
Re: Openbsd Bridge with IP addess. SSH access

On Mar 21, 2005, at 10:51 AM, Keith wrote:

Hi, I have basically set up a transparent bridge with two NICs as shown:

---Router---[$ext_if - FW - $int_if]---[Switch]----[Servers

This works fine, but I have given the internal NIC a public IP address
and am having trouble working out how to restrict access to the FW via
SSH on that NIC.

I thought that I could set up a default block policy and then allow access
to the SSH server from certain IP addresses.

Can someone help ?

You can filter on IP, but if you intend to prevent external access that way, just remember that IPs are spoofable. It's certainly not a bad place to start, though, and routing limits the physical domain of where your spoofers may reside and still get packet responses. Using a bridge, it's one of your few options. You can also require "flags S/SA" and keep state on the connections.

What sort of access restrictions did you want to impose?

A few things to note:
- Traffic that addresses the bridge won't get tagged with brconfig tag rules
  (it's not being bridged).
- Traffic that addresses the bridge won't necessarily appear on the correct
  interface for your pf rules ("borken by design," see:
  http://www.sigmasoft.com/~openbsd/archive/openbsd-misc/200502/msg01916.html
  and the rest of the thread).
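A worked pf.conf ruleset putting the reply's advice together (default block, SSH to the firewall's own address only from listed hosts, "flags S/SA" with state). This is an added example, not from either poster; the interface names, the firewall address, and the contents of the admin table are assumptions. The SSH rule deliberately has no "on $int_if" clause, because, as noted above, locally addressed traffic on a bridge may not show up on the interface you expect, so an interface-bound rule can silently miss it. Syntax is that of the pf of the period, where "keep state" had to be written explicitly.

```pf
# Added example pf.conf for a bridged firewall with a public address on the
# inside NIC. All names and addresses below are assumptions, not from the post.
ext_if  = "fxp0"            # assumed outside interface
int_if  = "fxp1"            # assumed inside interface (carries the public address)
fw_addr = "192.0.2.10"      # assumed address configured on $int_if

# Hosts allowed to ssh to the firewall. Remember these can be spoofed; the
# "flags S/SA keep state" below at least forces a real TCP handshake.
table <admins> { 198.51.100.5, 198.51.100.6 }   # assumed

# Default block policy; log drops so spoofing attempts are visible in pflog0.
block in log all
block out log all

# Bridged traffic for the servers behind the firewall. This example only
# restricts what is addressed to the firewall itself; tighten these as needed.
pass in  quick on $ext_if from any to ! $fw_addr
pass in  quick on $int_if from any to ! $fw_addr
pass out quick on { $ext_if $int_if } from ! $fw_addr to any

# SSH to the firewall's own address: only from <admins>, only as a fresh
# connection (SYN set, ACK clear), tracked with a state entry. No "on"
# clause on purpose: locally addressed traffic on a bridge may not arrive
# on the interface you expect (see the thread referenced above).
pass in proto tcp from <admins> to $fw_addr port ssh flags S/SA keep state

# Connections the firewall itself initiates (replies are matched by state).
pass out proto tcp  from $fw_addr to any flags S/SA keep state
pass out proto udp  from $fw_addr to any keep state
pass out proto icmp from $fw_addr to any keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. If SSH from an admin host still fails, watch `tcpdump -n -e -ttt -i pflog0` to see which rule and interface the blocked SYN was logged on; that is the quickest way to confirm the "wrong interface" behaviour the reply warns about.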