12:46 p.m.
I have a master directory server behind a firewall that uses NAT. I
want to place a read only server behind a different firewall. The new
server does have a public IP address. Here is my setup:
Master <--> Firewall (NAT) <--> Internet <--> Firewall <-->
Read-Only
My initial thought was to write a script (All done and works) that SSHs
to the RO server and creates local and remote SSH tunnels. That would
allow me to point the servers to localhost on specific ports so that
they would get redirect appropriately and securely. Right now I am
having problems getting them work the way I want them to. I had it
partially working yesterday, but they were synchronizing like a normal
system (out of SSH, over port 389).
Does anybody have any ideas how this should be done securely? It is
going over the Internet, so security is a must.
--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
2:36 p.m.
On Wed, 10 Jan 2007, Nathaniel Hall wrote:
I have a master directory server behind a firewall that uses NAT. I
want to place a read only server behind a different firewall. The new
server does have a public IP address. Here is my setup:
Master <--> Firewall (NAT) <--> Internet <--> Firewall <-->
Read-Only
My initial thought was to write a script (All done and works) that SSHs
to the RO server and creates local and remote SSH tunnels. That would
allow me to point the servers to localhost on specific ports so that
they would get redirect appropriately and securely. Right now I am
having problems getting them work the way I want them to. I had it
partially working yesterday, but they were synchronizing like a normal
system (out of SSH, over port 389).
Does anybody have any ideas how this should be done securely? It is
going over the Internet, so security is a must.
I've had decent luck using stunnel for this sort of thing. I've found
it to work a lot more reliably than SSH tunnels.
3:29 p.m.
I have never gotten this suggestion to work but I did not try it much. You
can use Point to Point IP Sec tunneling. This will remove the SSH layer. it
will be more natural in terms of IP resolution and more standard then making
tunnels.
Edward
On 1/10/07, Patrick Morris <patrick.morris(a)hp.com> wrote:
On Wed, 10 Jan 2007, Nathaniel Hall wrote:
> I have a master directory server behind a firewall that uses NAT. I
> want to place a read only server behind a different firewall. The new
> server does have a public IP address. Here is my setup:
>
> Master <--> Firewall (NAT) <--> Internet <--> Firewall <-->
Read-Only
>
> My initial thought was to write a script (All done and works) that SSHs
> to the RO server and creates local and remote SSH tunnels. That would
> allow me to point the servers to localhost on specific ports so that
> they would get redirect appropriately and securely. Right now I am
> having problems getting them work the way I want them to. I had it
> partially working yesterday, but they were synchronizing like a normal
> system (out of SSH, over port 389).
>
> Does anybody have any ideas how this should be done securely? It is
> going over the Internet, so security is a must.
I've had decent luck using stunnel for this sort of thing. I've found
it to work a lot more reliably than SSH tunnels.
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
3:40 p.m.
I have been trying to do this for a couple of days. It worked at one
point, but it was replicating in plaintext. Alternatively, what I am
trying is to point the read only system to the master through SSH
tunnels and setup replication through the standard SSL port. I had a
very similar setup yesterday, but mixed in with my changes I lost it.
It just wasn't using SSL.
Eddie C wrote:
I have never gotten this suggestion to work but I did not try it
much.
You can use Point to Point IP Sec tunneling. This will remove the SSH
layer. it will be more natural in terms of IP resolution and more
standard then making tunnels.
Edward
On 1/10/07, *Patrick Morris* <patrick.morris(a)hp.com
<mailto:patrick.morris@hp.com>> wrote:
On Wed, 10 Jan 2007, Nathaniel Hall wrote:
> I have a master directory server behind a firewall that uses
NAT. I
> want to place a read only server behind a different
firewall. The new
> server does have a public IP address. Here is my setup:
>
> Master <--> Firewall (NAT) <--> Internet <--> Firewall
<-->
Read-Only
>
> My initial thought was to write a script (All done and works)
that SSHs
> to the RO server and creates local and remote SSH tunnels. That
would
> allow me to point the servers to localhost on specific ports so
that
> they would get redirect appropriately and securely. Right now I am
> having problems getting them work the way I want them to. I had it
> partially working yesterday, but they were synchronizing like a
normal
> system (out of SSH, over port 389).
>
> Does anybody have any ideas how this should be done securely? It is
> going over the Internet, so security is a must.
I've had decent luck using stunnel for this sort of thing. I've
found
it to work a lot more reliably than SSH tunnels.
8:20 p.m.
One thing to watch when using software tunnels is that there was (is
still?) a
bug in the ldap protocol library underneath the server where if packets are
fragmented in strange and unnatural ways, the server just won't work
properly
(it fails to decode the LDAP PDU header properly). This happens for example
if the tunnel software ends up sending only a few bytes of the beginning
of a
PDU as a TCP segment. Basically you can send perfectly correct LDAP but
fragmented in just the wrong way the server will not decode it correctly.
I'm not sure if this is a real issue any longer but thought it worth
mentioning.
6307
days inactive
6308
days old
389-users@lists.fedoraproject.org
4 comments
4 participants
participants (4)
-
David Boreham -
Edward Capriolo -
Morris, Patrick -
Nathaniel Hall