Probably the reason libwrap does not stop everyone else is because the
connection is tunneled through your firewall.  So to your work machine, all
connections seem to be coming from one node (the firewall).

I don't know the answer to your specific question, but why not use ipfwadm
since you are on Linux to restrict who can tunnel in?

Something like this:

ipfwadm -I -a accept -P tcp -S my.home.machine -D firewall 2010
ipfwadm -I -a reject -P tcp -S 0/0 -D firewall 2010

That will allow only your home machine to access the tunnel and reject
everyone else.  This is assuming you have root privileges on the firewall,
if not, you will need the help of your admin.  Your admin knows you are
tunneling, right? :-)

Tin Le

----
Net Images - Premier Web Presence Provider   http://www.netimages.com/~tin
Internet Security and Firewall Consulting
Tin Le - [EMAIL PROTECTED]

On Wed, 28 Apr 1999, Lou Rinaldi wrote:

> (simple question, potentially complex solution:)
> 
> OS: Linux 2.0.36 (x86)
> 
> Background: I want to tunnel into my work machine (which is behind a
> firewall) from home. I initiate a port forward (from the work machine),
> which allows me to ssh into port 2010 on my home machine and login to the
> work machine from home. It works, but securing it seems to be a problem.
> 
> After compiling a vanilla (no patches) 1.2.26 --with-libwrap, I set up a
> remote port forward:
> 
> ssh -C -f -R 2010:my.work.machine:22 my.home.machine sleep 24000
> 
> and put this line in /etc/hosts.allow
> 
> sshdfwd-2010: my.home.machine
> 
> Outsiders are still able to connect to the forwarded port and they don't
> get disconnected. They are able to try and login. Sometimes, it just
> sits there, and does nothing after the connection is established. Even
> after escaping and manually disconnecting, the sshd spawned for that
> connection is still sitting there..... logs aren't much help either.
> 
> Yes, I've killed and re-run sshd after making changes to hosts.allow
> 
> What's more, I've got "GatewayPorts no" in my /etc/ssh_config
> 
> Are there any patches to correct this behavior?
> 
> - Lou
> 

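How tcp_wrappers evaluates a rule like the sshdfwd-2010 line in the post, as an added example (not code from the thread, nor from ssh 1.2.26 or libwrap): hosts.allow only ever grants access, so a stranger who matches nothing there is refused only if a hosts.deny line also matches. The hostnames and file contents are constructed.

```python
"""Toy tcp_wrappers decision for the sshdfwd-<port> daemon name.

Added example, not code from the thread. Models the evaluation order of
libwrap: hosts.allow match -> allow, else hosts.deny match -> deny, else
allow. Hostnames and file contents are constructed.
"""

# Constructed: the hosts.allow line from the post, plus two hosts.deny variants.
HOSTS_ALLOW = "sshdfwd-2010: my.home.machine\n"
HOSTS_DENY_EMPTY = ""                      # no hosts.deny entry at all
HOSTS_DENY_CATCHALL = "sshdfwd-2010: ALL\n"  # refuse everyone not allowed above


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def matches(patterns, value):
    """ALL wildcard or case-insensitive exact name match (no netgroups/masks)."""
    return any(p == "ALL" or p.lower() == value.lower() for p in patterns)


def wrapper_decision(daemon, client, allow_text, deny_text):
    """hosts.allow is consulted first and can only grant; hosts.deny can only
    refuse; a client matching neither file is let in."""
    for daemons, clients in parse_rules(allow_text):
        if matches(daemons, daemon) and matches(clients, client):
            return "allow"
    for daemons, clients in parse_rules(deny_text):
        if matches(daemons, daemon) and matches(clients, client):
            return "deny"
    return "allow"


def audit_forward(port, home, outsider, deny_text):
    """Decisions for the home host and for a stranger on the forwarded port."""
    daemon = "sshdfwd-%d" % port
    return (wrapper_decision(daemon, home, HOSTS_ALLOW, deny_text),
            wrapper_decision(daemon, outsider, HOSTS_ALLOW, deny_text))


if __name__ == "__main__":
    args = (2010, "my.home.machine", "stranger.example.org")
    print("no hosts.deny entry:", audit_forward(*args, HOSTS_DENY_EMPTY))
    print("with sshdfwd-2010: ALL:", audit_forward(*args, HOSTS_DENY_CATCHALL))
```

With only the hosts.allow line, both the home host and the stranger get "allow"; adding the deny line turns the stranger's result into "deny" while the home host stays allowed.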