
Re: Bastion host



Peter N. M. Hansteen wrote:
Martin Randall <[email protected]> writes:


2) Allow inbound ssh from anywhere


Then you need to change this bit

pass in quick on $ext_if inet proto tcp \
from ($ext_if) \
to ($ext_if) port 22 \
flags S/SA synproxy state

- which says only packets with a source address equal to your external
interface's possibly dynamic IP address are to pass - to something more like


pass in quick on $ext_if inet proto tcp \
from any \
to ($ext_if) port 22 \
flags S/SA synproxy state


If you copied directly from the book, you might also want to let the author know there's an error, or at least a possible misinterpretation.


--

Scott Plumlee
PGP Public key: http://plumlee.org/pgp/
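An added pf.conf fragment (not from the thread or from the book) that puts the corrected rule in context: it accepts SSH from any source on the external interface, as the reply above suggests, and since that exposes port 22 to the whole Internet it also rate-limits new connections per source address. The interface name and the table name are assumptions.

```pf
# Added example (not from the thread): open SSH from anywhere and limit
# brute-force attempts. Interface and table names are assumptions.
ext_if = "em0"          # assumption: external interface name

# Addresses that exceed the connection rate below are collected here.
table <bruteforce> persist

# Drop anything already flagged as a brute-forcer before the pass rule
# is reached ("quick" means first match wins).
block in quick on $ext_if from <bruteforce>

# Original rule from the thread: only packets whose source address is the
# external interface's own address match, so no remote login ever passes.
# pass in quick on $ext_if inet proto tcp from ($ext_if) to ($ext_if) port 22 \
#     flags S/SA synproxy state

# Corrected rule: accept SSH from any source. The state options add the
# caveat a practitioner wants once port 22 is world-reachable: more than
# 5 new connections in 30 seconds from one address puts it in <bruteforce>
# and flushes the states it already holds.
pass in quick on $ext_if inet proto tcp \
    from any \
    to ($ext_if) port 22 \
    flags S/SA synproxy state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists the addresses that have been caught by the limit.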