EGeezerSummertime (join: 2002-08-04, Midwest) | reply to Daniel

Re: IP access rules and DHCP clients

I'm sure I'm missing something. If the road warrior has a dynamically assigned IP, how would I build an access rule based on the client's IP? It could be anything depending on where and when the user connects.

-- 03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...
Daniel (join: 2000-06-26, San Francisco, CA) | That's the point of it: the user sends a cryptographic "knock" to the firewall that only it could have sent, at which point the firewall opens just the SSH port for just that one client (and just for a moment).

-- dmiessler.com -- grep understanding knowledge
EGeezerSummertime (join: 2002-08-04, Midwest) | I was trying to figure out Ghost's reply (»Re: Is Portknocking "Real" Security?)... I was thinking more along the lines of a port being accessible by everyone whenever a single user entered the correct port sequence for access. Obviously I forgot that iptables can allow access to ports on a per-IP-address basis after a port knocking sequence. Hence, my previous questions do not apply. So it's possible to have thousands of users access a service remotely, but with no indication to others that a remote service is listening on a certain port.

Based on that, I'm thinking that one would need a fixed client IP address to implement IP-based rules. If the client is DHCP assigned, this IP rules layer wouldn't be in the picture. Hope that clarifies my curiosity.

-- 03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...
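The mechanism Daniel describes, and the per-IP iptables rule EGeezer refers to, can be shown end to end in a small single-packet-authorization style knock. The following is an added example, not code from anyone in this thread or from any knock daemon they mention: the client builds a UDP payload of timestamp, its address and a random nonce, tagged with an HMAC under a pre-shared key (the key, window lengths, port 22 and the message layout are all assumptions for the example). The receiving daemon checks the MAC in constant time, rejects stale timestamps and replayed nonces, confirms the address inside the knock matches the address the packet actually came from, and only then produces the iptables rule that admits that one source address for a short time. No socket is opened and no iptables command is executed; the rule is returned as a string so it can be inspected.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
import time

# Assumptions for this example: a pre-shared key, a 30 s acceptance window
# for a knock, and a 15 s lifetime for the allow rule it creates.
SHARED_KEY = b"example-shared-secret-change-me"
KNOCK_WINDOW = 30
OPEN_SECONDS = 15
SSH_PORT = 22

# Wire layout (constructed for this example): 8-byte big-endian timestamp,
# 4-byte IPv4 address, 16-byte nonce, then a 32-byte HMAC-SHA256 over the rest.
PACKET_LEN = 8 + 4 + 16 + 32


def make_knock(key, client_ip, now, nonce=None):
    """Client side: build one authenticated knock packet."""
    nonce = nonce if nonce is not None else os.urandom(16)
    payload = (struct.pack("!Q", int(now))
               + ipaddress.IPv4Address(client_ip).packed
               + nonce)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


class KnockDaemon:
    """Firewall side: validate knocks and emit a per-source-IP allow rule."""

    def __init__(self, key, now_fn=time.time):
        self.key = key
        self.now_fn = now_fn
        self.seen = {}    # nonce -> timestamp, for replay rejection
        self.rules = []   # (iptables command, expiry time) that would be installed

    def _expire_nonces(self, now):
        # Nonces older than the window can never validate again, so drop them.
        self.seen = {n: ts for n, ts in self.seen.items()
                     if now - ts <= KNOCK_WINDOW}

    def verify(self, packet, src_ip):
        """Return 'ok' or a short reason the knock was refused."""
        if len(packet) != PACKET_LEN:
            return "bad-length"
        payload, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "bad-mac"
        (ts,) = struct.unpack("!Q", payload[:8])
        claimed_ip = str(ipaddress.IPv4Address(payload[8:12]))
        nonce = payload[12:28]
        now = self.now_fn()
        if abs(now - ts) > KNOCK_WINDOW:
            return "stale"
        if claimed_ip != src_ip:
            # A knock captured on the wire cannot be replayed from elsewhere.
            return "ip-mismatch"
        self._expire_nonces(now)
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"

    def handle(self, packet, src_ip):
        """Validate a knock; on success record the rule that would open SSH
        for exactly this source address for OPEN_SECONDS."""
        verdict = self.verify(packet, src_ip)
        if verdict == "ok":
            cmd = (f"iptables -I INPUT -s {src_ip} -p tcp --dport {SSH_PORT} "
                   f"-m conntrack --ctstate NEW -j ACCEPT")
            self.rules.append((cmd, self.now_fn() + OPEN_SECONDS))
        return verdict


if __name__ == "__main__":
    # Constructed walk-through: a road warrior on an address it did not know
    # in advance knocks, and the rule is built from that observed address.
    daemon = KnockDaemon(SHARED_KEY)
    knock = make_knock(SHARED_KEY, "203.0.113.7", time.time())
    print(daemon.handle(knock, "203.0.113.7"), daemon.rules)
    print(daemon.handle(knock, "203.0.113.7"))   # same packet again: replay
```

The point relevant to the DHCP question is in `handle`: the allow rule is built from the source address the knock arrived from, so nothing about the client's address needs to be known ahead of time. The address-binding check in `verify` assumes the client knows its public address; a client behind NAT would have to learn it first or the daemon would have to drop that check and rely on the timestamp and nonce alone. Closing the rule after `OPEN_SECONDS` (the "just for a moment" part) is left to whatever runs the stored expiry times, and the established SSH session survives the rule's removal because only `NEW` connections are matched.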