From owner-freebsd-ipfw Thu Sep 6 10:50:55 2001
From: "alexus" <ml@db.nexgen.com>
To: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 6 Sep 2001 13:50:44 -0400
Subject: ipfw w/ port routing from telnet port to ssh
Message-ID: <005501c136fc$73e8f530$0d00a8c0@alexus>

hi

i'm trying to secure my box as much as i can, but i've been told that it's not a very good idea to leave telnet open. i understand this transmits text in clear text, but one of my users can't use port 22 because he's behind a firewall. my question is:

is it possible to make ipfw transfer all data between ports on the same ip? but i want that rule to be applied for one ip only.

basically what i want to accomplish with this is that whenever he telnets to my box he'll be routed to port 22, even though he'll still be connected to port 23; i'll just tell him to use an ssh client instead.

thanks in advance

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Thu Sep 6 10:55:32 2001
From: Ruslan Ermilov <ru@sunbay.com>
To: alexus <ml@db.nexgen.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 6 Sep 2001 20:55:02 +0300
Subject: Re: ipfw w/ port routing from telnet port to ssh
Message-ID: <20010906205502.B72023@sunbay.com>
In-Reply-To: <005501c136fc$73e8f530$0d00a8c0@alexus>

On Thu, Sep 06, 2001 at 01:50:44PM -0400, alexus wrote:
> i'm trying to secure my box as much as i can, but i've been told that it's
> not a very good idea to leave telnet open. i understand this transmits
> text in clear text, but one of my users can't use port 22 because he's
> behind a firewall. my question is:
>
> is it possible to make ipfw transfer all data between ports on the same ip?
> but i want that rule to be applied for one ip only.
>
> basically what i want to accomplish with this is that whenever he telnets to
> my box he'll be routed to port 22, even though he'll still be connected to
> port 23; i'll just tell him to use an ssh client instead.
>
This could be done in a number of different ways.
With ipfw(8)'s `fwd' option, or with natd(8).

Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-ipfw Thu Sep 6 11:01:26 2001
From: "alexus" <ml@db.nexgen.com>
To: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 6 Sep 2001 14:01:13 -0400
Subject: Re: ipfw w/ port routing from telnet port to ssh
Message-ID: <007a01c136fd$eab7e2b0$0d00a8c0@alexus>
References: <005501c136fc$73e8f530$0d00a8c0@alexus> <20010906205502.B72023@sunbay.com>

would you care to share? :)

please?

thank you in advance

----- Original Message -----
From: "Ruslan Ermilov"
To: "alexus"
Cc: <freebsd-ipfw@FreeBSD.ORG>
Sent: Thursday, September 06, 2001 1:55 PM
Subject: Re: ipfw w/ port routing from telnet port to ssh

> This could be done in a number of different ways.
> With ipfw(8)'s `fwd' option, or with natd(8).

From owner-freebsd-ipfw Thu Sep 6 14:05:30 2001
From: Phil C
To: freebsd-ipfw@FreeBSD.ORG, alexus
Date: Thu, 6 Sep 2001 17:08:21 -0400
Subject: Re: ipfw w/ port routing from telnet port to ssh
Message-ID: <20010906170821.A3777@planw-65-33-233-186.pompano.net>
In-Reply-To: <007a01c136fd$eab7e2b0$0d00a8c0@alexus>

I do not know if anyone bothered to tell you, but telnet'ing to 23 only to be forwarded to 22 will not work. The connection is encrypted on 22, so a plain text telnet protocol will probably only turn up whacky errors for the people trying to telnet in.

You would probably be better off either telling people directly not to use telnet, or using tcpd/tcpwrappers to do something like:

telnet: ALL: twist /bin/echo "You are not welcome to use %d, use ssh instead"

If you want to be nice to people....

-- 
Phil

Thus spake alexus, on the year of our L*rd Thu, Sep 06, 2001 at 02:01:13PM -0400:
> would you care to share? :)
>
> please?
>
> thank you in advance

From owner-freebsd-ipfw Thu Sep 6 15:38:14 2001
From: "Jeroen Massar"
To: freebsd-ipfw@FreeBSD.ORG, "'alexus'"
Date: Fri, 7 Sep 2001 00:35:35 +0200
Subject: RE: ipfw w/ port routing from telnet port to ssh
Message-ID: <005e01c13724$3f1f70e0$420d640a@HELL>
In-Reply-To: <20010906170821.A3777@planw-65-33-233-186.pompano.net>

Or the easiest way:

Edit /etc/ssh/sshd_config and add an extra "Listen 23", disable telnetd from inetd.conf (which one should always do IMHO) and restart inetd & sshd....

That's the nice way of doing things... :)

Greets,
Jeroen

From owner-freebsd-ipfw Thu Sep 6 15:41:50 2001
From: "alexus" <ml@db.nexgen.com>
To: "Jeroen Massar", freebsd-ipfw@FreeBSD.ORG
Date: Thu, 6 Sep 2001 18:41:38 -0400
Subject: Re: ipfw w/ port routing from telnet port to ssh
Message-ID: <002501c13725$171cb700$0d00a8c0@alexus>
References: <005e01c13724$3f1f70e0$420d640a@HELL>

eh.. not good.. i need to leave telnet alone for internal ip use and forward all traffic from one and only one ip to port 22

----- Original Message -----
From: "Jeroen Massar"
To: <freebsd-ipfw@FreeBSD.ORG>; "'alexus'"
Sent: Thursday, September 06, 2001 6:35 PM
Subject: RE: ipfw w/ port routing from telnet port to ssh

> Or the easiest way:
>
> Edit /etc/ssh/sshd_config and add an extra "Listen 23", disable telnetd
> from inetd.conf (which one should always do IMHO) and restart inetd &
> sshd....
> That's the nice way of doing things... :)
>
> Greets,
> Jeroen
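The following is an added example, not code from anyone in the thread, showing the ipfw(8) `fwd' approach Ruslan named, narrowed to the one source address alexus asked for while plain telnet stays open for the internal network. In ipfw, `fwd' with a local address as the target delivers the matching packet to that local port, so inbound TCP/23 from the one client is handed to the sshd already listening on 22 and nothing in sshd_config changes. The CLIENT, SERVER and INTERNAL addresses are placeholders; the rule numbers and the 10/8 internal range are likewise assumptions. The script emits the rules as a dry run so they can be reviewed, and the first_match function is a small reference model of ipfw's first-match evaluation, there to confirm that each kind of source gets the intended action before anything is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw(8) 'fwd' rules that hand TCP/23
# from exactly one remote address to the local sshd on TCP/22, while telnet
# on TCP/23 keeps working for the internal network and is refused elsewhere.
# CLIENT, SERVER and INTERNAL are placeholder values, not from the thread.

CLIENT="${CLIENT:-192.0.2.10}"       # the one remote user stuck behind a firewall
SERVER="${SERVER:-203.0.113.5}"      # this box's address ('me' also works in ipfw)
INTERNAL="${INTERNAL:-10.0.0.0/8}"   # where plain telnet is still permitted
IPFW="${IPFW:-ipfw}"

# Emit the rules in order. ipfw stops at the first matching rule, so the
# fwd rule must sit before any rule that would allow or deny port 23.
fwd_rules() {
    cat <<EOF
$IPFW add 100 fwd 127.0.0.1,22 tcp from $CLIENT to $SERVER 23 in
$IPFW add 110 allow tcp from $INTERNAL to $SERVER 23 in
$IPFW add 120 deny tcp from any to $SERVER 23 in
EOF
}

# Dry run by default; set APPLY=yes to load the rules for real (needs root,
# and on FreeBSD 4.x a kernel built with 'options IPFIREWALL_FORWARD').
apply_rules() {
    if [ "${APPLY:-no}" = yes ]; then
        fwd_rules | sh
    else
        fwd_rules
    fi
}

# Reference model of ipfw's first-match evaluation over the rules above, so
# the outcome for a source address can be checked before touching the kernel.
# Understands exact hosts, 'any' and /8 prefixes, which is all these rules
# use. Prints fwd, allow or deny.
first_match() {
    src="$1"
    result="deny"              # fall-through value; the 'any' rule always matches anyway
    rules=$(fwd_rules)
    while IFS= read -r line; do
        # action is the word after the rule number; from is the source spec
        action=$(printf '%s\n' "$line" | sed 's/^.* add [0-9]* \([a-z]*\).*/\1/')
        from=$(printf '%s\n' "$line" | sed 's/.* from \([^ ]*\) .*/\1/')
        case "$from" in
            any)      result="$action"; break ;;
            */8)      case "$src" in
                          "${from%%.*}".*) result="$action"; break ;;
                      esac ;;
            "$src")   result="$action"; break ;;
        esac
    done <<EOF
$rules
EOF
    echo "$result"
}

apply_rules
```

Run it as-is to see the three rules; run with APPLY=yes as root to load them. The client then connects with an ssh client pointed at port 23 (ssh -p 23 host), which is Phil's point: a telnet client talking to the forwarded socket gets sshd's banner and garbage, not a login. Scoping the fwd rule to one source address is what keeps this from silently exposing a second ssh port to the whole network, which is also why alexus turned down the sshd_config alternative; for completeness, OpenSSH expresses that alternative with a second Port directive (Port 22 and Port 23), since Port may be given more than once.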