[kwlug-disc] reverse tunnel? vpn over ssh?

Raul Suarez rarsa at yahoo.com
Tue Aug 18 10:40:31 EDT 2009

You couldn't wait until December, eh? You want me to give my presentation early. Tsk tsk tsk.

Let's start from the beginning:
What port is used for the update? Yum and apt-get would use either FTP or HTTP (depending on the mirror); are you using something different?

Can you SSH from the DMZ computer to the external desktop, or only from the external desktop to the DMZ computer?

Here is a page that explains the exact opposite of what you want to do, that is, from the other side of the firewall, but from what I see it is equivalent.


That is, if you can SSH from the DMZ to the desktop. If not, let me know, as it will be a little bit different.

E.g., you will have to SSH into the DMZ, opening an SSH tunnel back to the desktop, then use that tunnel to SSH from the DMZ to your desktop using the appropriate routing.

Let me know if the first option works for you. If not, I will elaborate on the second option.

Raul Suarez

Technology consultant
Software, Hardware and Practices
An eclectic collection of random thoughts

----- Original Message ----
From: Richard Weait <richard at weait.com>
To: KWLUG discussion <kwlug-disc at kwlug.org>
Sent: Monday, August 17, 2009 10:47:39 PM
Subject: [kwlug-disc] reverse tunnel? vpn over ssh?

I have a box I can reach on my DMZ.  I allow incoming web requests
through the firewall to the DMZ box.  It can then reply to the
request. But if you do crack this box, it can't connect out.  The
firewall won't allow it.  Great.  Defense in depth and all.

I can reach this box from my internal network and start/stop services.
Configure stuff.  Great.  But I can't get it to update from the web.
It can't dial out.  I'd like to apply updates without unplugging eth

Lots of examples cover connecting boxes that can't see each other but
can each connect to another box.  When the configuration looks like

A --> public box <-- B

SSH reverse tunneling looks to be the right tool for the job.  That's
the gotomypc-type solution.

My configuration is essentially:

internet  <-- desktop --> DMZ

I'd like to, from my desktop, say "Hi DMZ box, I'm logging in. Here is
a temporary connection to the internet that will disappear when I log

Help me lazyweb?
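Raul's second option (the desktop opens a tunnel back to itself that the DMZ box then uses) applied to Richard's `internet <-- desktop --> DMZ` layout, as an added example that is not code from either poster. It assumes things the thread does not state: the DMZ host is reachable from the desktop as `dmz` over SSH, an HTTP proxy such as squid listens on the desktop at 127.0.0.1:3128 and is allowed to reach the package mirrors, and the DMZ box updates with apt or yum over HTTP/HTTPS. The port numbers and the `update_dmz` helper are the example's own choices.

```shell
#!/bin/sh
# Added example, not from either message in this thread.
# Lend the DMZ box the desktop's internet access for package updates, for
# exactly as long as one SSH session from the desktop stays open.
#
# Assumed (not stated in the thread): the DMZ host is reachable from the
# desktop as "dmz"; an HTTP proxy such as squid listens on the desktop at
# 127.0.0.1:3128 and may reach the package mirrors; the DMZ box uses apt or
# yum over HTTP/HTTPS.

PROXY_PORT=3128    # proxy on the desktop, loopback only
REMOTE_PORT=3128   # port the tunnel exposes on the DMZ box's own loopback

# Forwarding spec for ssh -R: listen on 127.0.0.1:REMOTE_PORT on the DMZ box
# and relay every connection back to the desktop's proxy. The explicit
# 127.0.0.1 bind (together with sshd's default "GatewayPorts no") keeps
# other DMZ hosts from riding the tunnel.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s' "$REMOTE_PORT" "$PROXY_PORT"
}

# The tunnel command in its plain, foreground form.
#  -N                         no remote shell; the session only carries the
#                             forward, so logging out removes the access
#  ExitOnForwardFailure=yes   if the DMZ port is already taken, fail instead
#                             of silently leaving a session with no tunnel
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -R %s %s\n' "$(forward_spec)" "$1"
}

# The update command to run on the DMZ box. The proxy is given on the
# command line, so nothing on the box is reconfigured permanently and the
# setting cannot outlive the tunnel.
update_cmd() {
    proxy="http://127.0.0.1:$REMOTE_PORT"
    case "$1" in
        apt)
            opts="-o Acquire::http::Proxy=$proxy -o Acquire::https::Proxy=$proxy"
            printf 'sudo apt-get %s update && sudo apt-get %s -y upgrade\n' "$opts" "$opts" ;;
        yum)
            printf 'sudo yum --setopt=proxy=%s -y update\n' "$proxy" ;;
        *)
            echo "update_cmd: unknown package manager '$1'" >&2; return 1 ;;
    esac
}

# Open the tunnel in the background, run the update through it, close it.
# A ControlMaster socket lets us shut down exactly the session we opened.
update_dmz() {
    dmz_host=$1; pkg=${2:-apt}
    sock=$(mktemp -u "${TMPDIR:-/tmp}/dmz-tunnel.XXXXXX")
    # -f backgrounds ssh only once the forward is established
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes \
        -R "$(forward_spec)" "$dmz_host" || return 1
    ssh "$dmz_host" "$(update_cmd "$pkg")"
    status=$?
    ssh -S "$sock" -O exit "$dmz_host"   # tunnel gone: the box is dark again
    return "$status"
}

# Only touch the network when explicitly asked, e.g.
#   RUN_TUNNEL=1 sh dmz-update.sh dmz apt
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    update_dmz "$@"
fi
```

While the session is open, the tunnel is the one path a compromised DMZ box could use to reach out, so keep that window narrow: restrict the desktop proxy's ACL to the mirror hostnames rather than allowing any destination, and on the DMZ box's sshd, OpenSSH 7.8 and later can pin the port a client may bind with `-R` using `PermitListen`. Because the forward lives in the SSH session rather than in the DMZ box's own configuration, closing the session (or the `-O exit` above) is all it takes to make the box unable to dial out again.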
