
Firewall security: Problems with simple Samba file share 3584



Peter T. Breuer

So because ssh allows access from ANYWHERE, I can't restrict it to specific IPs? Why is that, Peter? Because you say so? :-)

Does ssh lose any functionality when I restrict it so? Does it not still offer me the advantages of encrypted communication and file transfer?

How is that not appreciating the design? That's a favorite tactic of yours, btw: pretending the other person doesn't understand something.

By the way, is the goal here to use ssh as you want me to use it or help restrict access to machines as I desire? I think the latter.. ssh is only part of the picture, you know.

Sigh.. because if a user isn't supposed to have access from anywhere but their desk, then I presume to prevent any such access. In some unusual situations, we even provide specific IPs to specific MAC addresses, enforce that the IP is only connected to a certain switch port, and put further restrictions on the user presumed to be using that IP.

Not everyone is allowed to work from home. Simple as that.

If someone has physical access to a remote machine and has the passphrase or the passphrase is blank or easily guessed, of course the firewall does nothing.

But that's a strawman and you know it. The firewall does help protect against someone stealing the keys and using them at another location. It also protects against an unknown ssh exploit from unauthorized locations.

Of course.

You are just proving my point. The more layers you have to fight through, the harder it is. Again, why don't I just leave my car unlocked with the keys in it and the alarm off? We both know you CAN steal my car if you have enough patience and skill.


And a firewall you have no access to might make that more difficult for you.


Strawman. I never said ssh was deficient or that I'm closing a hole.

I merely state that addition of firewalls can add extra layers of security and can help prevent against newly discovered exploits - *help* prevent, please note, no guarantees of that of course.

On the other hand, you apparently hold the ridiculous position that a firewall can offer no additional protection against undesired use.

Typical Peter argument: setting up something that was never said and beating the hell out of it. Toss that straw around, Peter.

Really? I know people who carry their keys on a CD or a USB stick. Wrong again, Peter. A firewall limiting them to known IP addresses prevents them or anyone else from making use of those keys at unexpected locations.

Keys can also be on backup tapes and are often transmitted by email.. logging into that IP is certainly not the only way to get keys.

Wrong. The pam will also lock out after unsuccessful su attempts. You are also forgetting that we may have a network here - the initial breach may have been elsewhere. The pam lockout isn't directly related, correct, but it does add more security.

Sigh.. again, that's plainly not the case. You could have stolen a backup tape. You could have stolen a usb stick. The public key might have been transmitted by email or other insecure methods and you might have obtained a copy of it. The external site may have carelessly left an nfs or smb share that you can get at without credentials. And so on.

You are just plain wrong, Peter, and too stubborn to admit it. Having had experience with you more than once in the past, I can pretty well guess what comes next: more attempts at obfuscation, more strawmen and red herrings, and ultimately insults and silence. You are so predictable.. :-)

-- Tony Lawrence
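
An added example, not part of the original post: a small audit that complements the source-IP restriction argued for above by flagging accepted ssh logins that arrive from outside each user's permitted networks. The user names, networks and log lines are constructed, and the parser assumes OpenSSH's usual "Accepted ... for ... from ... port" syslog line.

```python
import ipaddress
import re

# Hypothetical per-user policy: the only networks each account may log in from.
ALLOWED = {
    "alice": ["192.0.2.10/32"],
    "bob": ["192.0.2.0/28", "2001:db8:10::/64"],
}

# Assumed format: OpenSSH's "Accepted <method> for <user> from <addr> port <n>".
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+"
)

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
Mar  3 09:14:02 gw sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar  3 09:20:41 gw sshd[2250]: Accepted publickey for alice from 198.51.100.77 port 41810 ssh2
Mar  3 10:02:13 gw sshd[2301]: Accepted password for bob from 192.0.2.14 port 33900 ssh2
Mar  3 10:05:55 gw sshd[2312]: Failed password for bob from 203.0.113.5 port 40022 ssh2
Mar  3 11:30:09 gw sshd[2400]: Accepted publickey for carol from 192.0.2.12 port 51515 ssh2
Mar  3 11:45:00 gw sshd[2410]: Accepted publickey for bob from 2001:db8:10::5 port 51600 ssh2
"""

def unexpected_logins(log_text, allowed=ALLOWED):
    """Return (user, addr, method) for accepted logins outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are not logins
        user, method = m["user"], m["method"]
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            findings.append((user, m["addr"], method))  # unparseable source: flag it
            continue
        # A user with no policy entry has no permitted source (default deny).
        nets = [ipaddress.ip_network(n) for n in allowed.get(user, [])]
        if not any(addr in net for net in nets):
            findings.append((user, str(addr), method))
    return findings

if __name__ == "__main__":
    for user, addr, method in unexpected_logins(SAMPLE_LOG):
        print(f"unexpected source: {user} via {method} from {addr}")
```

A hit on a valid publickey login from an unlisted address is the stolen-key case the post describes; with the firewall restriction in place such a line should never appear, so any finding also indicates a gap in the filter rules.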


