Hi Marian.

On 10/09/2011, Marian Hettwer <m...@kernel32.de> wrote:
> I'd say SSH tunnels are still in.

Cool.

> No. IP spoofing won't help them script kiddy at all.
> To successfully authenticate via authpf, you need a valid ip address for
> responses.
> With a fake source ip, the script kiddy won't even get a full tcp
> handshake ready...

This goes to my understanding of how authpf works. Could you clarify which one of these applies?

Log in via SSH to initiate authpf ... loads a ruleset for that IP address ... from then on normal IP from that address occurs according to the loaded ruleset (e.g. to any port 80 from that address). In other words, other ports are opened at the interface and the only access control is the continuation of the SSH session (happening concomitantly on another port). This would allow spoofing to occur. This is how I interpret the FAQ and the man page (specifically the warning in BUGS).

OR

Log in via SSH to initiate authpf ... loads a ruleset for that IP address ... from then on all traffic from that IP address includes some SSH data that authenticates *each* packet as being from that IP address. This would prevent spoofing.

OR

Log in via SSH to initiate authpf ... loads a ruleset for that IP address ... from then on all traffic is passed through SSH and demuxed internally at the gateway. This would prevent spoofing and a bunch of other stuff.

> Use SSH and/or IPSEC.

I'm starting to think an ESP IPsec tunnel is the way to go.

Best wishes.