Expose a range of ports to the internet #59

Closed
opened 2021-10-29 22:16:23 +00:00 by a · 17 comments
Owner

It might be a good idea to expose a block of ports to the internet for our users' web hosting and stuff. Sounds like terrible security, so we should think through this before taking action.
a added this to the v5.0 milestone 2021-10-29 22:16:23 +00:00
a added the enhancement, help wanted, security labels 2021-10-29 22:16:23 +00:00
a self-assigned this 2021-10-29 22:16:23 +00:00
a added this to the (deleted) project 2021-10-29 22:16:24 +00:00
a changed title from Expose a block of ports to the internet to Expose a range of ports to the internet 2021-10-30 00:31:18 +00:00
a modified the milestone from v5.0 to v6.0 2021-11-03 00:39:02 +00:00
Author
Owner

I opened up ports 42000 to 42999 in the firewall since these ports aren't used by any applications.
a closed this issue 2021-11-13 03:24:57 +00:00
Author
Owner

OK, it looks like those ports are [sometimes used by apps](https://en.wikipedia.org/wiki/Ephemeral_port) so let's open up ports 4200 to 4299 instead.
Author
Owner

Yeah let's not do this for now since I don't think it's good for security.
Author
Owner

SSH port forwarding is much better for security, and you guys can always ask if you would like a port opened up.
a reopened this issue 2022-03-31 21:42:56 +00:00
Author
Owner

OK, let's do this correctly this time. According to `/proc/sys/net/ipv4/ip_local_port_range`, 32768 is the lowest port number that [ephemeral ports](https://en.wikipedia.org/wiki/Ephemeral_port) use, so we can't safely expose anything above that. Anything below 1024 can only be bound by root. How about we expose 10 ports in the remaining range?
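As an added example (not part of the issue thread), the check described in this comment as a small script: it reads the kernel's ephemeral range from `/proc/sys/net/ipv4/ip_local_port_range` and rejects any candidate range that overlaps either the privileged ports below 1024 or the ephemeral ports. The fallback value `32768 60999` is assumed for hosts where that file is not readable.

```shell
#!/bin/sh
# Added example, not from the exozyme issue: validate that a port range to be
# exposed sits strictly between the privileged ports (<1024, root-only bind)
# and the kernel's ephemeral range (/proc/sys/net/ipv4/ip_local_port_range).

# Lowest ephemeral port. Reads the live kernel setting; "32768 60999" is the
# usual Linux default and is assumed here when the file cannot be read.
ephemeral_low() {
    range=$(cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null) || range="32768 60999"
    set -- $range
    echo "$1"
}

# port_range_is_safe FIRST LAST
# Returns 0 when every port in FIRST..LAST is above 1023 and below the
# ephemeral range, 1 otherwise (with the reason on stderr).
port_range_is_safe() {
    first=$1; last=$2; low=$(ephemeral_low)
    if [ "$first" -gt "$last" ]; then
        echo "invalid range $first-$last" >&2; return 1
    fi
    if [ "$first" -lt 1024 ]; then
        echo "range $first-$last overlaps privileged ports (<1024)" >&2; return 1
    fi
    if [ "$last" -ge "$low" ]; then
        echo "range $first-$last overlaps ephemeral ports (>= $low)" >&2; return 1
    fi
    return 0
}

# Usage: the ranges that came up in this thread.
for r in "42000 42999" "4200 4299" "4200 4209" "80 89"; do
    set -- $r
    if port_range_is_safe "$1" "$2"; then
        echo "$1-$2: safe to expose"
    fi
done
```

Running it on a default Linux host reports 4200-4299 and 4200-4209 as safe, while 42000-42999 is rejected for overlapping the ephemeral range and 80-89 for overlapping privileged ports.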
Author
Owner

Another option could be to use nginx to do the proxying, since this would add greater security from TLS encryption at the expense of only being able to proxy HTTP connections.
Author
Owner

@notaiden What are your thoughts on this?
Owner

It sounds good! I think exposing ports isn't all that secure, but if you can make it secure that sounds great!
a started working 2022-04-01 12:38:33 +00:00
Author
Owner

I don't think the ports 4200-4209 are [used much](https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers) so I'll make 0.exozy.me through 9.exozy.me proxy those ports.
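An added example of the subdomain-to-port mapping this comment describes; it is not the exozyme project's own nginx config. A single nginx `server` block with a named regex capture covers `0.exozy.me` through `9.exozy.me` and proxies each to `127.0.0.1:420N`. The script renders that block and also applies the same mapping in shell so the rule can be sanity-checked. The `/etc/letsencrypt/live/...` certificate paths are placeholders, and a wildcard certificate for `*.exozy.me` is assumed.

```shell
#!/bin/sh
# Added example, not the exozyme project's config: render an nginx server
# block mapping N.exozy.me -> 127.0.0.1:420N (N = 0..9) and provide a shell
# helper that applies the same mapping for checking.

DOMAIN=${DOMAIN:-exozy.me}
BASE_PORT=4200   # first of the ten proxied ports (4200-4209)

# backend_port_for_host HOST
# Prints the port nginx would proxy HOST to, or returns 1 when HOST is not
# one of the ten single-digit subdomains.
backend_port_for_host() {
    case $1 in
        [0-9]."$DOMAIN") echo $((BASE_PORT + ${1%%.*})) ;;
        *) return 1 ;;
    esac
}

# render_port_proxy_conf
# Prints the nginx server block. The named capture in server_name becomes
# $idx, so one block serves all ten hosts. proxy_pass uses 127.0.0.1 rather
# than "localhost": nginx resolves hostnames in proxy_pass once at startup,
# and the backend must listen on IPv4 for this to work.
render_port_proxy_conf() {
    esc=$(printf '%s' "$DOMAIN" | sed 's/\./\\./g')
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ~^(?<idx>[0-9])\\.${esc}\$;

    # placeholder paths; a wildcard certificate for *.${DOMAIN} is assumed
    ssl_certificate     /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:420\$idx;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Usage: print the config, then show where a couple of hosts would land.
render_port_proxy_conf
for h in 0.$DOMAIN 7.$DOMAIN www.$DOMAIN; do
    if p=$(backend_port_for_host "$h"); then
        echo "$h -> 127.0.0.1:$p"
    else
        echo "$h -> not a proxied subdomain"
    fi
done
```

Because `proxy_pass` carries a variable, nginx builds the upstream address per request; since it is an IP literal no `resolver` directive is needed. Hosts outside `0`-`9` simply do not match the `server_name` regex and fall through to whatever default server is configured.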
Author
Owner

OK, I added this to our nginx configs.
a closed this issue 2022-04-01 13:06:10 +00:00
a stopped working 2022-04-01 13:06:10 +00:00
Owner

@Ta180m I can't seem to use this

I've created an index.html file in a subdirectory and ran `php -S localhost:4200` yet when I try to open https://0.exozy.me I get `502 Bad Gateway`
notaiden reopened this issue 2022-04-02 21:41:40 +00:00
Author
Owner

> @Ta180m I can't seem to use this
>
> I've created an index.html file in a subdirectory and ran `php -S localhost:4200` yet when I try to open https://0.exozy.me I get `502 Bad Gateway`

Is PHP running the server on `0.0.0.0` or `::`? The nginx port proxying only works with IPv4.
Author
Owner

Basically, you should use `127.0.0.1` instead of `localhost`.
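An added example, not from the thread, of how to tell the two cases in the last few comments apart before guessing: it parses `ss -ltn` output and reports, per proxied port, whether there is a listener nginx can reach via `proxy_pass http://127.0.0.1:...`. A backend bound only to `::1` (what `localhost` often resolves to) or `[::]` shows up as `ipv6-only`, which is the `502 Bad Gateway` case. The sample `ss` lines are constructed; the classification of `*:port` as dual-stack assumes the Linux default `net.ipv6.bindv6only=0`.

```shell
#!/bin/sh
# Added example, not from the exozyme issue: classify listeners from `ss -ltn`
# output so an IPv6-only backend (the cause of the 502 in this thread) is
# spotted directly instead of inferred from nginx errors.

# Constructed sample of `ss -ltnH` output:
#   4200 listens only on [::1]  -> the failing "php -S localhost:4200" case
#   4201 listens on 127.0.0.1   -> reachable by nginx
#   4202 listens on 0.0.0.0     -> reachable by nginx
#   4203 has no listener
#   4204 listens on *:4204      -> dual-stack wildcard, reachable via IPv4
SAMPLE_SS='LISTEN 0 128 [::1]:4200 [::]:*
LISTEN 0 128 127.0.0.1:4201 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4202 0.0.0.0:*
LISTEN 0 128 *:4204 *:*'

# listener_state PORT [SS_OUTPUT]
# Prints "ok" (an IPv4 or dual-stack listener exists), "ipv6-only" (bound only
# to ::1 / [::]) or "none". SS_OUTPUT defaults to the constructed sample;
# pass "$(ss -ltnH)" to inspect a live host.
listener_state() {
    port=$1
    out=${2:-$SAMPLE_SS}
    v4=0; v6=0
    for addr in $(printf '%s\n' "$out" | awk '$1=="LISTEN"{print $4}'); do
        [ "${addr##*:}" = "$port" ] || continue
        case $addr in
            \[*\]:*) v6=1 ;;   # [::1]:port or [::]:port, IPv6 socket only
            \*:*)    v4=1 ;;   # *:port, dual-stack wildcard (bindv6only=0 assumed)
            *)       v4=1 ;;   # 127.0.0.1:port or 0.0.0.0:port
        esac
    done
    if [ "$v4" -eq 1 ]; then echo ok
    elif [ "$v6" -eq 1 ]; then echo ipv6-only
    else echo none; fi
}

# Usage: walk the ten proxied ports and explain each result.
for p in 4200 4201 4202 4203 4204; do
    case $(listener_state "$p") in
        ok)        echo "port $p: IPv4 listener present, proxy should work" ;;
        ipv6-only) echo "port $p: IPv6-only listener; bind 127.0.0.1 instead of localhost" ;;
        none)      echo "port $p: nothing listening" ;;
    esac
done
```

On a live host the same function runs as `listener_state 4200 "$(ss -ltnH)"`; the `awk` filter on the `LISTEN` column also tolerates output that still carries the header line.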
a closed this issue 2022-04-02 23:03:10 +00:00
Owner

oh ok, thanks!
Author
Owner

OK, this is now fixed using `dnsmasq`. I'm not sure if this solution is brittle, but it seems to work. You can now either use IPv4 or IPv6 for the proxied ports! 🎉
Author
Owner

How about also opening up ports 4200 to 4209 in our firewall? I'm not sure of the security implications of this though.
a reopened this issue 2022-09-05 20:00:29 +00:00
a modified the milestone from v6.0 to v9.0 2022-09-05 20:01:12 +00:00
Author
Owner

I opened 4200 to 4209.
a closed this issue 2022-09-07 18:04:31 +00:00
Reference: exozyme/exozyme#59