On Mon, 28 Sep 2009 23:28:51 +0200 Simen Stavdal <[email protected]> wrote:
> Hello misc,
>
> I have an openbsd host running that I wish to access in different
> manners depending on where the users connect from.
> This host runs sftp chrooted for internet users, and at the same
> time, I wish to administer the box with ssh.
> At the same time, I do not wish to allow ssh from the internet. We
> have a policy that only vpn connected users can administer local
> systems. The host is located on a dmz with one interface and one
> public ip address.
>
> Between the users, the internet and this server I have two firewalls
> running openbsd 4.1 GENERIC.MP (with Carp over Vlan over trunk).
>
> Internet -----Firewall-------DMZ with SFTP server
>                  |
>            Internal users
>
> I want to allow all ssh services for internal users, and sftp _only_
> from the internet.
> Since sftp/scp/ssh all run on the same port number (22 default), is
> there a way to filter the traffic with pf?
> I've seen that you can queue the traffic with ALTQ, but is there a
> way to block/allow before this stage?
> Any best practice on the subject?
>
> Cheers,
> Simon.

Override limits to the ssh server by Match rules in sshd_config by using
the VPN IP space as identifier?

- Robert
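An added sshd_config sketch of the Match approach suggested above (example configuration, not something posted in this thread). It assumes a placeholder VPN range of 10.8.0.0/24, a local group "sftponly" for the internet-facing accounts, and an OpenSSH 5.1 or newer sshd on the DMZ host (needed for CIDR and negated patterns in Match Address, ChrootDirectory and internal-sftp).

```conf
# /etc/ssh/sshd_config  (added example; 10.8.0.0/24 is a placeholder VPN range)
#
# Idea: pf cannot tell sftp from an interactive shell on port 22, so the
# policy lives in sshd. Everything that does NOT arrive from the VPN space
# is forced into an in-process sftp server inside a chroot; VPN users keep
# the defaults and get a normal shell.
#
# ChrootDirectory requires %h (the home directory) and every path above it
# to be owned by root and not group- or world-writable.

Subsystem sftp internal-sftp     # global: in-process sftp that works in a chroot

# Connections from anywhere except the VPN range: sftp only, no shell,
# no port or X11 forwarding, whichever account they authenticate as.
Match Address *,!10.8.0.0/24
    ForceCommand internal-sftp
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# Dedicated sftp accounts stay confined even when they come in over the VPN.
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
```

Before restarting sshd, `sshd -t` checks the syntax, and `sshd -T -C addr=198.51.100.7,user=admin` (placeholder values) prints the effective settings a connection from that address and user would receive, which is the quickest way to confirm that an internet source really gets `forcecommand internal-sftp` while a VPN source does not.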

