
Re: Bastion host



Martin Randall <[email protected]> writes:
> 2)   Allow inbound ssh from anywhere
Then you need to change this bit
pass in quick on $ext_if inet proto tcp \
from ($ext_if) \
to ($ext_if) port 22 \
flags S/SA synproxy state
- which says only packets with a source address equal to your external
interface's possibly dynamic IP address are to pass - to something more like
pass in quick on $ext_if inet proto tcp \
from any \
to ($ext_if) port 22 \
flags S/SA synproxy state
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
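Once the rule reads `from any`, the bastion's port 22 is reachable from the whole Internet, so the obvious follow-up is to pair it with pf's per-source state limits. The fragment below is an added example and is not from the original post or its author; it keeps the thread's `$ext_if` macro and the `from any` rule, and the table name `<bruteforce>`, the interface name and the thresholds are assumptions chosen for illustration.

```pf
# Added example (not from the original post): the "from any" rule with
# pf's state-tracking options so a bastion exposed to the whole Internet
# still throttles ssh brute-force attempts. The table name <bruteforce>,
# the interface name and the thresholds are assumptions; $ext_if is the
# macro already used in the thread.
ext_if = "em0"    # assumption: set to the real external interface

# Persistent table holding sources that exceed the limits below
table <bruteforce> persist

# Drop everything from an address already flagged as abusive
block in quick from <bruteforce>

# Accept ssh from anywhere, but cap concurrent connections per source
# (max-src-conn) and new connections per source per interval
# (max-src-conn-rate 5 in 30 seconds); a source exceeding either limit
# is added to <bruteforce> and all of its existing states are flushed.
pass in quick on $ext_if inet proto tcp \
    from any \
    to ($ext_if) port 22 \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Addresses that trip the limits can be listed with `pfctl -t bruteforce -T show`, and stale entries can be aged out with `pfctl -t bruteforce -T expire 86400` (entries older than 24 hours).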