X Through a firewall

Post by Noe » Wed, 01 Jan 2003 10:42:02



Hi,

I am working with an OpenBSD 3.1 three-legged firewall that has an
interface to the internet, an interface to the DMZ and an interface
to a private network.

One of the users needs to be able to start an X-session between his
home computer and one of the computers behind the firewall. He would
prefer to have a session with one of the private network workstations
but would settle for a computer on the DMZ if that is the
recommendation.

I have not run across an example of how to set this up and was
wondering if someone could provide me with a how-to or a link?

Also, I understand X sends passwords in the clear. Can I use ssh to
protect the passwords as they fly across the network?

Also, are there any reasons why I should NOT let him start an
X-session with a workstation on the private network?

Thanks for the input,

Noel


X Through a firewall

Post by erik » Wed, 01 Jan 2003 11:44:05



> Hi,

> I am working with an OpenBSD 3.1 three-legged firewall that has an
> interface to the internet, an interface to the DMZ and an interface
> to a private network.

> One of the users needs to be able to start an X-session between his
> home computer and one of the computers behind the firewall. He would
> prefer to have a session with one of the private network workstations
> but would settle for a computer on the DMZ if that is the
> recommendation.

> I have not run across an example of how to set this up and was
> wondering if someone could provide me with a how-to or a link?

> Also, I understand X sends passwords in the clear. Can I use ssh to
> protect the passwords as they fly across the network?

For both questions, use ssh: in /etc/ssh/sshd_config you can select that
ssh will forward X. Basically, that is all you would have to do.

> Also, are there any reasons why I should NOT let him start an
> X-session with a workstation on the private network?

Absolutely. Think about the situation where the home computer is not safe,
or, what is worse, is not under the user's control anymore. Then the attacker
would have the perfect way to bypass your company firewall. Don't do this
unless you are really sure that the home machine cannot be compromised.

EJ
--
Remove the obvious part (including the dot) for my email address
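To make the sshd_config part of erik's answer concrete, here is an added example (mine, not code from either poster) of what the DMZ host's sshd_config needs, the single pf rule the firewall needs, and a small check for the ordering trap in sshd_config: sshd uses the first value it finds for a keyword, so a later "X11Forwarding yes" under a stock "X11Forwarding no" does nothing. The macro names $ext_if and $dmz_host, the user alice and the host dmz.example.org are assumed; the sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: alice, dmz.example.org,
# and the pf.conf macros $ext_if / $dmz_host.

# Print the effective X11Forwarding value ("yes", "no" or "unset") of the sshd_config
# given as $1. sshd takes the FIRST occurrence of a keyword, so we stop at the first
# match. Comment lines never match because $1 would be "#X11Forwarding". Match blocks
# (newer sshd) and the rare "Keyword=value" spelling are not handled here.
x11_forwarding_state() {
    awk 'tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# sshd's built-in default for X11Forwarding is "no", so "unset" means disabled.
x11_forwarding_enabled() {
    case "$(x11_forwarding_state "$1")" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Write a minimal sshd_config for the DMZ host to $1. All keywords are standard
# sshd_config(5) options. "Protocol 2" matters on a 2003-era OpenSSH, which still
# offered SSHv1 by default; current releases ignore the line with a warning.
# Key-only authentication and the AllowUsers line are hardening choices assumed here,
# since the ssh tunnel is exactly what a compromised home machine would ride in on.
write_dmz_sshd_config() {
    cat > "$1" <<'EOF'
Protocol 2
X11Forwarding yes
X11DisplayOffset 10
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice
EOF
}

# The only hole the firewall needs: TCP/22 from outside to the DMZ host. Nothing is
# opened towards the private network; the X traffic rides inside this one connection.
# "port = 22" is the operator form accepted by old and current pf alike; check
# pf.conf(5) of the release in use before relying on the flags/keep state spelling.
pf_ssh_rule() {
    printf 'pass in on $ext_if proto tcp from any to $dmz_host port = 22 flags S/SA keep state\n'
}

# What the user types at home: -X asks sshd to forward X11. Inside the session DISPLAY
# is set to localhost:10.0 (X11DisplayOffset above), so X clients started there talk
# to the tunnel, never to the network directly.
client_command() {
    printf 'ssh -X alice@dmz.example.org\n'
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample: stock "no" left in place, then a "yes" appended below it.
    printf 'Port 22\n#X11Forwarding yes\nX11Forwarding no\nX11Forwarding yes\n' > "$tmp/bad"
    write_dmz_sshd_config "$tmp/good"
    echo "misordered config -> $(x11_forwarding_state "$tmp/bad")"   # no: first value wins
    echo "dmz sshd_config   -> $(x11_forwarding_state "$tmp/good")"  # yes
    echo "pf.conf rule      -> $(pf_ssh_rule)"
    echo "client            -> $(client_command)"
    rm -rf "$tmp"
}

demo
```

Two caveats that go with this. First, forwarding X means every X client on the DMZ host can talk to the X server on the home machine (in both directions: keystroke snooping is an old X problem, not an ssh one); later OpenSSH releases split this into untrusted -X and trusted -Y forwarding, so use -X unless an application breaks. Second, the setup does not remove erik's objection, it only contains it: a compromised home machine with the user's key can still log in to the DMZ host, which is why the host should sit in the DMZ rather than the private network and accept only that one user with a passphrase-protected key.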