From: "Adam T. Bowen"
Subject: Re: automount thru winscp
Date: Fri, 09 Sep 2005 13:01:32 +0100
Message-ID: <4321799C.2080900@connectinternetsolutions.com>
References: <4320775D.20602@infinito.it> <43215D69.7030604@agitate.org.uk> <43216428.2040804@infinito.it>
In-Reply-To: <43216428.2040804@infinito.it>
To: linux-admin@vger.kernel.org

Hi,

Luca Ferrari wrote:
> Adam T. Bowen's cat, on 09/09/2005 12.01, walking on the keyboard wrote:
>
>> Allowing external sFTP connections for normal users to your firewall box
[snip]
>> smbmount commands in there.
>
> Dear Adam,
> I'll appreciate any suggestion about this problem. How do you think it
> can be possible to allow access from the external network to the share
> on a machine behind the firewall? I'd like a solution simpler than setting
> up a vnc network.
> Thanks,
> Luca

Port forwarding?

Don't port forward the samba/netbios stuff through the firewall though, as that would be asking for trouble. It would be safer to port forward the SFTP connections through it instead. So, you could run the SFTP server on a machine behind your firewall and have the firewall forward the connections to it.

Alternatively, if you have got a bunch of public IP addresses, you could just use Network Address Translation (NAT) and then open up the ssh ports through to the SFTP server.

Note that if you allow SFTP connections through your firewall (either port forwarded or via NAT) then you are also allowing SSH connections. This is because both SFTP and SSH use port 22. If this could be a problem then you could try something like rssh to restrict users to only certain services. You can find info about rssh here:

http://www.pizzashack.org/rssh/index.shtml

We have been using it for a while now, and it works fine.

A really good safe way to allow access to users from the internet to your intranet is to use a Virtual Private Network (VPN). Doing so is beyond the scope of this current thread though. Plenty of good howtos on the web.

Cheers
Adam
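As an added example (not from the thread or its authors), assuming an iptables-based Linux firewall and constructed addresses: the rule set Adam describes, forwarding only TCP/22 from the public address to an internal SFTP host while dropping SMB/NetBIOS at the firewall, with a self-check that the generated rules never accept an SMB port.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface and addresses are
# constructed placeholders; set DRY_RUN=0 to apply the rules for real.
WAN_IF="${WAN_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed public address (TEST-NET-3)
SFTP_HOST="${SFTP_HOST:-192.168.1.20}"   # constructed internal SFTP server
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Forward TCP/22 arriving on the public address to the internal SFTP host.
# As the thread notes, this admits full SSH, not just SFTP; restrict the
# accounts on SFTP_HOST (rssh or similar) if that matters.
forward_sftp() {
    run -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 22 \
        -j DNAT --to-destination "$SFTP_HOST:22"
    run -A FORWARD -i "$WAN_IF" -d "$SFTP_HOST" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Drop SMB/NetBIOS (137-139, 445) from the Internet so it is never forwarded,
# whatever rules get added later.
block_smb() {
    run -A FORWARD -i "$WAN_IF" -p tcp -m multiport --dports 137:139,445 -j DROP
    run -A FORWARD -i "$WAN_IF" -p udp -m multiport --dports 137:139,445 -j DROP
}

# Self-check on the generated rule text: returns 0 only if port 22 is DNATed
# and no rule ACCEPTs an SMB/NetBIOS port.
check_rules() {
    rules=$( DRY_RUN=1; block_smb; forward_sftp )
    printf '%s\n' "$rules" | grep -q 'DNAT --to-destination .*:22' || return 1
    printf '%s\n' "$rules" | grep -E -e '--dports? [^ ]*(13[789]|445)' \
        | grep -q ACCEPT && return 1
    return 0
}

main() {
    run -P FORWARD DROP      # default deny; only the rules below are allowed
    block_smb
    forward_sftp
}
```

Run it once with the default DRY_RUN=1 to review the rules before applying them.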