[Freedombox-discuss] public + private http services

Anders Jackson anders.jackson at gmail.com
Mon Jul 15 15:59:51 UTC 2013

Den 15 jul 2013 14:55 skrev "Nick Daly" <nick.m.daly at gmail.com>:
> > Quoting Timur Mehrvarz (2013-07-15 07:05:29)
> >> Hi, is there an agreed upon best practice on how to separate public
> >> http services from those that shall only be accessible on the private
> >> network? Private only services could be offered on a separate port and
> >> the firewall would ensure that access to this port is shielded. One
> >> could also offer public + private services on the same port, but make
> >> sure - within the code - that private services will only respond to
> >> requests coming from the internal network. Any other options? How do
> >> you prefer to handle this? Thanks.
> Which private network do you mean?  I can think of two:
> 1. The internal network (intranet) that my FreedomBox runs on (the
> home network, with IPs usually in the range of 192.168...).

In my LAN I got 2000::/3 or fe80::/10. We should not ignore IPv6, as that
is just a way of building infrastructure that's not old even before we start

> 2. The private network produced by my authenticated friends connecting
> to my FreedomBox to use services I provide.

IpSec is part of IPv6, so that should be a possible solution. We "just"
need to distribute keys.

> 1 is easy: we're serving services on the internal network, so we can
> ignore the larger Internet all together.
> 2 is more difficult but can be accomplished through a number of tools
> like SSH forwarding, Tor Hidden Services, or GNUnet applications.  In
> that case, you're looking to authenticate the user before providing
> the service.  In case 1, authentication was assumed by the fact that
> the user was on your network (assuming your network is secure...).
> Different use cases could require different methods, and we'd better
> make sure we plan for supporting at least one of the common methods
> for v2, at least.  Jonas, could you put up a wiki page detailing your
> thoughts on the goals of first few releases?  I think they're pretty
> much what I was thinking, but they might be a little more developed.
> On Mon, Jul 15, 2013 at 5:31 AM, Jonas Smedegaard <dr at jones.dk> wrote:
> > Good idea to try map out what are best practices for different contexts.
> Jonas, I concur!  I think the mailing list might be a good place for
> discussing the ideas though, a more permanent wiki page seems
> appropriate when we have more solid solutions.
> Nick ___________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20130715/d9f7b093/attachment.html>

More information about the Freedombox-discuss mailing list