If you're using the plug-gw to get from the _inside_ to the DMZ you should
be able to use transparency, shouldn't you? This will allow connections from
the inside to any external host on port 22. I don't know if fwtk differs
from the last five or six releases of Gauntlet in this respect, but I'd be
surprised...
Once you're using OpenBSD you actually have two choices. You can simply pass
SSH traffic as a port number (as in statically filter it) or you could
create a chrooted user account on the firewall that runs a shell with only
SSH available - this will give you the same behaviour as the non-transparent
telnet-gw. You ssh to the firewall, authenticate and then get presented with
a prompt from which you type "open host.in.my.dmz" and then re-authenticate
on the destination server.
The latter is more secure, but is a two-step process.
I assume you know that ipf is a stateful packet filter and fwtk is an
application gateway, right? That means that there's no real reason why you
have to have plugs or the like at all...
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
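The first of the two ipf options described above (statically passing SSH as a port number, with state so the return traffic needs no rule of its own) looks roughly like the following. This is an added illustration, not a rule set from the poster or from either thread participant; the interface names (xl0 inside, xl1 DMZ) and the address ranges are assumptions chosen for the example.

```ipf
# Constructed example ipf rule set for an OpenBSD 2.7 bastion with two
# interfaces. Assumptions: xl0 faces the internal network 10.1.0.0/24,
# xl1 faces the DMZ 192.168.10.0/24. Adjust both to your own layout.

# Default deny in both directions; log what gets dropped so that blocked
# attempts from either side show up in ipmon output.
block in log all
block out log all

# Allow SSH only from the internal network to hosts in the DMZ.
# "flags S" matches just the initial SYN, so only the client side can open
# the connection; "keep state" then lets the rest of that connection (and its
# replies) through without a reverse-direction rule. State is created on the
# inbound interface and again on the outbound one so the packet is covered
# on both legs of its trip through the firewall.
pass in  quick on xl0 proto tcp from 10.1.0.0/24 to 192.168.10.0/24 port = 22 flags S keep state
pass out quick on xl1 proto tcp from 10.1.0.0/24 to 192.168.10.0/24 port = 22 flags S keep state

# The DMZ is never allowed to initiate SSH back into the internal network;
# with the default deny above this rule is redundant, but stating it makes
# the intent explicit and logs any host in the DMZ that tries.
block in log quick on xl1 proto tcp from 192.168.10.0/24 to 10.1.0.0/24 port = 22
```

Load the rules with `ipf -Fa -f /etc/ipf.rules` after flushing the old set; because the passes use `flags S keep state`, a DMZ host that has been compromised cannot use the open port 22 hole to reach the inside, since only packets that belong to a connection the inside opened are matched by the state table.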
> -----Original Message-----
> From: Drew Smith [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 19 August 2000 2:07 AM
> To: [EMAIL PROTECTED]
> Subject: SSH question...
>
> Hey, folks,
>
> Quick one - what's the best way to get from our internal network into
> our DMZ with SSH? I'm currently using (actually, currently about to
> replace) fwtk with telnet-gw as the telnet proxy, but if I wish to use
> plug-gw as the ssh proxy, it seems I'll need to set up a separate port on
> the firewall for each system in the DMZ... just need to be able to ssh
> directly through.
>
> What's the best way to go about this? New firewall is being built,
> OpenBSD 2.7 w/ipf, same question applies...
>
> Cheers,
> - Drew.
>
> --
> Drew Smith, UNIX Network Administrator
> Pacific Corporate Trust Company, Vancouver
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>