 
 From:  "Kevin Tollison" <kevin at kwtassoc dot com>
 To:  "'Danny Puckett'" <dpuckett at comresource dot com>, "'Chet Harvey'" <chet at pittech dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Rsync over SSH to Internal Server
 Date:  Tue, 18 Apr 2006 22:17:18 -0400
My NAT and rules are set up exactly as described. Still I cannot even SSH to
the machine manually. I have it set up exactly as you described: set up a
generic account, generated keys, etc. It worked flawlessly with the 2
machines connected to the LAN. I had this setup working a while back with
the Linux boxes acting as the gateway. It is the SME Server distro (7.0RC1)
I am running, BTW. The logs are not telling me anything. Could it have
anything to do with NAT-T?



-----Original Message-----
From: Danny Puckett [mailto:dpuckett at comresource dot com] 
Sent: Tuesday, April 18, 2006 2:53 PM
To: Chet Harvey; Kevin Tollison
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Rsync over SSH to Internal Server

I do something similar to this. I created a generic account on the TARGET
server and generated pub/priv keys.  Copy the pub key to the appropriate
place on your SOURCE server behind the other m0n0wall and cron a job that
will do an rsync 'push' over ssh to the TARGET server.
My cron job runs as root to have access to all the files on the SOURCE
server but the ssh connection is made with the generic user account for
better security (or at least the perception of) and the files are dumped
into the writeable directory of your choice.  The only thing you should need
is a NAT and RULE entry on the TARGET m0n0wall.



> -----Original Message-----
> From: Chet Harvey [mailto:chet at pittech dot com]
> Sent: Tuesday, April 18, 2006 1:56 PM
> To: Kevin Tollison
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Rsync over SSH to Internal Server
> 
> hmmm...
> 
> Did you use "inbound nat" or one of the other tabs such as Server NAT
> or 1:1?
> 
> My m0n0 is set to the tab that says "Inbound" and the rule looks like 
> this:
> 
>   WAN   TCP   22 (SSH)   192.168.x.x   22 (SSH)   Proxy
> 
> I did auto add a firewall rule then went and changed the rule to read:
> 
>   TCP   x.x.x.x   *   192.168.x.x   22 (SSH)   NAT Proxy
> 
> And with this I can access my NAT'd SSH only from the address I 
> specified. In this case it is work.
> 
> My question is, if you are running rsync over SSH, why would you need
> port 873 open on the firewall? I bet if you check your logs there will
> be a lot of drops.
> 
> IMHO you have two ways to do this "securely". The first is to simply
> set up a static IPsec tunnel between the m0n0's. That way you don't
> need to change anything and your data is encrypted.
> 
> The second way is to use stunnel on each server and redirect rsync in
> an encrypted tunnel between points. This option takes a little load
> off your m0n0.
> 
> Chet
> 
> Quoting Kevin Tollison <kevin at kwtassoc dot com>:
> 
> > I am having a problem getting to servers behind m0n0wall boxes.
> > 
> > Here is the setup
> > 
> > Server1 -->  m0n0wall -->  Internet --> m0n0wall --> Server2
> > 
> > We are trying to run a rsync job from server1 pulling data from
> > server2
> > 
> > I configured both servers locally and ran the initial backup locally,
> > then moved server2 to its new location.
> > 
> > Initially I tried to just SSH to server2 from server1 with no
> > success. The connection just times out.
> > 
> > My rules are as follows. NAT for port 22 and 873 to the server on both
> > sides. Firewall rules to allow all traffic from the WAN IP on both sides.
> > Initially I just set it up to allow just the ports and protocols I
> > needed, with no luck. So then I opened it up completely with only an
> > IP address restriction, still nothing.
> > 
> > Hopefully I am missing something simple. Let me know if you need any
> > more information or clarification.
> > 
> > 
> > --
> > Kevin Tollison
> > 
> > 
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > 
> > 
> 
> 
> 

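The push-over-SSH setup Danny describes (root cron job on SOURCE, generic key-only account on TARGET, one writable drop directory), together with a quick way to tell a firewall drop from a refused connection when "the connection just times out", as an added example. This is not code from the thread, from m0n0wall or from SME Server. The host 192.0.2.10, the account name "backup", the directory /srv/backup/incoming and the key path /root/.ssh/backup_push are assumptions. The part most worth having is the forced command on TARGET: a generic account whose authorized_keys carries a bare key still hands the SOURCE box a full shell, so the key is pinned to a wrapper that only lets an rsync server invocation through, and only into the drop directory.

```shell
#!/bin/sh
# Added example, not code from the m0n0wall thread, m0n0wall or SME Server.
#   TARGET: a forced command that lets the generic account run rsync, and
#           only rsync, into one directory.
#   SOURCE: the rsync push that root's cron job runs.
#   plus a probe that classifies what the TCP/SSH handshake to TARGET does.
# Assumed (hypothetical) values: TARGET reachable at 192.0.2.10:22 through
# the m0n0wall NAT, generic account "backup", drop directory
# /srv/backup/incoming, SOURCE key /root/.ssh/backup_push.

TARGET_HOST="${TARGET_HOST:-192.0.2.10}"
TARGET_PORT="${TARGET_PORT:-22}"
TARGET_USER="${TARGET_USER:-backup}"
ALLOWED_DIR="${ALLOWED_DIR:-/srv/backup/incoming}"
PUSH_KEY="${PUSH_KEY:-/root/.ssh/backup_push}"

# ---- TARGET side ------------------------------------------------------------
# Install this file as /usr/local/bin/rsync-only and pin the key to it in
# ~backup/.ssh/authorized_keys (one line):
#   command="/usr/local/bin/rsync-only --forced",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... root@source
# sshd then ignores what the client asked for, runs the forced command and
# leaves the client's request in SSH_ORIGINAL_COMMAND for us to vet.

# allow_command REQUEST -> 0 if REQUEST is an rsync server invocation whose
# target path is ALLOWED_DIR or below it, 1 otherwise.
allow_command() {
    req="$1"
    case "$req" in
        "rsync --server "*) ;;                      # rsync in server mode only
        *) return 1 ;;
    esac
    case "$req" in                                  # no shell/glob metacharacters
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'>'*|*'<'*|*'*'*|*'?'*) return 1 ;;
    esac
    case "$req" in *'..'*) return 1 ;; esac         # no parent-directory climbs
    for word in $req; do                            # long options: allowlist only
        case "$word" in                             # (blocks e.g. --log-file=...)
            --server|--sender|--delete|--delete-during|--delete-after|--delete-before|--delete-delay|--delete-excluded) ;;
            --*) return 1 ;;
        esac
    done
    dest="${req##* }"                               # rsync puts the path last
    case "$dest" in
        "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

run_forced_command() {
    if allow_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # shellcheck disable=SC2086  # word-splitting the vetted request is intended
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-only: rejected '${SSH_ORIGINAL_COMMAND:-}'" >&2
    exit 1
}

# ---- SOURCE side ------------------------------------------------------------
# rsync_push_cmd SRC prints the command root's cron job runs. BatchMode stops
# ssh from ever prompting under cron; ConnectTimeout turns a silent drop at
# the firewall into a fast, logged failure instead of a hung job.
# Crontab entry (root), e.g.:
#   0 2 * * * /usr/local/sbin/push-backup.sh >>/var/log/push-backup.log 2>&1
rsync_push_cmd() {
    printf '%s\n' "rsync -az --delete -e 'ssh -i $PUSH_KEY -p $TARGET_PORT -o BatchMode=yes -o ConnectTimeout=15' $1 $TARGET_USER@$TARGET_HOST:$ALLOWED_DIR/"
}

# ---- Diagnosing the timeout --------------------------------------------------
# probe_ssh HOST PORT [SECONDS] prints one of:
#   open     sshd answered (auth for the dummy user fails, as expected)
#   refused  the forward landed on a host with nothing listening on that port
#   timeout  packets are dropped: NAT or rule on the TARGET m0n0wall, or upstream
#   other    ssh's own message, for anything else
probe_ssh() {
    out=$(ssh -o BatchMode=yes -o ConnectTimeout="${3:-5}" \
              -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
              -p "$2" "probe@$1" true 2>&1 </dev/null) && { echo open; return 0; }
    case "$out" in
        *"Permission denied"*|*"Host key verification failed"*) echo open ;;
        *"Connection refused"*)                                echo refused ;;
        *"timed out"*)                                         echo timeout ;;
        *)                                                     echo "other: $out" ;;
    esac
}

case "${1:-}" in
    --forced) run_forced_command ;;
    --probe)  probe_ssh "$TARGET_HOST" "$TARGET_PORT" ;;
    --push)   eval "$(rsync_push_cmd "${2:-/data}")" ;;
esac
```

Run `rsync-only --probe` from SOURCE first: "timeout" means the NAT and rule pair on the TARGET m0n0wall (or something in front of it) is eating the SYN and no amount of ssh or rsync tuning will help; "refused" or "open" means the forward works and the problem is on the server. The allowlist in allow_command is deliberately short; rsync ships a more complete wrapper, rrsync, in its support directory, which is the better choice if the push needs options beyond the delete family.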