Hey.

On 21/09/2011, Rod Whitworth <glis...@witworx.com> wrote:
> It need not be spoofed.
> If you use authpf whilst you are on a LAN that is NATted (very common)
> everyone on that LAN will be able to access your remote host.

Nice one.

On 21/09/2011, ropers <rop...@gmail.com> wrote:
> The way I understood David's concern (please correct me if wrong) was
> that he was simply mindful of the security limitations of using *only*
> authpf (and not then also an ipsec tunnel as you're suggesting). It is
> true (or at least it's my understanding) that for some purposes,
> sometimes people use only authpf. In such a scenario, David's concerns
> might be justified ...

Exactly.
I assume authpf accomplishes what is described in the man page - no
more no less ...
It loads rules to PF on a per-session basis for a user that
authenticates via SSH and SSH takes no further part in the transaction
other than to signal termination of the session ...
There's no implicit authentication (or encryption) on any other session traffic.
Spoofing or tailgating is probable (thank you Peter).

Protecting other traffic in that session is up to the user and
requires other mechanisms (IPsec).

A couple of posters seemed ... conflicted about that.

>
> Well, unless I'm completely confused too.
>
> regards,
> --ropers
>

For the purposes of that other discussion ...
... exeunt == exit ...

Best wishes.
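To make the point above concrete, here is an added illustration (not from this thread, and not authpf's own documentation): the pf.conf anchor that authpf populates, followed by two alternative /etc/authpf/authpf.rules files. The first trusts $user_ip alone, which is the NAT gateway's address when the user sits behind NAT; the second only opens the door for IPsec from that address, so the authentication of the actual session traffic rests on the IPsec SA. Interface names and address ranges are assumed placeholders.

```pf
# /etc/pf.conf (excerpt). authpf loads each authenticated user's rules
# into a per-session anchor below "authpf/", named after user and PID.
block in on egress
anchor "authpf/*"

# --- /etc/authpf/authpf.rules, alternative 1: address-based trust ---
# authpf replaces $user_ip with the source address of the SSH session.
# Behind a NATting gateway that is the gateway's address, so every host
# on that LAN matches this rule for as long as the session lasts, and a
# host able to spoof the address matches it as well.
internal_net = "10.0.0.0/24"        # placeholder
pass in quick on egress from $user_ip to $internal_net

# --- /etc/authpf/authpf.rules, alternative 2: IPsec only ---
# authpf merely admits ESP and IKE from $user_ip; no plaintext passes.
# Authentication and encryption of the session traffic are then done by
# the IPsec SA, which a NAT neighbour or a spoofer does not hold.
internal_net = "10.0.0.0/24"        # placeholder
pass in quick on egress proto esp from $user_ip to (egress)
pass in quick on egress proto udp from $user_ip to (egress) port { 500, 4500 }
# Decrypted packets surface on enc0; restrict the inner source address
# to whatever your IPsec policy assigns to this peer.
pass in quick on enc0 from any to $internal_net keep state (if-bound)
```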
