Firewall question

Anne Wilson cannewilson at googlemail.com
Thu May 15 19:38:31 UTC 2008


On Thursday 15 May 2008 16:08, Patrick O'Callaghan wrote:
> On Thu, 2008-05-15 at 15:44 +0100, Anne Wilson wrote:
> > On Thursday 15 May 2008 15:24, Patrick O'Callaghan wrote:
> > > Incoming to the mail server. Outgoing from your laptop. We're talking
> > > about configuring your laptop at Wifi hotspots aren't we? Or have I
> > > totally lost the plot?
> >
> > I was thinking about configuring the server to accept my connections from
> > hotspots, but not unknown ones.
>
> Hotspots will almost invariably use NAT, so the IP address of the laptop
> as seen from *outside* the hotspot is going to be known beforehand. What
> you won't know is the port number since it's assigned dynamically by the
> hotspot's router, so you can't use a firewall to distinguish between
> different machines within the hotspot's coverage. It's pretty much all
> or nothing. I don't think a firewall filter is what you need here.
>
> > > (Nota Bene: "incoming" and "outgoing" have nothing to do with the
> > > direction the mail is flowing. The machine behind the firewall that
> > > sends the initial TCP request is the "outgoing" machine from the point
> > > of view of the firewall, whether it's sending mail or reading it).
> >
> > I *think* I'm still with you :-)  But still, the first decision is
> > whether to accept the connection, isn't it?
> >
> > > Maybe I'm misunderstanding what you're trying to do.
> >
> > Worry not - I confuse myself at times :-)  What I'm really trying to do
> > is get my head around the issues regarding working away from home.  I 
> > have imap mail set up, and was wondering whether to go further to allow
> > access to my files while away from home, but I need some basic background
> > understanding before I try to get specifics.  Otherwise I don't know what
> > is relevant reading and what isn't :-)  I'm assuming that I'd have to do
> > something like a vnc connection - but since I don't have the basics, I
> > could be way off beam.
>
> If it's just IMAP mail, then use SSL encryption.
>
> If you really want to make sure the connection is coming from your
> laptop (and not from you using e.g. a cybercafe machine) then you can
> set up an SSH tunnel using tokens instead of passwords. You have to
> physically copy the SSH token to your laptop (e.g. via a USB key) but
> this is a once-only operation. Or in fact keep the token on the key and
> thus allow connection only when the key is plugged in :-)
>
> If you just want to browse your desktop remotely, then VNC or NX is what
> you need. These can also work over SSH using either tokens or passwords.
> This will also cover the email case. Note that copying a mail attachment
> locally to the laptop's hard drive gets a little more complicated in
> this scenario.
>
> If you want general access to your files from any local app on the
> laptop, you're looking at a VPN of some kind. This can also be done via
> SSH, or if you're more ambitious then look at IPSEC systems such as
> FreeSWAN.
>
> (My knowledge of these things is mostly theoretical so I can give you a
> rough idea how they are *supposed* to work but if you need a cheat-sheet
> then Google is your friend).
>
OK, lots to think about then.  Thanks, Patrick.

Anne
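As an added illustration of the key-only SSH tunnel described in Patrick's reply above (this is not code from the thread; the key path, hostname, and local port are assumptions), the script below builds the ssh command that carries IMAP over SSH and checks a server-side sshd_config to confirm that password logins really are switched off:

```shell
#!/bin/sh
# Added example, not from the original thread. Hostnames, ports and the
# key path are assumptions chosen for illustration.

# Build the ssh command that forwards a local port to the IMAPS port (993)
# on the home server, so the mail client connects to localhost and the
# traffic rides inside SSH. -i selects the key kept on the USB stick;
# the -o options stop ssh from falling back to a password prompt, so a
# cybercafe machine without the key cannot get in.
imap_tunnel_cmd() {
    key="$1"; host="$2"; local_port="${3:-1993}"
    printf 'ssh -N -i %s -o PasswordAuthentication=no -o IdentitiesOnly=yes -L %s:127.0.0.1:993 %s\n' \
        "$key" "$local_port" "$host"
}

# Read sshd_config text on stdin and succeed (exit 0) only if password
# logins are explicitly off and public-key logins explicitly on.
# Commented-out lines (like the "#PasswordAuthentication yes" that ships in
# the default file) are ignored, so they do not count as a setting.
sshd_is_key_only() {
    grep -v '^[[:space:]]*#' | awk '
        tolower($1) == "passwordauthentication" { pw = tolower($2) }
        tolower($1) == "pubkeyauthentication"   { pk = tolower($2) }
        END { exit !(pw == "no" && pk == "yes") }'
}

# Usage (assumed paths): run the tunnel, then point the mail client at
# localhost:1993 with SSL/TLS:
#   imap_tunnel_cmd /media/usb/id_rsa anne@home.example 1993 | sh
# Audit the server before relying on it:
#   sshd_is_key_only < /etc/ssh/sshd_config && echo "key-only"
```

The server check matters because the "token instead of password" property only holds if sshd itself refuses passwords; a client-side option alone just changes what the laptop offers, not what the server accepts.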




More information about the fedora-list mailing list