[Nolug] notes from last night's meeting (part two)

From: Joey Kelly <geek_at_joeykelly.net>
Date: 18 Oct 2002 11:04:09 +0000
Message-Id: <1034939049.30048.4.camel@octopus>

"Firewalls --- why you need 'em, how to defeat 'em, Part Deux."

Part one focused on the security aspects of firewalls.

Part two will briefly describe ways to defeat firewalls, but in a
constructive manner.

++++

I get questions all the time on a certain web forum from lusers asking
how to defeat firewalls, and usually the seekers are up to no good.
Being a system administrator, it's not in my best interests to instruct
them in the finer points of circumventing security, because I might end
up being the victim of their (or someone else reading my posts) attacks.

However, as linux geeks, we can use our security devices in ways that
enhance our online experience. We talked at length about using ssh to
connect to devices behind our firewalls. Scott also gave extended
explanations about neat tricks that can be done using ssh, IPsec, and
IPv6.

For instance, we can use ssh to connect to (or through) our firewall and
access our desktop computer or server sitting behind it. Since we are
using ssh, all of our traffic is encrypted. Also, we can use ssh to
tunnel X applications running on our desktops at home to our remote
computers at work, for instance. This is way cool. We can check mail,
run a browser, or whatever, as if we were sitting at home at our desktop
machines.

We also discussed using our firewall boxes to forward ports. This is a
common practice. Normally you would run a webserver behind your
firewall, forwarding port 80 on your outside NIC to port 80 on your
internal server. Obviously this works for any port and any service. I do
this myself, with an assortment of services sitting on random ports on
my firewall, and I can connect at will to specific boxen at home just by
changing the port I connect to.

I mentioned that I am currently working on a solution for windows users
to be able to connect from home to their work computers using VNC. When
either of the computers (A or D, assuming you are sitting at A, behind
firewall B, connecting over the net to firewall C, and attempting to
access computer D at work) is running linux, the problem has a trivial
solution. However, if both A and D are windows, it gets a little harder.
I have a solution in mind, and will be testing it in a few days. If it
works, I'll post a howto (and start making money from some of my clients
who would like to use this hack).
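One way to put the port forwarding on the firewall box and the A-to-D VNC tunnel described above into practice, as an added example that is not from the original post: iptables DNAT rules generated from a small mapping table, plus the ssh command that carries a VNC session from A through firewall C to desktop D. The interface name, the LAN addresses and the firewall hostname are assumptions; with DRY_RUN=1 (the default) it prints the commands instead of running them, so it needs no root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: eth0 is the
# outside NIC, 192.168.1.0/24 is the LAN behind the firewall.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

EXT_IF=${EXT_IF:-eth0}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# pf_rule <external-port> <internal-host> <internal-port>
# Forward TCP arriving on the outside NIC to one box on the LAN. DNAT
# rewrites the destination; the FORWARD rule admits only that rewritten
# flow, so the hole is exactly as wide as the mapping and no wider.
pf_rule() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    run iptables -A FORWARD -i "$EXT_IF" -p tcp -d "$2" --dport "$3" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# pf_table reads "ext_port host port" lines on stdin and emits the rules
# for each, skipping blank lines and '#' comments, so the list of
# "random ports on the firewall" lives in one reviewable place.
pf_table() {
    while read -r ext host port; do
        case "$ext" in ''|'#'*) continue ;; esac
        pf_rule "$ext" "$host" "$port"
    done
}

# vnc_tunnel <user@firewall-C> <desktop-D> [local-port]
# From A: ssh to firewall C, listen on localhost:5901, and carry that
# connection (encrypted) to D's VNC port 5900. A VNC viewer pointed at
# localhost:5901 then reaches D without exposing 5900 on the net at all.
vnc_tunnel() {
    printf 'ssh -N -L %s:%s:5900 %s\n' "${3:-5901}" "$2" "$1"
}
```

A typical use is `printf '80 192.168.1.10 80\n2222 192.168.1.11 22\n' | pf_table` on the firewall, and `vnc_tunnel me@fw.example.com 192.168.1.12` on the road-warrior side.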

-- 
Joey Kelly
Linux consultant in New Orleans, Louisiana, USA
http://kellynet.dhs.org
---
Alcohol and Calculus don't mix. Never drink and derive.
___________________
Nolug mailing list
nolug@nolug.org
Received on 10/18/02