messageID:520060007472
author:François Barel
title:RE Architecture advice for a newbie
Hi. Google for portknocking! It is a solution for opening ports "at run time" by accessing some already closed ports and sending a specific packet type. You can add/delete iptables rules at runtime, enabling access to some ports or adding destination NAT to some machine behind the firewall (in the LAN). The only thing is, no one here knows what auth method you are planning to use, but from my experience netfilter has enough documentation and API to help you achieve your goal. Try being more specific (if possible).

Regards,
E:S

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Hal Moroff
Sent: Monday, 13. November 2006 07:12
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Architecture advice for a newbie

I'm fairly experienced with Linux and find myself on a project in an area that is new to me.

We have a Debian based firewall. When a client (of our own design/implementation) contacts the firewall I wish to connect it to a device behind the firewall. The hole through the firewall should be closed until the client is explicitly authenticated, and should only remain open for a specific amount of time or until the client disconnects. When the hole is opened WAN traffic between the client and the firewall should be encrypted.

I'm thinking that the client should VPN IPSec to the target, and netfilter can manage the hole. There are 2 small wrinkles to add to this:

1 - we have our own authentication scheme we wish to use, above and beyond any preshared keys
2 - the target devices are generally dumb and aren't capable of VPN/encryption (I should add that the internal LAN is trusted, so traffic inside the LAN can be unencrypted)

I've just started reading up on VPNs and netfilter docs. It isn't (yet) clear to me how to manipulate netfilter at runtime like this (to open and close the hole).

Regarding the "dumb target" in wrinkle #2, I'm thinking that traffic can be routed to another process on the firewall. That process would serve as the "go between" between the LAN dumb target and the rest of the world. Can anyone advise where to start investigating this?
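As an added example, not code from either poster: the runtime rule handling the reply describes, shaped to the question's requirements (a hole opened only after authentication, time-limited, DNAT to a dumb LAN device). The interface name, state file path and the open_hole/close_hole/expire_holes helpers are assumptions; the authentication step that decides who may call open_hole is left to whatever scheme you choose.

```shell
#!/bin/sh
# Added example, not from either poster. Runtime hole punching for Hal's
# setup: after the client CLIENT is authenticated (by port knocking as the
# reply suggests, or by your own scheme) it gets a DNAT'd path from the WAN
# interface to the dumb LAN device DEVICE:PORT for TTL seconds, and
# expire_holes tears the rules down again. All names here are hypothetical.
# Set IPTABLES="echo iptables" to dry-run and print the rules instead.
IPTABLES="${IPTABLES:-iptables}"
STATE="${STATE:-/var/run/holes.state}"  # one line per hole: expiry client device port
WAN_IF="${WAN_IF:-eth0}"

# Rule specs for one hole as "table chain spec...". Building both -I and -D
# from the same text guarantees the delete matches the insert exactly.
hole_rules() {  # hole_rules client device port
    echo "nat PREROUTING -i $WAN_IF -s $1 -p tcp --dport $3 -j DNAT --to-destination $2:$3"
    echo "filter FORWARD -i $WAN_IF -s $1 -d $2 -p tcp --dport $3 -j ACCEPT"
}

apply_rules() {  # apply_rules -I|-D client device port
    hole_rules "$2" "$3" "$4" | while read -r table chain spec; do
        # $spec is left unquoted on purpose so it splits into iptables arguments
        $IPTABLES -t "$table" "$1" "$chain" $spec
    done
}

open_hole() {  # open_hole client device port ttl_seconds
    apply_rules -I "$1" "$2" "$3"
    echo "$(( $(date +%s) + $4 )) $1 $2 $3" >> "$STATE"
}

close_hole() {  # close_hole client device port
    apply_rules -D "$1" "$2" "$3"
    { grep -v " $1 $2 $3\$" "$STATE" || true; } > "$STATE.tmp"
    mv "$STATE.tmp" "$STATE"
}

expire_holes() {  # run from cron or a loop: close every hole whose TTL has passed
    [ -f "$STATE" ] || return 0
    now=$(date +%s)
    cp "$STATE" "$STATE.scan"  # close_hole rewrites $STATE, so scan a copy
    while read -r expiry client device port; do
        if [ "$expiry" -le "$now" ]; then
            close_hole "$client" "$device" "$port"
        fi
    done < "$STATE.scan"
    rm -f "$STATE.scan"
}
```

Because -I inserts at the top of the chain, the ACCEPT lands ahead of whatever default DROP the FORWARD chain carries; the hole is keyed on the client's source address only, so it is exactly as strong as the authentication that runs before open_hole.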