Re: Firewall advice
From: glassgnost <dlindnerSPAMBLOCKED@socal.rr.com>
Date: Tue, 27 Aug 2002 06:01:36 GMT
Four Star Computers wrote:
> The VPN will be the only way for outside users to connect. What ports will I need
> to leave open/monitor for the VPN to work?
> Will I need to have any others open for the Terminal Server Client to use, or
> will it confine all its traffic to the VPN tunnel?
>
> Most of the users inside the LAN do not have Internet access, but email is
> allowed to some. Other than the Terminal Server that the remote users are
> connecting to via VPN, no other services are to be visible to the outside.
>
> Are iptables/ipchains internal Unix/Linux commands or are they external
> programs?
> Ditto for PoPToP?
You'll need 1723 open for PPTP on your PPP interface - if you're using
old ipchains you'd be allowing inbound on the unpriv'd ports anyway.
You'll need to let 3389 in from the PPTP sessions. Either set up the
clients to specify their IPs in the session (and give them space in
your internal network), or try this: set up the "dummy" adapter on its
own subnet, have it do the proxying in the PPTP session, and use
that subnet for the client addys. Allow ONLY that subnet (or specific
IPs if only a few clients) to route through. How paranoid do you want
to be? No need to trust the PPTP clients fully. You can do this AND have
the clients hit specific IPs, and use a randomized sequence instead of
a predictable block of addys.
Security through Obscurity alone is foolish - but playing musical chairs
with the ports and/or addys as an additional layer can be useful.
Remember, pretty much all OSes can route now. If a client is
compromised, you could be giving someone a free ride inside.
You can set up the clients with dynamic DNS names as a means of
controlling access to 1723. It won't contain a compromised client, but
it will let you run the ports in "stealth" mode to the rest of the world.
If you want to set up access on a timer, just use AT or cron to run
scripts enabling/disabling either the route or the port. Or the poptop
daemon. Or all three. ;)
Ipchains/iptables are, by strict definition IIRC, external programs and
the actual firewalling is in the kernel. Standard distro stuff BTW.
PoPToP is available at http://www.poptop.org
You'll want to do the ppp mods to get MS-CHAPv2 encrypted passwords. Just
follow the cookbook at the poptop site; you should do fine.
I had to do some manual editing in conf.modules to get mine working, but
that's also in the docs.
FWIW, SonicWall has a model that does 56K PPP outbound - though intended
as a backup option, it'll probably do the job. I don't want to
discourage you from learning; I'm just considering that your time may be
worth SonicWall's price...
Have fun. :)
--
Mystical Reverend Doktor glassgnost, Minister of Unnatural Selection
dlindner (at) socal (dot) rr (dot) com
Eternal Salvation or Triple Your Money Back! http://www.subgenius.com ...or kill me!
Chinese saying: "He who speak with forked tongue, not need chopsticks."
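One way to lay out the rule set the reply describes (1723 open on the outside interface, 3389 reachable only from the PPTP client pool, and an on/off switch that cron can call), written here as an added example rather than anything from the original thread. The interface name, the client pool, the Terminal Server address and the hypothetical script name are assumptions; the GRE rule is a requirement of PPTP that the reply does not spell out.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for PPTP -> Terminal Server.
# Assumed values, override via environment: external interface, pptpd client
# pool, Terminal Server address. Set IPT=echo to print the rules instead of
# applying them.
EXT_IF="${EXT_IF:-eth0}"
VPN_POOL="${VPN_POOL:-10.99.0.0/24}"
TS_HOST="${TS_HOST:-192.168.1.10}"
IPT="${IPT:-iptables}"

vpn_rules() {
    # Default deny for anything arriving from outside or trying to cross the box.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # PPTP control channel on 1723 (as in the reply) plus GRE, which carries
    # the actual tunnel and must be allowed for PPTP to come up at all.
    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport 1723 -j ACCEPT
    "$IPT" -A INPUT -i "$EXT_IF" -p 47 -j ACCEPT
    # Only the PPTP client pool, arriving over a ppp session, may reach the
    # Terminal Server, and only on 3389.
    "$IPT" -A FORWARD -i ppp+ -s "$VPN_POOL" -d "$TS_HOST" \
        -p tcp --dport 3389 -j ACCEPT
    # Everything else from a ppp session is logged and dropped, so a
    # compromised client cannot route freely into the LAN.
    "$IPT" -A FORWARD -i ppp+ -j LOG --log-prefix "vpn-deny: "
    "$IPT" -A FORWARD -i ppp+ -j DROP
}

# Timer switch for cron: "on" inserts the 1723 rule at the top, "off" removes it.
vpn_access() {
    case "$1" in
        on)  "$IPT" -I INPUT -i "$EXT_IF" -p tcp --dport 1723 -j ACCEPT ;;
        off) "$IPT" -D INPUT -i "$EXT_IF" -p tcp --dport 1723 -j ACCEPT ;;
        *)   echo "usage: vpn_access on|off" >&2; return 1 ;;
    esac
}

# e.g. crontab: 0 8 * * 1-5 /usr/local/sbin/vpnfw.sh on   (hypothetical path)
case "${1:-}" in
    rules)  vpn_rules ;;
    on|off) vpn_access "$1" ;;
esac
```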