Rich Kulawiec on 14 Feb 2017 04:32:11 -0800


Re: [PLUG] Can't access to Webserver Packet Filter OpenBSD. Need help please!


On Mon, Feb 13, 2017 at 11:17:40PM -0500, sebastien yapo wrote:
> Thanks for your help. How can I make it without paying for additional fee
> for Public IP address?

The address ranges enumerated in RFC 1918 (and others) are
reserved for various functions.  See also:

	Reserved IP Addresses
	https://en.wikipedia.org/wiki/Reserved_IP_addresses

Any router or firewall or other device out there on the 'net should
refuse to forward packets with source or destination addresses in
those ranges, because they should never be observed on the public
Internet.  (If they are, it's because something is misconfigured
and they're leaking out through it.)

So if you want to provide a network service on the public Internet,
you'll need a public IP address so that the service is reachable.
And you'll need your ISP to route traffic to/from that address.

Now...you have *some* kind of public address (otherwise you can't
reach the Internet) but it's probably dynamically allocated
by your ISP each time you connect.  "dynamically allocated
address" and "publicly visible services" aren't a good match
because of the name resolution problem, i.e., "www.example.net"
has to resolve to whatever the IP address is today in order
for anyone to reach it by name.  There are things like
"dynamic dns" services that partially solve that problem by causing
hostnames to resolve (in near real-time) to whatever the current
IP address is.  And in some use cases, this suffices.

But you'll likely face another problem, which is that many ISPs
block incoming connections to consumer networks (for various
reasons including security, abuse, and ToS).  So even if you
use a dynamic DNS service to fix the name resolution problem,
it's possible that incoming TCP connections to port 80 won't
get through their infrastructure.

So this would probably be a good time to have a conversation with
an engineer at your ISP and find out (a) if they're willing to
allocate a static IP address to you for free or cheaply (b) if not,
then what mechanism do they use for dynamic IP addresses and
(c) what their filtering policy is on inbound connections.

If they say (a) no and (b) DHCP or similar, then you can likely solve
that problem by using any of the various free/cheap dynamic DNS
providers.  If they say (c) no, then you're out of luck absent
trickery like tunneling, and that's probably not worth it.  At that
point it'd probably be easier/cheaper to look into a small virtual
machine at Panix or one of the other providers.  If you have
relatively modest needs, e.g., "a web server with 5G of space
and mostly static content" then you can get by with a fairly
minimal virtual machine and thus fairly minimal cost.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
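
The reserved-range reasoning in the message above, as an added Python example that is not part of the original post: it labels an IPv4 address against the RFC 1918 blocks and some of the "others", applies the drop-at-the-border rule, and checks whether the address on a router's external interface can host a service at all. The function names are hypothetical, the table is not exhaustive, and the addresses in the demo are constructed samples (8.8.8.8 and 1.1.1.1 stand in for public space).

```python
import ipaddress

# Reserved IPv4 blocks that should never be seen on the public Internet.
# The three RFC 1918 ranges come first; the rest are some of the "others".
# Assumption: this list is illustrative, not exhaustive, and IPv4 only.
_BLOCKS = [
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("100.64.0.0/10", "RFC 6598 carrier-grade NAT"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("0.0.0.0/8", "this network"),
    ("192.0.2.0/24", "documentation"),
    ("198.51.100.0/24", "documentation"),
    ("203.0.113.0/24", "documentation"),
    ("240.0.0.0/4", "reserved"),
]
RESERVED = [(ipaddress.ip_network(n), label) for n, label in _BLOCKS]


def reserved_label(addr):
    """Return the label of the reserved block containing addr, or None."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on non-IPv4 input
    for net, label in RESERVED:
        if ip in net:
            return label
    return None


def border_verdict(src, dst):
    """Decision for a packet on the Internet-facing side of a router:
    drop it if either endpoint lies in reserved space."""
    for role, addr in (("source", src), ("destination", dst)):
        label = reserved_label(addr)
        if label:
            return ("drop", f"{role} {addr} is {label}")
    return ("forward", "both addresses are publicly routable")


def can_host_directly(wan_addr):
    """True only if the external interface holds a public address; a
    reserved address there means NAT is happening upstream of you."""
    return reserved_label(wan_addr) is None


if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    for src, dst in [("8.8.8.8", "1.1.1.1"), ("192.168.1.10", "8.8.8.8")]:
        print(src, "->", dst, border_verdict(src, dst))
```

If `can_host_directly()` is false for the address your router received from the ISP, a dynamic DNS name would only ever point at an address nobody outside can reach.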