I am trying to allow ssh from port xxxx from two hosts on "net" to $FW on port 22.
SSH/ACCEPT net:host,host $FW works for ssh -> ssh, but how can I rewrite this to receive on another port and translate it to the default 22:tcp?

I thought it would be:
ACCEPT net:host,host $FW:22 tcp xxxx
but that doesn't work?

Thanks!
jlc

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Joseph L. Casale wrote:
> I am trying to allow ssh from port xxxx from two hosts on "net" to $FW on port 22.
> SSH/ACCEPT net:host,host $FW works for ssh -> ssh, but how can I rewrite this to receive on another
> port and translate it to the default 22:tcp?
>
> I thought it would be:
> ACCEPT net:host,host $FW:22 tcp xxxx but that doesn't work?

REDIRECT net:host,host 22 tcp xxxx

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Format is

ACTION SRC DEST PROTO DESTPORT SRCPORT

ACCEPT net:host,host $FW tcp 22 XXXX

--On July 3, 2008 3:06:26 PM -0600 "Joseph L. Casale" <JCasale@activenetwerx.com> wrote:
> I am trying to allow ssh from port xxxx from two hosts on "net" to $FW on
> port 22. SSH/ACCEPT net:host,host $FW works for ssh -> ssh, but
> how can I rewrite this to receive on another port and translate it to the
> default 22:tcp?
>
> I thought it would be:
> ACCEPT net:host,host $FW:22 tcp xxxx but that doesn't
> work?
>
> Thanks!
> jlc

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler
Michael Loftis wrote:
> Format is
>
> ACTION SRC DEST PROTO DESTPORT SRCPORT
>
> ACCEPT net:host,host $FW tcp 22 XXXX

I think he wanted destination port translation, rather than restricting the client to binding to a particular port (xxxx).

-Tom
--On July 3, 2008 2:30:28 PM -0700 Tom Eastep <teastep@shorewall.net> wrote:
> Michael Loftis wrote:
>> Format is
>>
>> ACTION SRC DEST PROTO DESTPORT SRCPORT
>>
>> ACCEPT net:host,host $FW tcp 22 XXXX
>
> I think he wanted destination port translation, rather than restricting
> the client to binding to a particular port (xxxx).

Ah, you're quite probably right. Hard to tell from his wording. Either way, he should now have the right answer. :)

> -Tom
Tom Eastep wrote:
> Joseph L. Casale wrote:
>> I am trying to allow ssh from port xxxx from two hosts on "net" to $FW on port 22.
>> SSH/ACCEPT net:host,host $FW works for ssh -> ssh, but how can I rewrite this to receive on another
>> port and translate it to the default 22:tcp?
>>
>> I thought it would be:
>> ACCEPT net:host,host $FW:22 tcp xxxx but that doesn't work?
>
> REDIRECT net:host,host 22 tcp xxxx

Note, however, that with the above rule it will still be possible to connect directly to port 22 as well as port xxxx. To prevent that, please see the suggestion in Shorewall FAQ 1E.

-Tom
>> I think he wanted destination port translation, rather than restricting
>> the client to binding to a particular port (xxxx).

Yup!

> Ah, you're quite probably right. Hard to tell from his wording. Either
> way, he should now have the right answer. :)

Sorry about the lack of clarity. I needed to ssh into the actual firewall from the net and restrict this access to two hosts. I also wanted to connect to port xxxx but have it translated to the actual ssh port that sshd runs on.

For the sake of interest, what exactly does the method Michael proposed do? I am a little confused :)

Thanks guys for the quick help!
jlc
> Note, however, that with the above rule it will still be possible to
> connect directly to port 22 as well as port xxxx. To prevent that,
> please see the suggestion in Shorewall FAQ 1E.
>
> -Tom

Ugh, that was my first attempt (FAQ 1E), but I neglected to change the "loc" to a "fw". Apologies for skipping the FAQ, sorry guys!

Thanks for being patient :)
jlc
Joseph L. Casale wrote:
>>> I think he wanted destination port translation, rather than restricting
>>> the client to binding to a particular port (xxxx).
>
> For the sake of interest, what exactly does the method Michael proposed do?
> I am a little confused :)

It would require the ssh client to bind its connecting socket to port xxxx. I don't think ssh even has an option to specify the local port number used for its connecting socket.

-Tom
Joseph L. Casale wrote:
> I am trying to allow ssh from port xxxx from two hosts on "net" to $FW on port 22.
> SSH/ACCEPT net:host,host $FW works for ssh -> ssh, but how can I rewrite this to receive on another
> port and translate it to the default 22:tcp?
>
> I thought it would be:
> ACCEPT net:host,host $FW:22 tcp xxxx but that doesn't work?

Gee, whenever I set up a new system, the first thing I do when I log into it is to edit sshd.conf and change the port number, then restart the service.....
> Gee, whenever I set up a new system, the first thing I do when I log into
> it is to edit sshd.conf and change the port number, then restart the
> service.....

Well, here begins a huge battle of flames then :P

I am adamantly against Security by Obscurity. I believe it falsely gives you only a sense of security. The only threats you avoid with that are silly script kiddies or ankle biters. If the lame scan-brute-force attack penetrates you, shame on you. It's the guy who isn't fooled by your simple port change that you need to worry about. You had better have done lots more than that to avoid him...

Notice my open ssh port is only available to two hosts on the net. If I am not at either of those to gain access, I will usually bounce, and the likelihood of that getting figured out is, well, uhm, not easy.

But everyone does their own things their own way...
jlc
On Thu, Jul 03, 2008 at 06:48:43PM -0600, Joseph L. Casale wrote:
> > Gee, whenever I set up a new system, the first thing I do when I log into
> > it is to edit sshd.conf and change the port number, then restart the
> > service.....
>
> Well, here begins a huge battle of flames then :P
> I am adamantly against Security by Obscurity. I believe it falsely gives
> you only a sense of security. The only threats you avoid with that are silly
> script kiddies or ankle biters. If the lame scan-brute-force attack penetrates
> you, shame on you. It's the guy who isn't fooled by your simple port change that
> you need to worry about. You had better have done lots more than that to avoid him...

If that is the only thing being done to secure sshd, then you have a point. However, don't forget about "defense in depth." He said it is the first thing that he does, not the only thing.

> Notice my open ssh port is only available to two hosts on the net. If I am not
> at either of those to gain access, I will usually bounce, and the likelihood of
> that getting figured out is, well, uhm, not easy.
>
> But everyone does their own things their own way...

Yes. Personally, I leave port 22 open to every single address, but I prefer to restrict access to only keys and kerberos tickets and rate limit connections (1/min with a burst of 2) to hosts outside of my own network.

Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Joseph L. Casale wrote:
>> Gee, whenever I set up a new system, the first thing I do when I log into
>> it is to edit sshd.conf and change the port number, then restart the
>> service.....
>
> Well, here begins a huge battle of flames then :P
> I am adamantly against Security by Obscurity.

I work in Security. My day job is as a researcher of security protocols for ICSAlabs.

> I believe it falsely gives you only a sense of security. The only threats you avoid with that are silly
> script kiddies or ankle biters.

There is just sooooo much traffic to port 22. Once those scripts find out that it is open, they just pound away. So I move it. It may get discovered and then get a low-level attack, but they have not killed my bandwidth as the port 22 attacks were doing.

Actually, the port move is only to address the potential DOS impact of script kiddies. I have other defenses in place. I have been a vocal belts-and-suspenders advocate since the mid-90s.

So with these words, I will drop this thread.
Robert Moskowitz wrote:
> There is just sooooo much traffic to port 22. Once those scripts find
> out that it is open, they just pound away. So I move it. It may get
> discovered and then get a low-level attack, but they have not killed my
> bandwidth as the port 22 attacks were doing.

The Shorewall 'Limit' action is very effective at stopping the bandwidth killing. See http://www.shorewall.net/PortKnocking.html#Limit (don't be misled by the page name -- this is not a Port Knocking approach).

-Tom
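A rules-file fragment that puts together the two pieces from this thread, Tom's REDIRECT rule and the Limit action he links: this is an added illustration, not code from the thread or from the Shorewall project. The two host addresses and port 2222 are constructed placeholders, and the Limit column syntax is taken from the Shorewall page Tom cites, so check it against your Shorewall version.

```shorewall
# /etc/shorewall/rules fragment (constructed example; the 192.0.2.x
# addresses and port 2222 are placeholders for the two admin hosts and xxxx)
#ACTION                 SOURCE                      DEST    PROTO   DEST PORT(S)

# Limit action from the page Tom links: at most 3 new SSH connections per
# 60 seconds per source address, tracked under the recent-table tag SSHA.
# It is listed first so it is evaluated before the ACCEPT that the REDIRECT
# rule generates; after the redirect the packet carries destination port 22.
Limit:none:SSHA,3,60    net:192.0.2.10,192.0.2.20   $FW     tcp     22

# Tom's rule: connections from the two hosts arriving on port 2222 are
# redirected to sshd on port 22 of the firewall itself.
REDIRECT                net:192.0.2.10,192.0.2.20   22      tcp     2222

# As Tom notes, the REDIRECT rule still lets those two hosts connect directly
# to port 22; Shorewall FAQ 1E covers closing that and is not reproduced here.
```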