Re: [Leaf-user] ssh firewall revisited
Henning, Brian [EMAIL PROTECTED] wrote:

> Hello-
> I continue to have problems connecting to the webserver on my LAN. Here is my configuration using putty. Can anyone see what I am doing wrong? I thought I was following the directions.
> Thanks,
> brian
>
> putty at work:
>   Source port: 3005
>   Destination: LEAF ip:80
> Local web browser at work: http://localhost:3005/
>
> setup at home:
>   Leaf/echowall - port forward ssh
>     |
>     |
>     |
>   w2k/apache - port 80

I think you are doing a great job and heading in the right direction. It appears that you have all the mechanics set up correctly. You have putty on your work computer. If you are using plink, then it appears that you are using a command similar to

  plink -L 3005:myLEAFipAddress:80 myuser@myW2kboxIPorName

Now let's address the LEAF or W2K problems.

1.) If you have configured LEAF to port forward port 22 to the W2K box, then the W2K box needs to have a SSH server on it. In this configuration LEAF is not using SSH at all. LEAF just redirects the traffic to another server. I know the putty site does not have a SSH daemon, nor intends to create one. If this is your configuration, you need a SSH daemon on the W2K box to receive the port 22 forwards from your LEAF firewall. Perhaps someone else knows of a SSH daemon for Windows.

2.) If you are running SSH on your LEAF firewall, then the connection stops at the firewall, i.e. -L 3005:myLEAFipAddress:80 is trying to talk to weblet. In this case it appears like you are mixing port forwarding and server processes. I do not know if there is a way to have the SSH daemon send the decrypted traffic to the W2K box from the firewall.

If solutions cannot be found to either of these configurations, then ipsec sounds like an alternative. I cannot address that solution at this time.

Can anyone else add comments to Brian's configuration issues?

Greg Morgan

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] ssh firewall revisited
putty at work:
  Source port: 3005
  Destination: ip of w2k machine on the local network:80
Local web browser at work: http://localhost:3005/

setup at home:
  Leaf/echowall - port forward ssh
    |
    |
    |
  w2k/apache - port 80

Greg, I got it fixed. Thanks for your time. I had to use the IP of the w2k machine on the local network.
Re: [Leaf-user] ssh firewall
I gotcha. My problem is I'm always wanting to do updates remotely and wouldn't want users to have to flip a switch or, God forbid, reboot. But a compact flash can be pulled after booting to ramdisk without harm. That's pretty write protected. Problem is, to get access to it again you'll have to power down.

I would be more interested in a heavily software protected mount, dd, etc. If these commands were 400 and could only be accessed via a very secure sudo-like thingy. I mean even root could not get to them without getting past security. Maybe that's impossible???

Oh yeah, if you want to solder, break into your IDE cable and run the write enable thru a switch (don't ask me). If you're clever you might even not bring the drive down. That would be cool.

Matt Schalit [EMAIL PROTECTED] on 04/01/2002 03:14:30 PM
To: Phillip Watts/austin/Nlynx@Nlynx
cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] ssh firewall

> [EMAIL PROTECTED] wrote:
> > > 4) hardware protectable IDE Flash disk module
> > Explain this one, please.
>
> A mass storage device for a firewall preferably would have a way to write protect it. A floppy diskette for instance has the little tab that you slide into position. This can not be circumvented by software tricks, i.e. can't be circumvented by a potential hacker.
> [...]
> The current problem is that the ADM is so small that soldering in a switch to those micro sized surface mount contact points is looking very tough.
>
> Regards,
> Matthew
Re: [Leaf-user] ssh firewall
[EMAIL PROTECTED] wrote:

> Matt Schalit [EMAIL PROTECTED] on 03/30/2002 10:22:44 PM
> To: [EMAIL PROTECTED]
> cc: (bcc: Phillip Watts/austin/Nlynx)
> Subject: Re: [Leaf-user] ssh firewall
>
> > 4) hardware protectable IDE Flash disk module
>
> Explain this one, please.

A mass storage device for a firewall preferably would have a way to write protect it. A floppy diskette for instance has the little tab that you slide into position. This can not be circumvented by software tricks, i.e. can't be circumvented by a potential hacker. Currently, only floppies and tapes have hardware write protect, iirc.

A lot of developers have been keen to gain mass storage capacity at low cost, but are hampered by a lack of hardware write protect on hard drives and flash storage. Mike Noyes picked up an ADM, a flash storage IDE Disk Module, which was under $20 for 8 MB. It plugs into your IDE plug. If it only had a micro switch on it for write protect, we would have glory.

Four of us got together in San Francisco a couple of weeks ago at the Linux Embedded Systems Conference to track down vendors and look for a solution. For all the details, read the leaf-devel archives thread called "ADM write protect" and perhaps the earlier one, "CF (write protect) + IDE adapter", both posted at the beginning of February.

The current problem is that the ADM is so small that soldering in a switch to those micro sized surface mount contact points is looking very tough.

Regards,
Matthew
Re: [Leaf-user] ssh firewall
Why don't U use FreeSwan Ipsec... I just woke up hehe

Upnet Joe

----- Original Message -----
From: Greg Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Henning, Brian [EMAIL PROTECTED]
Sent: Saturday, March 30, 2002 1:57 AM
Subject: Re: [Leaf-user] ssh firewall

> Henning, Brian [EMAIL PROTECTED] wrote:
> > hello-
> > I am using echowall on dachstein LRP. I have a windows 2k pro machine that I can ssh into from the outside. I am also running an http server on my w2k machine. I am port forwarding ssh through my router/firewall. My problem is I am not sure how to tunnel the http to the *outside world*. [...]
>
> Charles gave you the answer to this before, but if you are coming from a windows world it may not make sense. I attached his original post at the end of this message. [...]
Re: [Leaf-user] ssh firewall
Greg/Charles, that was a really good HOWTO you just wrote. I wish you had done it a few days ago :-) I spent the last few months puzzling out how to do exactly what you just described.

Just yesterday I attained my 'holy grail' of networking which was to click'n'drag files from my Windoze workstation at work to my Linux workstation behind EigerStein2B4 at home. I use Secure iXplorer (www.i-tree.org) on the Windoze machine, which works well with the Putty programs. It's a GUI front end for the Putty Secure Shell Copy (PSCP) program. If anyone needs to see details of the setup, drop me a line.

I guess I need a new holy grail now. (I already got VNC working, too, but my upload speed at home is only 90KB which makes for really slow screen updates.) Any suggestions for a new grail?

-John

--- Greg Morgan [EMAIL PROTECTED] wrote:
> Henning, Brian [EMAIL PROTECTED] wrote:
> > hello-
> > I am using echowall on dachstein LRP. I have a windows 2k pro machine that I can ssh into from the outside. [...]
>
> Charles gave you the answer to this before, but if you are coming from a windows world it may not make sense. [...]
Re: [Leaf-user] ssh firewall
John Desmond wrote:
> I guess I need a new holy grail now. (I already got VNC working, too, but my upload speed at home is only 90KB which makes for really slow screen updates.) Any suggestions for a new grail?
> -John

1) QoS (discussed recently, though)
2) multiple ISP load balancing
3) debug.lrp that works on all LEAF distros
4) hardware protectable IDE Flash disk module

Good Luck :)
Matthew
Re: [Leaf-user] ssh firewall
--- Matt Schalit [EMAIL PROTECTED] wrote:
> John Desmond wrote:
> > Any suggestions for a new grail?
> > -John
>
> 1) QoS (discussed recently, though)

The Q stands for 'Quality'. Since my ISP is Verizon, I probably wouldn't notice any differences.

> 2) multiple ISP load balancing

Two Verizons... three Verizons... O, the horror!

> 3) debug.lrp that works on all LEAF distros

It's Linux... no need to debug!

> 4) hardware protectable IDE Flash disk module

I took some flash pictures of the IDE disk and it didn't hurt it, so I guess it's protected.

> Good Luck :)
> Matthew

Happy April Fool's! And if you want to get some good ideas for a 'wired house' go see Panic Room this weekend. I can't see why, though, they didn't have a 'net connection and a little LEAF in the corner! :-)

-John
Re: [Leaf-user] ssh firewall
Henning, Brian [EMAIL PROTECTED] wrote:

> hello-
> I am using echowall on dachstein LRP. I have a windows 2k pro machine that I can ssh into from the outside. I am also running an http server on my w2k machine. I am port forwarding ssh through my router/firewall. My problem is I am not sure how to tunnel the http to the *outside world*. I am not sure if it is possible. Any thoughts or suggestions?
> thanks
> brian

Charles gave you the answer to this before, but if you are coming from a windows world it may not make sense. I attached his original post at the end of this message.

Here's what I'll presume about you. You are on a windows client at work or somewhere else connecting to your LEAF box. As you described you have a Windows 2000 box with a web page you want to see. There are a lot of things to keep straight in one's mind when you start playing with port forwarding and SSH. In short, you are not trying to tunnel the http to the *outside world* but you tell your clients how to tunnel to the service.

First off think of your LEAF box as just a patch cord. You have taken a cord and plugged it into a receptacle named 22 available to the rest of the world. The other end of the cord has been plugged into 22 on your W2K box. That's all port forwarding does in LEAF. LEAF is completely out of the picture now. All it is is a pipe for data to flow over. You have successfully done that as you describe above.

Now let's talk about the magic of SSH. SSH is one protocol. It allows a person to set up an encrypted link between two computers. Typically, a telnet-like feature is used within the SSH suite to talk to another server and run commands on it. But there are a few more tricks up SSH's sleeve. SSH allows you to build other pipes within the port 22 pipe. This is normally referred to as tunneling. Within the port 22 pipe you can create multiple tunnels. For example I have both regular SSH and web tunneled to a windows machine. I created these tunnels to try and explain what you'll need to do. If I wanted to ftp through SSH, then you could add this too. Name a protocol and try it. You are really just redirecting a port that the protocol normally uses on your localhost to the desired port on your server.

There are several SSH packages for Windows. I'll describe putty. You will need version 0.52. My prior version, 0.51, did not have the features to perform the tasks you're asking for. (And yes I upgraded today to try it out. :) )

  A.8.8 How do I pronounce PuTTY?
  Exactly like the normal word putty. Just like the stuff you put on window frames. (One of the reasons it's called PuTTY is because it makes Windows usable. :-)
  http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html

Download the executables from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. You will want plink.exe especially. plink is short for putty link. You will want to set up your private key on the windows client computer that attaches to LEAF. plink.exe takes the SSH part and simplifies building tunnels within the port 22 pipe on a Windows PC.

I have a Samba Server on a Linux box that acts like your W2K box. I used a windows PC with putty and plink to connect to it. Here's the command I used, where myLEAFipAddress is the address to LEAF performing port forwarding, myuser is the userid on the W2K box, and myW2kboxIPorName is the ip or name of your W2k box. You would need to add the name in the c:\windows\host file for a server name to work.

  plink -L 80:myLEAFipAddress:80 myuser@myW2kboxIPorName

This establishes the tunnel. I do not have a web server on my windows PC. However, when I use http://localhost/ in the web browser, I see what my Apache server is providing me. Remember port 80 is the default port used by browsers, i.e. http://localhost/ is the same as http://localhost:80/. SSH through plink is creating a tunnel to my local machine, or a secure patch cord. plink forwards whatever connects on my local windows box at port 80 to the other server on port 80. You have to just believe this until it makes sense. Also note the localhost is the name for ip address 127.0.0.1. Every networking host has this available to it.

Perhaps the -L 80:myLEAFipAddress:80 is confusing because the command is using the same port numbers on both ends of the pipe or tunnel. Let's try this since I am putting off filling out my 1040 tax forms :}

  plink -L 1040:myLEAFipAddress:80 myuser@myW2kboxIPorName

Now use http://localhost:1040/ in the web browser. Once again I see the pages Apache is serving up to me. If you will, plink makes a web server available on your client windows PC. Without plink forwarding the web server over SSH to the windows client, you would receive the typical 404 http error message. Note that SSH is a server process in this configuration. If you need two way communication that is where both ends of the tunnel need to
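To make Greg's "patch cord" picture of `-L localport:host:port` and Brian's earlier fix (use the w2k box's LAN address, not the LEAF address) concrete, here is an added example in Python; it is not code from this thread, LEAF or PuTTY. It models, in plain TCP on 127.0.0.1, the relay that LEAF's port forward or the sshd end of a `plink -L` tunnel performs, with a constructed stand-in for the w2k Apache: the cord aimed at a port with a web server behind it returns the page, while the one aimed at a port where nothing listens returns nothing, which is all the browser ever shows. The encryption real SSH adds between listener and connector is outside what this block models.

```python
import contextlib
import socket
import threading

def _pump(src, dst):
    # Copy one direction until EOF, then shut both sockets so the opposite pump wakes
    # up and each far end sees a real close instead of a hang.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            with contextlib.suppress(OSError):
                s.shutdown(socket.SHUT_RDWR)
            s.close()

def patch_cord(target, listen_port=0):
    # Listen on 127.0.0.1:listen_port and relay each connection to target=(host, port).
    # This is the job `-L port:host:hostport` hands the sshd end, which connects to target
    # from ITS network, so target must be what the home LAN calls the web server.
    srv = socket.create_server(("127.0.0.1", listen_port))
    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener closed
            try:
                upstream = socket.create_connection(target, timeout=3)
            except OSError:
                client.close()  # nothing listens at target: the browser sees a dropped connection
                continue
            for pair in ((client, upstream), (upstream, client)):
                threading.Thread(target=_pump, args=pair, daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def serve_one_page(body):
    # Constructed stand-in for the w2k Apache: answer one GET, then go away.
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        with srv, srv.accept()[0] as conn:
            conn.recv(4096)  # request content does not matter for the stub
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def http_get(port):
    # What the browser does for http://localhost:<port>/; the reply body, or b"" on failure.
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            return s.makefile("rb").read().partition(b"\r\n\r\n")[2]
    except OSError:
        return b""

def demo():
    # Body through a cord aimed at Apache, and through one aimed at a dead port (Brian's first try).
    apache_port = serve_one_page(b"hello from w2k/apache")
    with socket.create_server(("127.0.0.1", 0)) as probe:  # reserves dead_port while cords bind
        dead_port = probe.getsockname()[1]
        good = patch_cord(("127.0.0.1", apache_port))
        bad = patch_cord(("127.0.0.1", dead_port))
    result = http_get(good.getsockname()[1]), http_get(bad.getsockname()[1])  # probe closed now
    good.close()
    bad.close()
    return result
```

Requires Python 3.8 or later (socket.create_server and the walrus operator); all traffic stays on the loopback interface.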
[Leaf-user] ssh firewall
hello-
I am using echowall on dachstein LRP. I have a windows 2k pro machine that I can ssh into from the outside. I am also running an http server on my w2k machine. I am port forwarding ssh through my router/firewall. My problem is I am not sure how to tunnel the http to the *outside world*. I am not sure if it is possible. Any thoughts or suggestions?

thanks
brian