Prevention of outgoing file transfers?

[Matt McCutchen]

On 4/27/07, Duncan Grove <duncan.grove at dsto.defence.gov.au> wrote:
> Does anyone know if it is possible to firewall and/or configure rsync
> via a web proxy using RSYNC_PROXY to prevent push mode file transfers
> yet still allow pull mode?

> I realise that data (hash values, etc) still goes from the intranet to
> internet for the pull case but don't really mind about that. What I am
> keen to guard against is the accidental use of rsync in push mode from
> mirroring an internal repository to the Internet.

RSYNC_PROXY affects connections directly to rsync daemons but not
connections over SSH.  It would be possible (but would take a bit of
work) to implement a proxy that looks inside rsync daemon connections
and allows pulls while blocking pushes.  An rsync connection is a pull
if and only if it includes the --sender option.

Since SSH connections are encrypted, an rsync push looks just like any
other SSH connection to a firewall; there's no way to block rsync
pushes without blocking all SSH traffic.

I think the most appropriate solution would be to install a wrapper
script around rsync that refuses to push to hosts outside a set you
specify.  This won't prevent a user from compromising the data in the
repository if he/she really wants to, but it is likely to prevent most
accidents.

The quick-and-dirty approach would be to refuse if the last argument
begins with HOST: , HOST:: , or rsync://HOST/ and HOST is not on the
safe list.  However, this assumes that the last argument is the
destination; this won't be true if users pass additional options after
the destination.

Matt