thouters.be

- Thomas' Webjar full of joy -

Short and secure network connections switcher

:author: Thomas Langewouters
.. meta:tags:linux,software
.. meta:est:2007/05/15

Note

This is a draft! Vaporware!

Sansc is meant as a solution to simplify indirect network connections. Many of the problems it tries to solve will sound familiar to roaming laptop users. Sansc provides a poor man's VPN by using SSH as a gateway to hosts behind NAT firewalls. Sansc can also provide consistent and secure POP and SMTP email connections. The built-in routing logic can also determine the fastest path if there is more than one available.

Sansc will recognise the connected network infrastructure from given rules like these:

recognise kingdomkong on eth0,ath0 when default gateway is bendix.lan
recognise gigabit on eth0 when netmask is 168.254.255.255
recognise gigabit on eth0 when whirlpool.local is present

Note

  • gigabit is a possible point to point link to whirlpool
  • bendix is the internet gateway
  • kingdomkong is an insecure wireless network

For each patched network service, Sansc will open a listening socket on 127.0.0.1. This way, the services Sansc forwards will only be accessible from the local computer.

patch bendix.sn on 2201
reach bendix.sn on bendix.lan:22 at kingdomkong
reach bendix.sn on bendix.homeunix.net:22 at internet

For each patch, an entry has to be added to /etc/hosts, so resolving the hostname results in 127.0.0.1.
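As an added illustration (not Sansc's own code, which this draft does not include), the Python below parses the patch and reach rules shown above and derives, for each patch, the loopback bind address, the upstream to connect to and the matching /etc/hosts line. The function names, the first-matching-rule selection order and the idea that the caller passes in the set of recognised network names (including "internet") are assumptions; the page does not specify them.

```python
import re

# Constructed sample input: the patch/reach rules shown on the page.
RULES = """\
patch bendix.sn on 2201
reach bendix.sn on bendix.lan:22 at kingdomkong
reach bendix.sn on bendix.homeunix.net:22 at internet
"""

PATCH = re.compile(r"patch (\S+) on (\d+)$")
REACH = re.compile(r"reach (\S+) on (\S+):(\d+) at (\S+)$")


def port(text):
    n = int(text)
    if not 1 <= n <= 65535:
        raise ValueError(f"port out of range: {text}")
    return n


def parse(text):
    """Return {name: {"listen": port, "routes": [(network, host, port)]}}."""
    patches = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if m := PATCH.match(line):
            if m[1] in patches:
                raise ValueError(f"line {lineno}: duplicate patch {m[1]}")
            patches[m[1]] = {"listen": port(m[2]), "routes": []}
        elif m := REACH.match(line):
            if m[1] not in patches:
                raise ValueError(f"line {lineno}: reach before patch {m[1]}")
            patches[m[1]]["routes"].append((m[4], m[2], port(m[3])))
        else:
            raise ValueError(f"line {lineno}: unrecognised rule: {line}")
    return patches


def plan(patches, recognised):
    """Pick one route per patch; assumption: first matching rule in file order."""
    out = {}
    for name, p in patches.items():
        route = next((r for r in p["routes"] if r[0] in recognised), None)
        if route is None:  # fail closed: never guess an upstream
            raise LookupError(f"no reach rule for {name} on {sorted(recognised)}")
        out[name] = {"bind": ("127.0.0.1", p["listen"]),  # loopback only
                     "upstream": route[1:], "hosts_line": f"127.0.0.1\t{name}"}
    return out
```

When no reach rule matches the current network, `plan` raises instead of falling back to a direct connection, so a service meant to be tunnelled is never reached over an unrecognised path.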

It can also determine the best path for a connection. An SMTP connection to your ISP doesn't have to be secured over SSH if you are connected to the trusted switched network at home.

Advantages over ssh -L

Sansc will only connect to the target host if access is explicitly requested, contrary to ssh -L.

Use cases

  • Favor an FTP connection to a computer over gigabit instead of wireless if there is a gigabit connection to the host.
  • Reach an SSH server behind a NAT router (you have an SSH login to the NAT).
  • When not connected to the switched Ethernet at home, tunnel insecure POP/SMTP connections over SSH to your trusted internet gateway at home.

Sansc only has to be run on the laptop; it is not required to install it on remote systems.

Implementation details

Use Twisted Python? Twisted implements lots of the protocols and features Sansc requires and should result in a proper implementation.