I have a master directory server behind a firewall that uses NAT. I want to place a read only server behind a different firewall. The new server does have a public IP address. Here is my setup:

Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only

My initial thought was to write a script (All done and works) that SSHs to the RO server and creates local and remote SSH tunnels. That would allow me to point the servers to localhost on specific ports so that they would get redirected appropriately and securely. Right now I am having problems getting them to work the way I want them to. I had it partially working yesterday, but they were synchronizing like a normal system (out of SSH, over port 389).

Does anybody have any ideas how this should be done securely? It is going over the Internet, so security is a must.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Patrick Morris
2007-Jan-10 20:36 UTC
Re: [Fedora-directory-users] FDS behind NATed firewall
On Wed, 10 Jan 2007, Nathaniel Hall wrote:

> I have a master directory server behind a firewall that uses NAT. I
> want to place a read only server behind a different firewall. The new
> server does have a public IP address. Here is my setup:
>
> Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only
>
> My initial thought was to write a script (All done and works) that SSHs
> to the RO server and creates local and remote SSH tunnels. That would
> allow me to point the servers to localhost on specific ports so that
> they would get redirected appropriately and securely. Right now I am
> having problems getting them to work the way I want them to. I had it
> partially working yesterday, but they were synchronizing like a normal
> system (out of SSH, over port 389).
>
> Does anybody have any ideas how this should be done securely? It is
> going over the Internet, so security is a must.

I've had decent luck using stunnel for this sort of thing. I've found it to work a lot more reliably than SSH tunnels.
I have never gotten this suggestion to work but I did not try it much. You can use Point to Point IPsec tunneling. This will remove the SSH layer. It will be more natural in terms of IP resolution and more standard than making tunnels.

Edward

On 1/10/07, Patrick Morris <patrick.morris@hp.com> wrote:
>
> On Wed, 10 Jan 2007, Nathaniel Hall wrote:
>
> > I have a master directory server behind a firewall that uses NAT. I
> > want to place a read only server behind a different firewall. The new
> > server does have a public IP address. Here is my setup:
> >
> > Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only
> >
> > My initial thought was to write a script (All done and works) that SSHs
> > to the RO server and creates local and remote SSH tunnels. That would
> > allow me to point the servers to localhost on specific ports so that
> > they would get redirected appropriately and securely. Right now I am
> > having problems getting them to work the way I want them to. I had it
> > partially working yesterday, but they were synchronizing like a normal
> > system (out of SSH, over port 389).
> >
> > Does anybody have any ideas how this should be done securely? It is
> > going over the Internet, so security is a must.
>
> I've had decent luck using stunnel for this sort of thing. I've found
> it to work a lot more reliably than SSH tunnels.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Nathaniel Hall
2007-Jan-10 21:40 UTC
Re: [Fedora-directory-users] FDS behind NATed firewall
I have been trying to do this for a couple of days. It worked at one point, but it was replicating in plaintext. Alternatively, what I am trying is to point the read only system to the master through SSH tunnels and set up replication through the standard SSL port. I had a very similar setup yesterday, but mixed in with my changes I lost it. It just wasn't using SSL.

Eddie C wrote:
> I have never gotten this suggestion to work but I did not try it much.
> You can use Point to Point IPsec tunneling. This will remove the SSH
> layer. It will be more natural in terms of IP resolution and more
> standard than making tunnels.
>
> Edward
>
>
> On 1/10/07, *Patrick Morris* <patrick.morris@hp.com
> <mailto:patrick.morris@hp.com>> wrote:
>
> > On Wed, 10 Jan 2007, Nathaniel Hall wrote:
> >
> > > I have a master directory server behind a firewall that uses NAT. I
> > > want to place a read only server behind a different firewall. The new
> > > server does have a public IP address. Here is my setup:
> > >
> > > Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only
> > >
> > > My initial thought was to write a script (All done and works) that SSHs
> > > to the RO server and creates local and remote SSH tunnels. That would
> > > allow me to point the servers to localhost on specific ports so that
> > > they would get redirected appropriately and securely. Right now I am
> > > having problems getting them to work the way I want them to. I had it
> > > partially working yesterday, but they were synchronizing like a normal
> > > system (out of SSH, over port 389).
> > >
> > > Does anybody have any ideas how this should be done securely? It is
> > > going over the Internet, so security is a must.
> >
> > I've had decent luck using stunnel for this sort of thing. I've found
> > it to work a lot more reliably than SSH tunnels.
>
David Boreham
2007-Jan-11 02:20 UTC
Re: [Fedora-directory-users] FDS behind NATed firewall
One thing to watch when using software tunnels is that there was (is still?) a bug in the LDAP protocol library underneath the server where, if packets are fragmented in strange and unnatural ways, the server just won't work properly (it fails to decode the LDAP PDU header properly). This happens for example if the tunnel software ends up sending only a few bytes of the beginning of a PDU as a TCP segment. Basically you can send perfectly correct LDAP, but fragmented in just the wrong way, and the server will not decode it correctly. I'm not sure if this is a real issue any longer but thought it worth mentioning.
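An added illustration of the framing problem David describes (this is example code, not from the thread or from the directory server's protocol library): a small LDAP PDU framer that buffers the BER tag and length until the whole header has arrived, so a tunnel that delivers the first few bytes of a PDU as their own TCP segment is decoded correctly instead of being mis-parsed. The BindRequest bytes are a constructed sample, hand-encoded for the demonstration.

```python
def ber_header(buf):
    """Return (header_len, body_len) for the BER tag+length at the start of
    buf, or None if more bytes are needed; ValueError on malformed input."""
    if len(buf) < 2:
        return None
    if buf[0] != 0x30:
        raise ValueError("LDAPMessage must be a BER SEQUENCE (tag 0x30)")
    first = buf[1]
    if first < 0x80:                 # short form: this byte is the length
        return 2, first
    n = first & 0x7F                 # long form: n more length bytes follow
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length encoding")
    if len(buf) < 2 + n:             # length bytes not all here yet
        return None
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")

class LdapFramer:
    def __init__(self):
        self._buf = b""              # bytes received but not yet framed

    def feed(self, segment):
        """Append one TCP segment; return every PDU that is now complete."""
        self._buf += segment
        pdus = []
        while (hdr := ber_header(self._buf)) is not None:
            total = hdr[0] + hdr[1]
            if len(self._buf) < total:
                break                # body still arriving: wait for more
            pdus.append(self._buf[:total])
            self._buf = self._buf[total:]
        return pdus

# Constructed sample: a BER-encoded LDAP BindRequest (messageID 1, LDAPv3,
# name "cn=replica", simple password "x"); not captured from any real server.
BIND_REQUEST = bytes([
    0x30, 0x17,                      # LDAPMessage SEQUENCE, 23 bytes follow
    0x02, 0x01, 0x01,                # messageID INTEGER 1
    0x60, 0x12,                      # BindRequest [APPLICATION 0], 18 bytes
    0x02, 0x01, 0x03,                # version INTEGER 3
    0x04, 0x0A, *b"cn=replica",      # name OCTET STRING
    0x80, 0x01, 0x78,                # authentication: simple "x"
])

def frame_in_pieces(data, piece):
    """Deliver data in piece-byte segments, as a tunnel might; return the PDUs."""
    framer, out = LdapFramer(), []
    for i in range(0, len(data), piece):
        out.extend(framer.feed(data[i:i + piece]))
    return out
```

Feeding the same bytes one or two at a time yields exactly the same PDUs as a single read would, which is the property a decoder must have to survive the segmentation the tunnel introduces.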