On Thu, 21 Aug 2008, Mikhail Teterin wrote:

Surely you don't have that many users who SSH into the NAT router from
random public IPs all over the world, rather than via the LAN?  Surely
if you yourself often SSH into your NAT router from a Blackberry device,
that you wouldn't have much of a problem adding a /19 to the allow list.
That's a hell of a lot better than allowing 0/0 and denying individual
/32s.

Myself -- and the owner of the box -- travel quite a bit, ssh-ing "home" from anywhere in the world. Although we could, I suppose, find out the destination-country's IP-allocation and add it before leaving, that would be quite tedious to manage...

One of my clients used to have a microwave link from my network to their office - and they were totally paranoid about remote access yet needed live IPs for other reasons.

They too needed frequent remote access from arbitrary addresses.

I overcame these conflicting requirements with a 2-step process. The "authorised" user first browsed to a website which asked their username and password. When entered correctly, it opened a hole in the firewall to allow that IP to their network. A timer ran every 15 minutes to close the hole (but was overridden by the web page which kept refreshing every 10 mins). The last part may not be necessary for you, but this may be a possible workaround for your traveling access. Leave a default of deny any except from trusted, fixed hosts, and add transient access as required.

(The system did fail where your browser was proxied, but I catered for that for the "network guys" by letting them enter an IP address to open along with their user/pass - it just defaulted to the requesting host to make it easy.)

YMMV.
RossW
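One way to implement the open/refresh/expire bookkeeping Ross describes, as an added example that is not his code: the user table and salt, the pf table name `sshok`, and the `pfctl -t ... -T add/delete` invocation are assumptions, and by default the class only records the firewall commands instead of executing them.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample credential store (hypothetical): username -> salted SHA-256 digest.
USERS = {"ross": hashlib.sha256(b"salt:example-pass").hexdigest()}
HOLE_TTL = 15 * 60  # seconds a hole stays open without a refresh from the web page


class TransientAllowList:
    """Tracks per-IP holes and emits pf table commands (assumed table name 'sshok')."""

    def __init__(self, table="sshok", run=None):
        self.table = table
        # Dry-run by default; pass e.g. lambda c: subprocess.run(c, check=True) to apply.
        self.run = run or (lambda cmd: None)
        self.expiry = {}  # ip -> unix time at which the hole closes

    def authenticate(self, user, password):
        digest = hashlib.sha256(b"salt:" + password.encode()).hexdigest()
        return hmac.compare_digest(USERS.get(user, ""), digest)

    def open_hole(self, user, password, requester, target=None, now=None):
        """Step 2 of the scheme: on a valid login, allow `target` (default: the
        requesting host, for the proxied-browser case) for HOLE_TTL seconds.
        A repeat call from the refreshing page just extends the timer."""
        if not self.authenticate(user, password):
            return False
        ip = str(ipaddress.ip_address(target or requester))  # rejects non-address input
        now = time.time() if now is None else now
        if ip not in self.expiry:
            self.run(["pfctl", "-t", self.table, "-T", "add", ip])
        self.expiry[ip] = now + HOLE_TTL
        return True

    def expire(self, now=None):
        """The periodic timer: close every hole whose last refresh has lapsed."""
        now = time.time() if now is None else now
        closed = sorted(ip for ip, t in self.expiry.items() if t <= now)
        for ip in closed:
            self.run(["pfctl", "-t", self.table, "-T", "delete", ip])
            del self.expiry[ip]
        return closed
```

Run `expire()` from cron every few minutes and have the login page re-submit at a shorter interval, as in the original 15/10 minute split.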
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable