Simen Stavdal wrote:
Hello misc,

I have an openbsd host running that I wish to access in different manners depending on where the users connect from. This host runs sftp chrooted for internet users, and at the same time, I wish to administer the box with ssh. At the same time, I do not wish to allow ssh from the internet. We have a policy that only vpn connected users can administer local systems. The host is located on a dmz with one interface and one public ip address.

Between the users, the internet and this server I have two firewalls running openbsd 4.1 GENERIC.MP (with Carp over Vlan over trunk).

Internet -----Firewall-------DMZ with SFTP server
                        |
                  Internal users

I want to allow all ssh services for internal users, and sftp _only_ from the internet. Since sftp/scp/ssh all run on the same port number (22 default), is there a way to filter the traffic with pf? I've seen that you can queue the traffic with ALTQ, but is there a way to block/allow before this stage?
Any best practice on the subject?

Cheers,
Simon.

Change the listening IP for one of the services and block access to that new IP address in PF?
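An added worked example of the approach suggested in that reply, not taken from the thread. The point behind it: pf cannot tell an sftp session from an interactive ssh session, because both are the same SSH transport on the same port and the subsystem request happens inside the encrypted channel, so the only thing pf can key on is a different IP address (or port). The example therefore gives the DMZ host a second address used only for administration, runs a second sshd bound to it, and lets the firewall pass each address to the right population. All addresses, interface names and user names are assumptions; "flags S/SA keep state" is the default for TCP pass rules from OpenBSD 4.1 on, and states are floating by default, so no explicit "pass out" rules are needed on the DMZ side.

```conf
# --- /etc/hostname.em0 on the DMZ host: add a second address (assumed values)
inet 192.0.2.10 255.255.255.0 NONE
inet alias 192.0.2.11 255.255.255.255

# --- /etc/sshd_config on the DMZ host: the existing chrooted sftp instance.
#     Bind it to the public address only; keep whatever chroot setup is already there.
ListenAddress 192.0.2.10
PermitRootLogin no

# --- /etc/sshd_config.admin on the DMZ host: a second instance for administration,
#     started from /etc/rc.local with:  /usr/sbin/sshd -f /etc/sshd_config.admin
ListenAddress 192.0.2.11
PermitRootLogin no
PasswordAuthentication no
AllowUsers simen           # assumed admin account(s)

# --- /etc/pf.conf on the firewall (OpenBSD 4.1 syntax; names and networks assumed)
ext_if   = "vlan10"        # internet-facing
int_if   = "vlan30"        # internal / VPN users
sftp_ip  = "192.0.2.10"    # public address: sftp for everybody
admin_ip = "192.0.2.11"    # alias: admin ssh, VPN users only
vpn_net  = "10.0.0.0/8"    # where VPN-connected users arrive from

set skip on lo
block log all

# Make the interesting refusals visible in pflog and pfctl -vsr counters.
# These would be dropped by "block log all" anyway; last matching rule wins,
# so they must precede the pass rules.
block in log on $ext_if proto tcp from any to $admin_ip port ssh

# Internet (and anyone else) may reach the sftp instance only.
pass in on $ext_if proto tcp from any to $sftp_ip port ssh

# VPN / internal users get the full admin instance (shell, scp, sftp).
pass in on $int_if proto tcp from $vpn_net to $admin_ip port ssh

# --- /etc/pf.conf on the DMZ host itself (defence in depth, same variables):
# block in all
# pass in proto tcp from any      to $sftp_ip  port ssh
# pass in proto tcp from $vpn_net to $admin_ip port ssh
```

Two caveats worth checking before trusting this: first, the separation is only as strong as the sftp instance's own restrictions, since anyone who can open a shell through the 192.0.2.10 instance gets exactly what the admin address was meant to protect; verify it by attempting "ssh user@192.0.2.10" from the internet side and confirming no shell is obtained. Second, confirm with "pfctl -vsr" and a quick "nc -z 192.0.2.11 22" from an external host that the admin address really is unreachable from outside, rather than relying on the fact that it is not published. If the host's OpenSSH is new enough to support "Match Address" with "ForceCommand", the same split can also be done inside a single sshd by source address, with pf then only limiting which sources may reach port 22 at all.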
