Re: [suse-security] ssh shells and ircd on a small lan
Hi,

maybe you should try portforwarding a port from the gateway to your machine 192.168.0.2. I recently made a small script for a similar purpose. I just extended my comments so you should know what to do with it. Put it in /etc/rc.d/ and chmod +x it and read the comments (at least).

Good luck,
Alexander.

PS: Any comments appreciated.

Quoting Dimitris Kontogiannopoulos <jim@infodomi.gr>:
I don't think that it is a good idea to give someone access to your firewall box. If you have configured your firewall and routing table correctly you don't have to give a user account on your firewall. It's so simple, don't do this to yourself.

Kontogiannopoulos Dimitris
jim@infodomi.gr
Junior Net Admin
----- Original Message -----
From: "phil" <phil@osbtown.com>
To: <suse-security@suse.com>
Sent: Wednesday, July 11, 2001 12:12 AM
Subject: [suse-security] ssh shells and ircd on a small lan
Greetings all, I've been trying to give my friend a shell account (ssh) and I have run into some confusion.

The firewall box has ssh already on it, but it also has portforwarding. So I am confused as to where I should give my friend a shell.

I also talk irc with my friend on an ircd which is located on 192.168.0.2, but I'm wondering if it is safe to let ircd be port forwarded through the firewall box.

  |----------------------------------
  | modem (dialup)-- firewall box   |
  |                  redhat eth0    |
  |----------------------------------
             |
     |------------         |----------------
     |    hub     | --     | (eth0) 192.168.0.1 (just a client mandrake)
     |------------    \    |----------------
                       |   (eth0) 192.168.0.2 (irc, shell accounts suse 7.2)
At the moment the only way I know to get through the external network is to ssh to the firewall box as root, then ssh again into the 192.168.0.2 box.

I don't want my friend to know the root password on the firewall. I trust the guy, but he isn't very adept at linux and he might screw something up by accident. I want to avoid the accident. I also want to limit him to say 10MB and 10 processes (the cpu goes to 100% now with no limits on the account).

If I shut ssh off on the firewall, how can I turn on ssh through it to the shell accounts? Or is this the wrong way to do this? I am thinking the shell might be better off located on the firewall.

Should ircd be relocated to the firewall instead of where it is now (192.168.0.2)?

And finally... a bloob, I accidentally deleted my ircd startup from inetd.conf. I tried YaST and manually editing it, but the only way to start irc is manually now. Can someone show me the line or lines in inetd.conf that start irc/ircd from inetd.conf? There isn't anything in the manual about this.
it used to start when I boot, but no more...;o(
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
========================================================================
#   _  __         _ __            http://home.htwm.de/akuehn/  icq://69646724 #
#  / |/ /__ ____ _(_) /_ ____ _    nagilum@chillout.org        +01776461165   #
# / / _ `/ _ `/ / / // / ' \     Amiga (68k/PPC): AOS/NetBSD/Linux           #
# /_/|_/\_,_/\_, /_/_/\_,_/_/_/_/  Mac (PPC): MacOS9 / Linux / MacOS-X        #
#           /___/                  x86: Linux/FreeBSD/OpenBSD/QNX/Win98SE     #
========================================================================

#!/bin/bash
# simple portforwarding script by Alexander Kuehn,
# BSD licence - use it, screw it, blame me
# requires SuSE firewall installed, configured and working
# the syntax is PORTFORWARD="[definition][ definition] ..."
# where definition is "external_port:LAN_machine:LAN_machine_port"
# for example put something like this in your /etc/rc.config
# PORTFORWARD="5080:mymachine:80 5022:mymachine:22"
# this would forward external port 5080 to mymachine port 80
# and external port 5022 to mymachine port 22
# be aware that you can not test this from your LAN, you have to check
# this from a host outside of your LAN, e.g. ssh to some other host and
# try a lynx http://<insertyourgateway>:5080/ or ssh -p 5022 <insertyourgateway>
# once you know it's working add a "/etc/rc.d/forward restart" to
# your /etc/ppp/ip-up.local (presuming you're using a dialup link), good luck!

. /etc/rc.config
. /etc/rc.config.d/firewall.rc.config

# get ip of world interface
LOCALIP=`ifconfig $FW_DEV_WORLD|grep "inet addr:"|cut -d ":" -f 2|cut -d " " -f 1`
while [ -z "$LOCALIP" ]
do
    # if the script is called too early the interface might not
    # have an ip, therefore we will loop until it has one
    # this sleep will help to keep the machine breathing just in the case..
    sleep 5
    LOCALIP=`ifconfig $FW_DEV_WORLD|grep "inet addr:"|cut -d ":" -f 2|cut -d " " -f 1`
done

# The echo return value for success (defined in /etc/rc.config).
return=$rc_done

case "$1" in
    start)
        echo -n "Starting port forwarding:"
        # each definition is external_port:LAN_machine:LAN_machine_port
        for i in ${PORTFORWARD}; do
            LCPORT=`echo $i|cut -d: -f1`
            TOMACH=`echo $i|cut -d: -f2`
            TOPORT=`echo $i|cut -d: -f3`
            ipmasqadm portfw -a -P tcp -L $LOCALIP $LCPORT -R $TOMACH $TOPORT || return=$rc_failed
        done
        echo -e "$return"
        ;;
    stop)
        echo -n "Stopping port forwarding:"
        # -f flushes every portfw entry
        ipmasqadm portfw -f || return=$rc_failed
        echo -e "$return"
        ;;
    status)
        echo "Listing forwarded ports: "
        ipmasqadm portfw -l && echo OK || echo No process
        ;;
    reload)
        $0 stop && $0 start || return=$rc_failed
        ;;
    restart)
        $0 stop && $0 start || return=$rc_failed
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|reload}"
        exit 1
        ;;
esac

# Inform the caller not only verbosely and set an exit status.
test "$return" = "$rc_done" || exit 1
exit 0
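The script above splits each PORTFORWARD definition with `cut` and hands the pieces straight to `ipmasqadm`, so a definition with a missing or extra field, or a non-numeric port, reaches `ipmasqadm` with empty or wrong arguments and the only diagnostic is whatever `ipmasqadm` prints. The block below is an added example and is not part of Alexander's script or of any SuSE package: it validates each "external_port:LAN_machine:LAN_machine_port" definition (ports numeric and in 1-65535, host non-empty and made of hostname characters, exactly three fields) and prints the `ipmasqadm portfw` command the script would run for it, rejecting the rest. Because it only prints commands, it can be run on any POSIX shell without the 2.2 kernel's masquerading support. The function names `valid_port`, `valid_host`, `forward_cmd` and `forward_plan`, and the sample gateway address and definitions at the bottom, are constructed for this example.

```shell
#!/bin/sh
# Added example: validate PORTFORWARD definitions before they reach ipmasqadm.
# Function names and sample values are constructed for this example.

# valid_port N -> true if N is a decimal integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_host H -> true if H is non-empty and contains only hostname or
# dotted-quad characters (a sanity check, not a DNS lookup)
valid_host() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# forward_cmd LOCALIP DEFINITION
# Prints the ipmasqadm command for one "ext_port:host:port" definition.
# Prints nothing and returns 1 if the definition does not have exactly
# three well-formed fields.
forward_cmd() {
    localip=$1
    def=$2
    lcport=${def%%:*}
    rest=${def#*:}
    [ "$rest" = "$def" ] && return 1          # no colon at all
    tomach=${rest%%:*}
    toport=${rest#*:}
    [ "$toport" = "$rest" ] && return 1       # only one colon
    case "$toport" in *:*) return 1 ;; esac   # more than three fields
    valid_port "$lcport" && valid_host "$tomach" && valid_port "$toport" || return 1
    printf 'ipmasqadm portfw -a -P tcp -L %s %s -R %s %s\n' \
        "$localip" "$lcport" "$tomach" "$toport"
}

# forward_plan LOCALIP "def def ..."
# Prints one command per valid definition on stdout, reports each rejected
# definition on stderr, and returns the number of rejected definitions
# (0 means every definition was accepted).
forward_plan() {
    localip=$1
    bad=0
    for def in $2; do
        forward_cmd "$localip" "$def" || {
            echo "rejected definition: $def" >&2
            bad=$((bad + 1))
        }
    done
    return $bad
}

# Demonstration with constructed values: a documentation-style gateway
# address and the two definitions from the script's comments plus one typo
# (a missing LAN port) that the original script would pass on unchecked.
DEMO_IP=192.0.2.1
DEMO_DEFS="5080:mymachine:80 5022:mymachine:22 6667:192.168.0.2"
forward_plan "$DEMO_IP" "$DEMO_DEFS" || echo "$? definition(s) rejected" >&2
```

In the real script the call would be `forward_plan "$LOCALIP" "$PORTFORWARD"` with the printed lines executed only when the return value is 0, so one malformed entry stops the whole set from being installed rather than leaving the gateway with a partial, silently wrong forwarding table.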