Re: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread Michael Leone


Duke Ionescu said:
 [This was originally posted to the LRP mailing list, where I was spat
 upon :]

How is the old LRP list? Haven't seen that since the mass exodus of users
and developers. I tried searching thru it via the web archive once, and
all I found was spam. :-)

Is Dave Cinege still doing any development with LRP? I thought he wanted
to stick with that Butterfly project of his instead.

(sorry; I don't have an answer for your question :-)

-- 
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project http://leaf.sourceforge.net    AIM: MikeLeone
Public Key - http://www.mike-leone.com/~turgon/turgon-public-key.asc

( Memoriam )
 ;===;()
 # # # #::
 # # # #::
 # # # #::
 # # # #::
 # # # # # # #
 # # # # # # #
 # # # # # # #
 # # # # # # #
 # # # # # # #
 # # # # # # #



Random Thought:
--




---
In remembrance
www.osdn.com/911/

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread Erich Titl

Hi

canonical ways could be ssh tunneling or a VPN

HTH

Erich

Duke Ionescu wrote the following at 21:16 11.09.2002:
[This was originally posted to the LRP mailing list, where I was spat upon
:]

I'm running LRP, more exactly Dachstein (thx for all your work Charles!).
I've been running LRP for many a year and everything  works great.  What I
need is an idea.  This may be a bit OT, but I'm looking for advice from
someone who's used LRP or BusyBox extensively.  Here's the problem:

I've opened samba ports for my static IP @ home, and it works great.
However, a co-worker is not as fortunate to have a static IP.  How do I
dynamically punch a hole for him (ports 137-139, 445) so he can access our
samba server too?  The most straightforward solution I could find is for him
to ssh into the LRP box and open the ports himself (...and then close
them!).  This could be automated via a script (i.e. /usr/bin/opensesame
1.2.3.4).  However, this is a bit of a pain and for users not as computer
literate as my co-worker it would not even be an option.  Has anyone run
into this before, what creative solutions have you found?  Is there a
de-facto way you guys do this sort of thang?

Thx





THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread Brad Fritz


Duke,

On Wed, 11 Sep 2002 15:16:37 -0400 you wrote:

 [This was originally posted to the LRP mailing list, where I was spat upon
 :]
 
 I'm running LRP, more exactly Dachstein (thx for all your work Charles!).
 I've been running LRP for many a year and everything  works great.  What I
 need is an idea.  This may be a bit OT, but I'm looking for advice from
 someone who's used LRP or BusyBox extensively.

Not sure I qualify, but have a suggestion to expand on your ssh idea
anyhow. :)

 Here's the problem:
 
 I've opened samba ports for my static IP @ home, and it works great.
 However, a co-worker is not as fortunate to have a static IP.  How do I
 dynamically punch a hole for him (ports 137-139, 445) so he can access our
 samba server too?

Just for the record, even with source filtering, SMB over untrusted
networks is insecure.  (Sorry, I couldn't continue in good conscience
without stating that, even though it's probably obvious to most
everyone here.)  Obviously it's more difficult to exploit with
filtering based on source address.  VPN-based access is the (more)
secure access mechanism.

 The most straightforward solution I could find is for him
 to ssh into the LRP box and open the ports himself (...and then close
 them!).  This could be automated via a script (i.e. /usr/bin/opensesame
 1.2.3.4).  However, this is a bit of a pain and for users not as computer
 literate as my co-worker it would not even be an option.

If you were to use the .ssh/rc file or command option in a
.ssh/authorization (for key-based authentication) and the
SSH_CLIENT environment variable, you could automate this pretty
far...

Set command=/usr/bin/toggle_smb_access in .ssh/authorization
(tested) or run it and then exit from $HOME/.ssh/rc (not tested,
but seems viable from reading sshd manpage).  toggle_smb_access
could be written so that it looks up $SSH_CLIENT in a simple data
file.  If it does not find $SSH_CLIENT, it would run the
appropriate ipchains commands to allow access and update the data
file.

If $SSH_CLIENT is already in the data file, run a different set
of ipchains commands to disable access.  Have the script echo
something like "Access enabled." or "Access disabled.",
respectively, after it finishes executing so the users can see
confirmation of the state change.

Then have users run a plink.exe[1] one-liner (if they're using
Win32):

  plink.exe [EMAIL PROTECTED]

Use a desktop shortcut on their desktop if you want to make it
easy for them.

I didn't include all the gory details, but that should be enough
to get you going if you decide to use the automated ssh approach.
VPN access would definitely be more secure though.

HTH,
Brad

[1] http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

 Has anyone run
 into this before, what creative solutions have you found?  Is there a
 de-facto way you guys do this sort of thang?

 Thx


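The forced-command toggle Brad sketches above, written out as an added example (it is not code from this thread, from LEAF or from Dachstein). It assumes a state file, /etc/smb_access.db, and a FW_CMD variable naming the firewall command (ipchains on Dachstein; it defaults to "echo ipchains" here so the script can be exercised without root, printing the rules it would apply). The authorized_keys line in the comments is likewise assumed; sshd keeps that file as ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# toggle_smb_access: added example of the forced-command toggle described
# in the message above; not code from the thread, LEAF or Dachstein.
# Assumed names: STATE_FILE (default /etc/smb_access.db) and FW_CMD, the
# firewall command to run (ipchains on Dachstein; defaults to "echo ipchains"
# so the script runs without root or a firewall and just prints the rules).
#
# Assumed ~/.ssh/authorized_keys entry on the LEAF box (all one line):
#   command="/usr/bin/toggle_smb_access",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... coworker
# With those options the key can do nothing except run this script, and
# SSH_CLIENT ("ip port port") is set by sshd, not chosen by the user.

STATE_FILE="${STATE_FILE:-/etc/smb_access.db}"
FW_CMD="${FW_CMD:-echo ipchains}"

# Print the client IPv4 address from an SSH_CLIENT value, or fail.
# Only a plain dotted quad is accepted, so nothing unexpected is ever
# spliced into a firewall command line.
client_ip() {
    ip=${1%% *}
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    printf '%s\n' "$ip"
}

# Insert (-I) or delete (-D) the SMB rules for one source address.
# The same rule text is used both ways, so a delete removes exactly
# what the insert added.
apply_rules() {
    action=$1
    ip=$2
    for spec in "-p tcp -s $ip -d 0.0.0.0/0 137:139" \
                "-p udp -s $ip -d 0.0.0.0/0 137:139" \
                "-p tcp -s $ip -d 0.0.0.0/0 445"; do
        $FW_CMD "$action" input $spec -j ACCEPT
    done
}

# Toggle access for the address in $1 (an SSH_CLIENT value) and report
# the new state on stdout, which plink shows to the user.
toggle_smb_access() {
    ip=$(client_ip "$1") || { echo "Unrecognised client address." >&2; return 2; }
    if grep -qxF "$ip" "$STATE_FILE" 2>/dev/null; then
        apply_rules -D "$ip"
        grep -vxF "$ip" "$STATE_FILE" > "$STATE_FILE.tmp" || true
        mv "$STATE_FILE.tmp" "$STATE_FILE"
        echo "Access disabled."
    else
        apply_rules -I "$ip"
        printf '%s\n' "$ip" >> "$STATE_FILE"
        echo "Access enabled."
    fi
}

# When installed as /usr/bin/toggle_smb_access and started by sshd as the
# forced command, act on the connecting client.
case "${0##*/}" in
    toggle_smb_access) toggle_smb_access "${SSH_CLIENT:-}" ;;
esac
```

Two points a practitioner would check: the key restrictions in the authorized_keys line are what keep this from becoming a shell, and the address check is kept even though sshd sets SSH_CLIENT, because the value ends up on an ipchains command line. The caveats in the thread still apply: a rule left behind when the co-worker's dynamic address changes now admits whoever inherits that address, so the state file is worth sweeping from cron, and the ports are open to anyone else at that address for as long as the rule exists.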



Re: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread guitarlynn

On Wednesday 11 September 2002 14:16, Duke Ionescu wrote:

 I'm running LRP, more exactly Dachstein (thx for all your work
 Charles!). I've been running LRP for many a year and everything 
 works great.  What I need is an idea.  This may be a bit OT, but I'm
 looking for advice from someone who's used LRP or BusyBox
 extensively.  Here's the problem:

LEAF, not LRP, please!

 I've opened samba ports for my static IP @ home, and it works great.
 However, a co-worker is not as fortunate to have a static IP.  How do
 I dynamically punch a hole for him (ports 137-139, 445) so he can
 access our samba server too?  The most straightforward solution I
 could find is for him to ssh into the LRP box and open the ports
 himself (...and then close them!).  This could be automated via a
 script (i.e. /usr/bin/opensesame 1.2.3.4).  However, this is a bit
 of a pain and for users not as computer literate as my co-worker it
 would not even be an option.  Has anyone run into this before, what
 creative solutions have you found?  Is there a de-facto way you guys
 do this sort of thang?

There isn't a standard way of doing this. The few of us that are using a
similar setup to this simply add a ping script like you have come up 
with. It really can't be integrated into the network setup because you
have no way of knowing the remote address (dyndns?) BEFORE loading
the ruleset w/o opening the box to possible exploit. The most reasonable
alternative is to use a SSH tunnel or VPN as has been suggested. 
Opening your NetBIOS ports is about the biggest hole you could put
in a system.
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!





RE: [leaf-user] How do I punch a dynamic hole thru firewall?

2002-09-11 Thread S Mohan

I've seen this in portsentry where are defined to block an IP. One way to do
this is to make a weblet page (can we authenticate in weblet?) and allow it
to execute a script or a shorwall command to allow an IP and ports. The
problem is the system cannot know automatically when the user is done. The
user has to again come in thro' weblet and delete that specific rule in
iptables - again script driven thro' weblet.

You will also encounter problems if that specific user is on a dynamic IP
ISP dial-up. He might disconnect and connect again when his IP is likely to
change thus negating this rule.

One possibility is to define a road-warrior connection in ipsec and allow
ipsec thro' to the network. If the samba service is available to the
network, the ipsec connection should also be able to access the samba
service. loc - loc is also on in shorwall.

I've not done this and hence am not speaking from experience but from logic,
having used different subsystems.

HTH
Mohan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Duke Ionescu
Sent: 12 September 2002 00:47
To: [EMAIL PROTECTED]
Subject: [leaf-user] How do I punch a dynamic hole thru firewall?


[This was originally posted to the LRP mailing list, where I was spat upon
:]

I'm running LRP, more exactly Dachstein (thx for all your work Charles!).
I've been running LRP for many a year and everything  works great.  What I
need is an idea.  This may be a bit OT, but I'm looking for advice from
someone who's used LRP or BusyBox extensively.  Here's the problem:

I've opened samba ports for my static IP @ home, and it works great.
However, a co-worker is not as fortunate to have a static IP.  How do I
dynamically punch a hole for him (ports 137-139, 445) so he can access our
samba server too?  The most straightforward solution I could find is for him
to ssh into the LRP box and open the ports himself (...and then close
them!).  This could be automated via a script (i.e. /usr/bin/opensesame
1.2.3.4).  However, this is a bit of a pain and for users not as computer
literate as my co-worker it would not even be an option.  Has anyone run
into this before, what creative solutions have you found?  Is there a
de-facto way you guys do this sort of thang?

Thx






