HOSTS and the internet

mfrogg Registered User regular
So I know you can use Hosts file in windows to kind of pre-dns lookup names. This works great when blocking ad sites and such from your computer. What I'm interested in, I don't know if I can accomplish without a vpn setup.

What I want to do is use Hosts to say a computer in my workgroup is over the net at another IP.

Ie - CompA, CompB, CompC are behind a router with a netIp of 72.16.2.15.
CompD is behind a router with a netIP 186.4.4.5

can I put in the CompA, B, and C Hosts files :

CompD 186.4.4.5

Then access it from CompA as \\CompD\? I'm sure ports would have to be forwarded and stuff.

The more I think about it, the more VPN seems a must for this thing, but I'm curious if this workaround might work?

Do I even know what I'm asking? Not sure...

  • twmjr Registered User regular
    edited April 2010
    mfrogg wrote: »
    So I know you can use Hosts file in windows to kind of pre-dns lookup names. This works great when blocking ad sites and such from your computer. What I'm interested in, I don't know if I can accomplish without a vpn setup.

    What I want to do is use Hosts to say a computer in my workgroup is over the net at another IP.

    Ie - CompA, CompB, CompC are behind a router with a netIp of 72.16.2.15.
    CompD is behind a router with a netIP 186.4.4.5

    can I put in the CompA, B, and C Hosts files :

    CompD 186.4.4.5

    Then access it from CompA as \\CompD\? I'm sure ports would have to be forwarded and stuff.

    The more I think about it, the more VPN seems a must for this thing, but I'm curious if this workaround might work?

    Do I even know what I'm asking? Not sure...

    Presuming you do the appropriate work setting up the access (e.g. Windows file share), there is no reason this wouldn't work. You can map CompD to that IP in the hosts file just fine -- basically, if you can get to a point where you can access the machine at \\186.4.4.5\, you can put the line you have there in your hosts file and \\CompD\ will do the same thing.
  • xzzy Registered User regular
    edited April 2010
    All you're doing is implementing DNS (well, sort of) for your local machine, so if going to "\\186.4.4.5\" would get you to the right address, putting compd in the hosts file will allow you to use \\CompD\.

    The gotcha is the routing. If CompD is using NAT (or in modern parlance, a firewall), the connection won't work because most firewalls don't allow incoming connections. You'll have to set up port forwarding for this to work.
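
An added example, not written by any poster in the thread: a small Python parser for the hosts file format, which expects the address first and the name(s) after it, so the entry as written in the question (`CompD 186.4.4.5`) is reported as reversed. `SAMPLE_HOSTS` is constructed, and `parse_hosts` and `public_targets` are hypothetical helper names.

```python
import ipaddress

# Constructed hosts file: line 3 is the entry as written in the thread (name
# first); line 4 is the same mapping in the order the format expects.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1    localhost
CompD 186.4.4.5
186.4.4.5    CompD    # remote SQL box
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hosts(text):
    """Return (mapping, problems): hostname -> address, plus (line, note) for bad lines."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        addr, names = fields[0], fields[1:]
        if not _is_ip(addr):
            note = f"'{addr}' is not an IP address"
            if names and _is_ip(names[0]):
                note += f"; fields look reversed, expected '{names[0]} {addr}'"
            problems.append((lineno, note))
        elif not names:
            problems.append((lineno, "address with no hostname"))
        else:
            for name in names:
                # Hostnames are case-insensitive; this example keeps the first entry.
                mapping.setdefault(name.lower(), addr)
    return mapping, problems

def public_targets(mapping):
    """Names that resolve to a publicly routable address (traffic leaves the LAN)."""
    return sorted(n for n, a in mapping.items() if ipaddress.ip_address(a).is_global)

if __name__ == "__main__":
    mapping, problems = parse_hosts(SAMPLE_HOSTS)
    for lineno, note in problems:
        print(f"line {lineno}: {note}")
    print("public targets:", public_targets(mapping))
```

Names listed by `public_targets` are the ones whose traffic crosses the internet rather than staying on the LAN or a VPN subnet.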
  • stigweard Registered User regular
    edited April 2010
    Use a vpn, it's much more secure. Opening windows network sharing to the world is a horrible idea.
  • mfrogg Registered User regular
    edited April 2010
    yeah - dreamspark's letting me try WS08 R2 Standard - up to 250 vpn connections incoming. Only need at most 15. heh.

    The problem is, I'm using an SQL Server Express, and my clients look for "compD" as the server for their program. But the clients are around the country, and I'm in WI. So I was hoping pointing compD in their hosts to my router with various points enabled would help. Though the ports for SQL Server express are only 2.. I think it'd work, because the program would look for that host and there's no sharing going on, just the SQL ports.. hot dang, maybe...
  • Dedian Registered User regular
    edited April 2010
    If I understand you correctly, you'd still be opening two ports to the interwebs, which isn't the safest thing to do (though, I don't know much about SQL express security)
  • xzzy Registered User regular
    edited April 2010
    Dedian wrote: »
    If I understand you correctly, you'd still be opening two ports to the interwebs, which isn't the safest thing to do (though, I don't know much about SQL express security)

    It's not exactly dangerous either. The internet couldn't function if all ports were blocked.

    You just have to trust the software that is listening on those ports. Keeping the software up to date is fairly important.
  • Dedian Registered User regular
    edited April 2010
    xzzy wrote: »
    Dedian wrote: »
    If I understand you correctly, you'd still be opening two ports to the interwebs, which isn't the safest thing to do (though, I don't know much about SQL express security)

    It's not exactly dangerous either. The internet couldn't function if all ports were blocked.

    You just have to trust the software that is listening on those ports. Keeping the software up to date is fairly important.

    Inbound ports, not outbound :)

    Besides, MS SQL Server best practices says pretty clearly: "Do not expose a server that is running SQL Server to the public Internet." (http://download.microsoft.com/download/8/5/e/85eea4fa-b3bb-4426-97d0-7f7151b2011c/SQL2005SecBestPract.doc)
  • xzzy Registered User regular
    edited April 2010
    Yeah, exactly. Without inbound ports, the internet would cease to function. Block off port 80 and see how long it takes for your web server to stop seeing traffic. :)

    Obviously exposing a database to the internet is risky, but it's not impossible to protect.
  • Dedian Registered User regular
    edited April 2010
    Perhaps that should have read "...open two additional ports...", does that make more sense?
  • exoplasm Gainfully Employed Near Blizzard HQ Registered User regular
    edited April 2010
    You are definitely going to want a VPN for this, whether you set it up with your Windows server or use Hamachi or Tunngle or whatever else you want. You definitely do not want to expose SQL to the internet, and no, "just 2 ports!" is no excuse.

    When XP was still fairly new I had figured out you could run IIS on it and I thought it was cool. So I put that in, then turned on FTP. I don't remember if I just didn't have a firewall/NAT or what, but my computer was owned and unusable within 12 hours.

    On another occasion I had an old box with Win2000 running SQL Server 2000 and the SQL Slammer worm took down my entire LAN until I figured it out (I don't think this particular problem is a concern anymore, though).

    So, yeah, don't expose services to the 'net unless you have them properly set up to do so. A web server is usually safe to open up port 80 on, since you know it doesn't work otherwise. A database server (or any non-public facing service) should never be exposed directly and ideally should be firewalled behind the webserver that uses it.

    TL;DR: use vpn