
[cobalt-users] Re: Re tn3270 for Qube2



On Fri, 03 Nov 2000 03:18:44 -0800, "James Hoaggs" <james_hoaggs@xxxxxxxxxx>
wrote:

:>> Due to ip firewall issues I need to be able to telnet into my Qube2 and then
:>> use the Qube2 telnet capability to telnet into an IBM 3270 server.
:>>
:>> When I do it (using SecureCRT on my PC), the 3270 server is smart enough to
:>> Hence, I either need to know how to emulate the
:>> 3270 keys on the telnet session or find a mips tn3270 rpm for the Qube2.

:>Hey, thanks for the previous info; I'll ask Dr. Mikey about port forwarding.

Happy I was able to help.

:> About mips tn3270, I found this: www.mirror.ac.uk/sites/ftp.ntnu.no/pub/unix/network/telnet/tn3270.mips-4.1.1.tar.Z
:>Maybe that would work?

I had found one, but this one looks better. Thanks. I am not sure how well it
will work emulating a tn3270 using a telnet session. I am going to take a look at
it.

:>Anyway, did you ever get the ssh going? We went with f-secure's 2.x server
:>and it works with secureFTP subsystem, though we haven't tried port forwarding
:>yet on it. 

Well, yes and no. I have the new version of openssh up and running OK. I can
do an ssh1 port forward using SecureCRT client and do telnet, browser, and ftp
(PASV) sessions. As I understand it, the ftp session (even with PASV) is
password encrypted, but not data encrypted.

I can do an ssh2 SecureCRT telnet session. However, if I try ftp or browser,
SecureCRT tells me:

Could not start port forwarding service from local service 8081 to
xxx.xxx.xxx.xxx:81. The action requested is administratively prohibited.

I use exactly the same setup using ssh1 and it works. I have looked everywhere
in user, local, group policies in Win2KPro trying to find a policy setting
that would prohibit ssh2, but not ssh1 port forwarding without success.

Can you give me a bit more info on how you set up f-secure's 2.x server and
the secureFTP subsystem? Where did you get it, what was required on the Qube2,
and what was required on the windows client? I would really like to be able to
do secure ftp's.

:>Do you think it worth the effort to hide an NT server with the port forwarding?
:>NT server security is the joke of hackers and am worried it will go down
:>in days.

Port forwarding, at least the way we have discussed, will be hiding your NT
server from the external world. Once you have everything port forwarding, then
add the ip deny filters to shut out everything below 1024 that you do not
need. For example, I see portmaps on port 111 all the time (get a bunch from
North Korea). Just deny that port and you stop any packets from going forward.
Seems to me that with port forwarding and ipfwadm filters, the NT server will
be about as secure as one can hope for from the internet.

:>  Lastly, is masquerading just hiding the machine with internal
:>IP's, like 192, and forwarding is just like ssh port forwarding?
:>TIA,

Masquerading allows the qube2 to act as a single static internet ip to the
outside world from several intranet workstations on a local LAN. Hence, if you
had a hub or a switch connected to the secondary ethernet card, all of the
workstations on the LAN could use the qube2 for internet connectivity. It is a
means of only having to have a single external ip address while allowing
several internal ip addresses to share that external connection. 

Port forwarding allows the qube2 to watch an incoming internet port and send
any packets that arrive on that port to a specific internal ip and port on a
machine on the LAN. Hence, you can send html requests that arrive on, say,
port 777 to port 80 on machine 192.168.1.xxx on the internal machine. The
internal machine then reacts as though it were a web server connected directly
to the outside world. In this situation, the qube2 is acting as a router. 

I am sure that if I have incorrectly stated something or missed something,
someone will jump in to assist. I will be curious to know how it all hooks
together once everything is up and running.

Mike.