Hi Chris,

Thanks for the advice. I never thought of doing it this way... - :)
The ssh-part of it is just for administration of the box, so it can run
on a non-standard port number, but I see your point.
If there had been "normal users", I would use two different machines.

Cheers,
Simon.

Chris Dukes wrote:

  On Mon, Sep 28, 2009 at 11:28:51PM +0200, Simen Stavdal wrote:

    Hello misc,
    
    I have an openbsd host running that I wish to access in different
    manners depending on where the users connect from.
    This host runs sftp chrooted for internet users, and at the same
    time, I wish to administer the box with ssh.
    At the same time, I do not wish to allow ssh from the internet. We
    have a policy that only vpn connected users can administer local
    systems.
    The host is located on a dmz with one interface and one public ip address.
    
    Between the users, the internet and this server I have two firewalls
    running openbsd 4.1 GENERIC.MP (with Carp over Vlan over trunk).
    
    Internet -----Firewall-------DMZ with SFTP server
                            |
                      Internal users
    
    I want to allow all ssh services for internal users, and sftp _only_
    from the internet.
    Since sftp/scp/ssh all run on the same port number (22 default), is
    there a way to filter the traffic with pf?
    I've seen that you can queue the traffic with ALTQ, but is there a
    way to block/allow before this stage?
    Any best practice on the subject?

  Two sshd_configs.  One locked down to sftp only running on a non-standard
  port and one with the services for internal users on the standard port.
  Tell your users to use the non-standard port for external use.
  If your users aren't bright enough to be able to use a non-standard port, 
  have a redirect rule on one of the firewalls that changes the 
  destination port.
  
  Personally, I'd try and split the internal traffic and external traffic
  to different machines and if that wasn't possible to different NICs on
  different subnets.

    Cheers,
    Simon.
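As an added example (not code from the thread or from OpenBSD), here is a sketch of Chris's suggestion: two sshd_config files, one chrooted sftp-only instance on a non-standard port for the internet and one full-ssh instance on port 22 for VPN/internal admins, plus the pf rules in the pre-4.7 syntax that 4.1 firewalls use. The port, addresses, group names and output directory are assumptions.

```shell
#!/bin/sh
# Added example: generate the two sshd_config files and a pf fragment for the
# "two sshd instances" setup. Values below are assumptions, not from the thread.
set -eu
OUT="${OUT:-${TMPDIR:-/tmp}/sshd-split}"   # where the generated files are written
SFTP_PORT=2222                             # assumed non-standard sftp port
ADMIN_NET="10.0.0.0/8"                     # assumed VPN/internal admin range
SRV="192.0.2.10"                           # assumed DMZ address (documentation range)

write_configs() {
  mkdir -p "$OUT"
  # Instance 1: internet-facing, chrooted sftp only, no shell or forwarding.
  cat > "$OUT/sshd_config.sftp" <<EOF
Port $SFTP_PORT
PidFile /var/run/sshd-sftp.pid
Subsystem sftp internal-sftp
PermitRootLogin no
AllowGroups sftponly
AllowTcpForwarding no
X11Forwarding no
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
EOF
  # Instance 2: administrative ssh on the standard port; pf limits who reaches it.
  cat > "$OUT/sshd_config.admin" <<EOF
Port 22
PidFile /var/run/sshd-admin.pid
PermitRootLogin no
AllowGroups wheel
EOF
  # pf (pre-4.7 syntax): the rdr lets external users keep typing port 22; after
  # translation the filter sees $SFTP_PORT, so only the sftp instance is reachable
  # from outside. Internal admins reach port 22. A default block catches the rest.
  cat > "$OUT/pf.conf.frag" <<EOF
rdr on \$ext_if proto tcp from any to $SRV port 22 -> $SRV port $SFTP_PORT
pass in on \$ext_if proto tcp from any to $SRV port $SFTP_PORT
pass in on \$int_if proto tcp from $ADMIN_NET to $SRV port 22
EOF
}

# Consistency check: distinct ports, and only the internet-facing instance
# forces internal-sftp. Returns 0 when the split is as intended.
check_split() {
  write_configs
  p1=$(awk '$1=="Port"{print $2}' "$OUT/sshd_config.sftp")
  p2=$(awk '$1=="Port"{print $2}' "$OUT/sshd_config.admin")
  [ "$p1" != "$p2" ] || return 1
  grep -q '^ *ForceCommand internal-sftp' "$OUT/sshd_config.sftp" || return 1
  ! grep -q 'ForceCommand' "$OUT/sshd_config.admin" || return 1
}
```

Validate each generated file on the host with `sshd -t -f <file>` before starting the second instance with `sshd -f <file>`.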
