Tim:
>> The DNS records need to be fixed before all else. They need to be
>> held on a public DNS server that propagates them to the other DNS
>> servers.

Jack Craig:
> First I get my static IP from AT&T actually a block of eight
> addresses of which only the first do they agree to pass through.
>
>
> Second this used to work. I get my static IP from AT&T in a block of
> actually eight addresses only the first of which do they agree to
> pass through so I have been using DNS via name HTTP HTTPS for some
> time and only since I've upgraded to Fedora 30 to have I had this dns
> battle.

Sounds ok. One test would be to see if an outsider can ping your public IP that's supposed to allow traffic through. Though, that will only work if your system responds to pings. The other test is for someone to try and browse your webserver at your public IP.

Your public IP has to route through to your own server. You will probably have to explain your network topology to us. Which I've seen you do, in general, further below.

But is your public IP in a range of "customer" addresses, or public IPs? If it's within the range allocated to an ISP's clients, other networks around the world will consider your IP to be risky. You'd find doing mail a problem, at least.

> Networksolutions is my registrar, they provide to the world my domain
> name my primary and secondary DNS servers so I guess that's the
> external place where you were referring to?

Yes.

> So AT&T provides the internet road, networksolutions provides the
> signage along the road to my place.
>
> Isn't it the way it's supposed to work?

Yes.

By the look of things you need to reconfigure your DNS records.

Point the A record for your domain, and the www. subdomain, at your webserver's IP.

Point your MX record at whoever handles mail to your domain name.

Point the NS record at the name servers for your domain.

>> If your plan is for you to run your webserver on your own computer
>> and for people to connect to it, you have to find out if that's
>> actually possible with your ISP. Many will forbid it, or their
>> network structure makes it nearly impossible. And you'll need to
>> be able to handle all the attacks you'll be under. There probably
>> isn't a website on the planet that someone isn't trying to exploit.

> I was hoping that wireguard would provide that kind of coverage via
> vpn..

> I have two routers in my access path the first one is the AT&T
> router and its firewall is set to forward packets only from ports 53
> for 43 and 80 those packets alone are forwarded to my internal server
> internal router which in turn contacts in my server on my 10.0.0 net

If you're also doing HTTPS, there will need to be port "443" passed through, too. I'm guessing "43" was a typo. Both routers and your computer will have to allow through the ports. I see no point in trying to be your own DNS server, though.

HTTPS *could* be a curly one to solve in your situation. Certificates can be tied to an IP address. While an outsider will be connecting to your public IP forwarded through, your webserver will be using its local IP, and the cert wouldn't match. *If* the cert has to match your public IP, you'd need to set your computer's IP to be your public one. But that may not be the case with you. Solve the DNS problem first.

> I thought that having two firewalls between me in the world would be
> a larger advantage but it sounds like what you're saying is that
> people can penetrate that no matter what. That's depressing.

While firewalls can prevent unwanted connections through a network, they don't protect you from things that are done through the allowed connections. Your webserver will have to be able to handle people trying to exploit it.

On my public website, the error logs are full of people trying to connect to known exploits in wordpress and various other software suites that people run on webservers. I don't run those things, so they just get errors.

You'll also need to be able to handle the legitimate traffic. You'll have multiple crawlers from search engines, including many you've never heard of, as well as actual people browsing it.

That's why I don't run my public website on my own system.
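
The record layout described in the reply above (A for the domain and for www, MX, NS), as an added example that is not part of the original message: a small checker over a simplified record listing that also flags an internal address such as one from the 10.0.0 net being published instead of the public IP. The domain example.com, the address 203.0.113.10, the listing format and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in a simplified "name type value" layout, not a real zone.
SAMPLE_ZONE = """\
example.com.      A   203.0.113.10
www.example.com.  A   10.0.0.5
example.com.      MX  10 mail.example.net.
example.com.      NS  ns1.example.net.
example.com.      NS  ns2.example.net.
"""

# RFC 1918 ranges: addresses that are only reachable inside a private network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_records(text):
    """Return (name, type, value) tuples from the simplified listing."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file style comments
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        records.append((name.lower().rstrip("."), rtype.upper(), value.strip()))
    return records

def check_zone(text, domain, public_ip):
    """Return a list of problems with the records published for `domain`."""
    records = parse_records(text)
    expected = ipaddress.ip_address(public_ip)
    problems = []
    for host in (domain, "www." + domain):
        addrs = [v for n, t, v in records if n == host and t == "A"]
        if not addrs:
            problems.append(f"{host}: no A record")
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if any(ip in net for net in RFC1918):
                problems.append(f"{host}: A record {a} is a private address")
            elif ip != expected:
                problems.append(f"{host}: A record {a} is not {public_ip}")
    for rtype in ("MX", "NS"):
        if not any(n == domain and t == rtype for n, t, _ in records):
            problems.append(f"{domain}: no {rtype} record")
    return problems

if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE, "example.com", "203.0.113.10"):
        print(p)
```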