[NCLUG] ipchains and firewalls
Neil Doane
caine at vasoftware.com
Fri Jan 25 11:05:07 MST 2002
Dood, smoothwall. I'm telling you, all this pain can be gone. :)
Neil
* Michael Dwyer (mdwyer at sixthdimension.com) on [01-24-02 15:09] did utter:
> rosing at peakfive.com wrote:
> >
> > Mike wrote:
> >
> > >On the other hand, I would personally suggest that you lose this rule,
> > >and instead use the -X flag on SSH to transmit your X sessions securely.
> >
> > I can't ssh to the machine of interest. I could probably ssh from
> > that machine to my machine, assuming I know how to set it up. But then
> > would I still need some entry in ipchains to allow ssh in?
>
> Eh, I'm not entirely sure what you are trying to do. It would probably
> take a bar napkin, or at least some ascii art for me to figure out what
> you are trying to do...
>
> > >Most of the ones that I have seen (Linksys) will allow you to designate
> > >a single DMZ machine, which incoming traffic is routed to. IPChains
> >
> > If I understand the DMZ machine idea it means I have one machine
> > that's open to the world for everything? I can't do that.
>
> That would seem to be what it did. The filtering rules may have been a
> bit more robust, though. I think the DMZ idea is just the easiest way
> for a non-networking kind of user to get his work done... I think in
> Beginner mode, you just designated a DMZ host. In Advanced mode, you
> can carefully specify where you wanted everything to go.
> I'm afraid I can't give you a good answer, though. I just quickly set
> one up for a friend. I use Linux boxes in my own networks.
>
> > This got me thinking of another problem. I only have one ip address
> > but I want to set up a network using masquerading. I also want to
> > start an X job on a machine outside the firewall and have it display on
> > one machine inside the firewall. It's always the same machine. On
> > the remote machine I set the display variable to the one ip address I
> > have. Something needs to route the packets to the one machine where I
> > want the display. Can I do this with ipchains? Can I do this with
> > linksys?
>
> Okay, so you have, say, a DSL line or something. You plug some
> firewall/masq/NAT box (F) into that one IP, and on the other side, you
> keep all your other machines (B) safe. In the meantime, you have
> another box (A) somewhere on the public internet. Maybe at work or
> something. You would like to start xeyes on machine A and have the eyes
> show up on B.
>
> A portfw rule similar to your original one would probably work. You
> would set the display to your firewall IP address, and your firewall
> would translate that address over to your internal machine.
>
> I *think* it would work, I just wouldn't do it. :)
>
> 216.17.1.2           12.1.2.3            192.168.1.5
> A-----(internet)-----F--|<---(intranet)-----B
> Rule: fwd X11 to 192.168.1.5
>
> But what I would do is FROM B, SSH out to A using the X flag. If A
> allows X forwarding (/etc/ssh/sshd_config) then it will automatically
> set the DISPLAY and if you consequently run xeyes, it will show up on
> your local screen, and be encrypted from end to end to boot. This also
> doesn't require any additional firewall rules, aside from the existing
> MASQ rules.
>
> Another thing: if you do use a Linux box for 'F', you can also look
> into CIPE (Crypto IP Encapsulation). When correctly configured, it
> makes two remote networks directly routable, as if they were actually on
> the same network. It's pretty neat, once you get it all set up.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
. /._ o /
/|//- / / caine at vasoftware.com
/ ''- / /__ caine at antediluvian.org
'
~~ http://angryflower.com/bobsqu.gif ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
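As an added example that is not part of the thread: the ssh -X route Michael describes only works if the outside host A actually permits it in /etc/ssh/sshd_config, so this POSIX shell script reports the effective X11Forwarding value of a config file. The sshd_config parsing rules it relies on (first occurrence of a keyword wins, "#" comments, optional "=", settings under a Match line are conditional, default "no") and the two constructed sample configs are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the sshd_config on the
# outside host "A" for the setting that "ssh -X" from the inside host "B"
# depends on: with X11Forwarding off the session still opens, but DISPLAY is
# never set and xeyes fails. Assumed sshd_config semantics: keywords are
# case-insensitive, the FIRST occurrence of a keyword wins, "#" starts a
# comment, "keyword=value" is accepted, settings after a Match line are
# conditional, and X11Forwarding defaults to "no" when unset.

# Print the effective global X11Forwarding value ("yes" or "no") of file $1.
effective_x11_forwarding() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }          # drop comments, accept key=value
        tolower($1) == "match" { in_match = 1 }    # Match block: conditional, skip
        !in_match && !seen && tolower($1) == "x11forwarding" {
            seen = 1; val = tolower($2)            # first occurrence wins
        }
        END { print (seen ? val : "no") }          # unset means the default "no"
    ' "$1"
}

# Write a constructed sample config ($1 = "denied" or "allowed") to a temp
# file and print its path.
sample_config() {
    f=$(mktemp)
    case "$1" in
    denied) cat > "$f" <<'EOF'
# X11Forwarding yes     <- commented out, must not count
Port 22
x11forwarding no
X11Forwarding yes      # later duplicate: sshd keeps the first value
Match User backup
    X11Forwarding yes
EOF
    ;;
    allowed) cat > "$f" <<'EOF'
Port=22
X11Forwarding = yes
X11Forwarding no
EOF
    ;;
    esac
    echo "$f"
}

for kind in denied allowed; do
    cfg=$(sample_config "$kind")
    printf '%s config: X11Forwarding is %s\n' "$kind" "$(effective_x11_forwarding "$cfg")"
    rm -f "$cfg"
done
```

Run it against a real file with `effective_x11_forwarding /etc/ssh/sshd_config`; a "no" on A explains a blank DISPLAY after ssh -X without touching any portfw or MASQ rule on F.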