On Wed, 2003-07-30 at 16:03, Robert G. Brown wrote:
> On 30 Jul 2003, Aleksander Demko wrote:
> Wow! That's paranoid! I can understand controlling the sockets it
> offers, as buffer overwrite attacks on daemons (sometimes even including
> httpd and sshd:-) are a standard cracker point of egress, but what
> exactly is the motivation for preventing outgoing connections under the
[...]

Paranoid? I guess, but we didn't see a need to make outbound connections,
so we blocked them off. If the machine is haxxored this way, it can't be
used as a jump point to other machines (either to DoS or just to mislead).
In case it's not obvious, the machine itself does not do the blocking, but
the router in front of it. Also, I don't control the networking here, just
the Linux boxes, and that's the way the law was laid down :)

You should see the iptables I have on my home box. And the chroot jails...
I can't wait until linux-uml makes it back into RH kernels.

> Given a system myhost from which rsync to the repository you wish to
> mirror works (according to the test Seth mentioned earlier) rsynchost,
> connect to the insanely paranoid server myserver that regulates
> outgoing port connections (which could only be made, deliberately, by
> its systems staff):
>
> ssh -l root 873:rsynchost:873 myserver

Yeah, I figured I could do a hardwired -R trick. But it becomes tedious
now as it's host by host. Good to know though.

I've used hardwired tricks to access (internal) flexlm based license
servers from a (DMZed) cluster. I didn't like it, and it's not very
scalable. Some programs get confused with the changing of IPs too.

> This works, as I tried it. The one negative thing is that rsync
> >>requires<< a privileged port to work in anonymous mode (at least, so I
> grok from experiments and the man page -- you can specify a host:port in
> just about any modes BUT anonymous mode) you have to run the ssh
> connection to the server as root on myserver. Alternatively, it has to
> be bone simple to hack rsync source to connect to e.g. port 33333 or
> some other unprivileged value for anonymous mode so you could replace
> the ssh above with just plain

Hack the source? Run as root? These sound like options of desperation :)

I think the most general solution is to have an internal FTP proxy, and
-R over to that, using passive wget/-mirror. Until then, I'll just use my
little python script :)

> ssh 33333:rsynchost:873 myserver
>
> and use
>
> rsync localhost::
>
> thereafter.
>
> I personally think that it makes more sense to just open outgoing
> connections to 873 in iptables or ipfilters that are currently blocking
> it, but if this is impossible and you have a user account on myhost
> outside the firewall and root privileges on myserver inside the
> firewall, you should be good to go...

Yeah, but I don't control the firewall and would have a tough time
selling any plan that requires punching holes in the firewall.

--
// Aleksander.Demko@xxxxxxxxxxxxxx ademko@xxxxxx scopira.org //