On Fri, 8 Jul 2005, Erez Hadad wrote:
Still, I don't think that SOCKS requires an entire lecture. I think an
"advanced" lecture on secure systems would be best for it, covering SOCKS as
well as other subjects such as, for example, a case study of an existing network
deployment (firewall, NAT, SOCKS, email/procmail, Squid/SpamAssassin, ...).
That's a good idea :) Lifting the glove.
Still, if you think that's too much, I'll gladly settle for a "side" solution.
I'm afraid that a "side" solution won't satisfy you nor the audience,
unless it's planned that there's enough time to cover your issue as much
as needed. However, your idea about an advanced lecture is a better one,
and will be taken into consideration as well.
Adir.
Erez
On Thursday 07 July 2005 19:36, you wrote:
Hi Erez,
I'll actually start writing the topics from Sunday, and then I'll be able
to know what I will add, when it comes to securing systems and hardening
existing systems.
I'd first like to talk about the concepts, so people will know what it is
about, then I'll extend a bit. I wish that people will care more about
securing their systems, in many issues that they might not think of. I'll
also provide examples. That's the first thing that comes to my mind. In
the end I'll ask if people want special in-depth future lectures about
specific subjects which I'll raise. There's a lot to cover, and I still
haven't decided if I go in-depth from the beginning, giving a series of
lectures, or to give one (maximum two) lectures about all the concepts
which I'd thought of, and then let the audience choose how and what they
want to hear about in the future. I'll provide more details about it in
the following week.
The question is if you want your issue solved as a side-issue (and then
it's still a question of quality time), or you want a special lecture
about it, since SOCKS is a nice issue which we haven't discussed yet, and
your problem (which bothers other people as well) included in a lecture
about SOCKS, deserves a lecture of its own.
Adir.
On Thu, 7 Jul 2005, Erez Hadad wrote:
Hi Adir,
As we agreed, here's a reminder: Can you please add stuff about
integrating a SOCKS server with a standard Linux firewall, e.g. iptables?
SOCKS is a server that usually resides on a network gateway and enables
applications running on internal machines to open inbound sockets (i.e.
sockets that can receive connections initiated from outside). Data
received through that socket is forwarded to the SOCKS client application
on the internal machine. That way, if the internal network is masked
behind NAT, applications can still behave as if they are running on the
gateway itself. There are many Linux SOCKS servers: SOCKS5, Dante,
Delegate, etc.
To my best knowledge, SOCKS servers are usually installed as stand-alone
"firewalls", which do not support NAT and all the other iptables
features. On the other hand, iptables by itself does not provide a SOCKS
service. Combining them together should be the answer.
I do not know of any open-source Linux firewall project that integrates
SOCKS. The closest match I could find is Astaro Linux (www.astaro.com)
but that's a commercial product.
It is possible, of course, to install an ad-hoc iptables firewall with
rules that leave open all the inbound connections directed at the local
machine where a SOCKS server is running. However, such a solution is very
insecure: any application that opens an inbound socket on the gateway (by
mistake or not) becomes a target for attacks. A slightly better solution
would be to forward all incoming connections to a dedicated SOCKS
machine, but, again, the SOCKS machine becomes the problem, since its
entire port range is open to the outside.
A much better solution would be to really integrate the SOCKS server and
the firewall: whenever the SOCKS server wishes to open or close an
inbound socket, it would notify the firewall or modify its rules. That
way, the firewall protects all the port range all the time. Still, as I
said, I could not find anything like it. Even more upsetting is that
Windows has this working out of the box, either as true SOCKS or as some
proprietary MS mechanism.
Erez
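The integration Erez asks for in the last paragraph (the SOCKS server tells the firewall when it opens or closes an inbound socket) can be sketched in a few dozen lines. The block below is an added example for this thread; it is not code from the list or from any of the SOCKS servers named (SOCKS5, Dante, Delegate), and it omits the SOCKS5 BIND wire format from RFC 1928. It assumes a gateway whose INPUT chain drops by default and already carries the usual "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule, an outside interface named eth0 and an "iptables" binary on PATH; the callback named announce stands in for the first BIND reply that carries the bound port back to the client. The demo function swaps in a recorder for iptables so it runs without root.

```python
"""Firewall hole that lives exactly as long as a SOCKS-style BIND listener.
Added example; the iptables binary name, the eth0 interface and the presence
of an ESTABLISHED,RELATED accept rule on the gateway are assumptions."""
import ipaddress
import socket
import subprocess
import threading
from contextlib import contextmanager
from typing import Callable, Iterator, List, Optional, Sequence

IPTABLES = "iptables"   # assumed binary name; use a full path on a real gateway
EXT_IFACE = "eth0"      # assumed outside-facing interface

Runner = Callable[[Sequence[str]], object]   # executes one argv list


def accept_rule(port: int, peer: Optional[str] = None,
                iface: str = EXT_IFACE) -> List[str]:
    """Rule body (after -I/-D) admitting NEW TCP connections to `port` on the
    outside interface, and only from `peer` when the BIND request named one.
    Both inputs are validated: a client-supplied address must never be able
    to smuggle extra iptables arguments into the command."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    rule = ["INPUT", "-i", iface, "-p", "tcp"]
    if peer is not None:
        ipaddress.ip_address(peer)          # ValueError on anything but an IP
        rule += ["-s", peer]
    rule += ["--dport", str(port), "-m", "conntrack", "--ctstate", "NEW",
             "-j", "ACCEPT"]
    return rule


def insert_cmd(rule: Sequence[str]) -> List[str]:
    """argv inserting the rule at the head of INPUT, ahead of the final DROP."""
    return [IPTABLES, "-I", *rule]


def delete_cmd(rule: Sequence[str]) -> List[str]:
    """argv deleting exactly that rule again."""
    return [IPTABLES, "-D", *rule]


@contextmanager
def firewall_hole(port: int, peer: Optional[str] = None,
                  run: Runner = subprocess.check_call) -> Iterator[List[str]]:
    """Insert the rule on entry and delete it on exit, also when the body
    raises, so a crashed BIND cannot leave a port open."""
    rule = accept_rule(port, peer)
    run(insert_cmd(rule))
    try:
        yield rule
    finally:
        run(delete_cmd(rule))


def socks_bind(peer: str, announce: Callable[[int], None],
               run: Runner = subprocess.check_call,
               listen_addr: str = "0.0.0.0", timeout: float = 30.0) -> socket.socket:
    """Server side of BIND: listen on an ephemeral port, keep the hole for that
    port and peer open only while listening, accept the single inbound
    connection, then close the hole. The accepted flow keeps working through
    the ESTABLISHED rule. The peer check is defence in depth in case `run`
    could not install the rule on some host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as lsock:
        lsock.bind((listen_addr, 0))
        lsock.listen(1)
        lsock.settimeout(timeout)
        port = lsock.getsockname()[1]
        with firewall_hole(port, peer, run):
            announce(port)                  # real server: first BIND reply
            conn, addr = lsock.accept()
    if addr[0] != peer:
        conn.close()
        raise ConnectionRefusedError(f"unexpected peer {addr[0]}, wanted {peer}")
    return conn


def demo() -> dict:
    """Loopback round-trip with a recording runner instead of iptables: the
    'outside' client is a thread that connects once the port is announced.
    Returns the iptables argv lists that would have run and the bytes read."""
    issued: List[List[str]] = []

    def connect_later(port: int) -> None:
        def client() -> None:
            with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
                c.sendall(b"hello from outside")   # constructed sample payload
        threading.Thread(target=client, daemon=True).start()

    with socks_bind("127.0.0.1", connect_later, run=issued.append,
                    listen_addr="127.0.0.1") as conn:
        conn.settimeout(5)
        data = conn.recv(64)
    return {"commands": issued, "data": data}


if __name__ == "__main__":
    for argv in demo()["commands"]:
        print(" ".join(argv))
```

Run as a script it prints the two iptables commands (an -I while the listener exists, the matching -D afterwards) without touching the firewall; on a real gateway, drop the run argument so subprocess.check_call executes them as root. The point of the design is in firewall_hole: the rule is tied to the lifetime of the listening socket and to the one peer the client named, so at no moment is the gateway's whole port range, or even the bound port, open to arbitrary hosts.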
-------------------------------------------------------------------------
- Haifa Linux Club Mailing List (http://www.haifux.org)
To unsub send an empty message to [EMAIL PROTECTED]
--------------------------------------------------------------------------