RE: some tunnelling help needed

From: Black, Braden (BBlack_at_VSCat.com)
Date: Tue, 17 Feb 2004 14:05:48 -0500
To: "Payal Rathod" <payal-ssh@staticky.com>

    On Tue, Feb 17, 2004 at 11:42:10AM -0500, Black, Braden wrote:
    >
    > You forgot the '-g' option, to allow remote hosts to
    > connect to the local
    > port. Otherwise, the port is just bound to the loopback
    > interface. Also, I

    I will try it for the first time tomorrow.

    > would suggest opening the tunnel on an internal host as
    > opposed to doing it
    > directly on the firewall.

    Can you expand on this please? What exactly do you mean? Thanks a lot
    <--SNIP-->

    When you use the '-g' option for local port forwarding, ssh opens the
    designated local port on *all* interfaces. The implication here is that if
    you do this on a firewall device, the port will be listening even on the
    external interface. "No problem", you think, "I've got my snazzy
    pf/iptables/whatever scripts that will deny access to that port from
    external sources". Right-o. Should you drop your packet filter for some
    reason or introduce a misconfiguration into the ruleset, you'll also
    potentially open a hole right through your firewall and into your (or
    someone else's) network.

    It's just not worth the risk, IMHO. Firewalls should not run other services
    when it can be helped. Ergo, if you have another box inside the chewy part
    of your network, set up the tunnel there instead of running it on the
    firewall.

    My $.02

    - Braden
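The point Braden makes above, as an added example that is not part of the original thread: the three ways the local end of an `ssh -L` forward can end up bound, and a small check that lists which forwarded listeners other hosts could reach. The hostnames (intranet.example, gateway.example), the address 10.0.0.5 and the port numbers are assumptions chosen for illustration, and the `ss -ltn` style output is constructed, not taken from a real host. The bind-address form of `-L` postdates this 2004 thread and is noted only as the option later OpenSSH releases give you.

```shell
#!/bin/sh
# Added example, not from the thread. Shows how the local end of an
# ssh -L forward gets bound, plus a check that lists forwarded listeners
# reachable from other hosts. Hostnames, addresses and ports are assumed.

# 1. Plain -L: the listener is bound to loopback only, so other hosts
#    cannot reach it even if this machine is the firewall.
#      ssh -N -L 8080:intranet.example:80 user@gateway.example
#
# 2. -L with -g (GatewayPorts): the listener is bound to the wildcard
#    address and answers on every interface, including an external one.
#    This is the case the post warns about.
#      ssh -N -g -L 8080:intranet.example:80 user@gateway.example
#
# 3. Later OpenSSH releases accept a bind address on -L; binding the
#    forward to the internal interface address (10.0.0.5 assumed here)
#    keeps it off the external interface without a packet filter rule.
#      ssh -N -L 10.0.0.5:8080:intranet.example:80 user@gateway.example

# Print the local address:port of every listener that is not bound to
# loopback. Input: "ss -ltn" (or "netstat -ltn") style lines on stdin.
exposed_listeners() {
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue
        addr=${laddr%:*}              # strip the trailing ":port"
        case "$addr" in
            127.*|'[::1]') ;;         # loopback only: not reachable remotely
            *) printf '%s\n' "$laddr" ;;
        esac
    done
}

# Exit 0 when no listener on the given port is exposed, 1 otherwise.
# Usage: ss -ltn | port_is_loopback_only 8080
port_is_loopback_only() {
    if exposed_listeners | grep -q ":$1\$"; then
        return 1
    fi
    return 0
}

# Constructed sample in "ss -ltn" layout (not real output). Only 8080 is
# loopback-only; the others are what -g (or a wrong bind address) leaves
# reachable from other hosts.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8081       0.0.0.0:*
LISTEN 0      128    *:8082             *:*
LISTEN 0      128    [::]:8083          [::]:*
LISTEN 0      128    10.0.0.5:8084      0.0.0.0:*'

# On a real host run:  ss -ltn | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Run the check on the firewall itself after opening a tunnel; anything it prints besides what you deliberately bound to an internal address is a listener whose only protection is the packet filter ruleset.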

