Old 10-14-2011, 11:33 AM
Reindl Harald
 
Remote access

and his boss is "perfectly legitimate" to fire him from one day to the next
it does not even matter if there is any firewall to pierce, it is enough
that a policy/admin says "it is not allowed" to fire you if you are doing it

people like you are a real nightmare because you are enforcing
other ones to break policies which you and we do not understand
from outside and there is only one person who really must understand
them - the admin

the same for recommending to set up openvpn
you can do that at your home but NOT in a company
why? because you are not understanding the security implications

the company may have well tested rollouts and security checks on all
machines in their network and then comes some stupid boy missing
any knowledge and brings a hidden machine into the network


On 14.10.2011 13:26, Marko Vojinovic wrote:

> On Friday 14 October 2011 05:32:23 Scott Rouse wrote:
>
> However, every serious firewall admin should know that the firewall is a one-way barrier,
> protecting local users from the outside attack, and having in principle no way to protect
> the outside world from the local user.
>
> So, if the OP asks his admin to allow him the access, and is refused, I think it is perfectly
> legitimate to DIY and pierce a connection through. Best, :-) Marko

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 10-14-2011, 11:34 AM
Tom Horsley
 
Remote access

On Friday 14 October 2011 05:13:53 KC8LDO wrote:
> Is there a way to use ssh to get through a firewall for remote access to a
> system?

I have a little shell script I run on my desktop at work that has
its own copy of ssh-agent holding my home system public key info.
It runs an ssh command from my desktop at work to my home system,
forwarding my work system's port 22 to home, and my home system's
port 22 to work. The ssh command runs in a loop, so if the
connection drops (because I reboot my home system for instance),
it will come back up as soon as both systems are talking again.

This gives me local ssh access at home to my work system and
at work to my home system, through the company firewall which
blocks all incoming connections to all but company servers.
Since I have ssh access, I can always run new ssh commands to
forward other ports (like mail servers).

The ssh connection is (in some directions) about 6 times
faster than using the company VPN, and normally what I use the
ssh connection for is running an NX session at home to get
my desktop at work to appear on my home system screen so I
can commute to work without leaving home :-).

P.S. I also have my home system as secured as possible with
firewall rules that only allow ssh connections that look as if
they are coming from my work system (i.e. the company firewall)
and ssh config rules requiring public keys as the only way
to connect from the outside world.
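Tom's P.S. describes the receiving end of his setup: a home sshd that accepts public keys only, and host firewall rules that admit ssh from the company's egress address alone. What follows is an added example, not Tom's script and not anything posted in the thread: a POSIX shell audit that checks an sshd_config for those settings (honouring sshd's first-match rule, so a commented-out or later directive does not count) and a generator for the matching iptables rules. The defaults assumed for absent directives (PasswordAuthentication, ChallengeResponseAuthentication and PermitRootLogin all yes) are those of OpenSSH of that era; the sample config and the address 203.0.113.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. It audits the two home-side
# controls Tom Horsley describes: sshd accepting public keys only, and a host
# firewall that admits ssh from one source address only. The audit reads a
# config file you name and prints rules as text; it never changes the system.

# Effective value of an sshd_config directive: sshd takes the FIRST match in
# the global section, and the default applies when the directive is absent or
# commented out. (Match blocks are not handled here.)
sshd_value() {
    # $1 = config file, $2 = directive, $3 = default if absent
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s' "$v"; else printf '%s' "$3"; fi
}

# Return 0 when only public-key authentication is possible; otherwise print
# each directive that still permits another path in and return 1.
audit_sshd_config() {
    cfg="$1"; rc=0
    [ "$(sshd_value "$cfg" PasswordAuthentication yes)" = "no" ] \
        || { echo "PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_value "$cfg" ChallengeResponseAuthentication yes)" = "no" ] \
        || { echo "ChallengeResponseAuthentication must be no"; rc=1; }
    [ "$(sshd_value "$cfg" PubkeyAuthentication yes)" = "yes" ] \
        || { echo "PubkeyAuthentication must be yes"; rc=1; }
    # PermitRootLogin defaulted to yes in OpenSSH of this era; treat absent as yes.
    [ "$(sshd_value "$cfg" PermitRootLogin yes)" = "no" ] \
        || { echo "PermitRootLogin must be no"; rc=1; }
    return $rc
}

# Print iptables rules that accept new ssh sessions only from one source
# (the company's egress address, as in the post) and drop all other inbound
# ssh attempts. The address is validated so nothing else reaches the shell.
ssh_allow_from_rules() {
    src="$1"
    case "$src" in
        *[!0-9./]*|"") echo "invalid source address: $src" >&2; return 1 ;;
    esac
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -m state --state NEW -j ACCEPT\n' "$src"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Constructed sample config (not any real host's file) to show the audit at
# work: the commented-out directive leaves password auth at its default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "sample config fails the audit (expected)"
rm -f "$sample"
ssh_allow_from_rules 203.0.113.10
```

Run it against a copy of the real `/etc/ssh/sshd_config` to see which directives still leave a non-key path open; the generated rules are printed rather than applied so they can be reviewed first.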
 
Old 10-14-2011, 11:42 AM
Ed Greshko
 
Remote access

On 10/14/2011 07:26 PM, Marko Vojinovic wrote:
> <quote>
> A firewall cannot protect a network against its own internal users, and should
> not even try to.
> </quote>
>
> So, if the OP asks his admin to allow him the access, and is refused, I think
> it is perfectly legitimate to DIY and pierce a connection through.

I've known a few *former* employees that thought doing so was legitimate.

--
Even if you do learn to speak correct English, whom are you going to
speak it to? -- Clarence Darrow
 
Old 10-14-2011, 11:58 AM
 
Remote access

-----Original Message-----
From: users-bounces@lists.fedoraproject.org [mailto:users-bounces@lists.fedoraproject.org] On Behalf Of Marko Vojinovic
Sent: Friday 14 October 2011 13:26
To: Community support for Fedora users
Subject: Re: Remote access

On Friday 14 October 2011 05:32:23 Scott Rouse wrote:
> On Oct 14, 2011 12:13 AM, "KC8LDO" <kc8ldo@arrl.net> wrote:
> > Is there a way to use ssh to get through a firewall for remote
> > access to a system? The situation I'm looking at is a Fedora system
> > sitting behind a company firewall, which I have no control over,
> > that I wish to gain access to by logging into it over the Internet from a remote computer.
> > In other words the connection is initiated from outside of the
> > firewalled company network.
>
> There are many companies that would frown upon doing what you are
> proposing. I would suggest that you talk to your network/firewall
> admin and see if they will make an allowance for you.

True, and that is usually the best option. The drawback being that you are putting yourself at mercy of the firewall admin, who might be lazy, incompetent, or ignorant (which is sometimes the case), or have a boss that is one of those things (which is the case quite often).

However, every serious firewall admin should know that the firewall is a one-way barrier, protecting local users from the outside attack, and having in principle no way to protect the outside world from the local user. Or in the words of the firewall-piercing HOWTO ( http://tldp.org/HOWTO/Firewall-Piercing ):

<quote>
A firewall cannot protect a network against its own internal users, and should not even try to.
</quote>

So, if the OP asks his admin to allow him the access, and is refused, I think it is perfectly legitimate to DIY and pierce a connection through.

Best, :-)
Marko


Hi, some remarks to make...

Firstly, if you have a well defined and well maintained firewall, it's hard to get _IN_.
One way of dealing with the problem is installing at work (if you can) an openvpn connection towards home.
Even if the company firewall is very strict, they will still allow port 80/443 going out.
On those ports, you can do an openvpn-proxy. Examples on the openvpn site.

OTOH, if you ask and were declined, or don't ask and they find out later, this is for most companies enough reason for instantly being thrown out.
And perhaps get a lawsuit against you.

So I would _strongly_ suggest asking your sysadmin / network admin / security admin to open up a port for allowing incoming VPNs.
If it is for doing work from a home location, they probably won't object.

Better safe than sorry (and fired)

Hans

 
Old 10-14-2011, 12:02 PM
Marko Vojinovic
 
Remote access

On Friday 14 October 2011 12:42:03 Ed Greshko wrote:
> On 10/14/2011 07:26 PM, Marko Vojinovic wrote:
> > <quote>
> > A firewall cannot protect a network against its own internal users, and
> > should not even try to.
> > </quote>
> >
> > So, if the OP asks his admin to allow him the access, and is refused, I
> > think it is perfectly legitimate to DIY and pierce a connection through.
>
> I've know a few *former* employees that thought doing so was legitimate.

Legitimate != legal.

A serious admin should take the time to explain the security implications to
the user, and persuade him not to do what he wants to do, while providing the
user with a legal alternative. Failing that, the admin has no operational
control over the user piercing the firewall. The admin is actually at the mercy
of user's understanding of security and compliance with the "company rules"
that the admin cannot actually enforce in practice. Both the admin and the
user (and their bosses) should be aware of that. The firewall is *not* a
security measure against insiders, but only against outsiders.

Legal actions against users that disobey company policies are an entirely
different topic, and should be handled on a case-by-case basis. Sometimes they
have merit, sometimes they don't. It is up to the OP to judge the legal
consequences of his own actions.

Have you ever crossed the street when the red light was on for pedestrians, in
a situation when there were no vehicles in the street? Was that legitimate?
Was it legal? Was the rule enforceable? Was breaking the rule possible? One
should make sharp distinction between each of those questions.

Best, :-)
Marko

 
Old 10-14-2011, 12:09 PM
Ian Malone
 
Remote access

On 14 October 2011 12:26, Marko Vojinovic <vvmarko@gmail.com> wrote:

> However, every serious firewall admin should know that the firewall is a one-way
> barrier, protecting local users from the outside attack, and having in
> principle no way to protect the outside world from the local user. Or in the
> words of the firewall-piercing HOWTO
> ( http://tldp.org/HOWTO/Firewall-Piercing ):
>
> <quote>
> A firewall cannot protect a network against its own internal users, and should
> not even try to.
> </quote>
>

Actually, there's a difference between this (protecting the network
internally) and protecting the outside world, for example I can't
connect to SMTP outside our firewall right now.

> So, if the OP asks his admin to allow him the access, and is refused, I think
> it is perfectly legitimate to DIY and pierce a connection through.
>

!

Possibly read your IT policy and your employment contract carefully first.

--
imalone
 
Old 10-14-2011, 12:12 PM
Tom Horsley
 
Remote access

On Fri, 14 Oct 2011 13:02:43 +0100
Marko Vojinovic wrote:

> Have you ever crossed the street when the red light was on for pedestrians, in
> a situation when there were no vehicles in the street? Was that legitimate?
> Was it legal? Was the rule enforceable? Was breaking the rule possible? One
> should make sharp distinction between each of those questions.

Actually, crossing at an intersection with the light is nuts. There are
cars coming at you from too many different directions. What you always
want to do to survive as a pedestrian is to jaywalk in the middle of the
block where cars are only trying to kill you in one direction at a time.
The heck with legality, survival is the rule here!

Now if I could only figure out how to make this analogy extend to
firewalls :-).
 
Old 10-14-2011, 12:16 PM
Marko Vojinovic
 
Remote access

On Friday 14 October 2011 12:33:25 Reindl Harald wrote:
> peopole like you are a real nightmare because you are enforcing
> other ones

I am not enforcing anyone to do anything, just offering advice.

> to break policies which you and we do not understand
> from outside and there is only one person who really must undertsnad
> them - the admin

I disagree. If there is no way to enforce a security rule, every user must be
*trained* to understand it and know *why* he should uphold it.

If you have ever been a parent, you certainly know that just saying "that is
forbidden to touch" doesn't work. Rather, a real explanation *why* a child
should not touch something is the only way to have the child comply with the
rules.

If you just restrict people by rules, it *is* legitimate for them to break the
rules. If instead you teach people why they should uphold the rules, it *is*
*not* legitimate for them to break those rules. Legitimacy comes from
understanding, legality comes from obedience.

The OP is the only one who can judge what is legal and what is legitimate in
his own case.

Best, :-)
Marko



 
Old 10-14-2011, 01:02 PM
Ian Malone
 
Remote access

On 14 October 2011 13:16, Marko Vojinovic <vvmarko@gmail.com> wrote:
> On Friday 14 October 2011 12:33:25 Reindl Harald wrote:
>> peopole like you are a real nightmare because you are enforcing
>> other ones
>
> I am not enforcing anyone to do anything, just offering advice.
>

I think the word is encouraging.

>
> If you just restrict people by rules, it *is* legitimate for them to break the
> rules. If instead you teach people why they should uphold the rules, it *is*
> *not* legitimate for them to break those rules. Legitimacy comes from
> understanding, legality comes from obedience.
>

Not sure what definition of "legitimate" you are using here.

> The OP is the only one who can judge what is legal and what is legitimate in his own case.

And what might get him fired (irrespective of legality). Of course you
might be completely right, the administrator might say, "I'm not going
to set up a VPN but if you can come up with a solution then go ahead."

--
imalone
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 10-14-2011, 02:33 PM
Tim
 
Remote access

On Fri, 2011-10-14 at 13:58 +0200, J.Witvliet@mindef.nl wrote:
> So, if the OP asks his admin to allow him the access, and is refused,
> I think it is perfectly legitimate to DIY and pierce a connection
> through.
>
> Best, :-)
> Marko

Quite how you come to that conclusion, I don't know. If you're refused
permission, then that's the *opposite* from being legitimate to try to
do so. Not only did you originally discover that it was blocked, you're
being outright told that it's not allowed.

In some places, flouting such rules is grounds for dismissal, perhaps on
the first and only instance you get caught.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



 