Need help on a One-way networking setup?

GundamW

Golden Member
Feb 3, 2000
1,440
0
0
I am trying to find out how hard it is to set up 2 SGI machines to only do 1-way ftping.
- Machine A can transfer files to Machine B.
- Machine B can not see/transfer anything to Machine A.
- i.e. The only connection between A and B is the ftping from A to B only.

What kind of hardware and/or software setup do I need?
If it involves coding, any site that can help me?

Thanks in advance.
 

ToeJam13

Senior member
May 18, 2004
504
0
0
I am trying to find out how hard it is to set up 2 SGI machines to only do 1-way ftping.

The only connection between A and B is the ftping from A to B only.

There are a couple of ways to do this:
- On machine A, disable the FTP daemon
- On machine A, add an entry in /etc/hosts.deny for service FTP, machine B's IP address

Now here is the problem - a user can still log onto machine A, create a connection to machine B, and still move files over. This is because you can not only GET files but PUT files. If you don't care about this, then the above examples should work for you.
 

GundamW

Thanks for the reply.

What if I want to totally lock down the connection between A and B?
- I want A to go to any other machines (in A's own network);
- I want B to go to any other machines (in B's own network);
- but A can only do ftp-PUT to B and no other transfer/connection is allowed.
Is that do-able?
Or can a hardware (or software) firewall be used to reconfigure to do this? Like lock all of the ports down but only open 1 port for a 1-way ftp?
Or maybe a 3rd party software to restrict access?

Any info is appreciated. Thanks.

GundamW
 

ToeJam13

A can only do ftp-PUT to B and no other transfer/connection is allowed. Is that do-able?

I agree with n0cmonkey - you need to play with Unix file permissions.

I'd create an anonymous FTP account on machine B. Create a directory called "uploads" and set it for write-only permissions. Without read or execute permissions, nobody will be able to download files.

Next, lock the FTP daemon down to only allow anonymous users. Users with regular shell accounts will have whatever file permissions they have normally via their shell, including read, write, and execute permissions within their home directories.

Lastly, make the changes to either your /etc/hosts.allow or /etc/hosts.deny to lock access to whichever hosts you want to have access to with that system.

If you need any help with the FTP daemon or setting up permissions, I highly suggest buying the book Essential System Administration by O'Reilly & Associates (it has the armadillo on the cover).
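
Added example, not part of the original posts: the upload-only drop box and host restriction described above for machine B, built and audited under a scratch directory. The scratch root, the daemon name `ftpd` and the address 192.0.2.10 for machine A are assumptions; the directory gets write plus search (no read) for group and other, because creating a file in a Unix directory needs the search bit as well as write.

```shell
#!/bin/sh
# Added example: build and audit an upload-only FTP drop box.
# Assumptions: scratch root path, daemon name "ftpd", address 192.0.2.10.

# Create <root>/uploads so group/other can create files but not list them.
make_dropbox() {
    root=$1
    mkdir -p "$root/uploads" || return 1
    # 1733: owner rwx, group/other -wx, plus the sticky bit so one
    # uploader cannot delete or rename another uploader's files.
    chmod 1733 "$root/uploads"
}

# Print the 10-character mode string of a directory.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 only if group and other have write+search and no read.
# A directory with write but no search bit fails: nothing can be created in it.
audit_dropbox() {
    m=$(dir_mode "$1") || return 1
    grp=$(printf '%s' "$m" | cut -c5-7)
    oth=$(printf '%s' "$m" | cut -c8-10)
    case $grp in -wx|-ws) ;; *) return 1 ;; esac
    case $oth in -wx|-wt) ;; *) return 1 ;; esac
    return 0
}

# Write TCP wrappers rules under <root>/etc: only the given address
# (machine A) may reach the FTP daemon; every other host is denied.
write_wrappers() {
    root=$1; daemon=$2; addr=$3
    mkdir -p "$root/etc" || return 1
    printf '%s: %s\n' "$daemon" "$addr" > "$root/etc/hosts.allow"
    printf '%s: ALL\n' "$daemon" > "$root/etc/hosts.deny"
}
```

On a real host the rules go in /etc/hosts.allow and /etc/hosts.deny, and the daemon name must match the one the FTP server is started under.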
 

GundamW

Thanks. I will keep that book in mind.
I will pitch the FTP lock down method to the system engineers and see if it will work with the requirements.
They really don't want any message/status/anything returned from B to A.

Here is an idea they (sys egr) think will work:
Cut the return wire in the network cable (CAT5) to prevent any return traffic from B to A.

But is that even possible? By cutting a wire that way? How does A even know it is connected to B in the beginning?
They said they know someone else who can make it work. The idea sounds iffy to me but if they said so, who am I to argue.
 

ToeJam13

Here is an idea they (sys egr) think it will work: Cut the return wire in the network cable (CAT5) to prevent any return traffic from B to A.

If this guy is your system administrator, have him removed from your company. I am VERY serious! You can't cut wires like that and hope that things will still work... something that even junior network admins should know.