Hello misc,
I have an OpenBSD host running that I wish to access in different
manners depending on where the users connect from.
This host runs sftp chrooted for internet users, and at the same time, I
wish to administer the box with ssh.
At the same time, I do not wish to allow ssh from the internet. We have
a policy that only VPN-connected users can administer local systems.
The host is located on a DMZ with one interface and one public IP address.
Between the users, the internet and this server I have two firewalls
running OpenBSD 4.1 GENERIC.MP (with CARP over VLAN over trunk).
Internet -----Firewall-------DMZ with SFTP server
|
Internal users
I want to allow all ssh services for internal users, and sftp _only_
from the internet.
Since sftp/scp/ssh all run on the same port number (22 default), is
there a way to filter the traffic with pf?
I've seen that you can queue the traffic with ALTQ, but is there a way
to block/allow before this stage?
Any best practice on the subject?
Cheers,
Simon.
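The following is an added configuration example, not part of Simon's post or of any reply to it. It illustrates the split a practitioner would make for the setup described above: pf on the firewall can only distinguish connections by source address and interface, because sftp, scp and an interactive shell are all negotiated inside the same encrypted SSH session on TCP port 22 and are invisible to a packet filter (ALTQ cannot see inside either); the sftp-versus-shell decision therefore belongs to sshd on the DMZ host. All interface names, addresses, networks, group names and paths are constructed placeholders. The sshd_config part assumes an OpenSSH release with Match blocks, ChrootDirectory and the internal-sftp subsystem, i.e. newer than the OpenSSH shipped with OpenBSD 4.1; the pf rules use the pre-4.7 "flags S/SA keep state" syntax, which current pf still accepts.

```conf
# ---- /etc/pf.conf on the firewall (constructed interfaces and addresses) ----
ext_if       = "em0"            # internet side
int_if       = "em1"            # internal users / VPN side
dmz_if       = "em2"            # DMZ side
internal_net = "10.0.0.0/8"     # constructed internal/VPN range
sftp_host    = "192.0.2.10"     # constructed public address of the DMZ host

set skip on lo
block in log all

# pf sees only "TCP to port 22". Whether the session becomes sftp, scp or a
# shell is decided inside the encrypted SSH channel, so both populations get
# the same pass rule; the distinction is made by sshd on $sftp_host below.
pass in on $ext_if proto tcp from any          to $sftp_host port 22 flags S/SA keep state
pass in on $int_if proto tcp from $internal_net to $sftp_host port 22 flags S/SA keep state
pass out on $dmz_if proto tcp to $sftp_host port 22 flags S/SA keep state

# ---- /etc/ssh/sshd_config on the DMZ host ----
Subsystem sftp internal-sftp

# Default, i.e. for connections arriving from the internet: only accounts in
# the (constructed) sftponly group may log in at all.
AllowGroups sftponly

# Connections from the internal/VPN range may additionally be administrative
# logins by members of wheel (assumed admin group).
Match Address 10.0.0.0/8
    AllowGroups sftponly wheel

# sftponly accounts are confined to a chroot and forced into the sftp
# subsystem regardless of where they connect from, so an internet user with
# valid sftp credentials can never obtain a shell or a forwarded port.
Match Group sftponly
    ChrootDirectory /home/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

The chroot directory and every component of its path must be owned by root and not writable by anyone else, or sshd refuses the login; each sftp user's writable area goes in a subdirectory beneath it. Check the sshd part with `sshd -T -C user=alice,addr=198.51.100.7` for an internet source and `-C user=alice,addr=10.1.2.3` for an internal one (constructed names and addresses), and the pf part with `pfctl -nf /etc/pf.conf` before loading.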