Thread: authpf setup
Old 27th February 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

What you show are two servers, each with publicly reachable IP addresses, and a plan to limit SSH access from one address. You can do that with a one-line pass rule on Machine B, permitting only Machine A to reach Machine B's sshd(8) daemon. AuthPF is unnecessary, if what you posted is your entire topology.

In addition, with reasonable authentication methods (hint: NOT passwords), you could permit Machine B to allow SSH access from the entire Internet. I would be more concerned about attack vectors through your MTA, Web, and DNS services than SSH.

AuthPF is designed to use SSH authentication for a network gateway. It does this by altering PF rules for the authenticated user or authenticated IP address. Those rules would then permit access by the authenticated user to services that might not have any authentication of their own, such as http.
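As an added illustration of both points in the post above (the one-line pass rule for sshd(8), and where authpf's per-user rules would plug in if Machine B really were a gateway), here is a minimal /etc/pf.conf for Machine B. It is example code written for this page, not a configuration from the original thread or from the OpenBSD project. The interface name em0 and the addresses 192.0.2.10 (Machine A) and 192.0.2.20 (Machine B) are assumed placeholders from the 192.0.2.0/24 documentation range; substitute your own.

```pf
# Added example /etc/pf.conf for Machine B (not from the original thread).
# Assumed placeholders: ext_if="em0", Machine A = 192.0.2.10.
ext_if    = "em0"
machine_a = "192.0.2.10"

set skip on lo

# Default deny: every pass rule below is an explicit exception.
block all

# The "one-line pass rule": only Machine A may reach sshd(8) on Machine B.
# ($ext_if) in parentheses tracks the interface's address, so the rule
# survives an address change without a reload.
pass in on $ext_if proto tcp from $machine_a to ($ext_if) port 22

# Services that are meant to be public (MTA, web, DNS). These are the ones
# the reply says deserve more scrutiny than a key-only sshd.
pass in on $ext_if proto tcp to ($ext_if) port { 25 80 443 }
pass in on $ext_if proto { tcp udp } to ($ext_if) port 53

# Machine B's own outbound traffic.
pass out on $ext_if

# Only needed if Machine B is actually an authpf(8) gateway for other users:
# while an authpf user's SSH session is open, the rules from
# /etc/authpf/authpf.rules are loaded into this anchor for that user and
# removed again when the session ends.
anchor "authpf/*"
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. For the authpf case, /etc/authpf/authpf.rules is a separate file that uses the `$user_ip` macro authpf sets for the authenticated client, for example `pass in proto tcp from $user_ip to any port 80` to open an otherwise unauthenticated web service only to users who have proven themselves to sshd; with only the two servers described in the thread, the `anchor` line can simply be left out.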