"Would it be too restrictive to restrict ssh to the internal interface?"
I think that with a firewall it should be mandatory to restrict ssh to the
internal network. That's one less hole on the outside. However, maybe you
could make it configurable from the web interface. I would put a warning on
the configuration, though.
Steve
On Sunday 11 March 2001 15:19, you wrote:
> Those are good points.
>
> I think I was thinking too much of things like LRP and Coyote Linux,
> instead of the full power of cookfire.
>
> Would it be too restrictive to restrict ssh to the internal interface?
>
> - Jay
>
> In the wise words of Stephen Thomas:
> > I like the ability to ssh in from the internal network. It allows me to
> > do things that the WEB interface doesn't.
> >
> > 1. Manage software that the web interface doesn't handle such as snort,
> >    IDS.
> > 2. View real-time logging like "tail -f /var/log/messages" and other
> >    logs.
> > 3. What if I want to add some customized IDS software or firewall
> >    add-on apps later?
> >
> > Our plans for the firewall are to set it up on a system without a
> > keyboard, mouse or monitor. SSH would be a necessity to do anything that
> > can't be done by the web interface.
> >
> > I believe in using the web interface for what it is designed to handle.
> > To try to configure stuff through a shell that is in the web interface
> > would be dumb. But taking away the ssh capability is like removing the
> > latch on the hood of a car because you should never have to go under the
> > hood. Sometimes it is necessary to ssh in because the developers can't
> > think of everything.
> >
> >
> > Steve
> >
> > On Saturday 10 March 2001 13:54, you wrote:
> > > In the wise words of philippe Libat:
> > > > Jay Beale a écrit :
> > > > > I'm currently looking at the firewall design and am a little
> > > > > curious:
> > > >
> > > > great.
> > > >
> > > > > How many of you are ssh-ing into the firewall box?
> > > >
> > > > many admin users are using the ssh remote connection instead of
> > > > telnet. It's more secure, isn't it? :=)
> > >
> > > HEee heee. Yes. :)
> > >
> > > But I was under the impression that the system was intended to only be
> > > administered through the web interface. Given the internals of the
> > > configuration system, someone trying to configure through file edits
> > > AND through the web interface would quite possibly find their changes
> > > not taking effect, or at least interfering with each other.
> > >
> > > The other reason it would be helpful is that if someone will only be
> > > administering the system via the web interface, we can lock down the
> > > rest even more tightly...
> > >
> > > > > If you are, why? Just to look around or do you prefer to admin
> > > > > the box via shell-access?
> > > >
> > > > Sorry, I don't understand the question.
> > > > To look around at what? It's not a game, or a trip.
> > > > Are you connecting to your cisco or 3COM gateway just to look
> > > > around?
> > >
> > > No, that's my whole point. I'm not connecting to my Cisco or 3COM
> > > gateway at all. I've turned the telnet option off on my Cisco. I
> > > administer the Cisco router through a dedicated serial interface, or at
> > > least through a dedicated interface...
> > >
> > > > Of course we are using the remote connection: if your web session was
> > > > closed, or if you want to do some admin tasks not included in the web
> > > > tool, you can do it with a remote connection.
> > >
> > > Yes, this is the part I worry about. Why not remove the ssh
> > > capability, or restrict it to one interface? We can try to encourage
> > > people to use the web interface, right?
> > >
> > > - Jay
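The restriction the thread converges on (ssh reachable only from the internal interface, with a warning if an admin re-opens it) can be expressed as a check plus a configuration. The following POSIX shell script is an added example, not code from this thread or from the firewall project being discussed. It constructs two sshd_config fragments, a weak one with no ListenAddress (sshd then binds every address) and a hardened one bound to the internal address, tests which of them leaves sshd reachable on the external address, and prints the netfilter rules that back the bind restriction. The addresses, interface name eth1 and the config fragments are constructed placeholders.

```shell
#!/bin/sh
# Added example: restrict sshd to the firewall's internal interface and check
# that a given sshd_config actually does so. Addresses and interface names are
# constructed placeholders, not values from the thread.
INTERNAL_IP="192.168.1.1"     # assumed internal (LAN) address of the firewall
EXTERNAL_IP="203.0.113.10"    # documentation-range placeholder for the WAN address

# Two constructed sshd_config fragments: without ListenAddress, sshd binds to
# every address (0.0.0.0), so ssh is reachable from the outside.
WEAK_CONF="$(mktemp)"
HARDENED_CONF="$(mktemp)"
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
# weak: no ListenAddress, sshd listens on all interfaces
Port 22
PermitRootLogin no
EOF
cat >"$HARDENED_CONF" <<EOF
# hardened: bound to the internal interface address only
Port 22
ListenAddress $INTERNAL_IP
PermitRootLogin no
EOF

# Print every ListenAddress value in an sshd_config, skipping comments.
ssh_listen_addresses() {
    sed -n 's/^[[:space:]]*ListenAddress[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1"
}

# Return 0 if sshd configured by file $1 would accept connections arriving on
# address $2, 1 otherwise. Handles bare IPv4/IPv6 addresses and IPv4 host:port.
sshd_reachable_on() {
    cfg="$1"; addr="$2"
    addrs="$(ssh_listen_addresses "$cfg")"
    [ -z "$addrs" ] && return 0          # no ListenAddress: wildcard bind
    for a in $addrs; do
        case "$a" in *.*.*.*:*) a="${a%:*}" ;; esac   # strip IPv4 :port suffix
        case "$a" in
            0.0.0.0|::|"[::]"|"$addr") return 0 ;;
        esac
    done
    return 1
}

# Print netfilter rules (assumed interface name) that accept port 22 only from
# the internal interface and drop it everywhere else: a second layer in case
# sshd_config is later edited back to a wildcard bind. Printed, not executed.
ssh_filter_rules() {
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    if sshd_reachable_on "$conf" "$EXTERNAL_IP"; then
        echo "$conf: ssh reachable on external address $EXTERNAL_IP"
    else
        echo "$conf: ssh NOT reachable on external address $EXTERNAL_IP"
    fi
done
ssh_filter_rules eth1    # eth1 assumed to be the internal interface
```

The two layers are deliberate: ListenAddress keeps the daemon off the external socket, and the interface-scoped netfilter rule keeps the port closed even if someone later edits sshd_config through a shell, which is exactly the interaction between file edits and the web interface that Jay worries about. After changing sshd_config on a real host, `sshd -t` validates the file before the daemon is restarted.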