Re: OpenBSD Bridge with IP address. SSH access
On Mar 21, 2005, at 10:51 AM, Keith wrote:
Hi, I have basically set up a transparent bridge with two NICs as shown:
---Router---[$ext_if - FW - $int_if]---[Switch]----[Servers]
This works fine but I have given the internal nic a public IP address
but am having trouble working out how to restrict access to the FW via
SSH on that NIC.
I thought that I could set up a default block policy then allow access
to the SSH Server from certain IP addresses.
Can someone help ?
You can filter on IP, but if you intend to prevent external access that
way, just remember that IPs are spoofable. It's certainly not a bad
place to start, though, and routing limits the physical domain of where
your spoofers may reside and still get packet responses. Using a
bridge, it's one of your few options. You can also require "flags
S/SA," and keep state on the connections.
What sort of access restrictions did you want to impose?
A few things to note:
Traffic that addresses the bridge won't get tagged with brconfig tag
(it's not being bridged).
Traffic that addresses the bridge won't necessarily appear on the
interface for your pf rules ("borken by design," see:
and the rest of the thread.).
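As an added illustration of the approach the reply sketches (default block, then SSH to the firewall's own address only from named hosts, with "flags S/SA" and keep state), here is a pf.conf fragment. It is not from either message in this thread; the interface names, the firewall address and the admin addresses are placeholders drawn from the RFC 5737 documentation ranges, and it uses the explicit "keep state" syntax of pf as it was at the time of this thread.

```pf
# Added example pf.conf for a filtering bridge. Interface names and all
# addresses are placeholders (RFC 5737 documentation ranges), not real values.
ext_if = "fxp0"          # bridge member facing the router
int_if = "fxp1"          # bridge member facing the switch; carries the public IP
fw_ip  = "198.51.100.10" # the address assigned to $int_if
admins = "{ 198.51.100.20, 203.0.113.0/28 }"  # hosts allowed to ssh to the FW

set skip on lo0

# Default policy: drop and log everything not explicitly allowed.
block in log all
block out log all

# Management: SSH to the firewall itself, admins only. Matching on $int_if
# ties the rule to the physical side the admins sit on, which narrows where
# a spoofed source could come from. flags S/SA with keep state means only the
# opening SYN is checked against this rule; the rest of the connection rides
# on the state entry, so no separate reply rule is needed.
pass in quick on $int_if proto tcp from $admins to $fw_ip port ssh \
    flags S/SA keep state

# Anything else aimed at the firewall's own address is refused here, before
# the bridge pass-through rules below get a chance to match it.
block in log quick on { $ext_if, $int_if } from any to $fw_ip

# Bridged traffic between the router and the servers: filter it as needed;
# in this example it is simply allowed through on both members.
pass in  on { $ext_if, $int_if } all keep state
pass out on { $ext_if, $int_if } all keep state
```

Because of the caveat in the reply (packets addressed to the bridge's own IP may not show up on the interface you expect), the "on $int_if" qualifier on the SSH rule is the part to verify: load the ruleset with pfctl -f /etc/pf.conf, try an SSH connection from an admin host, and watch tcpdump -n -e -ttt -i pflog0 to see which rule and interface the logged drops name. If the management packets are being blocked by the "to $fw_ip" rule, drop the interface qualifier from the SSH rule and rely on the address match alone.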