
Re: Re[4]: Firewall in an internet-caffe



> > So my preference would be to use the 32 IP addresses for the DMZ, I'd run
> > a squid proxy,
>
> Quite impossible. Squid needs a fast hard disc, unreachable (yet!). Maybe
> some day, but not now.

Actually if you don't have much browsing going on, it will not need fast
disk, and you can get away with IDE and use a cheap disk.  Not ideal but it
will still be faster than the net connection.

What it does buy you is the benefit of NAT, keeping all the 'doze boxes off
the Internet.  Masquerading sometimes needs a module, to handle things like
ftp, Quake which don't simply connect to one port, or have server to client
connections being opened.

> > It's not really clear to me what you are protecting,
>
> Mostly windows (DoS attacks) and Linux from the previous administrator.
> He enjoys cracking in and destroying data from hdd. :(

Hmm, here we'd report this to the police ;)

> > then you are only left with the problem of the shell accounts.  This should
> > really be on a separate machine, a play pen box, which is not trusted,
> > depending on what you're offering it might be best to segregate that one
> > completely by splitting the DMZ.
>
> I thought about modified bash with double logging, sending log backup
> every 30min to trusted server, extension to bash that allows accepting
> and denying some commands. That's my friend's idea. It will be easy one.
> I want to cheat a little, so I'm going to copy almost every file from /
> to /fake and start every shell account from there. It will take users
> some time to find out what's going on...
> I know it'll consume some space, but I think it's worth it.

There used to be a System V shell called rsh, for restricted shell, with
that you were in a very limited environment, and could only run a subset of
commands.
There must be something out there already which does this.

The chown is a good idea, but if you do that make sure there's no C
compiler.  You could also set the inode of .. to itself in /fake's
directory, to avoid break outs.

Rob
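As an added illustration of the "play pen" idea discussed above (not code from the thread or from Squid/bash): a POSIX shell script that builds a minimal tree for the restricted accounts, copying only named binaries and their shared libraries, and then audits it for the escape aids Rob mentions. The jail path, the binary list and the audited tool names are assumptions.

```shell
#!/bin/sh
# Build a minimal directory tree for shell accounts and audit it for escape aids.
# Added example; the jail path, binary list and tool names are assumptions.
set -u

# jail_populate JAIL BIN...: copy each binary plus the shared libraries ldd reports,
# keeping the libraries at their original paths below JAIL.
jail_populate() {
    jail=$1; shift
    mkdir -p "$jail/bin" "$jail/lib" "$jail/etc" "$jail/home" || return 1
    for bin in "$@"; do
        cp "$bin" "$jail/bin/" || return 1
        if command -v ldd >/dev/null 2>&1; then
            ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
            while read -r lib; do
                mkdir -p "$jail$(dirname "$lib")"
                cp "$lib" "$jail$lib" 2>/dev/null || true
            done
        fi
    done
    # directories in the jail must not be writable by the untrusted users
    find "$jail" -type d -exec chmod 0755 {} +
}

# jail_audit JAIL: return 0 only when no compiler, assembler or linker is present,
# no set-uid/set-gid file exists, and no directory is world-writable.
jail_audit() {
    jail=$1
    status=0
    for tool in cc gcc tcc clang as ld; do
        if [ -n "$(find "$jail" -type f -name "$tool" 2>/dev/null)" ]; then
            echo "audit: $tool found inside $jail" >&2; status=1
        fi
    done
    if [ -n "$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)" ]; then
        echo "audit: set-uid/set-gid file inside $jail" >&2; status=1
    fi
    if [ -n "$(find "$jail" -type d -perm -0002 2>/dev/null)" ]; then
        echo "audit: world-writable directory inside $jail" >&2; status=1
    fi
    return $status
}
```

Run `jail_populate /fake /bin/sh` as root and then `jail_audit /fake` before pointing any account's login shell into it; the audit must be repeated whenever files are added to the tree.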
