I like the ability to ssh in from the internal network. It allows me to do
things that the WEB interface doesn't.
1. Manage software that the web interface doesn't handle, such as Snort or an IDS.
2. View real-time logging like "tail -f /var/log/messages" and other logs.
3. What if I want to add some customized IDS software or firewall add-on apps
later?
Our plans for the firewall are to set it up on a system without a keyboard,
mouse or monitor. SSH would be a necessity to do anything that can't be done
by the web interface.
I believe in using the web interface for what it is designed to handle. To
try to configure stuff through a shell that is in the web interface would be
dumb. But taking away the ssh capability is like removing the latch on the
hood of a car because you should never have to go under the hood. Sometimes
it is necessary to ssh in because the developers can't think of everything.
Steve
On Saturday 10 March 2001 13:54, you wrote:
> In the wise words of Philippe Libat:
> > Jay Beale wrote:
> > > I'm currently looking at the firewall design and am a little curious:
> >
> > great.
> >
> > > How many of you are ssh-ing into the firewall box?
> >
> > Many admin users are using the ssh remote connection instead of telnet.
> > It's more secure, isn't it? :=)
>
> HEee heee. Yes. :)
>
> But I was under the impression that the system was intended to only be
> administered through the web interface. Given the internals of the
> configuration system, someone trying to configure through file edits AND
> through the web interface would quite possibly find their changes not
> taking effect, or at least interfering with each other.
>
> The other reason it would be helpful is that if someone will only be
> administering the system via the web interface, we can lock down the rest
> even more tightly...
>
> > > If you are, why? Just to look around or do you prefer to admin the
> > > box via shell-access?
> >
> > Sorry, I don't understand the question?
> > To look around what? It's not a game, or a trip.
> > Are you connecting to your Cisco or 3COM gateway just to look around?
>
> No, that's my whole point. I'm not connecting to my Cisco or 3COM gateway
> at all. I've turned the telnet option off on my Cisco. I administer the
> Cisco router through a dedicated serial interface, or at least through a
> dedicated interface...
>
> > Of course we are using a remote connection: if your web session was
> > closed, or if you want to do some admin tasks not included in the web
> > tool, you can do it with a remote connection.
>
> Yes, this is the part I worry about. Why not remove the ssh capability,
> or restrict it to one interface? We can try to encourage people to use
> the web interface, right?
>
> - Jay
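The compromise the thread circles around, keeping ssh but binding it only to the internal interface, can be checked mechanically. The script below is an added example, not code from the thread or from the firewall project; it audits an sshd_config for ListenAddress directives and treats a file with none as failing, since sshd then listens on every interface. The internal address 192.168.1.1 and both sample config files are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that sshd is bound only to the
# firewall's internal interface, as suggested by "restrict it to one interface".
# The address 192.168.1.1 and the two sample configs below are constructed.

# sshd_listens_only_on CONFIG INTERNAL_ADDR
# Returns 0 if CONFIG contains at least one ListenAddress and every one of
# them is INTERNAL_ADDR (optionally with a :port suffix); returns 1 otherwise.
# No ListenAddress at all is a failure: sshd then binds every interface,
# the external one included.
sshd_listens_only_on() {
  cfg="$1"; want="$2"
  # strip comments, keep the argument of each ListenAddress directive
  addrs=$(sed 's/#.*//' "$cfg" | awk 'tolower($1) == "listenaddress" { print $2 }')
  [ -n "$addrs" ] || return 1
  for addr in $addrs; do
    case "$addr" in
      "$want" | "$want":*) ;;        # internal address, any port: fine
      *) return 1 ;;                 # bound elsewhere (e.g. 0.0.0.0): fail
    esac
  done
  return 0
}

# Constructed sample configs: a default-style file with no ListenAddress
# (sshd answers on the external interface too) and the restricted version.
WEAK_CFG=$(mktemp); RESTRICTED_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin no
EOF
cat > "$RESTRICTED_CFG" <<'EOF'
Port 22
# internal (LAN) address of the firewall; the external interface stays unbound
ListenAddress 192.168.1.1
PermitRootLogin no
EOF

for f in "$WEAK_CFG" "$RESTRICTED_CFG"; do
  if sshd_listens_only_on "$f" 192.168.1.1; then
    echo "$f: sshd restricted to the internal interface"
  else
    echo "$f: sshd reachable on every interface, add ListenAddress"
  fi
done
```

A firewall rule dropping port 22 on the external interface is still worth adding as a second layer, since this check only covers what sshd itself binds.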