You are correct (rw --- leaf/FS SG === 192.168.1.254 --- 192.168.1.0/24). Is the hosts.allow/hosts.deny just belt and braces at that point, i.e. the firewall SHOULD successfully block (and, for that matter, ssh still requires a password <grin>)?
> -----Original Message-----
> From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 25, 2002 3:39 PM
> To: Keith Laidlaw
> Cc: LEAF
> Subject: Re: [Leaf-user] Open ssh and weblet to my VPN
>
> > My "remote network" is actually a roadwarrior (i.e. on the "internet" side).
> > Sorry I wasn't clear.
>
> OK, so you're creating a host <-> subnet connection, with the subnet being
> your firewalled home network, and the host being a random road-warrior IP?
>
> > As a result, I would have to open it up to ANY valid ip address. Perhaps
> > opening it up is ok as long as I keep my firewall rules intact (ports 22 and
> > 80 are blocked on eth0 but ipsec0 bypasses those rules)
>
> If the answer to my above question is "yes", then this will work. You lose
> the hosts.allow/hosts.deny "defense in depth", but firewall rules should
> prevent any external users from hitting your ssh & weblet ports.
>
> NOTE: If you have any untrusted internal networks/machines, you'll have to
> explicitly firewall them with custom ipchains rules, or possibly stick them
> in hosts.deny (I think you can override hosts.allow with more specific
> settings in hosts.deny, but it's been a while since I read through the man
> pages...I'd test it before trusting any configuration anyway...).
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
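As an added example (not code from the thread or the LEAF project), a small Python model of the hosts_access(5) evaluation order, showing how a hosts.allow entry for the whole LAN interacts with a per-host hosts.deny entry and where the EXCEPT operator fits; the rule sets and addresses below are constructed for illustration.

```python
"""Toy model of the hosts_access(5) evaluation order used by TCP Wrappers.

Added example for the thread above, not LEAF project code. It models only
the syntax the thread touches: daemon lists, client hosts, a.b.c.d/mask or
a.b.c.d/prefix networks, the ALL wildcard and the EXCEPT operator.
Rule sets and addresses below are constructed for illustration.
"""
import ipaddress

def _client_matches(pattern, client):
    # ALL wildcard, net/mask or net/prefix network, or a literal address.
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.IPv4Address(client) in ipaddress.IPv4Network(pattern, strict=False)
    return client == pattern

def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon

def _list_matches(spec, value, matcher):
    # "a b EXCEPT c": a member of the first list that is not in the EXCEPT list.
    head, _, tail = spec.partition(" EXCEPT ")
    return (any(matcher(p, value) for p in head.split())
            and not any(matcher(p, value) for p in tail.split()))

def _file_matches(rules, daemon, client):
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = [f.strip() for f in line.split(":")[:2]]
        if (_list_matches(daemons, daemon, _daemon_matches)
                and _list_matches(clients, client, _client_matches)):
            return True
    return False

def hosts_access(hosts_allow, hosts_deny, daemon, client):
    """hosts.allow match -> grant; else hosts.deny match -> deny; else grant."""
    if _file_matches(hosts_allow, daemon, client):
        return True
    return not _file_matches(hosts_deny, daemon, client)

# Attempt A: allow the whole LAN, then try to carve out one host in hosts.deny.
ALLOW_A = "sshd: 192.168.1.0/255.255.255.0\n"
DENY_A = "sshd: 192.168.1.50\n"
# Attempt B: carve the host out inside hosts.allow with EXCEPT, default-deny the rest.
ALLOW_B = "sshd: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.50\n"
DENY_B = "ALL: ALL\n"
```

With these rules, hosts_access(ALLOW_A, DENY_A, "sshd", "192.168.1.50") returns True, because a hosts.allow match is final and hosts.deny is never consulted for that pair; attempt B returns False for that host and True for the rest of the LAN.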
