On Mon, Sep 28, 2009 at 11:28:51PM +0200, Simen Stavdal wrote:
> Hello misc,
> 
> I have an openbsd host running that I wish to access in different
> manners depending on where the users connect from.
> This host runs sftp chrooted for internet users, and at the same
> time, I wish to administer the box with ssh.
> At the same time, I do not wish to allow ssh from the internet. We
> have a policy that only vpn connected users can administer local
> systems.
> The host is located on a dmz with one interface and one public ip address.
> 
> Between the users, the internet and this server I have two firewalls
> running openbsd 4.1 GENERIC.MP (with Carp over Vlan over trunk).
> 
> Internet -----Firewall-------DMZ with SFTP server
>                         |
>                   Internal users
> 
> I want to allow all ssh services for internal users, and sftp _only_
> from the internet.
> Since sftp/scp/ssh all run on the same port number (22 default), is
> there a way to filter the traffic with pf?
> I've seen that you can queue the traffic with ALTQ, but is there a
> way to block/allow before this stage?
> Any best practice on the subject?

Two sshd_configs.  One locked down to sftp only running on a non-standard
port and one with the services for internal users on the standard port.
Tell your users to use the non-standard port for external use.
If your users aren't bright enough to be able to use a non-standard port, 
have a redirect rule on one of the firewalls that changes the 
destination port.

Personally, I'd try and split the internal traffic and external traffic onto
different machines and, if that wasn't possible, onto different NICs on
different subnets.
> 
> Cheers,
> Simon.
> 

-- 
Chris Dukes
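The two-sshd_config split and the port redirect described in the reply, worked through as an added example (not the poster's or OpenBSD's own configuration). Everything concrete here is assumed, not taken from the thread: DMZ host 192.0.2.10, sftp instance on port 2222, external users in a group "sftponly", firewall interfaces em0 (internet) and em1 (internal), and internal network 10.0.0.0/8.

```shell
#!/bin/sh
# Added example: second sshd instance serving chrooted sftp only on a
# non-standard port, plus pf rules for the outer firewall. The standard
# /etc/ssh/sshd_config keeps serving ssh/scp on port 22 for VPN users.
# All addresses, ports, interfaces and group names are assumed values.

# sshd_config for the internet-facing instance: sftp subsystem only, every
# login chrooted. ChrootDirectory/internal-sftp need OpenSSH 4.8 or newer,
# and each chroot directory must be root-owned and not writable by others.
write_sftp_sshd_config() {
    cat > "$1" <<'EOF'
Port 2222
ListenAddress 192.0.2.10
PidFile /var/run/sshd-sftp.pid
PermitRootLogin no
AllowGroups sftponly
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
Subsystem sftp internal-sftp
ChrootDirectory /home/sftp/%u
ForceCommand internal-sftp
EOF
}

# pf rules for the outer firewall (OpenBSD 4.1 rdr syntax, matching the
# poster's firewalls). rdr runs before filtering, so an internet client
# that still dials port 22 is rewritten to 2222 and hits the pass rule;
# everything else from the internet to the DMZ host is blocked.
write_pf_rules() {
    cat > "$1" <<'EOF'
ext_if = "em0"
int_if = "em1"
int_net = "10.0.0.0/8"
sftp_host = "192.0.2.10"
rdr on $ext_if proto tcp from any to $sftp_host port 22 -> $sftp_host port 2222
block in on $ext_if from any to $sftp_host
pass in on $ext_if proto tcp from any to $sftp_host port 2222 keep state
pass in on $int_if proto tcp from $int_net to $sftp_host port 22 keep state
EOF
}

# On the DMZ host: syntax-check the new config, then start the second daemon
# beside the standard one ("sshd" argument). Merge the pf fragment into the
# firewall's /etc/pf.conf by hand and test it with pfctl -nf before loading.
if [ "${1:-}" = "sshd" ]; then
    write_sftp_sshd_config /etc/ssh/sshd_config.sftp
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config.sftp && /usr/sbin/sshd -f /etc/ssh/sshd_config.sftp
fi
```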