2017-05-04 1:56 GMT+02:00 Luke Small <lukensm...@gmail.com>:

> Four words Peter..."dynamic IP address". I'm sure that there are folks that
> ssh into machines that are on a dynamic IP address that don't have a modem
> on a power backup, or even possibly on an ISP that may go down, possibly when
> they are out of town. I don't know if it is possible or already done, but
> you could have a computer check into a target machine that often changes
> the IP address or system while the firewall is locked down to only send
> messages to that remote machine and if it is compromised, can't send it
> anywhere else. Or you ssh into the machine and it only accepts incoming
> port 22 requests from a machine that has a dynamic URL and listed in your
> pf.conf. Maybe you could even signify in the pf.conf that the URL will
> often have a different IP address and it could request that IP address
> every time it gets a hit on that rule or a maximum upper bound.
>

Also, if the problem really is "I need to log in from a remote machine on
an unknown IP and strict rules on not letting others in" then you have more
or less described a roadwarrior IPsec setup, so get some kind of VPN going
there with certs and secrets and you can travel around the world and know
that only your machine with the correct magic can connect to the stationary
resource(s).
That problem was solved a long time ago.

-- 
May the most significant bit of your life be positive.
