On Wed, Oct 12, 2005 at 11:53:06PM -0400, Michael Dahlberg wrote:
> My apologies if this question has been addressed before:
>
> I'm setting up an IPfilter/NAT router configuration for a Solaris 10
> system (192.168.0.1) where hme0 is the internal interface and hme1 is
> the external Internet interface. I want only one system (192.168.0.5)
> within the internal domain (192.168.0.0/24) to be able to access the
> Solaris 10 via ssh; however, all internal systems need to pass traffic
> through the internal interface so that it can be sent out the external
> interface:
>
> pass in quick on hme0 from 192.168.0.0/24 to any keep state
> for internal systems Internet access
>
> pass in quick on hme0 from 192.168.0.5/32 to 192.168.0.1/32 port = ssh
> keep state
> for a specific system ssh access to the Solaris router
>
> It seems that by including the first rule that ALL internal systems
> would have ssh access to the Solaris router, which would make the
> second rule pointless.
>
> Is there a way to permit all internal systems access to the external
> network but only give one internal system ssh access to the router?
sure, just reverse the order and insert a block rule in between:

> pass in quick on hme0 from 192.168.0.5/32 to 192.168.0.1/32 port = ssh
> keep state
block in quick on hme0 from 192.168.0.0/24 to 192.168.0.1/32 port = ssh
> pass in quick on hme0 from 192.168.0.0/24 to any keep state
> for internal systems Internet access

grant.
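As an added illustration (not part of the thread), here is a small Python model of the IPfilter ordering semantics the reply relies on: rules are walked top to bottom, the last matching rule decides, except that a matching rule carrying `quick` ends evaluation immediately, and a packet matching no rule is passed by default. The rule text is the one quoted in the thread (the reply's `>` quoting removed); the evaluator itself, the service table, the `without_quick` helper and the sample packets are constructed for this example and are not IPfilter code. Protocol matching is deliberately ignored to keep the model short.

```python
import ipaddress
import re

# Service names this toy evaluator understands (constructed; real ipf consults /etc/services).
SERVICES = {"ssh": 22, "http": 80}

# Accepts the subset of ipf rule syntax used in the thread.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?P<quick>quick\s+)?"
    r"on\s+(?P<iface>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\S+))?(?:\s+keep\s+state)?\s*$"
)


def _net(spec):
    """'any' matches everything; anything else is a CIDR block."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    port = m.group("port")
    return {
        "action": m.group("action"),
        "dir": m.group("dir"),
        "quick": m.group("quick") is not None,
        "iface": m.group("iface"),
        "src": _net(m.group("src")),
        "dst": _net(m.group("dst")),
        "port": None if port is None else (SERVICES.get(port) or int(port)),
    }


def _matches(rule, iface, direction, src, dst, dport):
    if rule["dir"] != direction or rule["iface"] != iface:
        return False
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(dst) not in rule["dst"]:
        return False
    if rule["port"] is not None and rule["port"] != dport:
        return False
    return True


def evaluate(rules, iface, direction, src, dst, dport):
    """Verdict for one packet: last match wins, a matching `quick` rule stops the walk,
    and no match at all means IPfilter's default of pass."""
    verdict = "pass"
    for rule in rules:
        if _matches(rule, iface, direction, src, dst, dport):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


def without_quick(rules):
    """Same rules with `quick` dropped, to show why the reply's ordering depends on it."""
    return [dict(r, quick=False) for r in rules]


# Ruleset from the question: the catch-all pass comes first and is `quick`.
ORIGINAL = [parse_rule(r) for r in (
    "pass in quick on hme0 from 192.168.0.0/24 to any keep state",
    "pass in quick on hme0 from 192.168.0.5/32 to 192.168.0.1/32 port = ssh keep state",
)]

# Ruleset from the reply: specific pass, then block, then the catch-all pass.
REORDERED = [parse_rule(r) for r in (
    "pass in quick on hme0 from 192.168.0.5/32 to 192.168.0.1/32 port = ssh keep state",
    "block in quick on hme0 from 192.168.0.0/24 to 192.168.0.1/32 port = ssh",
    "pass in quick on hme0 from 192.168.0.0/24 to any keep state",
)]


def ssh_to_router(rules, src):
    """Inbound SSH on hme0 from an internal host to the router itself."""
    return evaluate(rules, "hme0", "in", src, "192.168.0.1", 22)


def web_to_internet(rules, src):
    """Inbound on hme0 from an internal host, bound for an outside address (constructed)."""
    return evaluate(rules, "hme0", "in", src, "198.51.100.10", 80)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED),
                        ("no quick", without_quick(REORDERED))):
        print(f"{name:9s} ssh from .5  -> {ssh_to_router(rules, '192.168.0.5')}")
        print(f"{name:9s} ssh from .77 -> {ssh_to_router(rules, '192.168.0.77')}")
        print(f"{name:9s} web from .77 -> {web_to_internet(rules, '192.168.0.77')}")
```

Running it shows the behaviour both posters describe: under the original order the `quick` catch-all passes SSH from every internal host before the narrower rule is ever reached, while the reordered set passes SSH only from 192.168.0.5, blocks it from the rest of the subnet, and still passes everyone's outbound web traffic. The `without_quick` variant is the check worth keeping in mind: with `quick` removed the final catch-all becomes the last match and silently undoes the block.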
