RE: some tunnelling help needed
From: Black, Braden (BBlack_at_VSCat.com)
Date: 02/17/04
- Previous message: Nicholas Nam: "RE: some tunnelling help needed"
- Maybe in reply to: Payal Rathod: "some tunnelling help needed"
Date: Tue, 17 Feb 2004 14:05:48 -0500
To: "Payal Rathod" <payal-ssh@staticky.com>
On Tue, Feb 17, 2004 at 11:42:10AM -0500, Black, Braden wrote:
>
> You forgot the '-g' option, to allow remote hosts to connect to the local
> port. Otherwise, the port is just bound to the loopback interface. Also, I
I will try it for the first time tomorrow.
> would suggest opening the tunnel on an internal host as opposed to doing it
> directly on the firewall.
Can you expand on this please? What exactly do you mean? Thanks a lot
<--SNIP-->
When you use the '-g' option for local port forwarding, ssh opens the
designated local port on *all* interfaces. The implication here is that if
you do this on a firewall device, the port will be listening even on the
external interface. "No problem", you think, "I've got my snazzy
pf/iptables/whatever scripts that will deny access to that port from
external sources". Right-o. Should you drop your packet filter for some
reason or introduce a misconfiguration into the ruleset, you'll also
potentially open a hole right through your firewall and into your (or
someone else's) network.
It's just not worth the risk, IMHO. Firewalls should not run other services
when it can be helped. Ergo, if you have another box inside the chewy part
of your network, set up the tunnel there instead of running it on the
firewall.
My $.02
- Braden
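The behaviour Braden describes (a plain -L forward binds to loopback, -g or an explicit bind_address widens it) and a quick way to audit a box for forwards that ended up on all interfaces, as an added example that is not part of the original thread. The function names, the host names and the ss(8) output lines below are constructed for illustration; the bind rules follow ssh(1).

```shell
#!/bin/sh
# Added example, not from the original thread.
#
# forward_bind_addr ARGS... : given ssh client arguments, print the address the
# local forwarded port will listen on, per ssh(1):
#   -L port:host:hostport               -> 127.0.0.1 (loopback only)
#   -g -L port:host:hostport            -> 0.0.0.0   (all interfaces)
#   -L bind_address:port:host:hostport  -> that bind_address; "localhost" is
#                                          loopback, "" or "*" is all interfaces,
#                                          and an explicit address overrides -g
# Bracketed IPv6 bind addresses ([::1]:port:...) are not handled here.
forward_bind_addr() {
  gateway=0
  spec=""
  while [ $# -gt 0 ]; do
    case "$1" in
      -g)  gateway=1 ;;
      -L)  spec="$2"; shift ;;
      -L*) spec="${1#-L}" ;;
    esac
    shift
  done
  [ -n "$spec" ] || { echo "forward_bind_addr: no -L forward given" >&2; return 1; }
  # Three colon-separated fields means no bind_address; four means one was given.
  nfields=$(printf '%s' "$spec" | awk -F: '{ print NF }')
  if [ "$nfields" -ge 4 ]; then
    addr="${spec%%:*}"
    case "$addr" in
      ""|"*")   addr="0.0.0.0" ;;
      localhost) addr="127.0.0.1" ;;
    esac
  elif [ "$gateway" -eq 1 ]; then
    addr="0.0.0.0"
  else
    addr="127.0.0.1"
  fi
  printf '%s\n' "$addr"
}

# exposed_ssh_forwards : read `ss -ltnp` lines on stdin and print the
# local address:port of every listening socket owned by an ssh *client*
# (not sshd) that is bound to a wildcard address. Run on the host as
#   ss -ltnp | exposed_ssh_forwards
exposed_ssh_forwards() {
  awk '$1 == "LISTEN" && index($0, "((\"ssh\",") > 0 \
       && $4 ~ /^(0\.0\.0\.0|\[::\]|\*):/ { print $4 }'
}

# Constructed sample of `ss -ltnp` output (hypothetical pids and ports):
# a loopback-only forward, a forward opened with -g, and the sshd daemon.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("ssh",pid=4242,fd=5))
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:* users:(("ssh",pid=4243,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=3))'

# Demonstration (hostnames "intranet" and "gw" are placeholders).
echo "-L 8080:intranet:80            -> $(forward_bind_addr -L 8080:intranet:80 user@gw)"
echo "-g -L 8080:intranet:80         -> $(forward_bind_addr -g -L 8080:intranet:80 user@gw)"
echo "-L localhost:8080:intranet:80  -> $(forward_bind_addr -g -L localhost:8080:intranet:80 user@gw)"
echo "Forwards exposed on all interfaces in the sample:"
printf '%s\n' "$SAMPLE_SS" | exposed_ssh_forwards
```

The practical takeaway for the firewall case: if a forward must be reachable from inside the network, give -L an explicit internal bind_address rather than -g, so the listener never appears on the external interface in the first place, and periodically run the audit above on anything that is not supposed to expose forwarded ports.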