* IP address ranges for USA and Europe
@ 2005-06-02 18:20 James Cooke
2005-06-02 18:45 ` Taylor, Grant
0 siblings, 1 reply; 3+ messages in thread
From: James Cooke @ 2005-06-02 18:20 UTC (permalink / raw)
To: netfilter
Hi all,
I'm running a VPN server to which IP tables limits connections to the IP
addresses of the client offices. However, now the client wants roaming
access to the VPN via laptops - they will be moving around Europe and
the USA. There are two layers of password security, but I'm still
nervous about opening the server to the entire world...
Therefore, is there a nice way to open the firewall for connections just
from Europe and USA?
I've found lots of IP address ranges, but even those don't seem to be
complete - AOL IPs don't fit in to the list I've compiled so far for
example. So I'm thinking there's got to be something better than writing
out a full list of ranges and allowing them connections...
The SSH brute force thread was very interesting with the recent/tarpit
trap for our less than welcome guests and I would like to implement this
on the VPN ports in the future - but for now I'm just looking for a
quick fix.
Thanks in advance for any input on this...
James
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: IP address ranges for USA and Europe
2005-06-02 18:20 IP address ranges for USA and Europe James Cooke
@ 2005-06-02 18:45 ` Taylor, Grant
2005-06-02 19:26 ` John A. Sullivan III
0 siblings, 1 reply; 3+ messages in thread
From: Taylor, Grant @ 2005-06-02 18:45 UTC (permalink / raw)
To: netfilter
James Cooke wrote:
> Hi all,
>
> I'm running a VPN server to which IP tables limits connections to the IP
> addresses of the client offices. However, now the client wants roaming
> access to the VPN via laptops - they will be moving around Europe and
> the USA. There are two layers of password security, but I'm still
> nervous about opening the server to the entire world...
>
> Therefore, is there a nice way to open the firewall for connections just
> from Europe and USA?
>
> I've found lots of IP address ranges, but even those don't seem to be
> complete - AOL IPs don't fit in to the list I've compiled so far for
> example. So I'm thinking there's got to be something better than writing
> out a full list of ranges and allowing them connections...
>
> The SSH brute force thread was very interesting with the recent/tarpit
> trap for our less than welcome guests and I would like to implement this
> on the VPN ports in the future - but for now I'm just looking for a
> quick fix.
>
> Thanks in advance for any input on this...
>
> James
>
A couple of things come to mind, that being GEOIP and having your client SSH in to a server before they set up the VPN. You could combine the idea behind port knocking as in remembering what port is active or was active and then allow VPN connections from an IP that has an established SSH connection with more than X number of packets or byes. Take a look at http://netfilter.org/patch-o-matic/pom-extra.html#pom-extra-geoip for more information on GeoIP and http://www.maxmind.com/app/geoip_country for information on where to obtain the database.
I would be interested in seeing what you would like to do with the SSH_Brute_Force idea on your VPN. I'm getting ready to expand the idea to other things as well and I would be interested in talking to you about what you are wanting to see if I could not role that in to the new version that I'm going to be working on.
Grant. . . .
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: IP address ranges for USA and Europe
2005-06-02 18:45 ` Taylor, Grant
@ 2005-06-02 19:26 ` John A. Sullivan III
0 siblings, 0 replies; 3+ messages in thread
From: John A. Sullivan III @ 2005-06-02 19:26 UTC (permalink / raw)
To: Taylor, Grant; +Cc: Netfilter users list
On Thu, 2005-06-02 at 13:45 -0500, Taylor, Grant wrote:
> James Cooke wrote:
> > Hi all,
> >
> > I'm running a VPN server to which IP tables limits connections to the IP
> > addresses of the client offices. However, now the client wants roaming
> > access to the VPN via laptops - they will be moving around Europe and
> > the USA. There are two layers of password security, but I'm still
> > nervous about opening the server to the entire world...
> >
> > Therefore, is there a nice way to open the firewall for connections just
> > from Europe and USA?
> >
> ><snip>
>
I do not know if this will be of any help to you but we've taken a
completely different approach. We have implemented out-of-band user
authentication in the ISCS project (http://iscs.sourceforge.net).
Basically, we dynamically reconfigure IP tables for each RAS user and
implement custom iptables rules based upon the DER_ASN.1_DN of their
X.509 cert.
Thus, for example, when someone with a cert where
0=mycompany,OU=executive connects, the are granted access to executive
and financial resources. When someone with O=mycompany,OU=sales
connects, they are given access to sales resources. We still have some
issues to iron out and a few obscure exploits to close but perhaps you
can use the ideas we have implemented. They are well documented in the
code.
The NuFW folks (http://www.nufw.org) have taken this idea much further
but I believe their solution is more geared toward internal users on
trusted networks although that may have changed. Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-06-02 19:26 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-06-02 18:20 IP address ranges for USA and Europe James Cooke
2005-06-02 18:45 ` Taylor, Grant
2005-06-02 19:26 ` John A. Sullivan III
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.