
Re: Port forwarding OpenSSH: firewalled box open to non-ssh exploits?



On Fri, Feb 16, 2001 at 12:19:49PM -0600, Robert Guthrie wrote:
> I'm reading up on everything I can lay my eyes on with regards to setting up 
> a masquerading firewall.  I have a 486 that I use solely for doing 
> masq+firewall, and plan to lock down all ports below 1024 except for a few 
> like ftp (from inside to the world, not the other way), and OpenSSH.

> For ssh, I'm concerned that the 486 can't handle the encryption/decryption of 
> ssh in a timely manner and still let my wife play Everquest through the 
> firewall.  So I'm thinking that I'll just have it forward any connections 
> coming in for ssh to my "everything" server box (dual celeron), which will 
> be running the sshd.

Forwarding packets between interfaces requires very little CPU resources. Sshd consumes less than top. A 386-40 on a 64k line runs at about 80% idle. A 486 even more. The real bottleneck is bandwidth usage. I don't know Everquest, but most games require about 28.8kbps. If Everquest fills your entire bandwidth, it doesn't matter how fast your host is. 

> My question is simple: will forwarding that one port...
> 1. Work at all?  sshd should respond to the incoming connection on a port 
> above 1023, right?

sshd can be configured to use other ports, including > 1023. It also supports using more ports at a time. With port forwarding you should be able to make all redirecting you desire.

> 2. Open up my server to exploits of other services running on it (samba, nfs, 
> apache, etc...)?  Since the packets are going to be allowed on to my private 
> network, will that expose me attacks that somehow ride in over the forwarded 
> sshd port?

Port forwarding works like:
 forward incoming connections from tcp/udp port a on interface b to port c on host d.
If you configure your forwarding rules correctly, you should only need to worry about bugs in sshd and in the firewall.

> Thanks in advance.  While the concept of firewalls isn't new to me, I've 
> never known how to really lock my system down so that it could be on 24/7 
> and not be left wide open to script kiddies.  Hopefully the howtos, man 
> pages, and responses on this list will help me keep the hordes at bay.

Take time to plan the configuration.

What should be allowed? What should not?
What is required to achieve?
Write your own howto, plan or whatever.
Let someone check it for errors and completeness.
Build your firewall.
Evaluate.

> FYI: The firewall is a 486 running potato, with latest security patches 
> fetched once a day.  Server is a dual celeron running testing, with everything 
> but X and the kitchen sink installed; if it's neat and I plan on playing with 
> it, it's installed.

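Added example, not from this thread or its authors: a shell snippet that generates the netfilter rules for the single-port forward discussed above (one external TCP port on the firewall to sshd on the inside server), with the FORWARD rule scoped to that host and port so the server's other services (samba, nfs, apache) stay unreachable from outside, plus a check that flags overly broad forward rules. It assumes a Linux firewall with iptables rather than the ipchains/ipmasqadm tooling of the potato era, and the interface and address values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates the rules for
# forwarding one external TCP port to sshd on an inside host, allowing
# nothing else through the firewall to that host.
# Assumes: Linux with iptables; net.ipv4.ip_forward=1 already set.
# Interface and address values below are placeholders.

# fw_rules EXT_IF EXT_PORT INT_HOST INT_PORT
# Prints the rule set, one iptables command per line:
#   1. default-deny for forwarded traffic
#   2. rewrite the destination of new connections on EXT_PORT
#   3. allow only the rewritten flow (this host, this port) inward
#   4. allow only the replies of that flow outward
fw_rules() {
    ext_if=$1; ext_port=$2; int_host=$3; int_port=$4
cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $ext_port -j DNAT --to-destination $int_host:$int_port
iptables -A FORWARD -i $ext_if -p tcp -d $int_host --dport $int_port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $ext_if -p tcp -s $int_host --sport $int_port -m state --state ESTABLISHED -j ACCEPT
EOF
}

# rule_is_narrow RULE
# Returns 0 if a FORWARD ACCEPT rule names both a destination host and a
# destination port; returns 1 for anything broader, e.g. a rule that
# forwards every port to the inside host (the mistake that would expose
# samba/nfs/apache through the ssh hole).
rule_is_narrow() {
    case "$1" in
        *" -d "*" --dport "*) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_rules EXT_IF EXT_PORT INT_HOST INT_PORT
# Executes the generated rules (needs root); not called at load time.
apply_rules() {
    fw_rules "$@" | sh -e
}
```

Run `apply_rules eth0 2222 192.168.1.10 22` as root to install the forward, and pass any hand-written FORWARD ACCEPT line to `rule_is_narrow` before adding it to your script.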