
IP addresses. [Not too many ordinary ISPs do this for home networks
because public IP addresses must be unique across the entire Internet,
making them valuable (and expensive) commodities.] Since this makes every
machine on your LAN visible to the Internet, you would be well advised to
run a firewall.
[See Bob Hauck's reply, also.]
--
Larry Bristol --- The Double Luck
http://www.doubleluck.com
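The distinction drawn in this reply (Listen picks the local address:port Apache binds; which clients are allowed is a separate question) can be made concrete with a small model. The following is an added example, not code from the thread or from the Apache project. It emulates the IPv4 forms Apache's mod_authz_host documents for `Require ip` (full address, partial address, network/netmask, network/CIDR), checks whether an address falls in one of the RFC 1918 private ranges the reply mentions, and models which connections a `Listen` socket accepts; the function names and the sample addresses are my own constructions.

```python
import ipaddress

# The three blocks RFC 1918 reserves for private use. Routers on the public
# Internet do not forward packets with these addresses (as the reply says,
# they only leave a LAN after NAT rewrites them to a public address).
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr is in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


def socket_accepts(listen_arg: str, local_addr: str) -> bool:
    """Does a socket bound by 'Listen <listen_arg>' accept a connection that
    arrives on the local interface address local_addr?  (IPv4 forms only.)

    'Listen 80' binds the wildcard address, so it accepts on every interface;
    'Listen 127.0.0.1:80' binds loopback only, so connections arriving on a
    LAN interface never reach Apache at all.  Note that the *client's*
    address plays no part here, which is the point made in the reply.
    """
    if ":" in listen_arg:
        bind_addr = listen_arg.rsplit(":", 1)[0]
    else:
        bind_addr = "0.0.0.0"      # port only: wildcard bind
    return bind_addr in ("0.0.0.0", local_addr)


def parse_require_ip(spec: str) -> ipaddress.IPv4Network:
    """Turn one argument of Apache's 'Require ip' into a network.

    Forms handled (as documented for mod_authz_host, IPv4 only here):
      full address          192.168.1.5
      partial address       10.1            (first 1 to 3 octets)
      network/netmask       10.1.0.0/255.255.0.0
      network/CIDR          192.168.1.0/24
    """
    if "/" in spec:
        # ipaddress accepts both a prefix length and a dotted netmask
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if not all(octets) or not 1 <= len(octets) <= 4:
        raise ValueError(f"unsupported Require ip argument: {spec!r}")
    if len(octets) == 4:
        return ipaddress.ip_network(f"{spec}/32")
    # Partial address: pad with zero octets; each given octet is 8 prefix bits.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def client_allowed(client_addr: str, require_ip_args) -> bool:
    """Emulate 'Require ip a b c ...': the client is allowed if it matches
    any one of the entries.  This is decided on the *client's* address,
    independently of what Listen was set to."""
    ip = ipaddress.ip_address(client_addr)
    return any(ip in parse_require_ip(arg) for arg in require_ip_args)


def request_served(listen_arg, local_addr, client_addr, require_ip_args):
    """Both hurdles in order: the socket must accept the connection, then
    the access rule must admit the client."""
    return socket_accepts(listen_arg, local_addr) and client_allowed(
        client_addr, require_ip_args
    )


if __name__ == "__main__":
    # Constructed sample: a LAN host at 192.168.1.10 running Apache.
    rule = ["192.168.1.0/24"]
    # 'Listen 127.0.0.1:80' blocks a LAN client even though the rule allows it
    print(request_served("127.0.0.1:80", "192.168.1.10", "192.168.1.7", rule))
    # 'Listen 80' plus the rule admits the LAN client ...
    print(request_served("80", "192.168.1.10", "192.168.1.7", rule))
    # ... and rejects an outside one
    print(request_served("80", "192.168.1.10", "203.0.113.9", rule))
```

The `Require ip` entries are the Apache side of the choice discussed above; the `is_private` check is the reasoning behind the reply's remark that a NATed private subnet is not reachable from the Internet in the first place, which is why a firewall rule allowing only the local subnet is the usual answer.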