> Quite simply, what is the simplest, secure way to forward to two (2)
> hosts?  There are probably better ways to accomplish the end goal; but,
> we have an application whereby we may need to push very large files from
> the internet to two (or, more) locations behind a Dachstein firewall.

Simplest is to simply create multiple INTERN_SERVERS entries.  You'll need
to port-forward from different ports (or have more than one external IP
address).

Security of a port-forwarded service is only as secure as the service
itself.  If you really need tight security, you might consider an
application level proxy.  For instance, if you're port-forwarding to a MS
IIS web-server, you might want to run all requests through a *nix based
proxy that filters out (and logs) any *default.ida web-requests.  If you can
afford the overhead (and potential cost...there are many good application
level proxies that are for sale as commercial products), this can be a good way
to shield yourself from various attacks, both known and (at least some)
unknown...stuff like buffer overflow attacks, broken protocol attacks, and
the like.

If you want to use a proxy, just port-forward the service to the proxy
instead of your 'real' server, and configure the proxy to talk to your real
server(s)...

If you're looking at pushing/syncing a large number of files to various
remote sites, you might also want to look into rsync and/or ssh.  If the
files aren't terribly sensitive (i.e. can traverse the internet unencrypted),
you can set up an rsync server at the 'master' site and sync all the clients
periodically.  This is more of a 'pull' architecture, but it can be made
into a 'push' system by having the master run the rsync download command on
the clients via ssh.  If you need to encrypt the transfers, you can tunnel
the entire session through ssh.  You can keep security as tight as you want
with proper ssh configuration...for something like this I usually disable
general logins, set up ssh authentication by RSA/DSA keys only, and have the
ssh session automatically invoke the proper behavior on the client end (i.e.
fire off an rsync session in your case).  This way, even if the master
server is compromised, you won't automatically get user-level access to the
clients...all you'll be able to do is force them to rsync to the master
server whenever you want...

You can also get rsync/ssh for windows (see cygwin
http://www.redhat.com/download/cygwin.html ) if your network is of the M$
persuasion...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user