Date: Sun, 28 Apr 1996 17:10:12 +0300 (EET DST) From: "Andrew V. Stesin" <stesin@elvisti.kiev.ua> To: firewalls@greatcircle.com, security@freebsd.org Subject: Q on using "netpipes" for firewall maintenance tasks Message-ID: <199604281410.RAA21377@office.elvisti.kiev.ua>
Hello people,

I'm now in search of a safer but convenient rsh(1) replacement for some tasks of firewall day-to-day operation, i.e. gathering some stats, etc. to an inside machine. The firewall is composed of FreeBeasts (I like that spelling of FreeBSD! :) no fancy black Cisco boxen for filtering routers.

As the inside machine won't trust any part of the firewall, the server part of a connection should reside on the firewall hosts. Yes, I know -- spoofing _is_ the issue, but it might be eliminated by filtering the inside addressee on the external router/filter, which has virtually no access from outside.

I want to get rid of all ways to acquire a shell on the firewall hosts as a whole (thus physically remove rshd, telnetd, any-other-extra-d, leaving only publicly available services, and on the bastion host _only_). I don't want to have a Perl5 executable hanging around, though I'm not sure that the WWW server on the bastion host (or its admin, better to say) can live without it.

The alternatives for rsh(1) I'm aware of are as follows:

1. ssh-1.2.whatever. By far the superior thingie; but it seems to be overkill for use on a single-room coax, and needs some kind of public-key-crypto awareness.

2. netpipes-3.0 package by Robert Forsman (comp.sources.unix, vol.29). A very simple pair of tools, allowing socket connections to be used from shell scripts.

3. Hand-written daemon. Yes, that's probably OK, but I need to have a stable list of needed tasks for it, so some scripted simple-rapid-and-dirty prototypes are needed anyway. When the list of needed things to do is well established, I'd probably replace the prototypes with real compiled tools.

So, I'm seriously considering netpipes as a transport -- only a server part is on the firewall machine(s), bound to a preselected set of ports, with a /bin/sh script attached to it.

Where am I wrong?

--
With best regards -- Andrew Stesin.
+380 (44) 2760188 +380 (44) 2713457 +380 (44) 2713560
"You may delegate authority, but not responsibility."
        Frank's Management Rule #1.
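The part the message proposes to prototype, the /bin/sh script sitting behind a preselected port on the firewall host, as an added example; it is not code from the original message nor from the netpipes package. It assumes an inetd-style front end (for netpipes, faucet) hands the script a connected socket on stdin/stdout. The task names and the commands behind them are a hypothetical allow-list. The point it shows is the property the design depends on: the request line is only ever used as a case label, never expanded into a command or fed to a shell, so no request, however malformed, yields a shell on the firewall.

```sh
#!/bin/sh
# statsd.sh (hypothetical name): one-shot stats "command server".
# Meant to be attached to a listening port by a front end such as
# netpipes' faucet, with the client connection on stdin/stdout.
# It reads ONE request line, runs one command from a fixed allow-list,
# and exits. Client input is never evaluated by the shell.
#
# The task names and commands below are a constructed example list,
# not from the original message.

# Accept only a single short token of [a-z0-9_-]. Whitespace, ';', '|',
# '$', '`', '/', '.' and control characters are all refused here, before
# any lookup happens, so the request can never reach a shell as syntax.
valid_request() {
    case "$1" in
        '')             return 1 ;;
        *[!a-z0-9_-]*)  return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# The complete set of request names this server will ever answer.
known_task() {
    case "$1" in
        date|uptime|disk|ifstats) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Fixed mapping from request name to the exact command that runs.
# The request string is only a case label; it is never expanded into
# a command line, so nothing outside this list can be executed.
run_task() {
    case "$1" in
        date)     date -u ;;
        uptime)   uptime ;;
        disk)     df -k ;;
        ifstats)  netstat -i ;;
    esac
}

# Handle one connection: read one line from stdin, answer on stdout.
# Exit status: 0 task ran, 1 malformed request, 2 unknown task.
serve_one() {
    # IFS= and -r keep the raw bytes; a client that sends no newline
    # at all (or nothing) yields an empty request and is refused.
    IFS= read -r req || req=''
    if ! valid_request "$req"; then
        echo "ERR malformed request"
        # Do not echo the raw bytes into a log or terminal; they are untrusted.
        echo "statsd: refused malformed request" >&2
        return 1
    fi
    if ! known_task "$req"; then
        echo "ERR unknown task"
        # Safe to log: the request passed the character allow-list above.
        echo "statsd: refused unknown task '$req'" >&2
        return 2
    fi
    run_task "$req"
}

# When run as a script (not sourced), serve exactly one request.
case "$0" in
    *statsd.sh) serve_one ;;
esac
```

Attached with faucet it would be started once per connection, e.g. `faucet 2345 --in --out --foreignhost <inside-host> /usr/local/sbin/statsd.sh` (assuming faucet's --in/--out/--foreignhost options as the netpipes manual describes them; the port number and path are placeholders). Two caveats a reviewer would want stated: the --foreignhost check and the router's anti-spoofing filter are the only things standing between this port and any other host that can reach it, so both must be in place; and the script runs with whatever uid faucet was started as, so start it as a dedicated unprivileged user rather than root. Requests and replies also cross the wire in cleartext, which is the same exposure rsh(1) has and the one ssh removes.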