From: Andreas Kohlbach
Newsgroups: comp.os.linux.misc
Subject: Re: Guaranteeing SSH access to specific clients
Date: Fri, 09 Dec 2022 12:44:52 -0500
Message-ID: <87mt7wsc8b.fsf@usenet.ankman.de>

On Fri, 09 Dec 2022 03:34:32 +0000, Robert Heller wrote:
>
> If the accepted clients have specific, known IP addresses, then if the server
> has a firewall (eg iptables, firewalld, etc.), then firewall rules could be
> set up to "reject" (or drop) port 22 packets from non-accepted IP addresses.
> No changes to sshd or special settings in /etc/ssh/*config would be needed.

SSH has options itself to deal with traffic. As long as a server can
deal with these things I refrained from using a package filter.

Example SMB. I set up

    bind interfaces only = Yes

and

    interfaces = 127.0.0.0/8 eth0

to only allow localhost and what comes over Ethernet (my other
computer).

-- 
Andreas
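
Added example, not part of the original post: a Python check of the two smb.conf settings quoted above, flagging the case where "interfaces" is set but "bind interfaces only" is not, so smbd still listens everywhere. The function names and the sample configurations are constructed for illustration.

```python
import ipaddress

TRUE = {"yes", "true", "1", "on"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.
    Samba ignores case and whitespace in parameter names, so normalise both."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params

def is_loopback(entry):
    """True for a loopback interface name (lo, lo0) or a loopback address/network."""
    if entry.lower().startswith("lo"):
        return True
    try:
        return ipaddress.ip_interface(entry).ip.is_loopback
    except ValueError:                       # an interface name such as eth0
        return False

def audit(text):
    """List findings about which interfaces smbd will listen on."""
    p = parse_global(text)
    ifaces = p.get("interfaces", "").split()
    bind_only = p.get("bindinterfacesonly", "no").lower() in TRUE
    findings = []
    if not bind_only:
        findings.append("bind interfaces only is off: smbd listens on all interfaces")
    elif not ifaces:
        findings.append("bind interfaces only is on but no interfaces are listed")
    elif not any(is_loopback(i) for i in ifaces):
        findings.append("no loopback entry in interfaces: local tools such as smbpasswd may fail")
    return findings

# Constructed sample inputs, not taken from a real host.
POSTED = "[global]\n  bind interfaces only = Yes\n  interfaces = 127.0.0.0/8 eth0\n"
WEAK = "[global]\n  interfaces = 127.0.0.0/8 eth0\n"
```

audit(POSTED) returns an empty list; audit(WEAK) reports that the interface list alone does not restrict where smbd listens.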