Date: Thu, 07 Oct 1999 21:33:00 -0400 (EDT)
From: John Baldwin
To: David Simsik
Cc: "security@freebsd.org"
Subject: RE: Programming Contest
Message-Id: <199910080133.VAA68421@server.baldwin.cx>

On 07-Oct-99 David Simsik wrote:
> Hello all
>
> to my knowledge they are using an older version of FreeBSD running on
> Gateway P5-200s. The Network will be set up within the lab and the
> structure of the Ethernet cannot be changed. Also I do not have access
> to their gateway or their servers.

They are running 3.2-stable about two weeks prior to 3.3-release.

> My original plan was to set up one of the servers (P75) as a
> gateway/site server. This server would authenticate the users on the
> client machines and then would control the packets going outbound. The
> problem is that while using this gateway by defining it in the Client
> machines and a firewall on the gateway I can control what machines the
> clients can send packets to but cannot control the inbound packets.

Can you change the default configuration of the workstations or not?
If you can, then I would install a base client that included ipfw setup
to block inbound connections and only allow outbound connections to
your gateway host.
I would then tunnel your connections through ssh so that you can
authenticate the receiving machine and encrypt the traffic.

> With this said I have two questions. :
> 1. If the Gateway on the client machines is my machine is there any
> way for the clients to get around the gateway and if there is then is
> there a way I can stop that? (send packets in a way so they don't go
> through the gateway server)

If the users are trying to hop from machine to machine within the lab
(which is all in the same subnet) then those connections would not go
through your gateway. You would need something akin to ipfw to stop
this I believe.

> 2. what daemons would you recommend I shut off so that the contestants
> cannot get in contact with each other. (telnetd, ftpd,...)

inetd, sendmail, etc. I would only run ssh to tunnel the connections
to your gateway and nothing else.

> Any recommendations for solutions are welcome.

Be really nice to the lab manager. :)

> Thank you
> David Simsik
> Regional Systems Team Leader
> tech@midatl.cs.vt.edu

---

John Baldwin -- http://www.cslab.vt.edu/~jobaldwi/
PGP Key: http://www.cslab.vt.edu/~jobaldwi/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
Virginia Tech CS Undergraduate Lab Student Administrator
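
An added example, not part of the message above: one way to write the workstation policy it describes (block everything except an ssh session to the gateway, which also stops same-subnet hops between lab machines) as an ipfw ruleset. The addresses, rule numbers and the `lab_client_rules` and `is_ipv4` helpers are assumptions made for illustration; the script only prints the commands, which would then be run as root on the workstation.

```shell
#!/bin/sh
# Added example: emit an ipfw ruleset for one lab workstation.
# Helper names, rule numbers and addresses are assumptions, not from the thread.

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules for a workstation at CLIENT_IP that may only talk
# to sshd (port 22) on GATEWAY_IP.
lab_client_rules() {
    client=$1 gateway=$2
    is_ipv4 "$client" && is_ipv4 "$gateway" || {
        echo "usage: lab_client_rules CLIENT_IP GATEWAY_IP" >&2
        return 1
    }
    # Apply from the console: flushing over a remote session can cut it off.
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow tcp from $client to $gateway 22 setup
ipfw add 210 allow tcp from $client to $gateway 22 established
ipfw add 220 allow tcp from $gateway 22 to $client established
ipfw add 65000 deny ip from any to any
EOF
}

# Constructed sample addresses: workstation 10.0.0.21, gateway 10.0.0.1.
lab_client_rules 10.0.0.21 10.0.0.1
```

Rule 200 is the only one that matches a connection attempt, so nothing inbound and nothing to other lab hosts can start a session; rule 65000 drops the rest, including traffic from peers on the same subnet that never crosses the gateway.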