I want to connect a Fedora server to the internet from my home router and am wondering if running it on a virtual LAN (on the router) insulates it 100% from my home network (on a different virtual LAN). I don’t want to expose my home network to the internet. Thanks.
This is more about your router’s capability of insulating your server’s VLAN from your home network’s VLAN than Fedora Server’s security.
No, it is not but this is not Fedora but router configuration. In principle the idea is OK, hosts on VLAN1 cannot communicate directly with hosts on VLAN2, but only via the router. Especially if they are connected via a managed switch where you define which port is on which VLAN. So the rest is configuration on the router: block all internet originating traffic to homenet and server, and open only the necessary ports to server. And block traffic originating from Fedora server VLAN to the home network VLAN. Of course, Fedora server already includes a good firewall providing another layer of security where you can forbid outgoing traffic to homenet.
for better security i recommend use somthing better router firmware like pfsense and while connecting home server look into ports which are open only open those you really need to. changing default ports may help and if you need to open multiple ports use a load balancer. and make sure your system is uptodate always with all fixes available all the time maybe with a cron job
Thanks for your response. I have 3 questions:
You start by answering “No” to my question, but then go on to make it sound like it could be done. Do you think the solution you suggested is incomplete?
Do you think it’s better to configure vlan on router or get a switch to handle vlans?
How about ports that both home and server use?
I suggest that you place the server in a DMZ if possible.
From what I understand, using DMZ opens everything for a particular machine (zero firewall and all ports open). This does not sound like a very secure solution for a server. It seems that mostly gamers use this as they figure there is not much an attacker can do with their gaming consoles and have difficulty with port forwarding.
If you know another approach, please let me know.
@td211 DMZ is all ports open. According to my provider, it has be avoided unless the system behind is very well secured. In any case there should be no DNS or SMB port open, then you get shut off from the internet.
Your question was 100% isolation. Answer is no, unless you configure the router with appropriate rules. Without countermeasures, traffic between VLAN’s could be possible via the router.
As far I know, VLAN has to be defined on the router. If you have a managed switch in between, you can couple each outlet to a VLAN, or translate e.g. VLAN1 to VLAN 0 causing clients to run without modification. If you have multiple LAN ouputs on the router, you have physical separation and subnetting + firewall rules should be sufficient.
Fedora is able to connect to a VLAN on a wire, meaning that a hacker having root rights can connect to another VLAN on the same wire. A managed switch prevents this by filtering out only one VLAN.
- If you want to open a port on both home and server, this is by definition of NAT not possible. If you want SSH on server and home, you have to map e.g. server 22 to outside 2022 and home 22 to outside 3022.
If you use IPv6, this does not apply, every IPv6 address is global unique and you can have as much webservers as you want on standard HTTPS.
Yes, but isn’t Fedora shipped with
firewalld by default? Why not configure that to protect the server’s ports?
Doesn’t the machine in the DMZ have contact with the other machines on the network?
It can communicate with some internal devices through a firewall. I recommend that you read more on this.
As more of a general suggestion.
- Identify the services you want to provide with your server and the ports/protocols that need to be allowed inside and outside your network for these to work.
- Research the security capabilities of your operating system and home router to determine if they are sufficient for what you are trying to do.
This can be a very complicated question depending on what your are attempting to host.
@td211 Totally agree, Fedora offers a good firewall and many Linux systems will be directly connected to the internet, so DMZ is in principle no issue. But it should be a well tested and stable system. But at home, testing and exploring software, network and VPN, I’m glad to have my providers router blocking everything which I do not have explicitly enabled, and I avoid DMZ. Any packet trapped in the first firewall cannot harm the second, if I do something wrong.
@td211 I think the Wikipedia DMZ describes more the professional situation: a zone between two firewalls. If I put my home router in DMZ, the DMZ is an one-IP zone exposed to the internet, but all other hosts are directly reachable from the DMZ host.
Not that problem if the DMZ host is a second router, but not to be recommended if it is a normal PC. As the O.P. is able to create VLAN’s, it’s much more like a real DMZ.
If you want to connect a Fedora Server from your home router, I guess you may have a typical home internet connection: one IPv4 address and probably a /64 IPv6 network. In such a case, neither a vlan nor a DMZ is a usable option. These solutions are based on more than one IP resp. subnet.
