On 25/01/17 11:08, C. L. Martinez wrote:
> Hi all,
>
> I have received a (maybe) "stupid" request from one of our customers. We have a pair of public OpenBSD firewalls (CARPed) that our development team use to access several customers via VPN IPsec tunnels. But this morning we received a request from one of these customers to access our development servers using only one ACL to permit their public IP address (without using VPN IPsec or VPN SSL tunnels).
>
> And my (OT) question: how easy is it to do a MITM attack (DNS spoofing for example, or another type of attack that permits faking the source public IP address) in this scenario?
>
> Many thanks.
I guess they want to avoid setting up the VPN... Maybe you could use ssh tunneling with pub/priv keys and authpf for dynamic pf rules to access the internal servers? So essentially an ssh-vpn solution... don't know if this fits your setup. Alternatively you could set the external ACL on the firewall and enhance the authentication on the internal servers.

G
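The two options above, sketched as an added pf configuration that is not from either poster: the plain source-IP ACL the customer asked for next to an authpf anchor that only opens the same ports after a successful ssh key login. Interface names, the server addresses and the customer address are assumptions.

```conf
# /etc/pf.conf (constructed example; em0/em1, 10.10.0.x and 203.0.113.7 are assumed)
ext_if      = "em0"
int_if      = "em1"
dev_servers = "{ 10.10.0.10, 10.10.0.11 }"   # development servers (assumed)
customer_ip = "203.0.113.7"                  # customer's fixed public IP (assumed)

set skip on lo
block return log
# drop packets arriving on an interface with a source address that belongs
# behind another interface; this stops the trivial spoof cases, not a host
# that really controls traffic from the customer's address
antispoof log quick for { $ext_if $int_if }

# Option 1: source-IP ACL. The source address is the only credential; any
# host that can originate or redirect traffic as $customer_ip gets access.
pass in on $ext_if proto tcp from $customer_ip to $dev_servers \
    port { 22 443 } flags S/SA modulate state

# Option 2: authpf. Only ssh to the firewall is open from the customer;
# rules for the servers appear in the anchor while the session is alive.
pass in on $ext_if proto tcp from $customer_ip to ($ext_if) port ssh \
    flags S/SA modulate state
anchor "authpf/*"

# /etc/authpf/authpf.rules (constructed example). authpf(8) defines
# $user_ip and $user_id per session; other macros must be repeated here.
# The customer's account gets /usr/sbin/authpf as its login shell, key-only
# authentication in sshd_config, and /etc/authpf/authpf.conf must exist.
ext_if      = "em0"
dev_servers = "{ 10.10.0.10, 10.10.0.11 }"
pass in quick on $ext_if proto tcp from $user_ip to $dev_servers \
    port { 22 443 } flags S/SA modulate state
```

With Option 2 the rule still names a source address, but it is inserted only after the key has authenticated and removed when the ssh session ends, so a spoofed or redirected address alone does not open the servers.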