Date:      Fri, 12 Oct 2001 22:02:01 +0200
From:      Alson van der Meulen <alm@flutnet.org>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: How to protect binding to interface ?
Message-ID:  <20011012220201.D21997@md2.mediadesign.nl>
In-Reply-To: <20011012153913.H4157@brained.org>
References:  <20011010214156.B27378@brained.org> <20011012143031.B21997@md2.mediadesign.nl> <20011012143125.G4157@brained.org> <20011012212703.C21997@md2.mediadesign.nl> <20011012153913.H4157@brained.org>

On Fri, Oct 12, 2001 at 03:39:13PM -0400, Simon Perkins wrote:
> On Fri, Oct 12, 2001 at 09:27:03PM +0200, Alson van der Meulen wrote:
> > > > 
> > > 
> > > I think that is a workable solution. I think I stated my question wrongly.
> > > What I need is *remote* users not to see public interfaces (bind to them).
> > Do you mean 'users logged in thru ssh from a remote location'? or 'users
> > on other remote computers making a tcp connection to me'? If it's the
> > latter, it's not called binding to an interface, but just packet
> > filtering/firewalling. So I assume you mean the former definition.
> > 
> 
> Yes, I did mean the former. Maybe this is what I need to to
> User ssh's to my public IP (say 111.111.111.111)
> firewall running on public ip server forwards it to internal host (222.222.222.222)
> internal host just has a private ip address (222...). So users even if
> they run any server there, would be binding to non-public ip.
> 
> 
>    Now I see, I can do this with 2 computers. But is it possible with
>    just one computer (maybe with multiple network cards ?)
Sure:
try ipfw rules like this:
allow tcp from any to 111.111.111.111 22 setup
reject tcp from any to 111.111.111.111 setup
(this is basically an extremely simple firewall ruleset denying all
incoming tcp except ssh).
Note that you've to do something else for UDP, just RTFM ;)

I suggest you read ipfw(8), maybe /etc/rc.firewall,
http://www.freebsd.org/handbook/firewalls.html, and possibly other ipfw
documentation. You should probably use reject instead of deny, since
reject emulates the behaviour like the port is closed, instead of just
ignoring the traffic. People will get a 'connection refused' message
when they try to connect, instead of a timeout after a certain period of
time. Whether to use deny or reject is mainly a matter of personal
preference, deny has the advantage of slowing down portscans.
-- 
,-------------------------------------------.
> Name:           Alson van der Meulen      <
> Personal:        alson@flutnet.org        <
> School:       alson@gymnasiumleiden.nl    <
`-------------------------------------------'
hey, what does mkfs do?
---------------------------------------------
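The message above gives two ipfw rules and a note on reject versus deny. The following is an added example, written for this page and not code from the message, from ipfw or from FreeBSD: a small Python model of ipfw's first-match evaluation over constructed packets, covering the subset of rule syntax the message uses ("<action> <proto> from any to <dst> [port] [setup]"). It shows why only connection-opening TCP segments to port 22 get through, why the ruleset says nothing about UDP (the caveat in the message), and how "reject" and "deny" differ from the remote sender's point of view. The final default action is passed in as a parameter because ipfw's built-in last rule depends on how the kernel was configured; that, and the source-address handling being omitted, are assumptions of the example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

PUBLIC_IP = "111.111.111.111"   # the public address used in the thread


@dataclass(frozen=True)
class Packet:
    """Constructed description of one packet arriving at the host."""
    proto: str                # "tcp" or "udp"
    dst: str                  # destination address
    dport: int                # destination port
    setup: bool = False       # True for a connection-opening segment (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str               # "allow", "deny" or "reject"
    proto: str                # "tcp", "udp" or "any"
    dst: str                  # destination address or "any"
    dport: Optional[int]      # destination port, None means any port
    setup: bool = False       # match only connection-opening segments

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.setup and not p.setup:
            return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the message:
    '<action> <proto> from <src> to <dst> [port] [setup]'.
    Source addresses are not modelled (the message only uses 'any')."""
    tok = text.split()
    if len(tok) < 6 or tok[2] != "from" or tok[4] != "to":
        raise ValueError("unsupported rule: " + text)
    dport = None
    setup = False
    for extra in tok[6:]:
        if extra == "setup":
            setup = True
        else:
            dport = int(extra)
    return Rule(action=tok[0], proto=tok[1], dst=tok[5], dport=dport, setup=setup)


# The two rules from the message, in the order given.
RULESET: List[Rule] = [parse_rule(line) for line in (
    "allow tcp from any to 111.111.111.111 22 setup",
    "reject tcp from any to 111.111.111.111 setup",
)]


def evaluate(rules: List[Rule], p: Packet, default: str = "allow") -> str:
    """First matching rule decides, as in ipfw. Returns what the remote
    sender observes. 'default' stands in for the kernel's final rule; the
    real default depends on the kernel build, so it is an assumption here."""
    for r in rules:
        if r.matches(p):
            action = r.action
            break
    else:
        action = default
    if action == "allow":
        return "accepted"
    if action == "reject":
        return "refused immediately"   # an error goes back to the sender at once
    if action == "deny":
        return "timeout"               # dropped silently; the sender keeps retrying
    raise ValueError("unknown action " + action)


def with_deny(rules: List[Rule]) -> List[Rule]:
    """The same ruleset with 'reject' swapped for 'deny', to compare the two."""
    return [replace(r, action="deny") if r.action == "reject" else r for r in rules]


if __name__ == "__main__":
    for pkt in (Packet("tcp", PUBLIC_IP, 22, setup=True),
                Packet("tcp", PUBLIC_IP, 80, setup=True),
                Packet("tcp", PUBLIC_IP, 80, setup=False),
                Packet("udp", PUBLIC_IP, 53)):
        print(pkt, "-> reject:", evaluate(RULESET, pkt),
              "/ deny:", evaluate(with_deny(RULESET), pkt))
```

Running the block prints one line per constructed packet. The difference between the two trailing columns for the port-80 SYN is the whole reject-versus-deny discussion: the same packet is dropped either way, only the sender's experience changes. The UDP line shows that neither rule matches it, so whatever the default is decides, which is why the message says UDP needs separate rules.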