Discussion:
ssh console?
gaelic
2004-06-30 18:57:54 UTC
Permalink
Is there a possibility to connect to FreeBSD via ssh, telnet, ...?

want to make some changes deep inside the system, do some testing.
Bosse Timothy
2004-06-30 19:09:12 UTC
Permalink
With m0n0wall, you can dig a little deeper using
"http(s)://<mono-ip>/exec.php". This is a basic page that will allow
you to perform "raw" UNIX (read "FreeBSD specific") commands with
m0n0wall.

FreeBSD does have packages and ports that would allow you to obtain
remote terminal access. However, m0n0wall is designed with the thoughts
"less is more" and "security beats all," thus basic
configuration/information is available via web interface and initial
setup on the serial console.
Chet Harvey
2004-06-30 19:10:37 UTC
Permalink
SSH and telnet are basic pieces of FreeBSD, however, m0n0wall does not have
these since it is a security device. If you want to make changes use the
exec.php pages to add new files etc.....

if you want to make permanent changes, you have to open the image, make the
change and reflash the CF card...
Post by gaelic
Is there a possibility to connect to FreeBSD via ssh, telnet, ...?
want to make some changes deep inside the system, do some testing.
--
Chet Harvey
Pitbull Technologies <http://www.pittech.com/>
Protecting your Digital Assets
703.407.7311
taharka
2004-06-30 19:16:26 UTC
Permalink
Howdy,
Post by gaelic
Is there a possibility to connect to FreeBSD via ssh, telnet, ...?
want to make some changes deep inside the system, do some testing.
If you're referring to a standard version of FreeBSD, yes. If referring to
m0n0wall, no, as m0n0wall has no ssh/telnet servers.

taharka

Lexington, Kentucky U.S.A.
Michael A. Alderete
2004-06-30 19:51:52 UTC
Permalink
Post by taharka
Post by gaelic
Is there a possibility to connect to FreeBSD via ssh, telnet, ...?
want to make some changes deep inside the system, do some testing.
If you're referring to a standard version of FreeBSD, yes. If referring to
m0n0wall, no, as m0n0wall has no ssh/telnet servers.
It should be noted that this is a specific design decision made by Manuel,
and that it's pretty firm.

I once made a cash donation to the project, and then followed up by asking
for ssh. Manuel asked me what I thought I would do with ssh access, since
there was no shell, no text editor, etc. My only answer was "uh...dick
around, like on my FreeBSD system". After a couple more e-mails, I conceded
that having ssh access in m0n0wall did not make sense, and withdrew the
request.
----

If you're really interested in ssh, perhaps m0n0BSD is more suited to your
needs. Or full-on FreeBSD, naturally.

Michael
--
_____________________________________________________________
Michael A. Alderete <mailto:lists-***@alderete.com>
<http://www.alderete.com>
Gorm J. Siiger
2004-07-01 07:34:08 UTC
Permalink
Post by Michael A. Alderete
I once made a cash donation to the project, and then followed up by asking
for ssh. Manuel asked me what I thought I would do with ssh access, since
there was no shell, no text editor, etc. My only answer was "uh...dick
around, like on my FreeBSD system". After a couple more e-mails, I conceded
that having ssh access in m0n0wall did not make sense, and withdrew the
request.
----
I'm working daily with enterprise firewalls (not the small kind) - and if I
didn't have shell access to the boxes support would take 3-10 times longer
and be a lot more complex.

tcpdump is your most important tool in debugging and problem solving, sure
you can put up three or four local sniffers, do port mirroring and other
stuff but it takes time and costs money.

So I see two ways of solving this problem:

1. Make shell access via SSH and give access to tcpdump, ping, traceroute,
arp etc.

2. I know there is a client/server tcpdump util, and with the client you can
dump remotely on the box from your PC.

I'm using m0n0wall for some things, and it's a great piece of software. But
with shell access - it would definitely be better.
--
Gorm J. Siiger - SonnIT
e***@commonpointservices.com
2004-07-01 14:41:48 UTC
Permalink
Shell access via ssh would also make development of new features a lot easier
for those of us that don't have a Soekris and another BSD box to be the image
server.
zealot
2004-07-01 15:08:45 UTC
Permalink
I'm curious, do you guys run m0n0wall on compact flash or hard drive? If
compact flash, how large is the CF card?

z
Dennis Karlsson
2004-07-01 15:19:52 UTC
Permalink
CF 64
Fred Wright
2004-07-03 23:52:12 UTC
Permalink
Post by Michael A. Alderete
It should be noted that this is a specific design decision made by Manuel,
and that it's pretty firm.
I once made a cash donation to the project, and then followed up by asking
for ssh. Manuel asked me what I thought I would do with ssh access, since
there was no shell, no text editor, etc. My only answer was "uh...dick
around, like on my FreeBSD system". After a couple more e-mails, I conceded
that having ssh access in m0n0wall did not make sense, and withdrew the
request.
Well, I can think of a few things: :-)

1) Do things that you might do with exec.php but can't because they may
generate too much output or hang up for too long.

2) Use diagnostic functions that are more useful interactively.

3) Execute (with strong authentication) commands via SSH's "remote
command" mechanism without "logging in" to the m0n0wall at all.

4) Move files back and forth via scp instead of clumsy upload/download.

5) Tunnel a connection to the WebGUI to make access orders of magnitude
more secure than you get with lame HTTP authentication, SSL
notwithstanding.

6) Tunnel WAN connections to other machines on the LAN, without requiring
another machine to be up just to act as an SSH server.


With regard to "no shell, no editor, etc.":

1) There *is* a shell there. Maybe not as featureful as bash, but
nevertheless a shell. And guess what? It's used by exec.php.

2) You can get along without an editor by just using scp to move files
elsewhere for editing. That has the added benefit of leaving the editor
backup files on the other machine.

3) Not sure what's critical in the "etc." category, though "mv" would be
handy.
Post by Michael A. Alderete
tcpdump is your most important tool in debugging and problem solving, sure
you can put up three or four local sniffers, do port mirroring and other
stuff but it takes time and cost money.
And since most things use switches these days, packet capture via another
machine typically doesn't work with "default hardware".
Post by Michael A. Alderete
1. Make shell access via SSH and give access to tcpdump, ping, traceroute,
arp etc.
Indeed.

A limited ping is available, but the command-line version is
more useful.

Arp could be done through the GUI; that's just an oversight.

Traceroute would be kinda sorta usable through the GUI, though the
real-time version is better.

You could manage to do tcpdump capturing to a file in a really kludgy way,
but running it interactively is more useful. Unfortunately,
tcpdump+libpcap is almost 1.5MB, so shell access isn't the only issue, at
least for those of us running on Soekris hardware.
Post by Michael A. Alderete
2. I know there is a client/server tcpdump util, and with the client you can
dump remotely on the box from you pc.
One that really works? I did some looking around for such a beast, and
found two things:

1) An experimental SNMP-based packet capture mechanism (called RMON
IIRC) that has so many problems that even the guy who wrote it (as an
experiment) doesn't really recommend the approach.

2) A package called "rpcap", that seems to be a work-in-progress.
Post by Michael A. Alderete
I'm curious, do you guys run m0n0wall on compact flash or hard drive? If
compact flash, how large is the CF card?
I happen to be using 128MB cards, but m0n0wall currently only uses
5MB. It could expand considerably and still fit in 16MB cards recycled
from digital cameras. :-)

Fred Wright
Derek Quenneville
2004-07-04 02:26:05 UTC
Permalink
Post by Fred Wright
Post by Michael A. Alderete
It should be noted that this is a specific design decision made by Manuel,
and that it's pretty firm.
<snip!>
Post by Fred Wright
Well, I can think of a few things: :-)
1) Do things that you might do with exec.php but can't because they may
generate too much output or hang up for too long.
<snip!>

Personally, I like the philosophy behind m0n0wall's design.

However, if you really need SSH and extra stuff on there, you could
always switch to IPCop ( http://www.ipcop.org/ )
--
# Derek Quenneville
# ***@gmail.com
# http://www.gameslifeandstuff.com
Eric Shorkey
2004-07-04 05:12:56 UTC
Permalink
I would recommend that adding SSH access be controlled via a check box in
the advanced menu. Default it to "off", and let the users decide if they
really need ssh access. If the setting is set to "off", then don't even
start the ssh server daemon. If there's an obvious use for a feature (like
SSH access), and an obvious demand for such a feature, and adding such a
feature is as easy as adding ssh support would be, then why should a
philosophy get in the way of doing something that is such a good match? If
the design decision for not having ssh access is because of security, just
remember that it's still a hell of a lot more secure than exec.php being
protected by http's weak authentication scheme. If it was a size issue, then
I could understand it, but ssh isn't really that big if you compile it from
source with intelligent switches.

If it were my project, ssh access would be in like Flynn, but it's not, so
we'll see what Manuel does with this newfound surge of ssh support requests.
:)



Peter Curran
2004-07-04 10:50:38 UTC
Permalink
Post by Fred Wright
Post by zealot
I'm curious, do you guys run m0n0wall on compact flash or hard drive? If
compact flash, how large is the CF card?
I happen to be using 128MB cards, but m0n0wall currently only uses
5MB. It could expand considerably and still fit in 16MB cards recycled
from digital cameras. :-)
Surely it is not the size of the CF that is at issue (I use 32MB ones, but
they are increasingly hard to find, so I have started using 64MB ones).

The big issue is the size of mfsroot when it has been gunzipped into memory.
I really don't want to sacrifice more than 16MB of memory to the m0n0 runtime
on my 64MB 4501. I actually have a 32MB 4511 and this is going to struggle
to swallow a much bigger firmware image than the current.

Peter
Michael A. Alderete
2004-07-04 15:45:47 UTC
Permalink
Post by e***@commonpointservices.com
Shell access via ssh would also make development of new features a lot easier
for those of us that don't have a Soekris and another BSD box to be the image
server.
By that argument, leaving gcc on there would be a good idea, too. ;-)

Seriously, the fact that it would make development easier is one of the big
reasons why it's *not* included. m0n0wall wasn't created to be a firewall
development environment; it was created to be a secure and simple (to use)
firewall appliance: set up via web interface, and forget.

It would not be hard to argue that it would be nice to have a specialized
version of m0n0wall (m0n0dev) that was a good firewall development
environment, ideal for hacking on tweaks for m0n0wall.

But to put those things into m0n0wall itself, just to make m0n0 hacking
easier, would be a significant change from Manuel's philosophy for the
project.
--
_____________________________________________________________
Michael A. Alderete <mailto:lists-***@alderete.com>
<http://www.alderete.com>
Adam Hirsch
2004-07-05 23:12:35 UTC
Permalink
Perhaps I'm missing something -- if people are psyched for ssh access,
why not run m0n0bsd?
Seems like it'd be easy to add ipf(ilter) or the like, and end up with
a text-configurable firewall you can ssh to...

http://www.m0n0.ch/bsd/
--
the future's so hot / I've gotta use tongs
adam hirsch <***@gmail.com>
Gorm J. Siiger
2004-07-06 07:07:15 UTC
Permalink
Post by Adam Hirsch
Perhaps I'm missing something -- if people are psyched for ssh access,
why not run m0n0bsd?
Seems like it'd be easy to add ipf(ilter) or the like, and end up with
a text-configurable firewall you can ssh to...
And we could run Linux..... But we don't !

We like m0n0wall, why should we change to another platform if we like the
m0n0wall package?
--
Gorm J. Siiger - SonnIT
gaelic
2004-06-30 21:18:41 UTC
Permalink
Thanks for the quick answers.

exec.php is a nice feature and I guess I don't need more than that.
I only want to connect to the internet via PPTP; but I need some special
configuration (DHCP before PPTP, ...); damn provider-specific stuff. And
the PPTP WAN settings can't solve that :(
Dan O'Brien
2004-07-06 16:41:35 UTC
Permalink
I'm not sure who wrote it, but in a previous message in this thread someone
suggested making it an option with a 'check box' to enable and disable it...
perhaps they were right. I still stand on the fence in regards to this, I
can see both the advantages as well as the disadvantages to having a ssh
console to access monowall. I've grown used to having console access to
routers, Cisco, Watchguard and Raptors all have it and it does give you
quite a bit of control and adds to the functionality... so long as the ssh
port is blocked from the WAN interface there should be no real security
issue, but as with all network security "Less is more".
MonoWall is open source and anyone could recompile it with SSH support, but
as for MonoWall itself ultimately the decision is up to Manuel.

Regards
Dan O'Brien

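Putting together the three conditions raised in this thread for an optional sshd (Eric's "off by default, don't even start the daemon" check box, Dan's "blocked from the WAN interface", and the key-based authentication that is preferred later in the thread), here is an added POSIX shell example. It is not m0n0wall code: the `<enablessh/>` element in config.xml, the interface name `sis0`, the user name and the file paths are assumptions made for the illustration. m0n0wall 1.x does keep its configuration in config.xml and does filter with IPFilter, which is why the flag check and the block rule take those forms.

```shell
#!/bin/sh
# Added example, not m0n0wall's own code. Gate an optional sshd behind a
# config flag, bind it to the LAN address only, require public-key
# authentication, and drop inbound port 22 on the WAN interface.
# Assumptions: an <enablessh/> element under <system> in config.xml, a WAN
# interface called sis0, and an admin user name passed in by the caller.

# Return 0 when config.xml contains <enablessh/>, non-zero otherwise.
# An absent element means "off", so nothing is ever started by default.
sshd_enabled() {
    config="$1"
    grep -q '<enablessh/>' "$config"
}

# Print a hardened sshd_config bound to the LAN address only.
# $1 = LAN IPv4 address, $2 = the only user allowed to log in.
render_sshd_config() {
    lan_ip="$1"
    admin_user="$2"
    cat <<EOF
# Listen on the LAN address only; the daemon never binds the WAN side.
ListenAddress ${lan_ip}
Port 22
Protocol 2
# Keys only: no password prompts, no root login, one named user.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AllowUsers ${admin_user}
# Forwarding is the reason people want ssh here (tunnelling the WebGUI),
# so it stays on; X11 has no business on a firewall.
AllowTcpForwarding yes
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Print the IPFilter rule that drops inbound SSH on the WAN interface, a
# second line of defence in case the daemon is ever bound more widely.
# $1 = WAN interface name (sis0 is an assumption, typical of Soekris boards).
render_wan_block_rule() {
    wan_if="$1"
    printf 'block in quick on %s proto tcp from any to any port = 22\n' "$wan_if"
}

# Boot-time decision: write the config and start sshd only when the flag is
# set; otherwise make sure no config is left behind and nothing runs.
# $1 = config.xml, $2 = LAN IP, $3 = admin user, $4 = sshd_config to write.
# Returns 0 when sshd would be started, 1 when it stays off.
sshd_configure() {
    config="$1"; lan_ip="$2"; admin_user="$3"; out="$4"
    if sshd_enabled "$config"; then
        render_sshd_config "$lan_ip" "$admin_user" > "$out"
        # On a real box this is where /usr/sbin/sshd -f "$out" would run;
        # it is omitted so the example executes anywhere.
        return 0
    fi
    rm -f "$out"
    return 1
}

# Demonstration on a constructed config.xml (not a real m0n0wall config).
tmp=$(mktemp -d)
cat > "$tmp/config.xml" <<'EOF'
<m0n0wall>
  <system>
    <hostname>fw</hostname>
    <enablessh/>
  </system>
</m0n0wall>
EOF
if sshd_configure "$tmp/config.xml" 192.168.1.1 admin "$tmp/sshd_config"; then
    echo "sshd enabled; config written to $tmp/sshd_config"
    render_wan_block_rule sis0
else
    echo "sshd disabled by config; nothing started"
fi
```

Removing the `<enablessh/>` line from the constructed config.xml makes `sshd_configure` return 1 and leave no sshd_config behind, which is the "don't even start the daemon" behaviour; the IPFilter rule is printed rather than loaded so that the script can be read and run on any machine.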
sietze
2004-07-07 08:45:30 UTC
Permalink
Hi all,

1)
Post by Peter Curran
The big issue is the size of mfsroot when it has been gunzipped into memory.
I really don't want to sacrifice more than 16MB of memory to the m0n0 runtime
on my 64MB 4501. I actually have a 32MB 4511 and this is going to struggle
to swallow a much bigger firmware image than the current.
If ssh, and other fancy stuff, would mean that we could no longer use our 32
and 48 MB boards, well, that would make quite some people unhappy.

2)
With a lot of other systems you need something to be able to fiddle
underneath the surface, to fix things that otherwise can't be fixed. But the
m0n0wall GUI, for once, is a well designed interface, limiting the need for
other types of access.

3)
There are a lot of firewalls around that already come with ssh. In some
situations they might be more useful than m0n0wall. Someone in this thread
already pointed to complete FreeBSD and m0n0BSD. If you need ssh to "dick
around" or if you would feel more secure with ssh, use these.
Why insist on adding ssh to a system that does not have it by design?

Just my 3 cents.

Sietze Dijkstra
NetAdmin
Quark IT - Hilton Travis
2004-07-10 05:45:10 UTC
Permalink
Hi Derek,

... And give up all the m0n0wall offers? Nah, unlikely to happen! :)

--

Regards,

Hilton Travis Phone: +61 (0)7 3343 3889
(Brisbane, Australia) Phone: +61 (0)419 792 394
Manager, Quark IT http://www.quarkit.com.au
Quark AudioVisual http://www.quarkav.net

http://www.threatcode.com/ <-- its now time to shame poor coders
into writing code that is acceptable for use on today's networks

War doesn't determine who is right. War determines who is left.
Quark IT - Hilton Travis
2004-07-10 05:53:14 UTC
Permalink
Hi Michael,

I personally would like to see an ssh console in m0n0wall - it was one
feature in SmoothWall that I really, really liked - it made passing
things through ssh really, really easy for remote administration at
client sites. And with m0n0wall supporting (some of) the Soekris
hardware encryption cards, if ssh could use these, it'd make it rather
schweet on Soekris and similar hardware.

I also completely agree that "because that would make it easier for
development" is a great reason NOT to include a particular feature. :)
And your "gcc" comment is one that I use all the time - if you want to
make it easy for hackers to develop their own code on your firewall, why
password it, and why not leave gcc on it?

ssh is a highly useful app/server. Even if it is not used to access the
m0n0wall itself, it can be used to securely (encrypted, with
username/password (or preferably certificates) authentication) pass
traffic through the firewall to an internal box (such as a Windows box,
on which a decent and affordable ssh server is not easy to find).
