Re: Forwarding SSH connections.
absolutely should no users ever have logins to your firewall. potentially
your entire perimeter security model could be smashed, the machines behind
the firewall hacked, and you could spend weeks doing forensic analysis of
all of your systems.
what you want probably is a machine in a DMZ that runs a hardened OS,
stripped down as much as possible, and preferably password checking
through kerberos or other means.
you can open a pinhole in the firewall to allow access from that jump host
in the DMZ to specific hosts/protocols/ports inside the internal network.
cheers,
.truman.boyes.
--------------
Experience is the one thing you get, right after you need it
On Fri, 30 Mar 2001, Robert Johannes wrote:
> Isn't there a security implication with this? I mean, this is essentially
> transferring the burden of security from your firewall to the internal
> machine. In other words, if someone manages to guess/crack your passwd,
> would
> you rather they logged into the firewall, or logged into the machine
> behind the firewall? I'm debating a similar setup, and I think it is
> probably more secure if the cracker logs into your firewall, where he/she
> will be jailed for a while until they figure out how to get out of
> there. If they log directly into the machine behind the firewall from the
> outside, then their work is done. Anybody sees my point?
>
> robert
>
> On Fri, 30 Mar 2001, N. Nordman wrote:
>
> > Either do it with ipfilter(www.ipfilter.org) and rdr or take a look at
> > port forwarding with ssh(man ssh).
> >
> > On Friday 30 March 2001 17:41, Tim Jones wrote:
> > > Hi.
> > >
> > > I new to UNIX so I have what probably is a beginner
> > > type of question. I have an OpenBSD firewall and
> > > another OpenBSD machine behind it that I like to be
> > > able to access from work. What I do now is SSH into
> > > the firewall and then SSH into the machine behind it.
> > > I'm wondering if there is a way that my SSH connection
> > > can be automatically forwarded from the firewall to
> > > the machine behind it? I'm thinking that perhaps I
> > > can set it so that when a SSH to a certain port on the
> > > firewall, the connection is automatically forwarded.
> > > Can anyone help?
> > >
> > > Thanks!
> > >
> >
> >
>
>
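As an added illustration of the two designs the thread contrasts (this is not code from any of the posters): the ipfilter `rdr` that forwards a port on the firewall straight to the internal host, versus a jump host in the DMZ with a single stateful pinhole to one internal host and port, plus the client-side OpenSSH `ProxyJump` stanza that replaces the manual two-hop login. Interface names (`dc0`), addresses and the `admin` user are constructed placeholders; the `pinhole_is_narrow` check is a small sanity test of our own, not an ipfilter feature.

```shell
#!/bin/sh
# Added example, not part of the original thread. Emits ipfilter(4) rules for
# (a) the rdr approach and (b) the DMZ jump-host pinhole approach, and an
# OpenSSH client config for the jump. All addresses/interfaces are constructed.

# (a) rdr: traffic to ext_ip:ext_port on ext_if is rewritten to int_host:int_port.
# The trade-off raised in the thread: a guessed password lands directly inside.
ipf_rdr_rule() {
    ext_if=$1; ext_ip=$2; ext_port=$3; int_host=$4; int_port=$5
    printf 'rdr %s %s/32 port %s -> %s port %s tcp\n' \
        "$ext_if" "$ext_ip" "$ext_port" "$int_host" "$int_port"
}

# (b) pinhole: default deny (logged) on the DMZ-facing interface, then exactly
# one stateful pass from the jump host to one internal host and port.
ipf_pinhole_rules() {
    dmz_if=$1; jump_ip=$2; int_host=$3; int_port=$4
    printf 'block in log on %s all\n' "$dmz_if"
    printf 'pass in quick on %s proto tcp from %s/32 to %s/32 port = %s flags S keep state\n' \
        "$dmz_if" "$jump_ip" "$int_host" "$int_port"
}

# Our own sanity check on a rule set: reject any pass rule whose destination is
# "any" (that would reopen the whole internal network to the jump host) and
# require that the pass rule names a specific port.
pinhole_is_narrow() {
    rules=$1
    if printf '%s\n' "$rules" | grep -E '^pass .* to any' >/dev/null; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -E '^pass .* port = [0-9]+' >/dev/null
}

# Client side on a modern OpenSSH: ProxyJump chains "ssh to the jump host, then
# ssh inward" automatically, using stdio forwarding rather than an interactive
# shell on the jump host. Written to ~/.ssh/config by the operator.
ssh_client_config() {
    jump_host=$1; int_host=$2
    printf 'Host jump\n  HostName %s\n  User admin\n\n' "$jump_host"
    printf 'Host internal\n  HostName %s\n  ProxyJump jump\n' "$int_host"
}

# Usage (constructed values): generate both rule sets and the client config.
ipf_rdr_rule dc0 203.0.113.1 2222 192.168.1.20 22
ipf_pinhole_rules dc0 192.168.100.10 192.168.1.20 22
ssh_client_config 203.0.113.5 192.168.1.20
```

With the pinhole rules loaded on the firewall, `ssh internal` from the outside resolves to a hop through `jump`; the firewall itself never offers a login, and the only inbound path from the DMZ is the one `pass` line.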