October 29, 2004, 10:40 pm
The real life scenario is as follows:
1) Server machine has 100 different processes bound to the loopback address,
where each process is listening on at least 1 TCP port.
2) Winsshd has three templates namely A, B and C.
I wish to have the following restrictions in place:
1) Users (irrespective of the template) should NOT be allowed to tunnel
'their' local port via Winsshd to 'another machine' (namely www.google.com).
Basically they should NOT be allowed to use winsshd as a proxy.
2) Users using template A should be allowed to (C2S) tunnel to any TCP port
on 127.0.0.1 (loopback address). (This does not need anything to be done
on my part, I believe.)
3) Users using template B should be allowed to (C2S) tunnel to ONLY
127.0.0.1:80, ( the key point to note here is the word 'ONLY')
4) Users using template C should be allowed to (C2S) tunnel to only 127.0.0.1
port 80, 25, 110 (the key point to note here is the word 'ONLY').
5) Users using template A should be allowed to (S2C) listen on 127.0.0.1:any
port only, i.e. they should NOT be allowed to open a listening socket on the
interface that has a public IP (the key point to note here is the words
'ONLY on 127.0.0.1').
6) Users of template B and C cannot create C2S connections to any 'other'
processes other than those mentioned in 3) and 4)
7) Users using template A should be allowed to (S2C) open listen ports on
the interface using the public ip too.
I did figure that the wcfg utility allows you to achieve the above; the
documentation (user guide) mentions "Socket rules", however no example exists
on how to set up these rules.
Would appreciate if someone can shed some light on this very important
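The per-template restrictions in the post amount to an allow-list on client-to-server (C2S) forward targets plus a bind-address restriction on server-to-client (S2C) listeners. The following is an added example, not the poster's configuration and not WinSSHD's socket-rule syntax (which the post does not show): it models those rules as a small policy checker in Python so the intended behaviour can be tested before any real server is configured. The `TemplatePolicy` class, the `POLICIES` table and the two `allow_*` functions are assumptions made for this example; the public IP `203.0.113.10` is a constructed sample value. Where the post leaves S2C for templates B and C unspecified, the example assumes loopback-only.

```python
"""Policy checker modelling the forwarding rules described in the post.

Added example code; it does not use WinSSHD's own configuration format.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class TemplatePolicy:
    # C2S (ssh -L style) forwards: ports the server may connect to on the
    # loopback address on the user's behalf. None means "any loopback port".
    # Non-loopback destinations are never allowed for any template (rule 1).
    c2s_loopback_ports: Optional[FrozenSet[int]]
    # S2C (ssh -R style) listeners: True lets the server bind a listener on
    # any interface (including the public IP); False restricts it to loopback.
    s2c_bind_any_interface: bool


# Assumed policy table derived from the post's rules 2 to 7.
# S2C for templates B and C is not stated in the post; loopback-only is assumed.
POLICIES = {
    "A": TemplatePolicy(c2s_loopback_ports=None, s2c_bind_any_interface=True),
    "B": TemplatePolicy(c2s_loopback_ports=frozenset({80}), s2c_bind_any_interface=False),
    "C": TemplatePolicy(c2s_loopback_ports=frozenset({80, 25, 110}), s2c_bind_any_interface=False),
}


def _is_loopback(host: str) -> bool:
    """True only for a literal loopback IP (127.0.0.0/8 or ::1).

    Hostnames such as 'localhost' are refused rather than resolved, so a name
    that later resolves elsewhere cannot pass a loopback-only check.
    """
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def allow_c2s(template: str, host: str, port: int) -> bool:
    """Decide a C2S request: may a user of `template` have the server connect
    to host:port for them? Unknown templates are denied (default deny)."""
    policy = POLICIES.get(template)
    if policy is None:
        return False
    # Rule 1: the server is never a proxy to another machine.
    if not _is_loopback(host):
        return False
    # Rules 2 to 4 and 6: per-template port allow-list on loopback.
    if policy.c2s_loopback_ports is None:
        return True
    return port in policy.c2s_loopback_ports


def allow_s2c_bind(template: str, bind_addr: str) -> bool:
    """Decide an S2C request: may the server open a listener on bind_addr for
    a user of `template`? The wildcard 0.0.0.0 is not loopback and is refused
    for loopback-only templates, since it would expose the public interface."""
    policy = POLICIES.get(template)
    if policy is None:
        return False
    if policy.s2c_bind_any_interface:
        return True
    return _is_loopback(bind_addr)


if __name__ == "__main__":
    # Constructed sample requests to show the decisions.
    for tpl, host, port in [("A", "127.0.0.1", 5432), ("B", "127.0.0.1", 25),
                            ("C", "127.0.0.1", 110), ("A", "www.google.com", 80)]:
        print(f"C2S template {tpl} -> {host}:{port}: {allow_c2s(tpl, host, port)}")
    for tpl, addr in [("A", "203.0.113.10"), ("B", "127.0.0.1"), ("B", "0.0.0.0")]:
        print(f"S2C template {tpl} bind {addr}: {allow_s2c_bind(tpl, addr)}")
```

The checker is default-deny: an unknown template, a hostname instead of an IP literal, or a wildcard bind address all fail closed, which is the property to look for in whatever rule syntax the real server uses.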