[lug] firewall trickery

David L. Anselmi anselmi at anselmi.us
Wed Feb 1 18:02:52 MST 2006


Daniel Webb wrote:
[...]
> Wow, thanks.  I was making that a lot harder than it is, huh?  I guess I
> didn't consider that solution because I thought the overhead would be large,
> but sure enough it's trivial:
> 
> for f in $(seq 20000 20200); do sshd -o "AllowUsers user" -o "port $f"; done 
> 
> uses 2MB more memory than before.

To make it a little harder than this, you could also use openvpn, 
especially if you're connecting to a machine behind the firewall using a 
protocol other than ssh.

openvpn decrypts packets coming in and puts them out on a virtual 
interface.  It knows who the user is for the decryption and can assign 
each a separate IP on the virtual interface.  Then you can write 
netfilter rules based on those IPs.

(The way I do it) it's a little harder to set up than ssh because it 
uses certificates rather than just public keys so you need a basic sort 
of PKI (and I made mine a little fancier than the included scripts).

Dave
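The per-client addressing described above, as an added example that is not part of the thread: OpenVPN pins each certificate's common name to a fixed tunnel address through client-config-dir, and the netfilter rules then key on that address. It assumes a server configured with "topology subnet", "server 10.8.0.0 255.255.255.0", "client-config-dir", "ccd-exclusive" and the tunnel on tun0; the user names, addresses and internal hosts are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an OpenVPN server with
# "topology subnet", "server 10.8.0.0 255.255.255.0", "client-config-dir $CCD_DIR"
# and "ccd-exclusive" (clients without a ccd file are refused), tunnel on tun0.
# All names and addresses below are constructed.

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
TUN_IF="${TUN_IF:-tun0}"

# Fixed VPN address per client certificate common name, i.e. the identity
# OpenVPN verified in the TLS handshake. Unknown CNs get no address.
vpn_ip_for() {
    case "$1" in
        alice) echo 10.8.0.10 ;;
        bob)   echo 10.8.0.11 ;;
        *)     return 1 ;;
    esac
}

# Write the per-client file OpenVPN reads from client-config-dir when that CN
# connects. ifconfig-push pins the client to its address (address + netmask
# form because of "topology subnet").
write_ccd() {
    ip=$(vpn_ip_for "$1") || return 1
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$CCD_DIR/$1"
}

# One forwarding rule for one client: new TCP connections from its pinned
# tunnel address to a single internal host:port. Usage: allow_rule CN HOST PORT
allow_rule() {
    ip=$(vpn_ip_for "$1") || return 1
    echo "iptables -A FORWARD -i $TUN_IF -s $ip -d $2 -p tcp --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# Complete FORWARD policy for the tunnel, in order: replies to existing flows,
# the per-client exceptions, then drop whatever else arrives on tun0.
# Review with "ruleset", apply with "ruleset | sh".
ruleset() {
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    allow_rule alice 192.168.1.5 5900    # alice: VNC on one desktop only
    allow_rule bob   192.168.1.20 3306   # bob: one database server only
    echo "iptables -A FORWARD -i $TUN_IF -j DROP"
}
```

Because the source address on tun0 is assigned by the server after certificate verification, a client cannot pick a different address to reach another user's rule; a packet from an address OpenVPN did not push for that client is dropped before it reaches netfilter.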


