On Sat, 4 Sep 2004, SW wrote:

> Hi Mike,
>
> > Comcast does, indeed, have a rather wide IP addresses, true, but your
> > friend is only going to get an address in a small subnet
>
> I wish that was the case...I've been manually updating my firewall whenever
> his ip address changes and they are not even close let alone in the same ip
> subnet:
>
> 64.12.116.x
> 68.49.152.x
> 68.49.155.x
> 68.49.156.x
> 68.49.157.x
> 152.163.252.x
>
> I'm willing to open up my box to a subnet xxx.xxx.xxx.0 but so far the range
> of ip addresses he is getting is so large, it will defeat the purpose to
> blocking ssh because I would have to open up to so many ranges. Is there any
> solution?

Well, for now, you might be able to get away with a /24 (255.255.255.0) for
the 64.12 IP and the 152.163 IP.

For the other range, you could specify: 68.49.152.0/21 (or
68.49.152.0/255.255.248.0, if your router can't handle CIDR notations).

As to other options, I saw someone mention opening up an alternate port, and
having them SSH to that.

Another possibility is to restrict the authentication methods...preferably
to key based authentication. That way, you turn off keymode/password
authentication, the only way to authenticate is to have a valid key. The key
isn't based on IP address, and anyone without a valid user account and key
won't get in.

-- 
Mike Burger
http://www.bubbanfriends.org
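
The CIDR arithmetic behind the reply above, as an added example that is not part of the original message: it merges the observed ranges into the fewest allow-list entries without going wider than a /21, and counts how many addresses that admits. The function names and the /21 cap as a parameter are assumptions made for illustration; the masked last octet is treated as a /24.

```python
import ipaddress

# Constructed input: the six ranges listed in the thread, with the masked
# last octet ("x") written as a /24.
OBSERVED = ["64.12.116.0/24", "68.49.152.0/24", "68.49.155.0/24",
            "68.49.156.0/24", "68.49.157.0/24", "152.163.252.0/24"]

def covering_supernet(a, b):
    """Smallest single CIDR block that contains both networks."""
    net = a if a.prefixlen <= b.prefixlen else b
    while not (a.subnet_of(net) and b.subnet_of(net)):
        net = net.supernet()
    return net

def allow_list(observed, widest_prefix=21):
    """Merge sorted networks greedily, never wider than widest_prefix."""
    groups = []
    for net in sorted(ipaddress.ip_network(n) for n in observed):
        if groups:
            merged = covering_supernet(groups[-1], net)
            if merged.prefixlen >= widest_prefix:
                groups[-1] = merged   # still narrow enough: absorb it
                continue
        groups.append(net)            # too far apart: separate entry
    return groups

def exposed(groups):
    """Total number of source addresses the allow-list admits."""
    return sum(g.num_addresses for g in groups)

def is_allowed(ip, groups):
    addr = ipaddress.ip_address(ip)
    return any(addr in g for g in groups)

if __name__ == "__main__":
    groups = allow_list(OBSERVED)
    for g in groups:
        # Print both notations, for firewalls that lack CIDR support.
        print(g.with_prefixlen, "=", g.with_netmask)
    print("addresses admitted:", exposed(groups))
    # The /21 also admits 68.49.153, .154, .158 and .159, never observed.
    print("68.49.159.7 admitted:", is_allowed("68.49.159.7", groups))
```

The three entries it produces match the reply: two /24s and 68.49.152.0/21. The allow-list only narrows who can reach the port; the key-only authentication suggested in the reply is what decides who gets in.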