I see what you mean about SOCKS being an "extra" issue. Still, I don't think that SOCKS requires an entire lecture. I think an "advanced" lecture on secure systems would be best for it, covering SOCKS as well as other subjects such as, for example, a case study of an existing network deployment (firewall, NAT, SOCKS, email/procmail, Squid/SpamAssassin, ...). Still, if you think that's too much, I'll gladly settle for a "side" solution.
Erez

On Thursday 07 July 2005 19:36, you wrote:
> Hi Erez,
>
> I'll actually start writing the topics from Sunday, and then I'll be able
> to know what I will add, when it comes to securing systems and hardening
> existing systems.
>
> I'd first like to talk about the concepts, so people will know what it is
> about, then I'll extend a bit. I wish that people will care more about
> securing their systems, in many issues that they might not think of. I'll
> also provide examples. That's the first thing that comes to my mind. In
> the end I'll ask if people want special in-depth future lectures about
> specific subjects which I'll raise. There's a lot to cover, and I still
> haven't decided if I go in-depth from the beginning, giving a series of
> lectures, or to give one (maximum two) lectures about all the concepts
> which I'd thought of, and then let the audience choose how and what they
> want to hear about in the future. I'll provide more details about it in
> the following week.
>
> The question is if you want your issue solved as a side-issue (and then
> it's still a question of quality time), or you want a special lecture
> about it, since SOCKS is a nice issue which we haven't discussed yet, and
> your problem (which bothers other people as well) included in a lecture
> about SOCKS, deserves a lecture of its own.
>
> Adir.
>
> On Thu, 7 Jul 2005, Erez Hadad wrote:
> > Hi Adir,
> >
> > As we agreed, here's a reminder: Can you please add stuff about
> > integrating a SOCKS server with a standard Linux firewall, e.g. iptables?
> >
> > SOCKS is a server that usually resides on a network gateway and enables
> > applications running on internal machines to open inbound sockets (i.e.
> > sockets that can receive connections initiated from outside). Data
> > received through that socket is forwarded to the SOCKS client application
> > on the internal machine. That way, if the internal network is masked
> > behind NAT, applications can still behave as if they are running on the
> > gateway itself. There are many Linux SOCKS servers: SOCKS5, Dante,
> > Delegate, etc.
> >
> > To my best knowledge, SOCKS servers are usually installed as stand-alone
> > "firewalls", which do not support NAT and all the other iptables
> > features. On the other hand, iptables by itself does not provide a SOCKS
> > service. Combining them together should be the answer.
> >
> > I do not know of any open-source Linux firewall project that integrates
> > SOCKS. The closest match I could find is Astaro Linux (www.astaro.com)
> > but that's a commercial product.
> >
> > It is possible, of course, to install an ad-hoc iptables firewall with
> > rules that leave open all the inbound connections directed at the local
> > machine where a SOCKS server is running. However, such a solution is very
> > insecure: any application that opens an inbound socket on the gateway (by
> > mistake or not) becomes a target for attacks. A slightly better solution
> > would be to forward all incoming connections to a dedicated SOCKS
> > machine, but, again, the SOCKS machine becomes the problem, since its
> > entire port range is open to the outside.
> >
> > A much better solution would be to really integrate the SOCKS server and
> > the firewall: whenever the SOCKS server wishes to open or close an
> > inbound socket, it would notify the firewall or modify its rules. That
> > way, the firewall protects all the port range all the time. Still, as I
> > said, I could not find anything like it. Even more upsetting is that
> > Windows has this working out of the box, either as true SOCKS or as some
> > proprietary MS mechanism.
> >
> > Erez
> >
> > -------------------------------------------------------------------------
> > Haifa Linux Club Mailing List (http://www.haifux.org)
> > To unsub send an empty message to [EMAIL PROTECTED]
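The "really integrate the SOCKS server and the firewall" idea from Erez's quoted message, as an added example that is not part of the thread and not the code of any SOCKS server or of Astaro. It models the gateway side only: the firewall's default policy drops inbound traffic, and the SOCKS server opens exactly one narrow ACCEPT rule when it is about to listen for a SOCKS BIND request (the SOCKS5 command that lets a client accept an inbound connection) and deletes that rule again when the listening socket closes, so no port stays reachable between uses. The chain name `SOCKS_BIND`, the rule shape (restricting the hole to the one peer address the client named in its BIND request), the `BindRegistry` class and the `run` callback are all assumptions of this example; the dry-run `simulate()` records the iptables commands instead of executing them.

```python
"""Added example: dynamic iptables holes for SOCKS BIND (hypothetical design).

Assumes a chain named SOCKS_BIND that INPUT jumps to and that the caller
has already created; the default policy of INPUT is assumed to be DROP.
"""
import ipaddress
import shlex
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

CHAIN = "SOCKS_BIND"  # assumed chain name, must exist and be jumped to from INPUT


def exec_iptables(argv: List[str]) -> None:
    """Default executor: really run iptables (requires root on the gateway)."""
    subprocess.run(argv, check=True)


def accept_rule(port: int, peer: str) -> List[str]:
    # Only the peer the SOCKS client named in its BIND request may reach
    # the port; every other source stays covered by the DROP policy.
    return ["-p", "tcp", "-s", peer, "--dport", str(port), "-j", "ACCEPT"]


@dataclass
class BindRegistry:
    """Tracks which (port, peer) holes are open and how many sessions use each."""
    run: Callable[[List[str]], None] = exec_iptables
    active: Dict[Tuple[int, str], int] = field(default_factory=dict)

    @staticmethod
    def _key(port: int, peer: str) -> Tuple[int, str]:
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port {port}")
        # ipaddress rejects anything that is not a literal address, so a
        # hostname or shell metacharacters can never reach the iptables argv.
        return port, str(ipaddress.ip_address(peer))

    def bind_open(self, port: int, peer: str) -> None:
        """Call this *before* the server socket starts listening, so there is
        never a listening port without a matching rule."""
        key = self._key(port, peer)
        if key not in self.active:
            self.run(["iptables", "-I", CHAIN] + accept_rule(*key))
            self.active[key] = 0
        self.active[key] += 1

    def bind_close(self, port: int, peer: str) -> None:
        """Call this when the listening socket is closed; the rule goes away
        with the last session that used it."""
        key = self._key(port, peer)
        if key not in self.active:
            raise KeyError(f"no bind registered for {key}")
        self.active[key] -= 1
        if self.active[key] == 0:
            del self.active[key]
            self.run(["iptables", "-D", CHAIN] + accept_rule(*key))

    def flush_all(self) -> List[Tuple[int, str]]:
        """On SOCKS server shutdown or crash recovery: close every hole."""
        closed = list(self.active)
        for key in closed:
            self.run(["iptables", "-D", CHAIN] + accept_rule(*key))
        self.active.clear()
        return closed


def simulate() -> List[str]:
    """Dry run with constructed events; returns the iptables commands issued."""
    log: List[str] = []
    reg = BindRegistry(run=lambda argv: log.append(shlex.join(argv)))
    reg.bind_open(4000, "203.0.113.7")   # first session binds 4000 for this peer
    reg.bind_open(4000, "203.0.113.7")   # second session, same hole: no new rule
    reg.bind_close(4000, "203.0.113.7")  # one session still listening: rule stays
    reg.bind_close(4000, "203.0.113.7")  # last session gone: rule removed
    return log


if __name__ == "__main__":
    for cmd in simulate():
        print(cmd)
```

The ordering is the security-relevant part: the rule is inserted before `listen()` and removed after `close()`, and `flush_all()` runs from the server's shutdown path so a crash does not leave holes behind. A real deployment would also need the SOCKS server to run the executor with `CAP_NET_ADMIN` rather than as full root, and would use `-m conntrack --ctstate NEW` on the rule so that only fresh connections are matched; both are left out here to keep the example to the mechanism Erez describes.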
