Pound Mailing List Archive, 2005-10
Pound and Zope on same server, how do I protect the zope port?
"Jamie Robe" <robej(at)plancom.org> |
2005-10-07 16:26:42
Hi. Great system. Managed to finally read the man pound and that opened
my eyes to how to get it working, after googling for 2 days :-) But now
that I have everything working, I am worried that I need to do something
to protect the port that zope is working on. Here is my setup:
I have a Debian linux box running the minimum non-gui system I can
install. I apt-get zope and also pound. Configured everything, and I can
see my plone sites by doing the following in my browser on another local
PC. http://xxx.x.x.xxx:8081/mysite (this is straight to the port 8081
that zope is running on). I can also get to it in my browser on another
local PC. http://xxx.x.x.xxx/mysite (this is because pound is monitoring
default port 80 and getting the pages from the backend zope on port
8081). So far so good. However, if I put this machine on the Internet
with a valid IP address, won't people be port scanning and finding the
"less hardened" zope port 8081, and possibly attack that? Should I do
something further like run a firewall on this linux box itself? I don't
get the concept here. I understand that if I ran pound on its own
server, and the backend was on a second box (which could be either on
the Internet OR inside my firewall) I could "hide" this exposure to port
8081 by having that box inside a firewall (e.g. linksys or firebox). My
problem is, I can't (for various reasons) run this setup on 2 boxes.
I was thinking that there must be a way to block port 8081 from being
seen or accessed outside the linux box itself, and only have it accessed
by internal programs (e.g. pound). How can I do something like this? I
really want to have the hardest box I can.
From my working :-) pound.cfg...
ListenHTTP 192.1.2.173,80
UrlGroup ".*"
BackEnd 127.0.0.1,8081,1
EndGroup
Note that I am using the machine's IP address in the ListenHTTP part -
that is a valid IP dedicated to me inside my network for testing only,
and would eventually be my valid IP for the Internet.
The 127.0.0.1 is my local machine IP, right? So that means pound is
sending "internally" to the zope/plone system installed and running on
the same box. I am thinking out loud here that if I block (somehow) the
port 8081 from outside eyes, pound can still get to it (zope) on 8081
inside?
Why am I doing all this and not just using the zope as my server?
Because all the postings, how-tos and books have scared the Cxxx out
of me - that zope is not a "production server" etc.
I appreciate any advice you can give here.
Jamie T. Robe
Automation Team Leader
The Planning Commission
(813)272-5940
> If you could turn the clock back 20 years, what changes would you have
> made to improve your community today?
> Now, turn it forward 20 years - Make an impact on tomorrow today...
> www.PLAN2025.org
>
RE: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
"John Snowdon" <J.P.Snowdon(at)newcastle.ac.uk> |
2005-10-07 16:43:51
Jamie, I don't quite understand what you want to do.
You've got a Zope server running on a system, correct?
That system is connected to the internet, yes?
Do you want the Zope site to be accessible via the Internet, or not?
If you want the Zope site accessible by the outside world, then you're
going to need to enable traffic to whatever port it is running on, no
matter how many firewalls or proxy servers you put it behind.
Also, is there any particular reason why you want to run Pound in front
of Zope if it's on the same box and you've got just the one Zope server?
Finally, the medical students and staff at Newcastle University (and all
the other sites we host) would definitely argue the point about Zope not
being a 'production server'. It's as 'production server' as you make it
(in our case, extremely high performance and failure resistant... with
help from Pound of course!).
John Snowdon - IT Support Specialist
-==========================================-
School of Medical Education Development
Faculty of Medical Sciences Computing
University of Newcastle
Re: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
Ondra Kudlik <kepi(at)orthank.net>
2005-10-07 16:52:02
Hi,
in short :) you can use firewalling; best for your use would be
iptables. You can block access to port 8081 from everywhere except
localhost or some other IP, and you can sleep well :)
This is not up to pound, it is only about firewalling...
--
.''`. Ondra 'Kepi' Kudlik
: :' : Debian GNU/Linux User
`. `'
`- http://www.nosoftwarepatents.com/cz/m/intro/index.html
Re: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
Robert Segall <roseg(at)apsis.ch>
2005-10-07 18:20:15
This is not a Pound issue, but rather firewalling and Zope
configuration.
The easiest way is to have Zope only listen on 127.0.0.1:8081. Since
your local interface is not accessible from the outside world the
problem is solved.
How to do it: define ip-address in your zope.conf to be 127.0.0.1. By
default Zope listens on all available interfaces, but you can limit it
to a single interface.
If instead for some reason you actually want remote direct access to
Zope you can still limit that. For example:
iptables -P INPUT DROP
iptables -A INPUT -s 192.1.2.0/24 --proto tcp --dport 8081 --syn -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
would allow only hosts on the 192.1.2.xxx access to Zope. (BTW,
shouldn't that be 192.168.2.xxx?)
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
RE: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
"Jamie Robe" <robej(at)plancom.org> |
2005-10-07 18:58:58
Hi John,
What I want to have is Zope running on the same box as pound, the whole
thing on a single IP address, with the outside world able to get the
plone site(s) using the default port 80. I want to do this in order to:
(1) "pound sanitizes http requests" - many people online and in the
various plone books mention this as important. I don't really know
how/why this is handled "better" by something like pound or apache or
squid than by zope server.
(2) For example in Plone Live book (I have read all plone related books
that I can get my hands on) page 340-340, a big discussion about how
Zserver is not a "production web server". How "almost all production
Zope sites run 'behind' Apache", and so on. Based on what you are
saying, I am wondering if this isn't all some apache-centric people
wanting to run zope the same way they run other websites...
(3) I am completely open to the idea of running a zope only web server,
if this is as secure as other arrangements - I am totally at a loss as
what is the best approach. Do you run pound on a PC in your DMZ and
then use backend zope servers sitting inside your firewall? If you do,
do they have to have a valid (internet) IP or can you somehow use an
internal IP?
(4) I would really like to use pound, so I am ready for the future
expansion of having more linux servers running zope. Then pound would
make more sense for me, using its load balancing.
I am open to advice on any of the above. Thanks!
Jamie T. Robe
Automation Team Leader
The Planning Commission
(813)272-5940
> If you could turn the clock back 20 years, what changes would you have
> made to improve your community today?
> Now, turn it forward 20 years - Make an impact on tomorrow today...
> www.PLAN2025.org
Re: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
"Alexander N. Spitzer" <aspitzer(at)deploy.com> |
2005-10-07 19:08:01
just have your "real server" bind to localhost:port
--
-alex
------------------------
Alexander N. Spitzer
Deploy Solutions
Re: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
Ted Dunning <tdunning(at)veoh.com>
2005-10-07 19:30:09
Jamie Robe wrote:
>(1) "pound sanitizes http requests" - many people online and in the
>various plone books mention this as important. I don't really know
>how/why this is handled "better" by something like pound or apache or
>squid that by zope server.
>
>
This is important because it can eliminate the possibility that your
application programmers might have accidentally left a hole or that your
web server might respond poorly to malformed requests. Remember, your
web server is a complex beast while pound is very simple and has been
scrutinized line by line for defects that might leave security holes.
At the very least any defects in pound are likely to be very different
from the defects in Zserver so you will still wind up safer.
>(2) ... a big discussion about how
>Zserver is not a "production web server". ... Based on what you are
>saying, I am wondering if this isn't all some apache-centric people
>wanting to run zope the same way they run other websites...
>
>
Partially. I would recommend running a firewall ahead of pound ahead of
any web-server whatsoever. It isn't a matter of "production quality".
It is a matter of good practice.
>(3) I am completely open to the idea of running a zope only web server,
>if this is as secure as other arrangements
>
It really isn't.
>... Do you run pound on a PC in your DMZ and
>then use backend zope servers sitting inside your firewall?
>
That is a common configuration.
>If you do,
>do they have to have a valid (internet) IP or can you somehow use an
>internal IP?
>
>
You should be able to use an internal address combined with some
firewall rules.
>I am open to advice on any of the above.
>
You are on the right track. Don't stop now!
--
Ted Dunning
Chief Scientist
Veoh Networks
RE: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
"Jamie Robe" <robej(at)plancom.org> |
2005-10-07 20:38:26
Robert! That worked. Thanks, and also to everyone for helping me so
quickly.
This is what I did:
Edited my /etc/zope2.8/plone-site/zope.conf with pico, changed the one
line that was commented out: # ip-address 127.0.0.1
Just removed the # commenting it out. Then restarted the whole PC to be
sure. It works as I desired. I can access my plone pages thru
http://192.1.2.173/site but not the zope server at
http://192.1.2.173:8081/site. Zope is now all internal to the machine
and invisible to the outside world, except thru pound!
I don't fully understand what your suggestion does below, but I will
research iptables:
> If instead for some reason you actually want remote direct access to
> Zope you can still limit that. For example:
>
> iptables -P INPUT DROP
> iptables -A INPUT -s 192.1.2.0/24 --proto tcp --dport 8081 --syn -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
>
> would allow only hosts on the 192.1.2.xxx access to Zope. (BTW,
> shouldn't that be 192.168.2.xxx?)
The IP I gave, 192.1.2.xxx is how our internal agency network is set up.
Does that sound problematic? One thing always seems to lead to another
:-)
Alexander, thanks also. Does "just have your "real server" bind to
localhost:port" mean the same thing as we did above? This whole
localhost thing is starting to make sense to me.
Thanks, Jamie
RE: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
Bill Anderson <bill(at)interhack.com>
2005-10-07 21:02:33
> The IP I gave, 192.1.2.xxx is how our internal agency network is set up.
> Does that sound problematic? One thing always seems to lead to another
> :-)
Yes, horribly problematic. Someone else owns those addresses. Please
refer whomever set up your network to RFC 1918
(http://www.faqs.org/rfcs/rfc1918.html), which states that 256 class C
subnets numbered 192.168.0-255.x are available for private use. That
definitely does not include all of 192.x.x.x. I'm sure these guys would
prefer that you didn't use their IP addresses:
CustName: Bolt Beranek and Newman Inc.
Address: 70 Fawcett Street
City: Cambridge
StateProv: MA
PostalCode: 02138
Country: US
RegDate:
Updated: 2005-05-09
NetRange: 192.1.2.0 - 192.1.2.255
CIDR: 192.1.2.0/24
NetName: BBN-TOKYO
I've also worked for a company that had addresses in non-192.168 parts of
the 192 block. Quite annoying. Also, depending on the setup, replies to
certain requests may get routed to these guys instead of you. You may
even be unknowingly spamming them with all kinds of traffic.
Bill
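To make Bill's point checkable, here is an added shell example (not from the thread) that tests whether an IPv4 address falls inside one of the three RFC 1918 private blocks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. The addresses it classifies are constructed for the example (the poster's 192.1.2.173, the 192.168.2.173 Robert suggested, and a few boundary cases), and the function names is_rfc1918 and classify_addr are the example's own.

```shell
#!/bin/sh
# is_rfc1918 A.B.C.D: exit 0 if the IPv4 address lies in one of the three
# RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16),
# exit 1 if it is a valid address outside them, exit 2 if it is not a
# valid dotted-quad at all. Pure POSIX sh; octets are split with IFS.
is_rfc1918() {
    ip=$1
    # Reject anything that is not four dotted decimal octets.
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 2
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 2
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# classify_addr ADDR: print rfc1918 / not-rfc1918 / invalid.
# Written so it is safe under `set -e` (the failing call is in an || list).
classify_addr() {
    rc=0
    is_rfc1918 "$1" || rc=$?
    case $rc in
        0) echo rfc1918 ;;
        1) echo not-rfc1918 ;;
        *) echo invalid ;;
    esac
}

# Constructed sample addresses: the poster's 192.1.2.173 (publicly
# routed, belongs to someone else), the corrected 192.168.2.173, the
# edges of 172.16.0.0/12, loopback, and a malformed address.
for a in 192.1.2.173 192.168.2.173 172.16.0.1 172.31.255.255 172.32.0.1 \
         10.0.0.1 127.0.0.1 300.1.1.1; do
    printf '%-16s %s\n' "$a" "$(classify_addr "$a")"
done
```

Note that 127.0.0.1 is reported as not-rfc1918: loopback is reserved by a different RFC, and the check here is deliberately limited to the three blocks Bill cites.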
RE: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> |
2005-10-07 21:26:04
>
> Robert! That worked. Thanks, and also to everyone for helping me so
> quickly.
> This is what I did:
> Edited my /etc/zope2.8/plone-site/zope.conf with pico, changed the one
> line that was commented out: # ip-address 127.0.0.1
> Just removed the # commenting it out. Then rstarted the whole Pc to be
> sure. It works as I desired. I can access my plone pages thru the
> http://192.1.2.173/site but not the zope server at
> http://192.1.2.173:8081/site. Zope is now all internal to the machine
> and invisible to outside world , except thru pound!
Next time you could also check with 'netstat -lp --ip' to see which
program listens where.
>
> I don't fully understand what your suggestion does below, but I will
> research iptables:
To make your life much easier I strongly recommend you look at Shorewall,
which is a very good iptables/netfilter configuration tool.
http://www.shorewall.net/ also has very good docs.
Regards,
Simon
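Robert's fix (make Zope listen only on 127.0.0.1) and Simon's check (look at what netstat says is listening) can be turned into a small audit. The following shell script is an added example, not part of the thread and not Pound's or Zope's own code. It parses lines in the format of `netstat -ltn` (numeric addresses, the Local Address column as ADDR:PORT) and reports every TCP listener that other hosts can reach, i.e. anything not bound to a loopback address; 0.0.0.0 and :: (all interfaces) count as exposed. The two sample listings are constructed for the example, one showing Zope on all interfaces before the zope.conf change and one after, and the function names are the example's own.

```shell
#!/bin/sh
# Listener audit for a host running pound in front of Zope.
# Input format: `netstat -ltn` (Proto Recv-Q Send-Q Local Foreign State).

# Constructed sample: pound on the public IP, Zope still on all
# interfaces (before "ip-address 127.0.0.1" in zope.conf).
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.1.2.173:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Constructed sample: same host after the change and a restart.
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.1.2.173:80          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# exposed_listeners: read netstat lines on stdin and print "ADDR PORT"
# for every TCP listener not bound to loopback (127.0.0.0/8 or ::1).
# The port is the text after the last ':' so IPv6 "[::]:8081" and
# ":::8081" are handled as well as IPv4.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host !~ /^127\./ && host != "::1" && host != "[::1]")
            print host, port
    }'
}

# port_is_loopback_only PORT: succeed only if PORT has at least one
# listener and every listener on it is bound to loopback.
port_is_loopback_only() {
    port=$1
    listeners=$(awk -v p="$port" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, parts, ":")
        if (parts[n] == p) print $4
    }')
    [ -n "$listeners" ] || return 1
    # grep -v succeeds when some listener on the port is NOT loopback.
    echo "$listeners" | grep -v -E '^(127\.[0-9.]+|\[?::1\]?):' >/dev/null && return 1
    return 0
}

# Against a live host (net-tools installed):
#   netstat -ltn | exposed_listeners
#   netstat -ltn | port_is_loopback_only 8081 && echo "8081 is loopback-only"
if [ "${1:-}" = "--demo" ]; then
    echo "Exposed before the zope.conf change:"
    printf '%s\n' "$SAMPLE_BEFORE" | exposed_listeners
    echo "Exposed after:"
    printf '%s\n' "$SAMPLE_AFTER" | exposed_listeners
fi
```

On the "before" listing the audit reports both 192.1.2.173:80 (pound, intended) and 0.0.0.0:8081 (Zope, unintended); on the "after" listing only port 80 remains, which is the state Jamie describes reaching. Binding to loopback removes the exposure at the socket level, independent of any iptables rules, so it is worth verifying even when a firewall is also in place.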
Re: [Pound Mailing List] Pound and Zope on same server, how do I protect the zope port?
"Alexander N. Spitzer" <aspitzer(at)deploy.com> |
2005-10-07 22:02:57
Jamie Robe wrote:
> Alexander, thanks also. Does "just have your "real server" bind to
> localhost:port" mean the same thing as we did above? This whole
> localhost thing is starting to make sense to me.
no, it is different:
for instance, the default install of apache listens on port 80 across ALL
interfaces... that is to say port 80 will answer on all interfaces such as:
http://localhost
http://192.1.2.173
http://myvirtualinterface-a
http://myvirtualinterface-b
etc...
if you modify the http.conf file, and change
Listen 80
to
Listen 127.0.0.1:80
then apache will only bind to port 80 on the localhost interface, and
thus cannot be hit from anywhere but http://localhost.
I do not know anything about Zope (whether it is its own webserver, or
relies on something else like apache) but I bet you can configure it to
only bind to localhost:8081 (and not bind to 8081 in the internet facing
interface.)
--
-alex
------------------------
Alexander N. Spitzer
Deploy Solutions