Firewall question

Patrick O'Callaghan pocallaghan at gmail.com
Thu May 15 15:08:15 UTC 2008


On Thu, 2008-05-15 at 15:44 +0100, Anne Wilson wrote:
> On Thursday 15 May 2008 15:24, Patrick O'Callaghan wrote:
> >
> > Incoming to the mail server. Outgoing from your laptop. We're talking
> > about configuring your laptop at Wifi hotspots aren't we? Or have I
> > totally lost the plot?
> >
> I was thinking about configuring the server to accept my connections from 
> hotspots, but not unknown ones.

Hotspots will almost invariably use NAT, so the IP address of the laptop
as seen from *outside* the hotspot is going to be known beforehand. What
you won't know is the port number since it's assigned dynamically by the
hotspot's router, so you can't use a firewall to distinguish between
different machines within the hotspot's coverage. It's pretty much all
or nothing. I don't think a firewall filter is what you need here.

> > (Nota Bene: "incoming" and "outgoing" have nothing to do with the
> > direction the mail is flowing. The machine behind the firewall that
> > sends the initial TCP request is the "outgoing" machine from the point
> > of view of the firewall, whether it's sending mail or reading it).
> >
> I *think* I'm still with you :-)  But still, the first decision is whether to 
> accept the connection, isn't it?
> 
> > Maybe I'm misunderstanding what you're trying to do.
> >
> Worry not - I confuse myself at times :-)  What I'm really trying to do is get 
> my head around the issues regarding working away from home.  I have imap 
> mail set up, and was wondering whether to go further to allow access to my 
> files while away from home, but I need some basic background understanding 
> before I try to get specifics.  Otherwise I don't know what is relevant 
> reading and what isn't :-)  I'm assuming that I'd have to do something like a 
> vnc connection - but since I don't have the basics, I could be way off beam.

If it's just IMAP mail, then use SSL encryption.

If you really want to make sure the connection is coming from your
laptop (and not from you using e.g. a cybercafe machine) then you can
set up an SSH tunnel using tokens instead of passwords. You have to
physically copy the SSH token to your laptop (e.g. via a USB key) but
this is a once-only operation. Or in fact keep the token on the key and
thus allow connection only when the key is plugged in :-)

If you just want to browse your desktop remotely, then VNC or NX is what
you need. These can also work over SSH using either tokens or passwords.
This will also cover the email case. Note that copying a mail attachment
locally to the laptop's hard drive gets a little more complicated in
this scenario.

If you want general access to your files from any local app on the
laptop, you're looking at a VPN of some kind. This can also be done via
SSH, or if you're more ambitious then look at IPSEC systems such as
FreeSWAN.

(My knowledge of these things is mostly theoretical so I can give you a
rough idea how they are *supposed* to work but if you need a cheat-sheet
then Google is your friend).

poc
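
The three SSH-based setups poc sketches above (key-only tunnel for IMAP, the same tunnel for VNC, and the server refusing passwords) as an added example in shell; it is not part of the original thread. The host name mail.example.org, the account "anne" and the key path /media/usbkey/id_rsa are placeholders, as are the two sshd_config samples written by write_samples, which are constructed for the checks here.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholders: home server
# mail.example.org, account "anne", private key on a USB stick at /media/usbkey.

# Build the ssh command for a port forward: local apps connect to
# 127.0.0.1:LOCAL, ssh carries that inside the authenticated, encrypted session
# and delivers it to REMOTE on the server's own loopback, so plain IMAP on 143
# never crosses the hotspot unencrypted. Password auth is switched off on the
# client side as well, so the tunnel only opens from a machine holding the key.
tunnel_cmd() {      # $1 local port, $2 remote port, $3 key file, $4 user@host
    printf 'ssh -N -o IdentitiesOnly=yes -o PasswordAuthentication=no -i %s -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$3" "$1" "$2" "$4"
}
imap_tunnel() { tunnel_cmd 1143 143  "$1" "$2"; }   # mail client -> localhost:1143
vnc_tunnel()  { tunnel_cmd 5901 5901 "$1" "$2"; }   # VNC viewer  -> localhost:5901 (display :1)

# ssh refuses a private key that is group- or world-readable, and a FAT-formatted
# USB stick cannot store Unix modes at all, so check the key before using it.
key_is_usable() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Does this sshd_config really implement "keys instead of passwords"? Two traps:
# sshd takes the FIRST value it sees for a keyword (sshd_config(5)), so a "no"
# appended below an earlier "yes" changes nothing; and with PAM in use,
# ChallengeResponseAuthentication (default yes) still lets password logins
# through keyboard-interactive. Match blocks are not handled here.
sshd_keys_only() {
    pw=''; pk=''; cr=''
    while read -r key val _; do
        case "$key" in ''|'#'*) continue ;; esac
        case "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" in
            passwordauthentication)          if [ -z "$pw" ]; then pw=$val; fi ;;
            pubkeyauthentication)            if [ -z "$pk" ]; then pk=$val; fi ;;
            challengeresponseauthentication) if [ -z "$cr" ]; then cr=$val; fi ;;
        esac
    done < "$1"
    [ "${pw:-yes}" = no ] && [ "${pk:-yes}" = yes ] && [ "${cr:-yes}" = no ]
}

# Constructed sample configs for the check above.
write_samples() {   # $1 directory
    cat > "$1/good.conf" <<'EOF'
# server side of the SSH tunnel: keys only
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    cat > "$1/trap.conf" <<'EOF'
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no   # appended later and ignored: the first value wins
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
imap_tunnel /media/usbkey/id_rsa anne@mail.example.org
vnc_tunnel  /media/usbkey/id_rsa anne@mail.example.org
for f in good trap; do
    if sshd_keys_only "$tmp/$f.conf"; then
        echo "$f.conf: keys only"
    else
        echo "$f.conf: passwords still accepted"
    fi
done
printf 'k' > "$tmp/key" && chmod 600 "$tmp/key"
if key_is_usable "$tmp/key"; then echo "key mode ok"; fi
rm -rf "$tmp"
```

Running it prints the two ssh command lines, reports good.conf as keys-only and trap.conf as still accepting passwords, and confirms a mode-600 key is usable. The VNC and IMAP tunnels differ only in the ports, which is the point poc makes about VNC over SSH "also covering the email case".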
