You are somewhat correct. The MAC option will only work for local computers located on the LAN, otherwise your remote connections will use the MAC address from the last router hop. If your going to be connecting from a particular subnet on the Internet, setup your /etc/hosts.allow /etc/host.deny or iptables to only accept connections from a particular subnet. -----Original Message----- From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Michael Velez Sent: Tuesday, January 18, 2005 5:26 PM To: redhat-list@xxxxxxxxxx Subject: ssh from public internet and firewalls Hello all, I have set up sshd on my RHEL 3 box to be able to ssh to it from the internet. All rules on the modem, router, and RHEL work fine. However, I would like to add a rule to my firewall that only certain MAC addresses can actually make a request to sshd, thereby limiting ssh's from the public internet to two trusted laptops. I have set up my firewall with the mac address option and have put in the mac addresses of those laptops. The problem is that this works fine when the laptops are connecting from within my LAN (i.e. firewall accepts/rejects specific MAC addresses - not a great help there but I guess I'm protected from any devious family member) but it does not work when my laptop is connecting from the public internet? Is there a reason? Will the MAC address reflect the one from the latest hop; that is, will my Linux box only see the router MAC address? There seems to be a MAC option in the sshd_config; is that the answer and how do I use that? Also, can I set up two different authentication mechanisms for whether I'm logging in from within my LAN or from the internet? There is a HOST keyword for the sshd_config file. Can I set up two pseudo-hosts to go verify two different identities with one of the hosts only accepting local IP addresses or something else that's local that I can define? The reason I ask is that I would rather just have to enter a password or no password (with RSA authentication - no passphrase) from within my lan but on the public internet, I would set up an authentication with password and RSA public/private key with passphrase and then only allow that from two laptops. Is this possible and/or is this overkill? Last but not least, I imagine I can change the port on which sshd listens. Do I only have to change the relevant line in /etc/services or is there something else I need to look at? If somebody can point me in the right direction, or suggest/advise the best way of doing this, I would appreciate it. I'll then go figure out the details. Thanks, Michael -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list