[146371] in North American Network Operators' Group
Re: Encrypted RPC and firewalling
Thu Nov 10 07:52:39 2011
To: Lasse Birnbaum Jensen <lasse@sdu.dk>
In-Reply-To: Your message of "Thu, 10 Nov 2011 09:56:51 +0100." <2E350517-A6A8-4097-AE60-BAF2FA090877@sdu.dk>
From: <Valdis.Kletnieks@vt.edu>
Date: Thu, 10 Nov 2011 07:50:39 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
On Thu, 10 Nov 2011 09:56:51 +0100, Lasse Birnbaum Jensen said:
> I would like to know how you guys handle encrypted rpc across firewalls.
You can always just set the firewall to ban RPC in general, whether or not it's
encrypted (while you're there, close off ports 137-139 and other chucklehead
stuff like that), and just make the user who's outside the firewall VPN in. That's
a nice, simple, well-understood configuration that almost all software and even
most users can handle.
(We don't actually do a big monolithic firewall box - but pretty much
everything has an iptables ruleset loaded that says "if your source IP isn't
inside our 2 /16s, your packets go bye bye". And there's a nice PPTP-based VPN
solution in place that even a humanities professor emeritus can use ;)
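As an added illustration (not part of Valdis's post or any vt.edu configuration), the policy he describes modelled in Python: accept new connections only from two campus /16s, close the NetBIOS/RPC ports regardless of source, and render the same policy as an iptables-restore ruleset. The /16s, the port list and the VPN concentrator flag are placeholders I made up for the example.

```python
import ipaddress

# Constructed placeholder campus prefixes, standing in for "our 2 /16s".
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.20.0.0/16")]
# Ports closed even for inside sources: NetBIOS 137-139 (from the post), plus
# the RPC portmapper/endpoint mapper ports 111 and 135 (my assumption).
BLOCKED_PORTS = {111, 135, 137, 138, 139}


def decide(src_ip, dport):
    """Verdict for a new inbound connection, mirroring the iptables rule order."""
    src = ipaddress.ip_address(src_ip)
    if dport in BLOCKED_PORTS:
        return "DROP"  # chucklehead ports are closed to everyone
    if any(src in net for net in TRUSTED_NETS):
        return "ACCEPT"
    return "DROP"  # "if your source IP isn't inside our 2 /16s, your packets go bye bye"


def render_iptables(vpn_server=False):
    """Render the policy as text for `iptables-restore`.

    VPN clients land on an inside address, so they pass the source check like any
    other campus host; only the concentrator itself (vpn_server=True, assumed)
    needs PPTP (TCP 1723 + GRE) open to the outside world.
    """
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(BLOCKED_PORTS):  # explicit drops first, so nothing below reopens them
        lines.append(f"-A INPUT -p tcp --dport {port} -j DROP")
        lines.append(f"-A INPUT -p udp --dport {port} -j DROP")
    if vpn_server:
        lines.append("-A INPUT -p tcp --dport 1723 -j ACCEPT")
        lines.append("-A INPUT -p gre -j ACCEPT")
    for net in TRUSTED_NETS:
        lines.append(f"-A INPUT -s {net} -j ACCEPT")
    lines.append("COMMIT")  # everything else falls through to the INPUT DROP policy
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_iptables())
```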