On Tue, Sep 09, 2008 at 10:42:31PM +0300, Andrei Popescu wrote:
> On Tue,09.Sep.08, 13:50:05, François Cerbelle wrote:
> > [...]
> >
> > Now, you have to protect the admin box from an attack initiated from the
> > NATted box (mother's). Because this box is unsure. So, you set iptables
> > rules on the admin box to filter every byte which comes from the NATted
> > box.
>
> Yes, this is my problem
>
> > Then, you can still go on internet with your normal connection, but you can
> > not use it to connect directly to the NATted box, as it is natted and it
> > does not have a public IP. But you can connect to it using the VPN because
> > you are both on the same private network. And your box is protected from
> > malware installed on the NATted box.
>
> What is protecting me from the malware, because I still have to open the
> firewall for the VPN? Or do you mean I can firewall the traffic going
> through the VPN?
The open connection to the internet that allows the VPN traffic through
only allows specific traffic through, and you have to authenticate with an
x509 certificate (make a 4096-bit key if you want); only a person with
the certificate can create the VPN connection.
Then you put your firewall in place, just make it outbound only, so
only connections from your machine out are allowed.
You can do tricky things with your firewall to stop (!?) DDOS on the
openvpn server end as well.
>
> This is interesting, but it adds additional complexity to the setup.
> I've set up a reverse ssh tunnel using a (very) restricted key. Hope
> it's enough.
Very much the same setup; again, if the tunnel is up and the other person
has malware then they will have access to your machine unless you
firewall. I am not sure where ssh tunnel packets get injected into
iptables?
>
> Regards,
> Andrei
> --
> If you can't explain it simply, you don't understand it well enough.
> (Albert Einstein)
--
"As a matter of fact, I know relations between our governments is good."
- George W. Bush
11/08/2005
Washington, DC
On U.S.-South Korean relations
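The firewall the message describes for the admin box (OpenVPN server end: one inbound hole for the VPN handshake, everything else outbound only, nothing new accepted from the tunnel, a rate cap on the OpenVPN port) written out as an iptables-restore ruleset. This is an added example, not from the thread or from either poster; the interface names eth0/tun0 and UDP port 1194 are assumptions you would replace with your own.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for an admin box that runs
# the OpenVPN server and must not trust the NATted box on the far side of
# the tunnel. Interface and port names below are assumptions, not from the
# mailing-list thread; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"      # assumed public-facing interface
VPN_IF="${VPN_IF:-tun0}"      # assumed OpenVPN tunnel interface
VPN_PORT="${VPN_PORT:-1194}"  # assumed OpenVPN listening port (UDP)

# Print the ruleset; apply with: gen_ruleset | iptables-restore
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this box opened itself
# (this is what makes the box "outbound only").
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only inbound hole on the public interface: the OpenVPN port.
# hashlimit caps new packets per source address so a single sender
# cannot flood the daemon; certificate auth happens inside OpenVPN.
-A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ovpn --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 20 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j DROP
# Nothing new may arrive from the tunnel: the NATted box can only answer
# connections the admin box initiated. Log drops so a compromised peer
# probing this side shows up in the kernel log.
-A INPUT -i $VPN_IF -m limit --limit 5/min -j LOG --log-prefix "vpn-inbound-drop: "
-A INPUT -i $VPN_IF -j DROP
COMMIT
EOF
}

# Sanity check for the generated policy: number of rules that ACCEPT
# anything arriving on the tunnel interface. Must be zero for the
# "outbound only" design to hold.
count_tun_accept() {
    gen_ruleset | grep -c -- "-i $VPN_IF .*-j ACCEPT" || true
}

gen_ruleset
```

Note on the reverse ssh tunnel mentioned later in the message: connections forwarded through an ssh tunnel are opened by the ssh or sshd process on the admin box itself and therefore traverse the loopback interface, not eth0 or tun0; the `-i lo -j ACCEPT` line above passes them untouched, so an ssh-tunnel setup needs its own rule on lo (for example restricting the forwarded port to the intended destination) rather than the tun0 rules shown here.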