[fw-wiz] Best-of-breed Proxies (was Re: Proxy Firewalls ...)

From: Bennett Todd (bet@rahul.net)
Date: 01/30/03


From: Bennett Todd <bet@rahul.net>
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Thu Jan 30 13:22:01 2003


This is a terrific list to work up. Of course it changes over
time....

2003-01-30T11:47:21 Marcus J. Ranum:
> tn-gw ssh

For a gateway, I've constructed a highly restrictive ssh proxy
setup.

It used a chrooted sshd with private passwd/shadow files in the
chroot jail. The login shell for the users in that private passwd
was a teensy C program, that looked up the $LOGNAME in a private
config file to get a destination host, and execed an ssh client to
that host. This prevented all port forwardings and the like.

This was work-for-hire, and I no longer have that code and couldn't
give it away if I did, but such a C wrapper is awfully trivial to
write.

> smap postfix

While I like Postfix best for such applications, another candidate I
wouldn't criticize is qmail. Different strengths and weaknesses,
appeals to some folks.

> dns bind, chrooted (finally)

djbdns --- dnscache is ideal for use as a firewall DNS proxy.

-Bennett
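The forced-destination login shell Bennett describes for his chrooted ssh gateway, written out as an added example (not his code, which was work-for-hire; the config path `/etc/sshgw/hosts`, its "login host" line format and the ssh path inside the jail are assumptions for this example):

```c
/* Added example, not the original poster's code: a forced-destination login
 * shell for a chrooted ssh gateway. The user never gets a shell; $LOGNAME
 * selects exactly one destination from a private config file and the ssh
 * client is exec'ed to it. Paths below are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CFG_PATH "/etc/sshgw/hosts" /* hypothetical: lines of "login host" */
#define SSH_PATH "/usr/bin/ssh"     /* hypothetical: ssh client inside the jail */
#define MAX_HOST 128

/* Accept only a plain hostname: letters, digits, '.', '-'; it must not start
 * with '-' (ssh would read it as an option) or '.'. Returns 1 if acceptable. */
int valid_host(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n >= MAX_HOST || h[0] == '-' || h[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Scan config text (one "login host" pair per line, '#' starts a comment) for
 * an exact match on user. Copies the host into out and returns 1; returns 0
 * (fail closed) if the user is absent, listed twice, or the host is invalid. */
int lookup_dest(const char *cfg, const char *user, char *out, size_t outlen)
{
    int found = 0;
    const char *p = cfg;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            char *hash = strchr(line, '#');
            if (hash)
                *hash = '\0';
            char *save = NULL;
            char *u = strtok_r(line, " \t", &save);
            char *h = strtok_r(NULL, " \t", &save);
            char *extra = strtok_r(NULL, " \t", &save);
            if (u && h && !extra && strcmp(u, user) == 0) {
                if (found || !valid_host(h) || strlen(h) >= outlen)
                    return 0;
                strcpy(out, h);
                found = 1;
            }
        }
        p = eol ? eol + 1 : p + len;
    }
    return found;
}

/* Read the whole config file into a malloc'd, NUL-terminated buffer. */
static char *read_cfg(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t cap = 4096, n = 0, r;
    char *buf = malloc(cap);
    while (buf && (r = fread(buf + n, 1, cap - n - 1, f)) > 0) {
        n += r;
        if (n + 1 >= cap) {
            char *nb = realloc(buf, cap *= 2);
            if (!nb)
                free(buf);
            buf = nb;
        }
    }
    fclose(f);
    if (buf)
        buf[n] = '\0';
    return buf;
}

int main(void)
{
    const char *user = getenv("LOGNAME");
    char host[MAX_HOST];
    char *cfg = user ? read_cfg(CFG_PATH) : NULL;
    if (!cfg || !lookup_dest(cfg, user, host, sizeof host)) {
        fputs("gateway: no destination configured for this login\n", stderr);
        return 1;
    }
    free(cfg);
    /* Fresh, minimal environment: nothing from the caller reaches ssh. */
    char *envp[] = { "PATH=/bin:/usr/bin", "TERM=vt100", NULL };
    /* No escape character, every forwarding/tunnel feature switched off. */
    execle(SSH_PATH, "ssh", "-e", "none",
           "-o", "ClearAllForwardings=yes", "-o", "ForwardAgent=no",
           "-o", "ForwardX11=no", "-o", "Tunnel=no",
           "-o", "PermitLocalCommand=no", "--", host, (char *)NULL, envp);
    perror("gateway: exec ssh");
    return 1;
}
```

Build it statically, copy it into the jail, and name it as the login shell in the jail's private passwd file. The wrapper only controls what the user can run once logged in; channel requests such as TCP forwarding are answered by the gateway's sshd itself, so pair it with `AllowTcpForwarding no` and `X11Forwarding no` in that sshd's configuration.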