Help with web publishing

[Juniper]

Hi , I Shared my App and it had an IP address 10.1.1

or something like that. I went to my browser and logged in all ok.

Now I went to the public Library and typed in the same address and nothing.

What do I have to do to get my App so others can use it?

I have no experience in these internet things.

Regards

[Keith LaMarre]

the Address that you are using (10.1.1.1) is an internal address used by your router (probably An Apple Airport or Extreme) and so is only available on your internal network. To publish something externally, you will have to learn a little bit about routers and port forwarding.

[Juniper]

Thank you Keith

I thought it would be more involved that the "one click" publishing shown in the tutorial videos

[Genx]

Technically that's not FM's fault though... You can't reduce the complexity of network security, otherwise networks just plain old ain't secure.

If you have a search around the forums you'll find plenty of information relating to port forwarding and setting up IWP for external use.

[Juniper]

Thank you, I had just searched for port forwarding

and found your reply. I will get this working today

I hope. I will procrastinate later if I can be bothered

[Genx]

Lol, sorry that note is for me to remind me not to procrastinate like i'm doing now :)

[Vaughan]

"...otherwise networks just plain old ain't secure"

Actually, port forwarding has nothing to do with network security. It's about being cheap and nasty.

Each ISP has a limited set of IP numbers assigned to them. When you sign up they give you ONE of these precious IP numbers (and that number might even be dynamic and change over time but that's another story). Let's say they give you 138.25.32.19.

When you set up your router at home to share your internet connection with all your computers, printers, home security systems, refrigerators and toasters, the router needs to do some fancy tricks to allow it to happen. Firstly, it creates a whole "fake" internet inside your house. Then it routes (translates) the IP numbers from your fake internet to the one real IP number the ISP gave you, 138.25.32.19, every time one of the devices need to communicate with the real internet. To the real internet you really only have one IP device at your place -- the router.

So how can you set up a web server on one box and a FM Server on another at home and share them with people on the real internet if you only have one real IP address? Port forwarding. You might only have one real IP address, but that address can have many ports associated with it.

You need to set your router up to associate a port on the real internet IP number with an IP number on your fake internet. This requires some self-assembly.

If you set up a web server on port 8080 and a FMP server on port 8888, then for people on the real internet the address of your web server is 138.25.32.19:8080 and the FM server would be 138.25.32.19:8888. People on the real internet then need to specify your real IP number followed by the port number you set up to access that machine on your home network.

So the port forwarding thing isn't about security, it's about overcoming the limitation that your ISP only gives you one real IP number.

[Juniper]

Thanks Vaughan,

Do I have to set up my Mac as Appache server to allow IWP?

I only want to see this working on a browser on another computer for testing. Later I will copy my application to a rented server.

The trouble is I an learning OS X, FileMaker, writing an application and publishing it , this week.

Next week I have to work.

[Vaughan]

"I only want to see this working on a browser on another computer for testing."

So forget about setting up port forwarding, it's only needed of you want to view the iwp from outside your home network.

"Later I will copy my application to a rented server."

It's got to be a server running FM Server Advanced, it cannot go on just any old web server.

[Juniper]

Thank's

Oh! not any old server. Well I will try to make my Mac the server, to start with. Will I need to run Appache?

[Vaughan]

"Will I need to run Appache?"

I dunno, having never used IWP. Just follow the directions, rinse and repeat.

[Juniper]

I tried to rinse and repeat but my washer won't go. the refrigerators and toasters have used my ONE and only IP number.

Thank's for your help . I will now finish the App and Publish later.

[Genx]

Actually, port forwarding has nothing to do with network security.

Really Vaughan? That's a bit of a rash statement to make don't you think?

So i take it you have all your ports open with a whole bunch of unsecured applications behind them? Or better yet no applications whatsoever behind them?

You don't run hardware and software firewalls that corporations spend hundreds of thousands of dollars a year on to stop malicious attacks over unsecured ports?

Your not afraid of DOS or DDoS attacks or someone hijacking your PC or streaming fraudulent data to badly written applications?

Port forwarding has EVERYTHING to do with security, it allows you to control the type and source of traffic that is able to flow in and out of your network, where that traffic flows to, and how its communicated to other machines when inside.

If that is indeed your philosophy though, why don't you open a few ports up and tell me your ip? :)

[Vaughan]

From Wikipedia http://en.wikipedia.org/wiki/Port_forwarding

-- start quote

Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.

...

Traditional port forwarding allows the entire world access to the forwarded port, reducing network security slightly."

-- end quote

Port forwarding is done by routers. On the server you've forwarded to inside the LAN, you'd still only have those ports open you need, and have the rest closed.

The term "reducing network security slightly" refers to the fact that the WHOLE WORLD now has has access to the server port, not just devices from within the LAN. But that's the price of granting access to the outside.

[Genx]

So just wanting to make sure again, you think that a router will protect your network completely?

Again Vaughan, what's your ip eh?

[Vaughan]

Genx, you miss the point. Port forwarding is about granting access to a server that's inside a LAN to people who are OUTSIDE the LAN.

You wouldn't port forward to a web server hosting the intranet site, because it's solely for internal consumption. But you would port-forward to the server that's hosting the public web site.

Both the intranet and extra-net servers still need to have exactly the same security and firewalls set up on them, because attacks can come from both inside the LAN and outside. (Only there are more people outside the LAN so there is more chance of attack, but that's beside the point really.)

