At 08:53 PM 17/10/2005, Roland Pope wrote:
----- Original Message ----- From: "Mike Tancsa" <mike@xxxxxxxxxx>
Why not bind sshd to all interfaces, and then add a firewall rule
to block all inbound access to port 22, except for the IP that you
eventually assign to the tun interface? That way you don't have to
mess about HUP'ing sshd or getting it to start up post connection etc.
Unfortunately, I have to work within some company security policy
constraints that do not allow me to have an SSH daemon listening on
an Internet interface, and as a result, I have to explicitly specify
the bind address.
This is to prevent the possibility that SSH access from the Internet
becomes available due to a misconfigured firewall or failure of a
firewall rule load while still allowing management ssh access.
Not sure why the possibility of misconfiguring firewall rules (I
would put them locally on the box itself) is any better or worse
than misconfiguring how sshd starts up or sshd's config file? But
that's a different issue.
I guess your option is to start and stop sshd on the client up and
down events. I have a client box I am testing that does a bgp clean
session on up and down, and things seem to fire just fine from the
client side. I have been testing for about half a day now booting
off a dialup modem every 6 min, and it seems to be reliable
enough. I plan to run it a few more days of tests to make sure all
works reliably. Don't see why it should not.
---Mike
Roland
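The "start and stop sshd on the client up and down events" approach Mike suggests can be done with a single OpenVPN up/down script. The script below is an added example written for this thread, not code posted by Mike, Roland or the OpenVPN project. It assumes a dedicated sshd binary at /usr/sbin/sshd, a separate tunnel-only config file /etc/ssh/sshd_config-vpn and pidfile /var/run/sshd-vpn.pid (all of these paths are assumptions), and relies on OpenVPN exporting script_type, dev and ifconfig_local to scripts named with --up and --down (script-security 2 is needed for that). The point that matters for Roland's policy is that sshd is started with ListenAddress pinned to the tunnel address, and the script refuses to start it at all if that address is missing or is 0.0.0.0, so a failed or partial tunnel setup never degrades into "listen on everything".

```shell
#!/bin/sh
# Added example: OpenVPN --up/--down script that runs a tunnel-only sshd.
# Install with (assumed paths):
#   script-security 2
#   up   /etc/openvpn/sshd-tun.sh
#   down /etc/openvpn/sshd-tun.sh

SSHD=/usr/sbin/sshd                    # assumed location of the sshd binary
SSHD_CONFIG=/etc/ssh/sshd_config-vpn   # assumed tunnel-only sshd config
PIDFILE=/var/run/sshd-vpn.pid          # assumed pidfile for this instance

# Accept only a plain dotted-quad IPv4 address.  Anything else (empty value,
# trailing garbage, out-of-range octet) makes the caller refuse to start sshd.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Addresses that are valid IPv4 but must never be used as a ListenAddress
# here: 0.0.0.0 would bind every interface, which is exactly the policy
# violation the bind-to-tunnel scheme is meant to prevent.
is_tunnel_addr() {
    is_ipv4 "$1" || return 1
    [ "$1" != "0.0.0.0" ] || return 1
    return 0
}

# Command line used to start the tunnel-only sshd.  -o ListenAddress= pins the
# listener to the tunnel address; -o PidFile= lets the down event find it.
sshd_cmdline() {
    printf '%s -f %s -o ListenAddress=%s -o PidFile=%s\n' \
        "$SSHD" "$SSHD_CONFIG" "$1" "$PIDFILE"
}

start_sshd() {
    if ! is_tunnel_addr "$1"; then
        echo "sshd-tun: refusing to start sshd, bad tunnel address '$1'" >&2
        return 1
    fi
    # shellcheck disable=SC2046  # the command line contains no spaces in args
    $(sshd_cmdline "$1")
}

stop_sshd() {
    [ -r "$PIDFILE" ] || return 0
    kill "$(cat "$PIDFILE")" 2>/dev/null || true
    rm -f "$PIDFILE"
}

# Dispatch on the event OpenVPN reports.  Nothing runs unless OpenVPN invoked
# us (script_type set), so the functions can also be sourced and tested.
case ${script_type:-} in
    up)   start_sshd "${ifconfig_local:-}" ;;
    down) stop_sshd ;;
esac
```

Because the listener is bound to the tunnel address and nothing else, this satisfies "no SSH daemon listening on an Internet interface" without depending on a firewall rule; the firewall rule Mike describes can still be kept as a second layer. Note that the down script runs after OpenVPN has torn down the tunnel, so a connection drop leaves sshd bound to an address that no longer exists until the down event kills it; that window is harmless for the policy, since the address is not reachable from the Internet side.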
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users