AW: restrict access

2021-05-25 Thread Walter Harms 
yes, under normal circumstances you would use iptables to block the port. But 
when you are forced to byte-counting and you do not want to install other 
programms (and maintains them) on your embedded system, this is clearly an 
option.

re,
 wh

Von: Steffen Nurpmeso 
Gesendet: Dienstag, 25. Mai 2021 02:40:50
An: Walter Harms
Cc: dropbear@ucc.asn.au
Betreff: Re: restrict access

WARNUNG: Diese E-Mail kam von außerhalb der Organisation. Klicken Sie nicht auf 
Links oder öffnen Sie keine Anhänge, es sei denn, Sie kennen den/die 
Absender*in und wissen, dass der Inhalt sicher ist.


Walter Harms wrote in
 :
 |I did a little experiment and it worked.
 |
 | if (fnmatch("192.168.1.*",remote_host,FNM_PATHNAME) != 0)
 |   goto out;
 |
 |this will allow only connections from 192.168.1.* to the server
 |that shows the change can be very simple. I did not try with more compli\
 |cated situations. The limits of this approach needs to be evaluated.

Since the begin of this thread this sounds like a 100% firewall
thing to me.  Why would you like to compile this in?

I mean, i can imagine the NetBSD/FreeBSD black(now block)list
approach in which a server software who "knows" what has happened
acts via a hook instead of let some expensive log parser
reevaluate state which is known in the moment the log happens.

But this?  I am not an administrator and thus firewall guru, but
i for example have in my net-qos.sh:fwcore_start() (heavily
vaporised this is)

   change_chain INPUT
   new_chain i_good i_alien i_sshorvpn i_tcp_new

   add_rule -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

   add_rule -j i_good
   add_rule -j i_alien

   add_rule -p tcp --syn -m conntrack --ctstate NEW -j i_tcp_new

   change_chain i_tcp_new

   fwcore_has_i ssh && add_rule -p tcp --dport ${p_ssh} -j i_sshorvpn

   change_chain i_sshorvpn

So and in here you can allow or deny ssh-specific anyway you want
to, add, remove and change, use "-m recent" and hitcounts etc.,
and all without recompilation.  (Having real address and/or CIDR
tables which could be managed separately would be cool though.)

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Re: restrict access

2021-05-25 Thread Hans Harder 
or when you have no root access...

On Tue, May 25, 2021 at 11:14 AM Walter Harms  wrote:
>
> yes, under normal circumstances you would use iptables to block the port. But 
> when you are forced to byte-counting and you do not want to install other 
> programms (and maintains them) on your embedded system, this is clearly an 
> option.
>
> re,
>  wh
> 
> Von: Steffen Nurpmeso 
> Gesendet: Dienstag, 25. Mai 2021 02:40:50
> An: Walter Harms
> Cc: dropbear@ucc.asn.au
> Betreff: Re: restrict access
>
> WARNUNG: Diese E-Mail kam von außerhalb der Organisation. Klicken Sie nicht 
> auf Links oder öffnen Sie keine Anhänge, es sei denn, Sie kennen den/die 
> Absender*in und wissen, dass der Inhalt sicher ist.
>
>
> Walter Harms wrote in
>  :
>  |I did a little experiment and it worked.
>  |
>  | if (fnmatch("192.168.1.*",remote_host,FNM_PATHNAME) != 0)
>  |   goto out;
>  |
>  |this will allow only connections from 192.168.1.* to the server
>  |that shows the change can be very simple. I did not try with more compli\
>  |cated situations. The limits of this approach needs to be evaluated.
>
> Since the begin of this thread this sounds like a 100% firewall
> thing to me.  Why would you like to compile this in?
>
> I mean, i can imagine the NetBSD/FreeBSD black(now block)list
> approach in which a server software who "knows" what has happened
> acts via a hook instead of let some expensive log parser
> reevaluate state which is known in the moment the log happens.
>
> But this?  I am not an administrator and thus firewall guru, but
> i for example have in my net-qos.sh:fwcore_start() (heavily
> vaporised this is)
>
>change_chain INPUT
>new_chain i_good i_alien i_sshorvpn i_tcp_new
>
>add_rule -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
>add_rule -j i_good
>add_rule -j i_alien
>
>add_rule -p tcp --syn -m conntrack --ctstate NEW -j i_tcp_new
>
>change_chain i_tcp_new
>
>fwcore_has_i ssh && add_rule -p tcp --dport ${p_ssh} -j i_sshorvpn
>
>change_chain i_sshorvpn
>
> So and in here you can allow or deny ssh-specific anyway you want
> to, add, remove and change, use "-m recent" and hitcounts etc.,
> and all without recompilation.  (Having real address and/or CIDR
> tables which could be managed separately would be cool though.)
>
> --steffen
> |
> |Der Kragenbaer,The moon bear,
> |der holt sich munter   he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)