[Gllug] Shiny new Firewall

tet at accucard.com
Mon Jul 15 20:10:23 UTC 2002


>Even so, I have never needed to ssh in to the firewall directly so
>I may as well leave it closed. I have port forwarded port 9997 (for
>no other reason than that it is out of the way) to my internal Linux
>desktop box (which has openssh 3.4) and I always log in to that first
>from outside and then ssh back to the firewall internally.

I've always taken the attitude that port forwarding past the firewall
is generally a higher security risk than going directly onto the firewall
and then onto the final destination. In this case, it turned out not to
be, but I think it probably still holds true as a general rule. Hence,
I allow external ssh access to my firewalls.

>Shall I post the 'pf.conf' rules for people to have a look at or is
>that a bad idea? Is anyone interested in what is on the original box
>or shall I just wipe it and start over?

It's probably not a bad idea (if for no other reason than it gives the
rest of us a chance to see how others are doing things :-). If you're
paranoid, you might want to doctor it to change your IP ranges to
something other than their real values, just in case there's a glaring
hole, and a suitably malicious reader on the list (or browsing the
archives).

Tet


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
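The suggestion above to doctor the IP ranges before posting a pf.conf is easy to get wrong by hand: replace addresses inconsistently and reviewers can no longer tell which hosts belong to which networks. The script below is an added example (not code from anyone in this thread) that renumbers every IPv4 literal in a ruleset consistently: the same real address always becomes the same fake one, prefix lengths are kept, and a host inside an already-seen network keeps its offset inside that network's replacement, so the structure of the rules survives while the real ranges do not. The pf.conf fragment and its addresses are constructed for the example, and the 10.0.0.0/8 replacement pool is an arbitrary choice.

```python
"""Consistently renumber IPv4 addresses in a pf.conf before posting it.

Added example, not from the GLLUG thread. The sample ruleset below and its
addresses are made up; the 10.0.0.0/8 pool used for replacements is arbitrary.
"""
import ipaddress
import re

# Dotted-quad IPv4 literal with an optional /prefix, not embedded in a longer
# dotted or alphanumeric token (so "v1.2.3.4" or "a10.0.0.1" are not touched).
ADDR_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?(?![\w.])")

# Constructed sample ruleset; the addresses here are illustrative, not real.
SAMPLE_PF_CONF = """\
ext_if = "xl0"
int_if = "xl1"
desktop = "192.168.1.20"
admin_net = "203.0.113.0/28"
table <trusted> { 192.168.1.0/24, 203.0.113.5 }

rdr on $ext_if proto tcp from $admin_net to ($ext_if) port 9997 -> $desktop port 22
pass in on $int_if proto tcp from 192.168.1.0/24 to ($int_if) port 22 keep state
pass in on $ext_if proto tcp from 203.0.113.5 to ($ext_if) port 22 keep state
"""


class Renumberer:
    """Maps real IPv4 networks/hosts to fake ones drawn from a private pool."""

    def __init__(self, pool="10.0.0.0/8"):
        self.pool = ipaddress.ip_network(pool)
        self.used = 0          # pool addresses handed out so far
        self.mapping = {}      # real IPv4Network -> fake IPv4Network

    def _allocate(self, prefixlen):
        """Carve the next unused, properly aligned block of this size from the pool."""
        size = 1 << (32 - prefixlen)
        start = -(-self.used // size) * size   # round up to a multiple of size
        if start + size > self.pool.num_addresses:
            raise RuntimeError("replacement pool exhausted")
        self.used = start + size
        return ipaddress.ip_network((int(self.pool.network_address) + start, prefixlen))

    def replacement_for(self, net):
        """Return the fake network for net, creating it on first sight."""
        if net in self.mapping:
            return self.mapping[net]
        # If a wider network containing net was already mapped, keep the same
        # offset inside the fake parent so membership stays reviewable.
        parents = [o for o in self.mapping if net.subnet_of(o)]
        if parents:
            parent = max(parents, key=lambda o: o.prefixlen)   # most specific
            offset = int(net.network_address) - int(parent.network_address)
            fake = ipaddress.ip_network(
                (int(self.mapping[parent].network_address) + offset, net.prefixlen))
        else:
            fake = self._allocate(net.prefixlen)
        self.mapping[net] = fake
        return fake


def redact_pf_conf(text, pool="10.0.0.0/8"):
    """Return (redacted_text, mapping) with every IPv4 literal renumbered.

    mapping is {real: fake} as strings, for the poster's own records only;
    it must not be published alongside the sanitised ruleset.
    """
    r = Renumberer(pool)
    # Map widest networks first so that hosts land inside their fake parents.
    found = {ipaddress.ip_network(m.group(0), strict=False) for m in ADDR_RE.finditer(text)}
    for net in sorted(found, key=lambda n: (n.prefixlen, int(n.network_address))):
        r.replacement_for(net)

    def substitute(m):
        fake = r.mapping[ipaddress.ip_network(m.group(0), strict=False)]
        # Keep the original's form: bare address stays bare, CIDR stays CIDR.
        return str(fake) if m.group(2) is not None else str(fake.network_address)

    return ADDR_RE.sub(substitute, text), {str(k): str(v) for k, v in r.mapping.items()}


if __name__ == "__main__":
    redacted, _mapping = redact_pf_conf(SAMPLE_PF_CONF)
    print(redacted)
```

Run it over the real file and post only the first element of the returned pair; the mapping is there so the poster can translate replies back to the real addresses. Rules that depend on interface names or macros are untouched, so the forwarding logic (here the rdr of port 9997 onto port 22 of the desktop) remains visible to reviewers.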