[Vaughan]

"Again Vaughan, what's your ip eh?"

I'm currently inside a private LAN, so my IP is useless to you: there might be hundreds of computers around the world with the same IP address, because there are hundreds of private LANS sitting behind routers. I have no idea what the real public internet address is: it'd probably map to the organisation's web proxy server anyway.

On the other hand the address I original posted 138.25.32.19 was the IP address of my computer at a University I worked at: it was a *real* IP address, because that university was part of the backbone of AARNET who originally set up the internet in Australia in 1986. There is only one computer on the whole internet with that IP number.

That's the difference: it was on the *real* internet. My current Macintosh is sitting on a fake internet, like the vast majority of internet users.

[Genx]

You're missing the point.

The side effect of having ports open in your environment is that they are hackable and they do have vulnerabilities -- they are as vulnerable as the software sitting behind them.

As for the odd's... dunno, 6 billion people, vs. 20 people at your place. I think there's a larger chance that hackers are going to exist outside of your organization, not in it.

In any case, you said port forwarding had nothing to do with security. Not directly no... but then again what do viruses have to do with Windows? Windows is an OS it exists to run programs, not to be infected with viruses, on that basis it should never get a virus right?

[Genx]

I didn't ask for your private ip, I asked for your external IP, just like the one you'd hand out to people to access your IWP solution.

[Genx]

it'd probably map to the organisation's web proxy server anyway.

Trace route it, you'll find it pretty quick.

[Vaughan]

Well, according to http://whatismyipaddress.com/ my IP address is 210.193.203.50. Which is weird because my system preferences says it's 192.168.45.131.

So lets say I get that server to forward port 8888 to my computer, where I'm running FM Server (yes I know I need more ports to server FMS). You'd be connecting to 210.193.203.50:8888. Apart from somebody hitting the port serving FM Server mercilessly for giggles, how can you attack any other port on my computer even if they are open? You cannot directly see it because you're direcrtly communicating only with the router, and the router is communicating with me. FM Server sees all traffic as originating from the router.

I think we've both got our hands on the same tiger except you've got its legs and I have its tail. :)

[AudioFreak]

Well, according to http://whatismyipaddress.com/ my IP address is 210.193.203.50. Which is weird because my system preferences says it's 192.168.45.131.

How can that be?

Ip Masking? Zone Alarm does it. Depends on firewall settings I believe.

[Genx]

192.168.45.131 is your internal ip silly.

[AudioFreak]

Vaughn why .45 rather than .0 or .1?

[Vaughan]

"Vaughn why .45 rather than .0 or .1"

Because it's a large organisation and they have set up subnets, including some in other cities. Subnets help compartmentalise network traffic. Who remembers LocalTalk or "thin" Ethernet?

"192.168.45.131 is your internal ip silly."

Yes I *knew* that, silly. :)

[Genx]

Because you can..

Local networks have the following options:

10.0.0.0 – 10.255.255.255 - gives around 16 million addresses as far as i remember

172.16.0.0 – 172.31.255.255 - around 1 million

192.168.0.0 – 192.168.255.255 - around 65,000.

[AudioFreak]

Yeah was just curious...thats the range we put our printers in :)

[Genx]

Lol, Vaughan, I could be way off here, but you work for the AFC?

[Vaughan]

Most certainly... did you glean that form the IP number or its DNS name? Can you tell anything else? (hint: they're black and lacy today!)

That youripnumber web site displays a map that was pretty accurateT I'm in Wolloomooloo (gotta love that name) on the south side of the Harbour.

[Genx]

(hint: they're black and lacy today!)

Lol, I am sooooo not going to go there.

[Vaughan]

... and that's a good place to end the topic for today. :)

[Juniper]

Hi My Published site in my broswer is http://10.0.0.1:80/fmi/iwp/res/iwp_home.html

my ip is 121.221.3.87

can you see it in your browser ?

[Genx]

No, you haven't forwarded port 80 correctly - and the address you should be giving us to test is:

http://121.221.3.87/fmi/iwp

[Juniper]

http://10.0.0.1:591/fmi/iwp will get my test app in my browser. Using port 591 as found in FM documentation.

do internet people now have to use http://121.221.3.87:591/fmi/iwp.

The only thing I can change in FileMaker is the port number

As far as I know this still does not work.

It is interesting that http://10.0.0.1 would get me the application file page, now it gets me Test Page for Apache installation ?

[Genx]

Apart from somebody hitting the port serving FM Server mercilessly for giggles, how can you attack any other port on my computer even if they are open? You cannot directly see it because you're direcrtly communicating only with the router, and the router is communicating with me.

Vaughan, coming back to that for a moment. Hacking is not about getting directly to your computer, its about infiltrating a network. Hacking is about getting past a router, once you're past the router you can go wherever you want, ports don't matter inside a network, only ip's that uniquely identify each and every machine do. Hitting your computer from outside the network would be like trying to rob a bank from outside a building - probably possible, but not practicle.

As for how you would attack other open ports besides ones you are directly communicating through i.e. the FM ports -- its called port scanning, and if you've got a cheap router, it won't pick up a scanning that can try to communicate with all ports in a matter of a few minutes, otherwise, it takes a few days to do it "under the radar". In either case, its fairly easy to identify insecure ports.