Hi all,
I configured a few backup clients in our DMZ firewall environment with
the FSC FWX module.
The whole thing works fine without any problems, but I have a few things
I'd like to optimize.
As you know, to build up the tunnel through the firewall, a port has to
be opened.
In the documentation you can read something like this:
---
Network Data Security
As mentioned already above, the tunnel established between the FWX-server
and FWX-proxy is not an open tunnel; it is controlled by the NetWorker
processes on the server. Processes will dynamically enable TCP ports
as they bind services and disable the ports again when a service ceases
to exist. All connections to ports that are not explicitly enabled
are blocked.
---
In the default configuration that's not true: if the tunnel is finally
opened through the opened port from server to proxy, you can use
everything through that tunnel. For example, I tested some ssh sessions
and smb mounts. Perhaps you can imagine that our security guys are not
really amused with that configuration.
The only thing I found in the documentation is to configure the packet
filter not to allow ICMP traffic.
Does anyone have experience with the nsr-fwx module?
I think there must be a way to configure the underlying packet filter of
the fwx daemon.
We are running FSC Networker 7.2 on Linux.
Thanks in advance,
Andreas