Those are good points.

I think I was thinking too much of things like LRP and Coyote Linux, instead of
the full power of cookfire.

Would it be too restrictive to restrict ssh to the internal interface?

 - Jay

In the wise words of Stephen Thomas:

> I like the ability to ssh in from the internal network. It allows me to do 
> things that the WEB interface doesn't.
> 
> 1. Manage software that the web interface doesn't handle such as snort, IDS.
> 2. View real time logging like "tail -f /var/log/messages" and other logs. 
> 3. What if I want to add some customized IDS software or firewall add-on apps
> later?
> 
> Our plans for the firewall are to set it up on a system without a keyboard, 
> mouse or monitor. SSH would be a necessity to do anything that can't be done 
> by the web interface. 
> 
> I believe in using the web interface for what it is designed to handle. To 
> try to configure stuff through a shell that is in the web interface would be 
> dumb. But taking away the ssh capability is like removing the latch on the 
> hood of a car because you should never have to go under the hood. Sometimes 
> it is necessary to ssh in because the developers can't think of everything.
> 
> 
> Steve
> 
> On Saturday 10 March 2001 13:54, you wrote:
> > In the wise words of philippe Libat:
> > > Jay Beale a écrit :
> > > > I'm currently looking at the firewall design and am a little curious:
> > >
> > > great.
> > >
> > > >   How many of you are ssh-ing into the firewall box?
> > >
> > > many admin users are using the ssh remote connection instead of telnet.
> > > It's more secure, isn't it? :=)
> >
> > HEee heee.  Yes.  :)
> >
> > But I was under the impression that the system was intended to only be
> > administered through the web interface.  Given the internals of the
> > configuration system, someone trying to configure through file edits AND
> > through the web interface would quite possibly find their changes not
> > taking effect, or at least interfering with each other.
> >
> > The other reason it would be helpful is that if someone will only be
> > administering the system via the web interface, we can lock down the rest
> > even more tightly...
> >
> > > >   If you are, why? Just to look around or do you prefer to admin the
> > > > box via shell-access?
> > >
> > > Sorry, I don't understand the question?
> > > To look around what? It's not a game, or a trip.
> > > Are you connecting to your cisco or 3COM gateway just to look around?
> >
> > No, that's my whole point.  I'm not connecting to my Cisco or 3COM gateway
> > at all.  I've turned the telnet option off on my Cisco.  I administer the
> > Cisco router through a dedicated serial interface, or at least through a
> > dedicated interface...
> >
> > > Of course, we are using remote connection, if your web session was
> > > closed, or if you want to
> > > do some admin tasks not included in the web tool, you can do it with a
> > > remote connection.
> >
> > Yes, this is the part I worry about.  Why not remove the ssh capability,
> > or restrict it to one interface? We can try to encourage people to use
> > the web interface, right?
> >
> >   - Jay

-- 
Jay Beale               
Security Team Director                  Lead Developer
Mandrakesoft                            Bastille Linux
http://www.mandrakesoft.com             http://www.bastille-linux.org
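Jay's suggestion of restricting ssh to the internal interface, as an added example that is not from the original thread: the sshd_config directive that does it, next to a small audit function that reads `ss -lnt` style output and flags any port-22 listener bound somewhere other than the internal address. The internal address 192.168.1.1 is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the firewall's internal
# interface address is 192.168.1.1 (placeholder) and sshd on TCP port 22.

# In /etc/ssh/sshd_config, binding sshd to the internal interface only:
#   ListenAddress 192.168.1.1
# The default binds 0.0.0.0 and :: (every interface, including the external one).

# audit_ssh_bind INTERNAL_IP  < lines in the format of `ss -lnt`
# Returns 0 if every port-22 listener is bound to INTERNAL_IP,
# 1 if any port-22 listener is bound to another address or a wildcard.
audit_ssh_bind() {
    internal="$1"
    bad=0
    while read -r state recvq sendq local peer rest; do
        case "$local" in
            *:22) ;;          # only port-22 listeners matter here
            *) continue ;;    # header line and other ports are skipped
        esac
        addr="${local%:*}"    # strip the ":22" suffix, leaving the address
        if [ "$addr" != "$internal" ]; then
            echo "sshd listening on $addr (not the internal interface)" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample output (state, Recv-Q, Send-Q, local, peer), not captured
# from a real host. First sample: sshd on the wildcard address; second: bound
# to the internal interface only.
WILDCARD_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 192.168.1.1:80 0.0.0.0:*'
INTERNAL_SAMPLE='LISTEN 0 128 192.168.1.1:22 0.0.0.0:*
LISTEN 0 128 192.168.1.1:80 0.0.0.0:*'

# check_sample INTERNAL_IP SAMPLE_TEXT: echoes "ok" or "exposed"
check_sample() {
    if printf '%s\n' "$2" | audit_ssh_bind "$1" 2>/dev/null; then
        echo ok
    else
        echo exposed
    fi
}
```

On a live box the same check is `ss -lnt | audit_ssh_bind 192.168.1.1`; a non-zero exit means sshd is reachable on more than the internal interface.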