Re: Configuring remote access and a pf question

From: viq (vicviqgmail.com)
Date: Fri Sep 01 2006 - 10:08:15 CDT


On 9/1/06, mop <moparach.net.au> wrote:
> Hi
>
> I have a home network set up with an OpenBSD gateway which is bridged to an
> ADSL router, two Windows XP machines and an assortment of old boxes I play
> around with, and a few IPs available to me. What I want is remote access
> back to my windows boxes probably using VNC, and to be able to ssh to my
> gateway and into my network. At least one of the sites I wish to connect
> from uses a web proxy and I would have to tunnel through it.
>
> What software/techniques can people suggest, and how much of a risk am I
> exposing myself to by doing this? I have survived this far without it, but
> it would be nice to have. Can I do it without it showing up in a port scan?
>
> Now to the pf question. My policy for everything blocked from entering the
> network is that it is dropped with no reply. I have several ports forwarded
> to my Windows box, mainly for file sharing over IRC so they are only open
> when I wish to do a DCC send. I would like to drop error messages coming
> from my windows box when those ports are closed so no one got curious as to
> why those ports replied and nothing else did.
>
> As I allow everything exiting the network to keep state, how would I block
> these packets? I know it probably doesn't get me much in the way of
> security, but it is an interesting problem. Any suggestions?
>
> Any suggestions would be greatly appreciated. Regards,

How about using authpf for the port forwarding? You want the ports
forwarded, you ssh to the box, and they are open. You're finished, you
finish ssh session, they are closed.
Also, for VNC, you want to use that over an encrypted channel, either
ssh tunnel, or otherwise (OpenVPN or IPSec comes to mind).

As for ssh not showing on a port scan... Not likely that a full port
scan is not going to pick it up, though you could play with passive OS
detection, and block nmap, that could provide a bit more of
obscurity...

As for going through a proxy, it depends how it is set up. ssh does
have an option to use proxy, but that depends on the proxy
configuration obviously... And you may have some success moving port
ssh listens on to 80 or 443 (I personally prefer the latter, as it's
rather less likely for anyone to look closer at the traffic passing
there). But that again depends on the proxy in question.

> Kim
>
>

--
viq
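
As an added illustration of the authpf suggestion in the reply above (not configuration posted by either participant), a gateway could be set up along these lines. It assumes current pf syntax (`rdr-to`; older releases wrote the redirect as a separate `rdr` rule under an `rdr-anchor`), and the interface, account name, address and port range are constructed placeholders.

```conf
# --- /etc/pf.conf on the gateway (fragment) ---
ext_if = "em0"                      # placeholder external interface

block drop in on $ext_if            # default policy: drop silently, no reply

# ssh has to stay reachable, since logging in is what triggers authpf
pass in on $ext_if proto tcp to ($ext_if) port 22

# authpf attaches each session's rules below this anchor and
# flushes them when the ssh session ends
anchor "authpf/*"

# --- /etc/authpf/authpf.conf ---
# Must exist (may be empty), otherwise authpf refuses to run.

# --- /etc/authpf/users/kim/authpf.rules ---
# Per-user rules for the hypothetical account "kim", whose login shell is
# /usr/sbin/authpf (so this account is for authentication only, not for
# interactive work). Macros from pf.conf are not visible here; authpf
# itself predefines $user_ip and $user_id.
ext_if = "em0"
winbox = "192.168.1.10"             # constructed LAN address of the Windows box
dcc    = "5000:5010"                # constructed DCC port range

# Forward the DCC ports only while kim's authpf session is open.
# Peers connect from arbitrary addresses, so the source stays "any".
pass in quick on $ext_if proto tcp from any to ($ext_if) port $dcc \
    rdr-to $winbox

# For a service only the logged-in user needs (for example VNC), match on
# the authenticated source address instead:
# pass in quick on $ext_if proto tcp from $user_ip to ($ext_if) port 5900 \
#     rdr-to $winbox
```

While no authpf session is open the anchor is empty, so the forwarded ports fall under the `block drop` rule like everything else and the Windows box never sees the probes.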