[off topic] Configuring an IP blind Apache server

Dan Mahoney, System Admin danm at prime.gushi.org
Mon May 1 20:32:23 UTC 2006

On Mon, 1 May 2006, Michael Holstein wrote:

>> The idea is a system wide solution that allows any user group to
>> install any semi-random PHP/MySQL frob without having to hack around
>> trying to find and disable its IP logging.
> Then do as Dan just suggested and forward it using your firewall .. advantage 
> there is you can still "ban" a user if you see the need by inserting the 
> appropriate DENY rule above your forward one.
> Note that other "things" in your network may still log the traffic though .. 
> (most hardware firewalls, for example) .. so be sure you know what the 
> end-to-end security is at least as far as your perimeter router.(*)

although, be forewarned, at least with the kernel answer above, if the 
address is on the same machine, you *will* see the source side of the TCP 
connection.  This is a "feature" of BSD's forwarding mechanism -- so 
rinetd may be better suited for this.  I had thought that you simply 
wanted a web server to not know which address it itself was listening on 
(which also works for this).


> /mike.
> (*): well .. unless you use AT&T as an ISP, since we know they forward 
> everything to the ($3_letter_agency) anyway.


"It would be bad."

-Egon Spengler, "Ghostbusters"

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org

More information about the tor-talk mailing list