[TriLUG] DDNS (and maybe DHCP) on host not router, was: enabling SSH into private network

Tom Roche Tom_Roche at pobox.com
Fri Jan 4 12:40:42 EST 2008


<warning: ascii art/>

Tom Roche Thu, 03 Jan 2008 22:09:01 -0500
 >>> I noticed the DI-604 lacked DDNS support, as did the BEFW1S4.
 >>> However, at the Durham Food Co-op we already have a Linksys
 >>> WRT54Gv5 in service, and that *does* have DDNS support.

Lance A. Brown Thu, 03 Jan 2008 23:29:23 -0500
 >> A security nit: Do you need to worry about keeping the POS traffic
 >> segregated from other traffic such as random wireless use?

For the testbed, it's a nit, but for deployment, it's a requirement
emphasized by the POS docs

http://www.wedge.coop/is4c/installation/connect.html
 >>>> A word on security. We re-emphasize that your point of sales
 >>>> network has to be an internal network. Leaving your lanes and
 >>>> server accessible from the internet is tantamount to leaving your
 >>>> books and cash boxes out in the streets. At the risk of stating
 >>>> the obvious, do not simply plug your lanes and servers into the
 >>>> WAN router. Have at least one firewall between your outside
 >>>> router and your internal network, even though the WAN router may
 >>>> claim to be a firewall. It is especially important in our case
 >>>> because all the computers in an IS4C network are web servers. Set
 >>>> firewall rules. Use hosts.allow, hosts.deny, iptables, httpd.conf
 >>>> settings, and all other means to lock down your system. Remember
 >>>> that you need redundant security measures and that user names and
 >>>> passwords by themselves are not sufficient to guarantee security.
 >>>> Be careful of your wireless access points. Don't make the mistake
 >>>> of allowing computers in the neighborhood to connect to your
 >>>> wireless router, be given an internal IP via dhcp, and gain
 >>>> access to everything.

FWIW my current sketch is like

http://www.durhamfoodcoop.org/sites/default/files/postPOSnetworkDiagram-200712271322.png

but I know that has problems (e.g. firewall position, securing the
VoIP and the hydra). (More on that later, but feel free to make
suggestions now. As soon as I figure out how to make Drupal let me
post the Dia file, I'll put that up and folks can just edit that as
desired.)

Anyway, the desire to keep wireless off the POS makes me go ...

Alan Porter Fri, 04 Jan 2008 09:06:26 -0500
 > For what it's worth... the DDNS client does not have to run on the
 > router... it can run on any PC on your private network.

 > The same goes for DHCP. You *could* make the backend machine do DDNS
 > and/or DHCP.

... "oooh!" Suppose I revert to network like

                                   lane
                                  /
Roadrunner -- Surfboard -- DI-604 -- laptop
                                  \
                                   backend

and I need to be able to do two things from outside the network:

0 ssh into backend. I can do this by forwarding 22 to backend and

ssh dfc2@dfctestwall.dyndns.org

1 ssh into lane. I can do that now the old-fashioned, character-
   building way (ssh into backend, open shell on lane), but plan to do
   that via netcat on backend, like

ssh dfc3@dfctestwall.dyndns.org

In both cases I'm using the DDNSed FQDN of the router. ISTM you're
saying I could do, e.g.

ssh dfc2@backend.durhamfoodcoop.org # SSH to backend
ssh dfc3@backend.durhamfoodcoop.org # SSH to lane

correct? If so, that would WFM. How to do DDNS on one of the PN hosts?
Feel free to point to doc. (DHCP would also be of interest, but the
DI-604 seems to be doing that just fine.)

TIA, Tom Roche <Tom_Roche at pobox.com>
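What the two replies add up to, written out as an added example that is not part of this thread: a ddclient configuration for the dyndns2 protocol running on backend rather than on the router (because backend sits behind the DI-604's NAT, its own interface only carries a private address, so ddclient is told to learn the public address from an external checker with use=web); an sshd fragment for backend, the one host the router's port-22 forward reaches, restricting it to key logins for the one forwarded account; and an ssh client config for the outside laptop in which lane is reached through backend by a ProxyCommand that runs nc on backend, so nothing beyond 22 is ever forwarded. The host names backend and lane, the users dfc2 and dfc3, the DynDNS name dfctestwall.dyndns.org, the DynDNS account and the file locations are all assumptions.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original post.
# Assumed names: inside hosts 'backend' and 'lane', users dfc2 (backend)
# and dfc3 (lane), DDNS name dfctestwall.dyndns.org, a made-up DynDNS login.

# ddclient config for backend (protocol dyndns2). 'use=web, web=dyndns'
# asks the checkip service for the public address instead of reading an
# interface, which behind the DI-604's NAT would only yield 192.168.x.x.
ddclient_conf() {
    cat <<'EOF'
daemon=300
syslog=yes
pid=/var/run/ddclient.pid
ssl=yes
protocol=dyndns2
use=web, web=dyndns
server=members.dyndns.org
login=dfc-dyndns            # assumption: DynDNS account name
password='change-me'        # assumption; this file must stay mode 0600
dfctestwall.dyndns.org
EOF
}

# sshd_config fragment to merge into /etc/ssh/sshd_config on backend, the
# only host exposed by the port-22 forward: key-only login for dfc2, no
# root, no password authentication (the IS4C doc's point that user names
# and passwords alone are not enough).
sshd_conf() {
    cat <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers dfc2
EOF
}

# ~/.ssh/config on the outside laptop. 'ssh lane' first opens an ssh
# session to backend as dfc2 and runs nc there to reach lane:22, then the
# lane sshd authenticates dfc3 end to end through that pipe.
ssh_client_conf() {
    cat <<'EOF'
Host backend
    HostName dfctestwall.dyndns.org
    User dfc2
    Port 22

Host lane
    HostName lane
    User dfc3
    ProxyCommand ssh -q backend nc %h %p
EOF
}

# Write the ddclient config and the client config under a prefix
# (default: the real root) with owner-only modes; the sshd fragment is
# printed rather than installed so it can be merged into the live file.
install_confs() {
    prefix=${1:-}
    mkdir -p "$prefix/etc" "$prefix/root/.ssh"
    ( umask 077
      ddclient_conf   > "$prefix/etc/ddclient.conf"
      ssh_client_conf > "$prefix/root/.ssh/config" )
}
```

Usage on backend: `install_confs` as root, then start ddclient; on the laptop, copy the Host stanzas into the user's ~/.ssh/config and run `ssh lane`. If the DDNS name used is backend.durhamfoodcoop.org instead of the dyndns.org one, change both the last line of the ddclient config and the HostName line together, since they must refer to the same record. The ProxyCommand form needs netcat installed on backend; it does not need a second forwarded port on the DI-604.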
