[lug] firewall trickery
David L. Anselmi
anselmi at anselmi.us
Wed Feb 1 18:02:52 MST 2006
Daniel Webb wrote:
[...]
> Wow, thanks. I was making that a lot harder than it is, huh? I guess I
> didn't consider that solution because I thought the overhead would be large,
> but sure enough it's trivial:
>
> for f in $(seq 20000 20200); do sshd -o "AllowUsers user" -o "port $f"; done
>
> uses 2MB more memory than before.
To make it a little harder than this, you could also use openvpn,
especially if you're connecting to a machine behind the firewall using a
protocol other than ssh.
openvpn decrypts packets coming in and puts them out on a virtual
interface. It knows who the user is for the decryption and can assign
each a separate IP on the virtual interface. Then you can write
netfilter rules based on those IPs.
(The way I do it) it's a little harder to set up than ssh because it
uses certificates rather than just public keys so you need a basic sort
of PKI (and I made mine a little fancier than the included scripts).
Dave
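The openvpn-plus-netfilter arrangement Dave describes, as an added example that is not from the thread or from his own setup: each client certificate's common name is pinned to a fixed tunnel address with a client-config-dir file, and FORWARD rules are then written against that address. The interface name, the 10.8.0.0/24 subnet with `topology subnet`, the client names and the internal hosts and ports are all assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread, not Dave's setup: pin each OpenVPN client
# to a fixed tunnel address, then write FORWARD rules keyed on that address.
# All names, subnets and ports below are assumptions for illustration.
# Assumed server.conf lines:
#   server 10.8.0.0 255.255.255.0
#   topology subnet
#   client-config-dir /etc/openvpn/ccd
set -eu

TUN=tun0                        # OpenVPN's virtual interface
CCD=${CCD:-/etc/openvpn/ccd}    # client-config-dir from server.conf
IPT=${IPT:-iptables}            # set IPT=echo for a dry run

# Without ifconfig-push a client gets whatever pool address is free, so
# rules keyed on its address would drift. Pinning by certificate common
# name makes the address a stable stand-in for the identity openvpn verified.
pin_client() {  # pin_client <cn> <ip> <netmask>
    printf 'ifconfig-push %s %s\n' "$2" "$3" > "$CCD/$1"
}

# Default-deny forwarding; reply traffic for accepted connections flows back.
base_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Permit one pinned client to open connections to one internal service.
allow_service() {  # allow_service <client-ip> <dst-ip> <proto> <port>
    $IPT -A FORWARD -i "$TUN" -s "$1" -d "$2" -p "$3" --dport "$4" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Run with "apply" as root to write the ccd files and load the rules.
if [ "${1:-}" = apply ]; then
    mkdir -p "$CCD"
    pin_client alice 10.8.0.10 255.255.255.0   # CN=alice: RDP to one host
    pin_client bob   10.8.0.11 255.255.255.0   # CN=bob: SMB to a file server
    base_policy
    allow_service 10.8.0.10 192.168.1.20 tcp 3389
    allow_service 10.8.0.11 192.168.1.30 tcp 445
fi
```

A client whose certificate is accepted but has no ccd file still lands in the pool, so it gets an address no rule mentions and is dropped by the default policy, which is the safe failure direction.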