Good morning,

First, I would like to thank everyone in advance for any assistance or insight that can be provided with what I am trying to accomplish. The server I am attempting to build is basically a bastion host which users can access in order to SSH out to other firewalled connections. However, my goal is to take three existing stand-alone servers, which all have different access restrictions, and combine them into a single box.

I will restrict incoming access with RADIUS based on the IP address assigned to each virtual interface. In my current configuration I have an OpenBSD machine which has a single interface connected to the network (bnx0) on a single /29 network directly connected to a Cisco switch. I have created three bridge interfaces (bridge0, bridge1, and bridge2) which bind three virtual interfaces (vether0, vether1, and vether2) to the single physical interface. My network connections are all active and working on each virtual interface, and I have OpenSSH configured to allow incoming connections on all IP addresses, which also works.

My problem is that I am separating users based on interface IP and RADIUS, and therefore need to force their outbound SSH sessions to bind to the IP address of the interface they came in on (or at least a different IP) so I can create firewall rules to restrict outbound access. However, all outbound SSH sessions are sourced through the default (bnx0) interface, which hampers my ability to effectively firewall the outbound SSH requests, since the user could be in one of three firewall groups. I may just be thinking too hard about this, but it seems to me there should be (and likely is) a simple way to bind the outgoing connection to the source address. Any ideas, or should I just create three virtual machines and be done with it?

Again, thanks in advance for any guidance!

James
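One way to get the behaviour the post asks for, added here as an example and not part of the original post or a reply to it: sshd exports SSH_CONNECTION to the login session as "client_ip client_port server_ip server_port", so a wrapper placed ahead of the real client in PATH can read the third field (the vether address the user logged in to) and pass it to the OpenSSH client's `-b bind_address` option. The install path /usr/local/bin/ssh and the location of the real client at /usr/bin/ssh are assumptions; the SSH_CONNECTION values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Wrapper installed ahead of
# the real client in the users' PATH, e.g. as /usr/local/bin/ssh (assumed
# path). sshd sets SSH_CONNECTION to "client_ip client_port server_ip
# server_port"; the third field is the vether address the user logged in
# to, so every outbound ssh is bound to it with `ssh -b` and pf can match
# it as the source address of the outbound connection.

REAL_SSH=/usr/bin/ssh   # assumed location of the real OpenSSH client

# Print the local (server-side) address from an SSH_CONNECTION value,
# e.g. "192.0.2.10 51234 198.51.100.2 22" -> "198.51.100.2" (constructed).
# Returns 1 when the value is missing or does not have four fields.
bind_addr_from_ssh_connection() {
    set -- $1
    [ "$#" -eq 4 ] || return 1
    printf '%s\n' "$3"
}

# Return 0 if the caller tried to pick its own bind address (-b, a short
# option cluster containing b such as -vb, or -o BindAddress=... in any
# letter case), which would defeat the wrapper. Deliberately conservative:
# a cluster like -lbob is also rejected rather than risk letting -b through.
args_override_bind() {
    for arg in "$@"; do
        lower=$(printf '%s' "$arg" | tr 'A-Z' 'a-z')
        case "$lower" in
            -b*|-[!-]*b*|*bindaddress*) return 0 ;;
        esac
    done
    return 1
}

main() {
    addr=$(bind_addr_from_ssh_connection "${SSH_CONNECTION:-}") || {
        echo "ssh wrapper: no usable SSH_CONNECTION, refusing to connect" >&2
        exit 1
    }
    if args_override_bind "$@"; then
        echo "ssh wrapper: choosing a bind address is not allowed" >&2
        exit 1
    fi
    # Bind the outbound session to the address the user arrived on.
    exec "$REAL_SSH" -b "$addr" "$@"
}

# Hand off only inside an sshd session. Sourced elsewhere (for example to
# test the functions) the file just defines them; it never falls back to
# the default source address on bnx0.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main "$@"
fi
```

The wrapper is a convenience, not the enforcement point: a user who can run /usr/bin/ssh directly, or any other client, still leaves with the default source address, so the pf rules on the box have to be what actually restricts each group. If the three groups map to Unix groups, pf on OpenBSD can also match locally originated traffic on `group` in pf.conf, which does not depend on the client binding to a particular address at all.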