I'm now in search of a safer but convenient rsh(1) replacement for some
tasks of firewall day-to-day operation, i.e. gathering some stats, etc.
to an inside machine. The firewall is composed of FreeBeasts (I like
that spelling of FreeBSD! :), no fancy black Cisco boxen for filtering.
As the inside machine won't trust any part of the firewall, the server part of a
connection should reside on the firewall hosts. Yes, I know --
spoofing _is_ the issue, but it might be eliminated by filtering
the inside addressee on the external router/filter, which has virtually
no access from outside. I want to get rid of all ways
to acquire a shell on the firewall hosts as a whole (thus physically remove
rshd, telnetd, any-other-extra-d, leaving only publicly available
services, and on the bastion host _only_). I don't want to have a Perl5
executable hanging around, though I'm not sure that the WWW server on the bastion
host (or its admin, better to say) can live without it.
The alternatives for rsh(1) I'm aware of are as follows:
1. ssh-1.2.whatever. By far the superior thingie; but it seems to be
   overkill for use on a single-room coax, and needs some kind of
   public-key-crypto awareness.

2. netpipes-3.0 package by Robert Forsman (comp.sources.unix, vol. 29).
   A very simple pair of tools, allowing the use of socket connections
   from shell scripts.

3. Hand-written daemon. Yes, that's probably OK, but I need to have a
   stable list of needed tasks for it, so some scripted
   simple-rapid-and-dirty prototypes are needed anyway. When the list of
   needed things to do is well established, I'd probably replace the
   prototypes with real compiled tools.

So, I'm seriously considering netpipes as a transport -- only the server
part is on the firewall machine(s), bound to a preselected set
of ports, with a /bin/sh script attached to it.
Where am I wrong?
With best regards -- Andrew Stesin.
+380 (44) 2760188 +380 (44) 2713457 +380 (44) 2713560
"You may delegate authority, but not responsibility."
Frank's Management Rule #1.
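As an added illustration (not part of the original post or of netpipes), here is the shape a /bin/sh handler attached to such a listener could take: the listener (assumed to be something like netpipes, which connects the socket to stdin/stdout) hands the script one request line, and the script only ever runs commands from its own fixed table, so client text never reaches the shell for expansion. The task names and the stats commands behind them are assumptions for illustration.

```shell
#!/bin/sh
# Added example handler for a netpipes-style listener (assumed to connect the
# accepted socket to this script's stdin/stdout). It reads exactly one request
# line, validates it strictly, and maps it to a command from a fixed table.

# Map a request name to the command that serves it. Only names listed here are
# ever executed; the client's request text itself is never evaluated.
task_for() {
    case "$1" in
        uptime)   echo "uptime" ;;
        netstat)  echo "netstat -an" ;;   # assumed stats task
        ifstats)  echo "netstat -i" ;;    # assumed stats task
        *)        return 1 ;;
    esac
}

# Validate one raw request line: strip a trailing CR, accept only a short
# token of lowercase letters and digits, and require it to be a known task.
validate_request() {
    req=$(printf '%s' "$1" | tr -d '\r')
    case "$req" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#req}" -le 16 ] || return 1
    task_for "$req" >/dev/null
}

# Serve a single connection: read one line, run the mapped command or refuse.
serve_one() {
    IFS= read -r line || exit 1
    if validate_request "$line"; then
        cmd=$(task_for "$line")
        # $cmd comes only from task_for's fixed table, never from the client;
        # word splitting here is intended so "netstat -an" becomes two words.
        exec $cmd
    else
        echo "refused" >&2
        exit 1
    fi
}

# Only act as the handler when invoked with "serve" (the listener does this).
if [ "${1:-}" = "serve" ]; then
    serve_one
fi
```

The listener runs the script as `handler.sh serve` per connection; anything not in the table, including a valid name with extra text after it, is answered with "refused" and a non-zero exit.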