Linux Format forums: Magazine and coverdiscs

[LXF153] Disconnected Debian question

LXF regular
Joined: Tue Mar 27, 2007 2:49 am
Posts: 2435

Posted: Wed Jan 11, 2012 3:46 am    Post subject: [LXF153] Disconnected Debian question

In LXF 153 James Grant asks how to update a LAN with no connection to the internet, and a network mirror is advised, with a separate hard drive to update this system. Although factually very correct and doable, it is going to be a PITA to maintain. There is another method...

Now, I am aware that there's a very good reason for the system James describes not to have an internet connection, but with a few precautions system safety can remain uncompromised. The first action is to install a second network card. I assume the server, as it's a stand-alone device, also runs a DHCP and DNS server. The latter is of no concern (and may even be omitted at James' workplace) but the former will play a role in securing the system against unwanted attention. This new network card will be connected to the company network and must be declared in /etc/network/interfaces as obtaining an IP address on said network via its DHCP server. However, it should not do so automatically!

The next step involves some scripting (I'll leave that to James) to do the following:
  • check if all clients have released their leases on the DHCP server of the stand-alone system
  • start eth1, update the mirror, then shutdown eth1 again
Why only perform the update if all clients have returned their IP leases? Simple: if no other machine is online and connected, there's no chance of getting infected that way. It is therefore important that all PCs connected to this LAN are properly shut down before the cron job that updates the mirror starts. Furthermore: because the script shuts down the extra NIC (eth1), there can be no connection from the company network, and potential hazards coming from there, to this confined LAN.

With a bit more scripting this can be expanded to include the latest updates to the 4 LAN machines James referred to, by having the mirror update early in the weekend, when traffic levels at most company networks are low, and using WoL (Wake on LAN) packets to wake the machines about 2 hrs before workers are scheduled to arrive Monday morning and push the updates to each machine (in effect: having the script log in on each machine and force a dist-upgrade).

Do note that although the server has 2 NICs, it is not a proxy! As there are no bridging rules to route traffic from the internal LAN to the company network (or vice versa), no machine on this LAN will have a connection to the internet, even if it were online during the time the mirror is updating itself!

I hope Mr Grant will read this and give it a try, and perhaps others in a similar situation will find it of benefit too. I could have written in to LXF, but this is so much more convenient (and direct).
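The procedure in the post above (check that every DHCP lease on the isolated LAN has been released, bring eth1 up only for the mirror sync, take it down again, and optionally wake the LAN boxes and push a dist-upgrade), written out as an added example. This is not the poster's script and not anything from LXF; it assumes ISC dhcpd with its lease file in the Debian default location, that the company-facing NIC is eth1 declared as `iface eth1 inet dhcp` without an `auto eth1` line (so ifupdown only raises it on an explicit `ifup`), that apt-mirror refreshes the mirror, and that a hypothetical "MAC hostname" client list exists for the Wake-on-LAN step. The sample lease records are constructed for the offline demo, not real data.

```shell
#!/bin/sh
# mirror-sync: illustration of the post's procedure, not the poster's own script.
# Assumed paths and commands (override via the environment):
LEASES=${LEASES:-/var/lib/dhcp/dhcpd.leases}   # ISC dhcpd lease database
EXT_IF=${EXT_IF:-eth1}                          # company-facing NIC, no "auto" line in /etc/network/interfaces
MIRROR_CMD=${MIRROR_CMD:-apt-mirror}            # whatever refreshes the local mirror

# Count leases that are still "binding state active" and not yet expired.
# $1 = dhcpd.leases path, $2 = current UTC time as "YYYY/MM/DD HH:MM:SS"
# (the zero-padded format dhcpd itself writes, so plain string comparison is enough).
# dhcpd appends a new record whenever a lease changes, so the LAST record for an
# address wins; a client that released its lease shows up as a later "binding state free".
active_lease_count() {
  awk -v now="$2" '
    /^lease /               { ip = $2; state = ""; ends = "" }
    /^[ \t]*ends /          { ends = ($2 ~ /^never/) ? "9999/99/99 99:99:99" : $3 " " $4
                              sub(/;$/, "", ends) }
    /^[ \t]*binding state / { state = $3; sub(/;$/, "", state) }   # does not match "next binding state"
    /^}/ && ip != ""        { st[ip] = state; en[ip] = ends; ip = "" }
    END { n = 0
          for (i in st) if (st[i] == "active" && en[i] > now) n++
          print n }
  ' "$1"
}

# Raise the external NIC only for the duration of the sync, and never while a
# client still holds a lease. Returns non-zero (with the NIC down) on any failure.
update_mirror() {
  now=$(date -u '+%Y/%m/%d %H:%M:%S')
  n=$(active_lease_count "$LEASES" "$now")
  if [ "$n" -ne 0 ]; then
    echo "refusing to sync: $n client lease(s) still active" >&2
    return 1
  fi
  ifup "$EXT_IF" || return 1
  sh -c "$MIRROR_CMD"; rc=$?
  ifdown "$EXT_IF"          # always taken down, whether or not the sync succeeded
  return $rc
}

# Optional follow-up from the post: wake each LAN box, then push the updates.
# $1 = assumed client list, one "MAC hostname" pair per line. Needs the Debian
# "wakeonlan" package and a root ssh key accepted by the clients.
push_updates() {
  while read -r mac host; do
    wakeonlan "$mac"
  done < "$1"
  sleep 120                 # give the machines time to boot
  while read -r mac host; do
    ssh -n "root@$host" 'apt-get update && apt-get -y dist-upgrade'   # -n: do not eat the loop's stdin
  done < "$1"
}

# Constructed sample lease file for exercising the check offline (not real data):
# .20 still active until 18:00, .21 released (its later "free" record wins), .22 free.
write_sample_leases() {
  cat > "$1" <<'EOF'
lease 192.168.10.20 {
  starts 1 2012/01/09 06:00:00;
  ends 1 2012/01/09 18:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:20;
}
lease 192.168.10.21 {
  starts 1 2012/01/09 06:00:00;
  ends 1 2012/01/09 18:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:21;
}
lease 192.168.10.21 {
  starts 1 2012/01/09 06:00:00;
  ends 1 2012/01/09 18:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:21;
}
lease 192.168.10.22 {
  starts 1 2012/01/08 06:00:00;
  ends 1 2012/01/08 18:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:22;
}
EOF
}

case "${1:-demo}" in
  run)  update_mirror ;;                 # from cron, e.g.: 0 2 * * 6 /usr/local/sbin/mirror-sync run
  push) push_updates "${2:-/etc/mirror-sync/clients}" ;;
  *)    f=$(mktemp); write_sample_leases "$f"
        echo "active leases at 12:00: $(active_lease_count "$f" '2012/01/09 12:00:00')"
        echo "active leases at 19:00: $(active_lease_count "$f" '2012/01/09 19:00:00')"
        rm -f "$f" ;;
esac
```

Running the script with no argument only exercises the lease check on the constructed file (one active lease at 12:00, none at 19:00); `run` does the guarded sync and is what the weekend cron entry would call. The lease check is the part worth getting right: reading only the first record per address, or ignoring the expiry time, would let a client that had merely gone quiet count as "off", which is exactly the condition the post relies on.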
Copyright 2011 Future Publishing, all rights reserved.