On 9/1/06, mop <[EMAIL PROTECTED]> wrote:
Hi
I have a home network set up with an OpenBSD gateway which is bridged to an
ADSL router, two Windows XP machines and assortment of old boxes I play
around with, and a few IP's available to me. What I want is remote access
back to my windows boxes probably using VNC, and to be able to ssh to my
gateway and into my network. At least one of the sites I wish to connect
from uses a web proxy and I would have to tunnel through it.
What software/techniques can people suggest, and how much of a risk am I
exposing myself to by doing this? I have survived this far without it, but
it would be nice to have. Can I do it without it showing up in a port scan?
Now to the pf question. My policy for everything blocked from entering the
network is that it is dropped with no reply. I have several ports forwarded
to my Windows box, mainly for file sharing over IRC so they are only open
when I wish to do a DCC send. I would like to drop error messages coming
from my windows box when those ports are closed so no one got curious as to
why those ports replied and nothing else did.
As I allow everying exiting the network to keep state, how would I block
these packets? I know it probably doesn't get me much in the way of
security, but it is an interesting problem. Any suggestions?
Any suggestions would be greatly appreciated. Regards,
How about using authpf for the port forwarding? You want the ports
forwarded, you ssh to the box, and they are open. You're finished, you
finish ssh session, they are closed.
Also, for VNC, you want to use that over an encrypted channel, either
ssh tunnel, or otherwise (OpenVPN or IPSec comes to mind).
As for ssh not showing on a port scan... Not likely that a ful port
scan is not going to pick it up, though you could play with passive OS
detection, and block nmap, that could provide a bit more of
obscurity...
As for going through a proxy, it depends how it is set up. ssh does
have an option to use proxy, but that depends on the proxy
configuration obviously... And you may have some success moving port
ssh listens on to 80 or 443 (I personally prefer the latter, as it's
rather less likely for anyone to look closer at the traffic passing
there). But that again depends on the proxy in question.
Kim
--
viq
