Hi All,

I've been quietly watching the list as my Shorewall hums away content. But now I've got a problem. I have a friend (say client) who is outside my firewall and accesses my webserver via FTP to update his website (virtual server). Before the flames go flying... I offer him FTP as I can't get him to use SSH/SCP (let's just not go there). Everything was peachy while he had a static IP as I just allowed his ip/TCP port 21. Now his provider has suddenly decided to go dynamic. I would change the filter to his MAC, but Tom has said in the past that Shorewall (or maybe it was IPTables) doesn't support MAC filtering.

So, my question is - What can I do that would be painless for the unknowledgeable/unwilling "client" and keep my sanity?

Wayne

/insert witty quote here/

---------------------------------------------
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of admin@kiteflyer.com
> Sent: Thursday, February 21, 2002 4:16 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] If not MAC, then what?
>
> I have a friend (say client) who is outside my firewall and accesses my
> webserver via FTP to update his website (virtual server). Before the flames
> go flying... I offer him FTP as I can't get him to use SSH/SCP (let's just
> not go there). Everything was peachy while he had a static IP as I just
> allowed his ip/TCP port 21. Now his provider has suddenly decided to go
> dynamic. I would change the filter to his MAC, but Tom has said in the past
> that Shorewall (or maybe it was IPTables) doesn't support MAC filtering.

iptables supports MAC filtering -- Shorewall doesn't. Unless your friend is on the same LAN segment as your firewall (which I'm willing to bet isn't the case), MAC filtering wouldn't do you any good.

> So, my question is - What can I do that would be painless for the
> unknowledgeable/unwilling "client" and keep my sanity?

VPN?

-Tom
--
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
> > -----Original Message-----
> >
> > I have a friend (say client) who is outside my firewall and accesses my
> > webserver via FTP to update his website (virtual server). Before the
> > flames go flying... I offer him FTP as I can't get him to use SSH/SCP
> > (let's just not go there). Everything was peachy while he had a static
> > IP as I just allowed his ip/TCP port 21. Now his provider has suddenly
> > decided to go dynamic. I would change the filter to his MAC, but Tom has
> > said in the past that Shorewall (or maybe it was IPTables) doesn't
> > support MAC filtering.
>
> iptables supports MAC filtering -- Shorewall doesn't. Unless your friend
> is on the same LAN segment as your firewall (which I'm willing to bet
> isn't the case), MAC filtering wouldn't do you any good.
>
> > So, my question is - What can I do that would be painless for the
> > unknowledgeable/unwilling "client" and keep my sanity?
>
> VPN?
>
> -Tom
> --
> Tom Eastep      \ Shorewall -- iptables made easy
> AIM: tmeastep    \ http://www.shorewall.net
> ICQ: #60745924    \ teastep@shorewall.net

DOH! You're right. Where was my brain? (MAC/Segments) We just went there with the switched network topic....

I don't know from experience, but I would think VPN would be harder for him to set up (and possibly me = learning curve) than convincing him to use SSH/SCP (even though TCP 22 is open, at least I could use a keypair to dump unwanted traffic). Any recommendations on possible VPN solutions? (Client = Win98, or did he follow the wagon of XP?) This is a one-person solution...

Thanks for the feedback/sounding board.

Wayne

/insert witty quote here/

---------------------------------------------
Well, I could think of 2 methods for the not-too-experienced ones:

The 1st one would be to put the ftp-server on some high port, let's say 33333 for example. For this to work you would have to compile the ftp-conntrack as a module and pass some variables at boot time (lilo etc.). This would not guard you against a "real" attack, but still might save you from an ordinary port scan. And it would be the easiest thing to accomplish.

The other thing would be to give your "friend" a dns-entry from one of those dyndns-companies out there; no-ip.com or dyndns.org (for free, of course). Every time he wants to log in he has to tell those guys his ip (via login with pw); the disadvantage would be he could not log in immediately since the dns-system needs some time to get updated. Additionally I'm not really sure whether shorewall would accept those rules... ^_^ ...and whether your client has enough experience to manage that. In fact he could use one of those freeware-programs which would do that automatically once he goes online. If that works I'd be glad to hear from it!

VPN would also be a solution, but for the average windows user this is not the simplest task to set up himself.

Hope I could help.

Regards,
Markus

At 00:16 22.02.2002 +0000, admin@kiteflyer.com wrote:
>Hi All,
>
>I've been quietly watching the list as my Shorewall hums away content.
>But now I've got a problem. I have a friend (say client) who is outside my
>firewall and accesses my webserver via FTP to update his website (virtual
>server). Before the flames go flying... I offer him FTP as I can't get him
>to use SSH/SCP (let's just not go there). Everything was peachy while he
>had a static IP as I just allowed his ip/TCP port 21. Now his provider has
>suddenly decided to go dynamic. I would change the filter to his MAC, but
>Tom has said in the past that Shorewall (or maybe it was IPTables) doesn't
>support MAC filtering.
>
>So, my question is - What can I do that would be painless for the
>unknowledgeable/unwilling "client" and keep my sanity?
>
>Wayne
>
>/insert witty quote here/
>
>---------------------------------------------
>
>_______________________________________________
>Shorewall-users mailing list
>Shorewall-users@shorewall.net
>http://www.shorewall.net/mailman/listinfo/shorewall-users
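The two pieces of Markus's suggestion (FTP on a high port, and a DynDNS name standing in for the client's address) can be tied together with a small cron job on the firewall. The script below is an added example written for this thread, not code from the list or from the Shorewall project. It assumes a Shorewall 1.2-style /etc/shorewall/rules file (ACTION, SOURCE, DEST, PROTO, DEST PORT columns), a web server in zone "loc" at 192.168.1.2 with FTP moved to port 33333, a fictitious client hostname, and that `shorewall restart` is how rules are reloaded; all of those are assumptions, adjust them to your setup. Two points worth keeping in mind: a rule keyed on a DNS name is only as trustworthy as the DNS answer (so the script refuses anything that is not a plain dotted quad and never interpolates a raw answer into the rule), and as Markus says there is a delay between the client updating his name and the next cron run. Moving FTP off port 21 also means the kernel's FTP connection-tracking helper has to be told about the new port, otherwise PORT/PASV data connections will not be tracked; the `options` lines in the header comment cover that for a 2.4 kernel with `ip_conntrack_ftp` built as a module.

```shell
#!/bin/sh
# Added example: keep a Shorewall ACCEPT rule in sync with a client's
# DynDNS hostname. Intended to run from cron every few minutes, e.g.
#   */5 * * * * /usr/local/sbin/dyndns-client-rule --run
#
# Assumptions (not from the thread; adjust to taste):
#   - /etc/shorewall/rules columns: ACTION SOURCE DEST PROTO DEST PORT(S)
#   - web server in zone "loc" at 192.168.1.2, FTP listening on 33333
#   - fictitious client hostname client.example.dyndns.test
#   - the managed rule carries a trailing "# dyndns-client" tag
#
# Moving FTP to a high port: the conntrack helper must watch that port too,
# or PORT/PASV data connections are dropped. For a 2.4 kernel with the helper
# as a module, add to /etc/modules.conf and reload the module:
#     options ip_conntrack_ftp ports=21,33333
#     options ip_nat_ftp       ports=21,33333   # only if FTP is also NATed

CLIENT_HOST=${CLIENT_HOST:-client.example.dyndns.test}
RULES=${RULES:-/etc/shorewall/rules}
STATE=${STATE:-/var/lib/dyndns-client.ip}
SERVER=${SERVER:-192.168.1.2}
FTP_PORT=${FTP_PORT:-33333}
TAG="# dyndns-client"
DRY_RUN=${DRY_RUN:-0}

# Resolve a hostname to its first IPv4 address (getent: no extra tools).
resolve_ip() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# Accept only a plain dotted quad with octets <= 255; a bogus or empty DNS
# answer must never end up inside a firewall rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Replace (or add) the managed ACCEPT line so it carries the given IP.
# Shorewall's "LAST LINE" marker, if present, is kept as the last line.
# Prints the rule that is now in the file.
update_rule() {
    rulesfile=$1; ip=$2
    rule="ACCEPT net:$ip loc:$SERVER tcp $FTP_PORT $TAG"
    tmp="$rulesfile.tmp.$$"
    { grep -v "$TAG\$" "$rulesfile" 2>/dev/null || true; } |
      awk -v rule="$rule" '
        /LAST LINE/ { print rule; done = 1 }
        { print }
        END { if (!done) print rule }' > "$tmp"
    mv "$tmp" "$rulesfile"
    echo "$rule"
}

# Resolve, validate, compare with the last applied address; on change rewrite
# the rule and restart Shorewall. Exit status: 0 = rule updated,
# 1 = address unchanged (nothing done), 2 = DNS answer rejected.
sync_client() {
    ip=$(resolve_ip "$CLIENT_HOST" || true)
    valid_ipv4 "$ip" || { echo "rejecting answer for $CLIENT_HOST: '$ip'" >&2; return 2; }
    last=$(cat "$STATE" 2>/dev/null || true)
    [ "$ip" = "$last" ] && return 1
    update_rule "$RULES" "$ip" >/dev/null
    echo "$ip" > "$STATE"
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: shorewall restart"
    else
        shorewall restart
    fi
    return 0
}

# Only act when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    sync_client
fi
```

Run it with `--run` from cron as root; set `DRY_RUN=1` to see what it would do without touching Shorewall. Because only the managed, tagged line is rewritten, the rest of the rules file is left alone, and a stale or hijacked DynDNS record can at worst open port 33333 to one wrong address until the next run, not break the whole ruleset.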
Wayne,

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of admin@kiteflyer.com
> Sent: Thursday, February 21, 2002 5:03 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] RE: If not MAC, then what?
>
> I don't know from experience, but I would think vpn would be harder for
> him to set up (and possibly me=learning curve) than convincing to use
> SSH/SCP (even though TCP22 open, at least I could use keypair to dump
> unwanted traffic). Any recommendations on possible VPN solutions?
> (Client = Win98 or did he follow the wagon of XP?) This is a one person
> solution...
>
> Thanks for the feedback/sounding board.

I'd look at running PoPToP on your firewall. Your client could then use the Dial Up Networking VPN client in Windows. You can set up Shorewall to have a separate zone for the VPN client and that way, you can control what this fellow can do very easily.

For instructions, go to http://www.shorewall.net/PPTP.htm

-Tom
--
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
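What the "separate zone for the VPN client" looks like in Shorewall's own files, as an added illustration rather than anything posted in this thread or copied from PPTP.htm. The zone name "vpn", the pool 192.168.200.0/24, the web server at 192.168.1.2 in zone "loc", and the use of `ppp+` as the VPN interface are all assumptions; verify the column layout and the `pptpserver` tunnel type against the Shorewall release and the PPTP page Tom points to, since file formats changed between versions. One caveat that was already public in 2002: PPTP's MS-CHAP authentication and MPPE keying were shown to be weak by Schneier and Mudge in 1998/1999, so treat this as a way to stop exposing FTP to the whole Internet, not as strong protection for the client's password.

```text
# /etc/shorewall/zones -- a zone of its own for the PPTP client
#ZONE   DISPLAY   COMMENTS
vpn     VPN       PoPToP client (FTP updates only)

# /etc/shorewall/interfaces -- pppd creates ppp0, ppp1, ... per connection
#ZONE   INTERFACE   BROADCAST   OPTIONS
vpn     ppp+        -

# /etc/shorewall/tunnels -- lets the PPTP control (tcp 1723) and GRE traffic
# from the net reach the firewall so the tunnel can come up at all
#TYPE        ZONE   GATEWAY
pptpserver   net    0.0.0.0/0

# /etc/shorewall/policy -- nothing from the vpn zone is allowed by default;
# these lines must come before the final "all all REJECT" policy
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       all    DROP     info
loc       vpn    REJECT   info

# /etc/shorewall/rules -- the one thing the client may do: FTP to the web
# server (data connections are handled by ip_conntrack_ftp). Compare with the
# old rule that keyed on his static address:
#   ACCEPT   net:192.0.2.7   loc:192.168.1.2   tcp   21
#ACTION   SOURCE   DEST              PROTO   DEST PORT(S)
ACCEPT    vpn      loc:192.168.1.2   tcp     21

# /etc/pptpd.conf (PoPToP) -- addresses handed to the tunnel endpoints
localip  192.168.200.1
remoteip 192.168.200.10-20

# /etc/ppp/chap-secrets -- one client, one secret, pinned to one tunnel IP
#client   server   secret          IP addresses
wayne-client   pptpd   "a-long-random-secret"   192.168.200.10
```

Because the client's traffic now arrives on a `ppp+` interface in its own zone, the rule no longer cares what address his ISP gives him that day: the thing being authorized is the PPTP login, and the only path opened from that login is FTP to 192.168.1.2. Everything else from the vpn zone is dropped and logged, which is the "control what this fellow can do" part of Tom's answer.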