ACS <[EMAIL PROTECTED]> writes:
> I am trying to find the best way to let the traffic
> out but retain some control. A bastion host that the
> users have to telnet to and then ssh out is one idea.
> Our default outbound route does not go through the
> firewall (goes through transparent packet filters); no
> outside name resolution for the inside. Anybody have
> any suggestions? A super SSH proxy out there?

Some years ago I had the same problem within IBM. I had my
firewall, I had an internal DNS which did not resolve the
external names, and the default gateway was pointing in any
direction but not to the Internet.

At that time SOCKS was the (at least for me) ultimate solution.
On your client you specify the IP address of the SOCKS server
and which packets have to go to the SOCKS server and which not.
You can also specify a special SOCKS nameserver, which can
resolve the Internet names.

You will find details at http://www.socks.nec.com.

BTW, SSH (at least the source code version) does support SOCKS.

Have fun ...
--
===============================================================
Peter Bruderer mailto:[EMAIL PROTECTED]
Bruderer Research GmbH Tel ++41 52 620 26 53
IT Security Services Fax ++41 52 620 26 54
CH-8200 Schaffhausen http://www.bruderer-research.com
===============================================================
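
The client-side behaviour described in the message above, as an added example that is not part of the original mail: decide per destination whether to connect directly or via the SOCKS server, and hand outside names to the proxy unresolved. It uses the SOCKS5 wire format (RFC 1928), which goes beyond what the message specifies; the network range, internal suffix and host names are constructed assumptions.

```python
import ipaddress
import struct

# Constructed site policy (assumptions, not values from the message).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_SUFFIX = ".corp.example"

REPLIES = {0: "succeeded", 2: "connection not allowed by ruleset",
           4: "host unreachable", 5: "connection refused"}

def route_for(host):
    """Decide 'direct' or 'socks' the way a SOCKS client config would."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A name: only internal names are resolvable by the inside DNS.
        return "direct" if host.lower().endswith(INTERNAL_SUFFIX) else "socks"
    return "direct" if any(addr in net for net in INTERNAL_NETS) else "socks"

def build_greeting():
    """VER=5, one method offered: 0x00 (no authentication)."""
    return b"\x05\x01\x00"

def build_connect(host, port):
    """SOCKS5 CONNECT request; names are sent unresolved (ATYP=3)."""
    try:
        addr = ipaddress.ip_address(host)
        atyp = 1 if addr.version == 4 else 4
        body = addr.packed
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("host name length out of range")
        atyp, body = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + body + struct.pack(">H", port)

def parse_reply(data):
    """Return (allowed, reason) from the fixed 4-byte reply header."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return data[1] == 0, REPLIES.get(data[1], "other failure")

if __name__ == "__main__":
    for target in ("10.1.2.3", "build.corp.example", "www.example.org"):
        print(target, "->", route_for(target))
    print(build_connect("www.example.org", 22).hex())
```

Reply code 2 is how the proxy's rule set shows up on the client, which is where the outbound control the question asks about is enforced.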