From owner-freebsd-security Fri Sep 24 1:49:49 1999
From: Tim Priebe
Reply-To: tim@iafrica.com.na
To: The Mad Scientist, freebsd-security@freebsd.org
Subject: Re: Secure gateway to intranet
Date: Fri, 24 Sep 1999 13:28:37 +0200
Message-Id: <99092413411000.21169@310.priebe.alt.na>
References: <4.1.19990923205643.0095ce70@mail.thegrid.net>

On Fri, 24 Sep 1999, The Mad Scientist wrote:
> All,
> I am looking for a secure way to log into a machine on an intranet.
> Here's what I have in mind.
> A user ssh-es to a machine on the border network. Her shell is a
> script/program that asks for the name of an internal machine, then ssh-es to
> that machine after an authentication. This way, I could only open the
> border and internal routers up to that machine and a proxy server, and I
> could have a log of who goes where. I'd also like to be able to set up
> some kind of ACL in the proggie/script that dictates which users can go to
> which machines. For authentication, a username/pass will do for now, but
> later I'd like to expand it to some kind of one-time card. Some kind of
> transparent secure file transfer would also be great.
> Now, here's what I am interested in knowing. What would be a simple and
> secure way to implement this? (I was thinking of Perl.) What sort of
> things should I be wary of when setting this up? Is this even advisable?
> ^_^
> Thanks in advance,
> -Dean

My solution to a similar problem is to use ipfw rules, together with ssh.
I have a small number of fixed IP addresses on the outside that are allowed
to connect to a small number of fixed addresses on the inside. Logging can
be done with the TCP setup packets.

Tim.
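The design Dean describes (a border host whose login shell asks for an internal host, checks an ACL, logs the hop and then ssh-es onward) can be written as a small sh script rather than Perl. The following is an added example, not code from either poster; the ACL file path, its "user host" line format and the sshgw log tag are assumptions. The two checks a practitioner would insist on are visible here: the target is validated as a bare hostname before it is ever passed to ssh (so a user cannot type -oProxyCommand=... and have ssh treat it as an option), and the script exec's ssh with ~-escapes disabled so no local shell survives on the border host.

```shell
#!/bin/sh
# sshgw: hypothetical login shell for the border host. Added example; the
# ACL path and format below are assumptions, not anything from the thread.
# Install as the user's login shell (e.g. in /etc/passwd) and keep the ACL
# file root-owned so users cannot grant themselves extra hosts.

ACL_FILE="${ACL_FILE:-/usr/local/etc/sshgw.acl}"

# Constructed ACL for demonstration: "user internal-host", one pair per line.
setup_demo_acl() {
    ACL_FILE=$(mktemp)
    cat > "$ACL_FILE" <<'EOF'
# user      internal-host
dean        db1.internal.example
dean        web1.internal.example
alice       web1.internal.example
EOF
}

# Log via syslog when logger(1) is present, otherwise to stderr.
log_event() {
    if command -v logger >/dev/null 2>&1; then
        logger -t sshgw -p "auth.$1" "$2" || :
    else
        printf 'sshgw %s: %s\n' "$1" "$2" >&2
    fi
}

# Accept only a plain hostname: letters, digits, dots and hyphens, and not
# starting with '-', so the value can never be parsed by ssh as an option.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Does the ACL grant this user access to this host? Exact, case-sensitive match.
acl_allows() {
    awk -v u="$1" -v h="$2" '
        /^#/ || NF < 2 { next }
        $1 == u && $2 == h { found = 1 }
        END { exit found ? 0 : 1 }' "$ACL_FILE"
}

# Returns 0 if the hop is permitted; every decision, allowed or not, is logged.
authorize_hop() {
    user=$1; host=$2
    if ! valid_host "$host"; then
        log_event warning "user=$user rejected malformed target '$host'"
        return 1
    fi
    if ! acl_allows "$user" "$host"; then
        log_event warning "user=$user denied target=$host"
        return 1
    fi
    log_event info "user=$user hop to target=$host"
    return 0
}

# Interactive entry point: runs when invoked as a login shell (argv[0] begins
# with '-'). exec replaces the script, so nothing is left running on the border
# host once ssh exits; EscapeChar=none disables the ~ escapes; '--' ends options.
main() {
    user=$(id -un)
    printf 'Internal host: '
    IFS= read -r target || exit 1
    authorize_hop "$user" "$target" || { echo "Access denied." >&2; exit 1; }
    exec ssh -o EscapeChar=none -- "$target"
}

case "$0" in -*) main ;; esac
```

Two things this does not cover, which Dean asked about: per-hop re-authentication (the script trusts the sshd login on the border host) and file transfer; scp through such a gateway would need the same ACL check applied to a non-interactive command, which a prompt-driven shell cannot do.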
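Tim's approach, fixed outside addresses allowed to reach fixed inside addresses on port 22 with the TCP setup packets logged, looks like this as an ipfw ruleset. This is an added example, not Tim's actual rules; the addresses and rule numbers are constructed. The generator emits the ipfw commands as text so the ruleset can be reviewed before it is loaded, and the log keyword is placed only on setup rules so each connection produces one log line (the SYN) instead of one per packet.

```shell
#!/bin/sh
# Added example of the ipfw-plus-ssh scheme from the reply. Addresses are
# constructed (RFC 5737 / RFC 1918 ranges); rule numbers are an assumption.

# Constructed allow list: "outside-ip inside-ip" pairs, one per line.
ALLOW_PAIRS='
203.0.113.10 10.0.0.5
203.0.113.10 10.0.0.6
203.0.113.22 10.0.0.5
'

# Emit the ruleset without loading it. ipfw is first-match, so order matters:
# permitted SYNs first, then already-open connections, then log-and-deny.
gen_rules() {
    n=100
    printf '%s\n' "$ALLOW_PAIRS" | while read -r src dst; do
        [ -n "$src" ] || continue
        # 'setup' matches SYN without ACK: the one packet worth logging.
        echo "add $n allow log tcp from $src to $dst 22 setup"
        n=$((n + 10))
    done
    # Packets belonging to connections that were allowed to open pass unlogged.
    echo 'add 1000 allow tcp from any to any established'
    # Any other attempt to open a TCP connection is logged and dropped, so the
    # log shows who tried to go where, not only who succeeded.
    echo 'add 65000 deny log tcp from any to any setup'
    echo 'add 65100 deny log ip from any to any'
}

# Load the generated ruleset into a running FreeBSD kernel (run as root on the
# gateway only). 'log' rules do nothing unless net.inet.ip.fw.verbose is set;
# verbose_limit caps log lines per rule so a flood cannot fill the disk.
apply_rules() {
    sysctl net.inet.ip.fw.verbose=1 >/dev/null
    sysctl net.inet.ip.fw.verbose_limit=100 >/dev/null
    ipfw -f flush
    gen_rules | while read -r line; do ipfw $line; done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run without arguments to print the ruleset; with apply to load it. The final two deny rules assume the gateway does nothing but forward these ssh sessions; a host that also needs DNS, NTP or outbound mail needs its own allow rules above them. Log lines arrive through syslog under the security facility (/var/log/security on a default install), and ipfw -a list shows per-rule packet counters for a quick check that the rules are being hit.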