2004-09-05

Labor Day TCP ACLs

There is something intensely satisfying about platform-independent file formats. By this I mean that I'm set to enjoy a Monday holiday for the first time in many years. What does this have to do with anything? Well, there's a Labor Day party at Justin's, and I'm not going into work before Tuesday. This is highly unusual for me, since I try to work as many holidays as I can. Anyone who knows me knows why: holidays are days when other people don't come into work, and days when other people don't come into work are like a vacation. Then, I can take off another day as an exchange, and that's two days I don't have to deal with people!

But I'm taking Labor Day proper off, against my normal form. Still, what do platform-independent file formats have to do with this? Network access, of course. I'm going to want to have it, and I can't plan ahead of time. So there's some random IP address out in the wild that I'm going to want to let into the depths of my most sensitive hosts. But I won't know what it is until I've lost the capacity to approve it at the console. What is a boy to do?

Fortunately for me, I've removed explicit SSH access control from my OpenBSD bridge. Buh? Yeah. Remember, the strength of the bridge is that it cannot be touched over the network, even by me. So if I ever wind up needing to save the world by SSHing into my XP machine from a workstation at the Pentagon, I'd be boned. Clearly, such an occasion has presented itself. sed "s/Pentagon/Justin's place/g"

So I do my TCP connection access control at the host itself, not from the bridge. Time for tcpserver. tcpserver is a UNIX program that accepts or denies each incoming connection based on a constant database (cdb) of IP address rules, which you compile from a plain text ruleset with tcprules. You can create the following ruleset:

  127.0.0.1:allow
  192.168.1.:allow
  6.5.4.3:allow
  :deny

That's going to allow connections from the localhost, everything from the 192.168.1.0/24 subnet, and anyone claiming to be the host 6.5.4.3. Now we have a Catch-22. We can't connect to my system at home until we've updated the database, but we can't update the database until we've connected to the machine. What's the fix? We can make the database on any system. Sit me down at a FreeBSD system, or a Windows machine that has Cygwin installed, and I can recreate the database. Hell, I could even use my iBook if I so desired. I desired, so I copied the old ruleset to my USB flash drive, and tucked it onto my iBook. Then I added the new IP once I got online at Justin's, and made a new database. From that point, the database was a single file that would work on any system running tcpserver. I could scp it anywhere, and scp it again to my home PC, provided that machine was already allowed by the old ruleset.

Basically, I could use an intermediary host to inject a new ruleset with an extra entry in it. I wouldn't be able to do this with Microsoft software, since it would assuredly require a restart, either of the system or of the service. tcpserver, on the other hand, reads its database from disk for each connection. Overwrite the database file, and it will immediately use the new information. Atomic writes are essential, since you never want the database to be in an inconsistent state: a connection arriving mid-rebuild must see either the old database or the new one, never a half-written file.
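As an added worked example (my code, not the post's and not ucspi-tcp's), here is the lookup order tcpserver applies to a ruleset like the one above, emulated in Python, together with the write-then-rename pattern that makes the swap atomic. It assumes the IP-only rule forms (hostname and ident-based rules are left out), and the file it installs is the text ruleset, not a real cdb.

```python
import os
import tempfile

# Constructed copy of the ruleset from the post (not a real deployment).
RULESET = """127.0.0.1:allow
192.168.1.:allow
6.5.4.3:allow
:deny
"""

def parse_rules(text):
    """Parse 'address:instruction' lines as tcprules reads them. Only the
    allow/deny verb is kept; environment settings after a comma are ignored."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, instruction = line.partition(":")
        rules[key] = instruction.split(",")[0]
    return rules

def lookup_keys(ip):
    """Keys tried for a client, most specific first: the full address, each
    shorter dotted prefix ('1.2.3.', '1.2.', '1.'), then '' as the default.
    The trailing dot matters: '192.168.1.' does not cover 192.168.10.x."""
    octets = ip.split(".")
    keys = [ip]
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")
    return keys

def decide(rules, ip):
    """Return 'allow' or 'deny' for ip. With no matching rule at all tcpserver
    allows the connection, which is why the post's ruleset ends in ':deny'."""
    for key in lookup_keys(ip):
        if key in rules:
            return rules[key]
    return "allow"

def install_rules(text, path):
    """Write the rebuilt ruleset to a temp file in the same directory and
    rename it over the live file; readers see the old or the new file only."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)  # atomic rename on POSIX
    return path
```

Because lookup goes by specificity rather than file order, appending the new IP's allow line after ":deny" works just as well as inserting it above.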

Now I said I was at a Labor Day party, so if you'll excuse me, I have a game of Formula Dé to play.
