Re: [Leaf-user] ssh firewall

2002-03-30 Thread Upnet Joe

Why don't U use FreeSwan Ipsec...I just woke up hehe

Upnet Joe

- Original Message -
From: Greg Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Henning, Brian
[EMAIL PROTECTED]
Sent: Saturday, March 30, 2002 1:57 AM
Subject: Re: [Leaf-user] ssh firewall


 Henning, Brian [EMAIL PROTECTED] wrote:
 
  hello-
 
  I am using echowall on dachstein LRP. I have a windows 2k pro machine
that i
  can ssh into from the outside. i am also running an http server on my
w2k
  machine. I am port forwarding ssh through my router/firewall.  My
problem is
  I am not sure how to tunnel the http to the *outside world*. I am not
sure
  if it is possible. Any thoughts or suggestions?
 
  thanks
 
  brian
 

 Charles gave you the answer to this before, but if you are coming from a
 windows world it may not make sense. I attached his original post at the
 end of this message.  Here's what I'll presume about you.  You are on a
 windows client at work or somewhere else connecting to your LEAF box.
 As you described you have a Windows 2000 box with a web page you want to
 see.  There are a lot of things to keep straight in one's mind when you
 start playing with port forwarding and SSH.  In short, you are not
 trying to tunnel the http to the *outside world* but you tell your
 clients how to tunnel to the service.

 First off think of your LEAF box as just a patch cord.  You have taken a
 cord and plugged it into a receptacle named 22 available to the rest of
 the world.  The other end of the cord has been plugged into 22 on your
 W2K box.  That's all port forwarding does in LEAF.  LEAF is completely
 out of the picture now.  All that is is a pipe for data to flow
 over.  You have successfully done that as you describe above.

 Now let's talk about the magic of SSH.  SSH is one protocol.  It allows
 a person to set up an encrypted link between two computers.  Typically, a
 telnet-like feature is used within the SSH suite to talk to another
 server and run commands on it.  But there are a few more tricks up
 SSH's sleeve.  SSH allows you to build other pipes within the port 22
 pipe.  This is normally referred to as tunneling.  Within the port 22
 pipe you can create multiple tunnels.  For example I have both regular
 SSH and web tunneled to a windows machine.  I created these tunnels to
 try and explain what you'll need to do.  If I wanted to ftp through SSH,
 then you could add this too.  Name a protocol and try it.  You are
 really just redirecting a port that the protocol normally uses on your
 localhost to the desired port on your server.

 There are several SSH packages for Windows.  I'll describe putty.  You
 will need version 0.52. My prior version, 0.51, did not have the
 features to perform the tasks you're asking for.  (And yes I upgraded
 today to try it out. :)   )
 A.8.8 How do I pronounce PuTTY?
 Exactly like the normal word putty. Just like the stuff you put on
 window frames. (One of the reasons it's called PuTTY is because it makes
 Windows usable. :-)
 http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html

 Download the executables from
 http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.  You
 will want plink.exe especially.  plink is short for putty link.  You
 will want to set up your private key on the windows client computer that
 attaches to LEAF.

 plink.exe takes the SSH part and simplifies building tunnels within the
 port 22 pipe on a Windows PC.  I have a Samba Server on a Linux box that
 acts like your W2K box.  I used a windows PC with putty and plink to
 connect to it.  Here's the command I used where

  myLEAFipAddress is the address to LEAF performing port forwarding.
  myuser is the userid on the W2K box.
  myW2kboxIPorName is the ip or name of your W2k box.  You would need
 to add the name in c:\windows\host file for a server name to work.

  plink -L 80:myLEAFipAddress:80 myuser@myW2kboxIPorName

 This establishes the tunnel.  I do not have a web server on my windows
 PC.  However, when I use

   http://localhost/

 in the web browser, I see what my Apache server is providing me.
 Remember port 80 is the default port used by browsers i.e.
 http://localhost/ is the same as http://localhost:80/.  SSH through
 plink is creating a tunnel to my local machine or a secure patch cord.
 plink forwards whatever connects on my local windows box at port 80 to
 the other server on port 80.  You have to just believe this until it
 makes sense.  Also note the localhost is the name for ip address
 127.0.0.1.  Every networking host has this available to it.

 Perhaps the -L 80:myLEAFipAddress:80 is confusing because the command is
 using the same port numbers on both ends of the pipe or tunnel.  Let's
 try this since I am putting off filling out my 1040 tax forms :}

  plink -L 1040:myLEAFipAddress:80 myuser@myW2kboxIPorName

 Now use

  http://localhost:1040/

 in the web browser.  Once again I see the pages Apache is serving up to
 me.  If 
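What plink's -L does, written out as an added Python example (not code from the original post or from PuTTY): a loopback-only TCP relay stands in for the tunnel and a constructed echo server stands in for the web server behind LEAF. The relay binds 127.0.0.1 only, which is also what ssh/plink -L do by default, so nobody else on the work LAN can reach the local end of your tunnel; ports are picked by the OS and the encryption that SSH would add is left out.

```python
# Added example (not code from the original post): a minimal TCP relay doing what
# plink's "-L localport:host:port" does at the socket level, minus SSH encryption.
# It listens only on 127.0.0.1 so the local end is not reachable from the LAN.
import socket
import threading

def _spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then close dst's write side."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_forwarder(target_host, target_port, local_port=0, bind_addr="127.0.0.1"):
    """Listen on bind_addr:local_port and relay each connection to the target.
    Returns the (address, port) actually bound; local_port=0 picks a free port."""
    listener = socket.create_server((bind_addr, local_port))
    def accept_loop():
        while True:
            client, _ = listener.accept()
            server = socket.create_connection((target_host, target_port))
            _spawn(_pump, client, server)   # client -> server half of the pipe
            _spawn(_pump, server, client)   # server -> client half of the pipe
    _spawn(accept_loop)
    return listener.getsockname()

def start_echo_server():
    """Constructed stand-in for the web server behind the firewall: echoes bytes back."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            _spawn(_pump, conn, conn)
    _spawn(serve)
    return srv.getsockname()[1]

def round_trip(payload):
    """Send payload through the forwarded local port and return what comes back."""
    _, fwd_port = start_forwarder("127.0.0.1", start_echo_server())
    with socket.create_connection(("127.0.0.1", fwd_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)          # EOF travels through the relay and back
        return b"".join(iter(lambda: c.recv(4096), b""))
```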

Re: [Leaf-user] dhclient and dnscache

2002-03-30 Thread Phillip . Watts



I didn't follow all of that, probably because I'm using Eiger
and there are differences.
But here is what it came down to:
I gave up attempting to follow all the possibilities and
realized that exit-hooks was the final word.
So I put a script in the BOUND section to do exactly what
I wanted.
In my case it was a python script to parse the leases file
and build dhcpd.conf the way I wanted.
Could easily have been bash or ash and I could easily have
built it with some custom overrides, but the point is I now
have control of the process and it only took an hour or so.

Free software ain't cheap, but it's free.





Will Clements [EMAIL PROTECTED] on 03/29/2002 09:21:48 PM

To:   Matt Schalit [EMAIL PROTECTED]
cc:   [EMAIL PROTECTED] (bcc: Phillip Watts/austin/Nlynx)

Subject:  Re: [Leaf-user] dhclient and dnscache



-- 
--  I recently setup a Dachstein floppy firewall/gateway for
--
--
--  1]  The machine being used is a Compaq P133, (and old
--
-- Don't know.  Maybe.
--
--
--
--  2]  I want to automatically update the external servers
--
-- People have described some sort of exit script that
-- you can customize that gets run just before dhclient
-- finishes and exits.  It's part of the dhclient package.
-- Check its files and search the archives for dhclient,
-- exit, and/or exit hooks.  I don't run it but thought
-- I'd throw it out there until someone else replies.
--

Yea I thought about that but in my situation, I believe
the following occurs:

A) /etc/init.d/dhclient calls /usr/sbin/dhclient which
reads the dhclient.conf file and also parses the ISP lease
info.

B) Because I'm using the supersede domain-name-servers
directive in the dhclient.conf file, the variable that
should hold the nameserver(s) from the ISP lease info,
instead contain the nameserver(s) from the dhclient.conf
file BEFORE control is passed to /etc/dhclient-script.

C) Thus the nameserver variable passed to
/etc/dhclient-script, (I believe its actually called
domain-name-servers) has the wrong nameserver(s) assigned
to it.

D) Only /etc/dhclient-script calls/sources dhclient-exit-hooks,
(I think), thus the dhclient-exit-hooks script does not
have access to the right nameserver info for me to
update dnscache at this point.

E) I see my options as:

I could recompile /usr/sbin/dhclient to create another
pass through variable that maintains the original lease
DNS server info when the supersede domain-name-servers
is used.  I doubt I'll do this since I don't have a box/
virtual box to compile this on.

Or I could try to get it from the dhclient lease file.
But I'm looking for an easy way out with minimum effort on
my part.



Any thoughts on my line of reasoning?


Will


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
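The exit-hook approach Phillip describes, as an added Python example (not his script and not part of the dhclient package): read the nameservers the ISP actually sent from the dhclient leases file, the route Will mentions as an alternative to the superseded variables dhclient-script sees, and validate them as IPv4 literals before they are written into any configuration. The leases text is constructed and "eth0" is an assumed name for the external interface.

```python
# Added example (not Phillip's script, not dhclient's code): pull the ISP-sent
# nameservers out of the dhclient leases file and validate them before they go
# into a config file. Leases text is constructed; "eth0" is an assumed interface name.
import re

SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.0.2.10;
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.53,192.0.2.54;
  expire 6 2002/03/30 02:00:00;
}
lease {
  interface "eth0";
  fixed-address 192.0.2.11;
  option routers 192.0.2.1;
  option domain-name-servers 198.51.100.5, 198.51.100.6;
  option domain-name "example.net";
  expire 6 2002/03/31 02:00:00;
}
"""

_LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
_OPT_RE = re.compile(r"^\s*option\s+([\w-]+)\s+(.*?);\s*$", re.M)
_IFACE_RE = re.compile(r'interface\s+"([^"]+)"')
_IPV4_RE = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$")

def parse_leases(text):
    """One dict per lease block, in file order (dhclient appends the newest last)."""
    leases = []
    for body in _LEASE_RE.findall(text):
        opts = {name: val.strip().strip('"') for name, val in _OPT_RE.findall(body)}
        m = _IFACE_RE.search(body)
        opts["interface"] = m.group(1) if m else None
        leases.append(opts)
    return leases

def lease_nameservers(text, interface="eth0"):
    """Nameservers from the newest lease on `interface`; a DHCP-supplied value is
    untrusted input, so anything that is not an IPv4 literal is rejected."""
    for lease in reversed(parse_leases(text)):
        if lease.get("interface") != interface:
            continue
        servers = [s.strip() for s in lease.get("domain-name-servers", "").split(",") if s.strip()]
        bad = [s for s in servers if not _IPV4_RE.match(s)]
        if bad:
            raise ValueError("unexpected nameserver value(s): %r" % bad)
        return servers
    return []
```

The returned list is what an exit hook would write, one address per line, into the dnscache forwarding file before restarting the service.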








Re: [Leaf-user] ssh firewall

2002-03-30 Thread John Desmond

Greg/Charles, that was a really good HOWTO you just
wrote. I wish you had done it a few days ago :-)
I spent the last few months puzzling out how to do
exactly what you just described. Just yesterday I
attained my 'holy grail' of networking which was to
click'n'drag files from my Windoze workstation at work
to my Linux workstation behind EigerStein2B4 at home.
I use Secure iXplorer (www.i-tree.org) on the Windoze
machine, which works well with the Putty programs.
It's a GUI front end for the Putty Secure Shell Copy
(PSCP) program.
If anyone needs to see details of the setup, drop me 
a line.
I guess I need a new holy grail now. (I already got
VNC working, too, but my upload speed at home is only
90KB which makes for really slow screen updates.) Any
suggestions for a new grail?
-John


Re: [Leaf-user] ssh firewall

2002-03-30 Thread Matt Schalit

John Desmond wrote:

 I guess I need a new holy grail now. (I already got
 VNC working, too, but my upload speed at home is only
 90KB which makes for really slow screen updates.) Any
 suggestions for a new grail?
 -John


1) QoS  (discussed recently, though)
2) multiple ISP load balancing
3) debug.lrp that works on all LEAF distros
4) hardware protectable IDE Flash disk module

Good Luck :)
Matthew






Re: [Leaf-user] ssh firewall

2002-03-30 Thread John Desmond

--- Matt Schalit [EMAIL PROTECTED] wrote:
 John Desmond wrote:
 Any
  suggestions for a new grail?
  -John

 1) QoS  (discussed recently, though)

The Q stands for 'Quality'. Since my ISP is Verizon, I
probably wouldn't notice any differences.

 2) multiple ISP load balancing

Two Verizons... three Verizons... O, the horror!

 3) debug.lrp that works on all LEAF distros

It's Linux... no need to debug!

 4) hardware protectable IDE Flash disk module

I took some flash pictures of the IDE disk and it
didn't hurt it, so I guess it's protected.

 
 Good Luck :)
 Matthew

Happy April Fool's!

And if you want to get some good ideas for a 'wired
house' go see Panic Room this weekend. I can't see
why, though, they didn't have a 'net connection and a
little LEAF in the corner! :-)

-John