In such a case, you need an “exposed host”. The router blocks all incoming connections as it used to do except for the port for those services that you enable for the exposed host. The router takes care of forwarding the incoming traffic of these ports to the exposed host only. If you use a switch (inside or outside the router) for the connections in the home network, the other devices cannot even “see” the relevant packets.
And Fedora Server includes a firewall, of course, and it is configured as secure as possible right from the beginning (as part of the initial installation). Fedora Server is the least critical component in this scenario.
Actually the DMZ is a very usable option.
The server is assigned to the DMZ, the router is configured to port forward the appropriate ports to the host in the DMZ, and it works very well. The server needs to be appropriately isolated from the remainder of the hosts on the LAN, partly by the firewall on each system, partly by the firewall on the server in the DMZ, partly by the router.
It is up to the user exactly which ports to open up, how to configure it, and how to securely prevent intrusion beyond the DMZ host, but that scenario is exactly what the DMZ was designed for. It allows outside access to user configured services on the DMZ host, with much less risk to other hosts on the LAN.
On LANs where there is only one PC this is different, but as long as the user has more than one system it is possible to designate one as the DMZ server and isolate the remainder from the main risk.
I can see the use case for a DMZ but I don’t see how it could be more secure than isolating the server on a virtual LAN that never interacts with the home network. Is it that the home network can still connect by local LAN to the server in a DMZ? Wouldn’t such a local connection be a security risk in case the server became compromised?
I’ve some troubles with DMZ definition. Take the unlikely worst-case scenario: you run a website, but a hacker uses a severe flaw in e.g. wordpress/php and gets shell access on root level. DMZ in business means a space with some openings to the internet followed by a second firewall before the company LAN without any opening from the DMZ.
At home, if you open a port or worse, use “home DMZ”, one host is exposed to the internet. Following the definition above, your complete home network immediately transforms into a DMZ…
Anyhow, if your router allows VLAN, and either the router and/or a following managed switch defines exactly one VLAN for one network cable, you have a separation on a higher level than IP subnet, and even a hacker with root cannot reach the LAN without access to router/switch management, if the router is properly fire-walled. Next better would be a second router for your LAN behind with complete block on WAN, this mimics the company DMZ. Example could be a provider’s router with the server connected, and a second router with better Wifi for LAN and WLAN.
And if you run a complicated website with php and mysql and soon, a further option could be a container, in which the root user has no root access outside the container…
I have to say that second router can cause severe problems with IPv6 depending on routers and/or provider limitations, something to consider for future.
So here I would connect server to provider router in a DMZ and then connect second router to provider router in LAN port rather than WAN port? Wouldn’t it be better to use WAN and a new subnet for second router?
DMS is a usable option, of course, provided you have at least 2 IP subnets. A common home internet connection receives just one IP(v4) address from the provider. And in such a case, DMZ is not a usable option. A DMZ works on IP level to determine the final destination of a data packet.
As soon as you talk about “port forwarding” you don’t talk about DMZ, but about an “exposed host”. To determine the final packet destination, you don’t use the IP address but the service, i.d. the port number(s).
This may sound a bit like splitting hairs, but in technical details it is best to use exact terminology and the associated technical concept. And this is different for DMZ and Exposed Host.
It is not more or less secure, it is a different technical concept for different purposes and different attack vectors. If your home router gets just one (public) IPv4 address, you can’t use a DMZ as protection against attacks from the public network, as explained above. You have to use an “exposed host” that is part of your private network behind the public facing “home router” using a private, non routeable IP network, just as any other device. In this case, you may have the problem to prevent, that an external attacker my use e.g. some of the many php exploits for a harmful activity on the private network. There are several options. Many “home routers” provide the option to use one port of the integrated switch as a “guest network”, that can’t connect to the other internal network ports but just to the outside world. That “guest network” may use addresses from the same subnet as all other computers in the private network, or not. It does not matter, the isolation is done on the hardware level. And technically you don’t have a DMZ, but a similar separating effect (in some ways even stricter). Other manufacturers may offer vlan instead. Then you need to map incoming packets to a subnet based on the port used. I am not sure if this really works reasonably. But if it does, it’s safe as well as securely as you can do it with software.
But all this has nothing to do with a server in particular, but with the home router used, network topology, and the network drivers of the OS.
Thanks for the very precise explanation. I think I got it now, but I don’t understand why all average home routers have a DMZ setting if, as you say, it is impossible with a single home IP.