On 22 May 2009 at 15:05, Aaron Martinez wrote:

> Hi All,
>
> I am setting up an OpenBSD 4.5 stable based pf firewall and was
> wondering if there is a way to make it so only certain users could log
> in from certain IP addresses. I have authpf set up and working well,
> but the problem is if someone that isn't coming from one of my "safe" IP
> addresses, I don't want them to be able to log in using a login name
> that has a standard shell like ksh. I saw the "Match" statement for
> sshd but it looks like the only things that can be set are:
> AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
> ForceCommand, GatewayPorts, GSSAPIAuthentication,
> HostbasedAuthentication, KbdInteractiveAuthentication,
> KerberosAuthentication, MaxAuthTries, MaxSessions,
> PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
> PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
> X11DisplayOffset, X11Forwarding and X11UseLocalHost. None of which
> would allow for what I'm trying. (if I'm understanding this correctly)
>
>
> I'm trying to have authpf authenticate people before they are able to
> use certain services behind the firewall, i.e. pptp server, pop server
> etc., while allowing certain people from static IP addresses to actually
> log into the OpenBSD firewall.

You did say you are setting up a pf firewall, so why not use its firewalling functionality to limit those services to the specific _static IP addresses_? This is one of the simplest use cases for pf!

> Any ideas greatly appreciated.
>
>
> Thanks in advance.
>
> Aaron Martinez