RE: some tunnelling help needed

From: Black, Braden (BBlack_at_VSCat.com)
Date: 02/17/04

  • Next message: Greg Wooledge: "Re: Verifying the host fingerprint"
    Date: Tue, 17 Feb 2004 14:05:48 -0500
    To: "Payal Rathod" <payal-ssh@staticky.com>
    
    

    On Tue, Feb 17, 2004 at 11:42:10AM -0500, Black, Braden wrote:
    >
    > You forgot the '-g' option, to allow remote hosts to connect to the
    > local port. Otherwise, the port is just bound to the loopback
    > interface. Also, I

    I will try it the first time tomorrow.

    > would suggest opening the tunnel on an internal host as opposed to
    > doing it directly on the firewall.

    Can you expand on this please? What exactly do you mean? Thanks a lot
    <--SNIP-->

    When you use the '-g' option for local port forwarding, ssh opens the
    designated local port on *all* interfaces. The implication here is that if
    you do this on a firewall device, the port will be listening even on the
    external interface. "No problem", you think, "I've got my snazzy
    pf/iptables/whatever scripts that will deny access to that port from
    external sources". Right-o. Should you drop your packet filter for some
    reason or introduce a misconfiguration into the ruleset, you'll also
    potentially open a hole right through your firewall and into your (or
    someone else's) network.

    It's just not worth the risk, IMHO. Firewalls should not run other services
    when it can be helped. Ergo, if you have another box inside the chewy part
    of your network, set up the tunnel there instead of running it on the
    firewall.

    My $.02

    - Braden
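
The bind-address difference Braden describes, plus a small audit of where forwarded ports actually ended up listening, as an added example that is not part of the original thread. Host names and the `ss -ltn` style listings are constructed placeholders, not real captures.

```shell
#!/bin/sh
# Added illustration, not code from the thread; host names are placeholders.
#
# On a firewall, -g binds the forwarded port on every interface:
#   ssh -g -L 2222:internal-host:22 gateway.example
# Without -g, or with an explicit loopback bind address, the port is
# reachable only from the machine running ssh:
#   ssh -L 127.0.0.1:2222:internal-host:22 gateway.example
# Either way, the post's advice stands: run the tunnel on an inside host.
#
# The functions below audit where the listeners actually ended up.

# Constructed sample in the layout of `ss -ltn` (not a real capture).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:2222       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080         0.0.0.0:*
LISTEN 0      128    [::]:8443            [::]:*
LISTEN 0      128    [::1]:5900           [::]:*'

# Constructed loopback-only sample, the state you want on a firewall.
SAMPLE_LOOPBACK_ONLY='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:2222       0.0.0.0:*
LISTEN 0      128    [::1]:5900           [::]:*'

# exposed_listeners LISTING: print the local address:port of every
# LISTEN socket bound to a wildcard address (0.0.0.0 or [::]), i.e.
# one that only the packet filter is keeping off the outside.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "LISTEN" {
            if ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^\[::\]:/) print $4
        }'
}

# audit_listeners LISTING: exit 1 (and name the offenders) if anything is
# bound to a wildcard address, exit 0 when everything is loopback-only.
audit_listeners() {
    exposed="$(exposed_listeners "$1")"
    if [ -n "$exposed" ]; then
        printf 'wildcard-bound listeners:\n%s\n' "$exposed"
        return 1
    fi
    echo "all listeners are bound to loopback"
    return 0
}

# On a live box: audit_listeners "$(ss -ltn)"
audit_listeners "$SAMPLE_LISTENERS" || echo "audit status: $?"
audit_listeners "$SAMPLE_LOOPBACK_ONLY"
```

The exit status is the part a pre-flight or cron check would act on; the printed list is for the human reading it.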
