[NCLUG] ipchains and firewalls

rosing at peakfive.com rosing at peakfive.com
Thu Jan 24 21:56:03 MST 2002


>Okay, so you have, say, a DSL line or something.  You plug some
>firewall/masq/NAT box (F) into that one IP, and on the other side, you
>keep all your other machines (B) safe.   In the meantime, you have
>another box (A) somewhere on the public internet.  Maybe at work or
>something.  You would like to start xeyes on machine A and have the eyes
>show up on B.

This is pretty much what I want to do.

>I *think* it would work, I just wouldn't do it. :)
> ...
>But what I would do is FROM B, SSH out to A using the X flag.  If A

There's a problem here because it will take just about an act of
congress to allow me to use ssh from B to A.  I can ssh from B to A'
and then telnet from A' to A.  A and A' are behind another firewall.
After I telnet to A and try and run xeyes I get an error message:
X connection to corsair:10.0 broken (explicit kill or server shutdown).

>Another thing:  if you do use a Linux box for 'F', you can also look
>into CIPE (Crypto IP Encapsulation).  When correctly configured, it
>makes two remote networks directly routable, as if they were actually on
>the same network.  It's pretty neat, once you get it all set up.

hmmm, the same bureaucracy that won't let me run ssh might not know
about this.

>What you probably get for free is the ability for outside parties to send X events
>to the Xserver machine claiming to be from 130.20.118.155 - while this takes a
>small amount of creativity, it does yield keyboard access to shell windows.
>The attacker then has the ability to launch arbitrary command lines on your behalf.
>This is an old attack, I'm not sure anything has changed to help close it.

I always wondered about that.  I guess the only thing I can do is open
the hole only when needed. 


