[OmniOS-discuss] question about service firewall rules

Michael Talbott mtalbott at lji.org
Wed Jul 29 17:55:46 UTC 2015


Hi,

Granted this won't fix the firewall issue, but I think you can get the results you're looking for just by editing /etc/ssh/sshd_config and using "AllowUsers username@192.168.1.0/24"

From sshd_config's man page:

       AllowUsers
           This keyword can be followed by a number of user names, separated
           by spaces. If specified, login is allowed only for user names that
           match one of the patterns.  Asterisk (*) and question mark (?) can
           be used as wildcards in the patterns. Only user names are valid; a
           numerical user ID is not recognized. By default login is allowed
           regardless of the user name.

           If a specified pattern takes the form user@host then user and host
           are checked separately, restricting logins to particular users from
           particular hosts.


________________________
Michael Talbott
Systems Administrator
La Jolla Institute
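As an added illustration (not part of the original message or of OpenSSH's code) of how the user@host form described above behaves, the following models the AllowUsers decision: each pattern is split at the "@" and the user and host parts are checked separately; "*" and "?" are the only wildcards; a host part written in CIDR form matches the client address as a network. Pattern values are taken from this thread; the user names and the hostname handling are assumptions for the example.

```python
import ipaddress


def wild_match(pattern, s):
    """sshd-style glob: '*' matches any run of characters (including none),
    '?' matches exactly one; there are no [..] character classes."""
    if not pattern:
        return not s
    if pattern[0] == "*":
        return any(wild_match(pattern[1:], s[i:]) for i in range(len(s) + 1))
    return bool(s) and pattern[0] in ("?", s[0]) and wild_match(pattern[1:], s[1:])


def parse_allow_users(line):
    """Turn 'AllowUsers a@1.2.3.0/24 b' into [('a', '1.2.3.0/24'), ('b', None)]."""
    tokens = line.split()
    if tokens and tokens[0].lower() == "allowusers":
        tokens = tokens[1:]
    patterns = []
    for tok in tokens:
        user_pat, sep, host_pat = tok.partition("@")
        patterns.append((user_pat, host_pat if sep else None))
    return patterns


def host_matches(host_pat, addr, hostname=None):
    """Host half of a user@host pattern: CIDR networks match the client
    address numerically; anything else is a glob over the address string
    and, when known, the client's resolved hostname (lowercased)."""
    if "/" in host_pat:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(host_pat, strict=False)
        except ValueError:
            return False
    if wild_match(host_pat, addr):
        return True
    return hostname is not None and wild_match(host_pat.lower(), hostname.lower())


def allow_users_permits(patterns, user, addr, hostname=None):
    """Login is permitted if any pattern matches; with no AllowUsers
    configured at all, every user name is allowed (the sshd default)."""
    if not patterns:
        return True
    for user_pat, host_pat in patterns:
        if not wild_match(user_pat, user):
            continue
        if host_pat is None or host_matches(host_pat, addr, hostname):
            return True
    return False


if __name__ == "__main__":
    # Constructed directive: the two networks/hosts come from this thread,
    # the user names are made up for the example.
    pats = parse_allow_users("AllowUsers admin@192.168.1.0/24 backup@128.8.128.117 deploy*")
    for user, addr in [("admin", "192.168.1.50"), ("admin", "10.0.0.5"),
                       ("backup", "128.8.128.117"), ("deploy01", "10.0.0.5"),
                       ("root", "192.168.1.50")]:
        print(f"{user}@{addr}: {'allow' if allow_users_permits(pats, user, addr) else 'deny'}")
```

Note that this only narrows who may authenticate; the sshd daemon still answers on the port, so it complements rather than replaces a packet filter rule. Check the live configuration with `sshd -T | grep -i allowusers` after editing.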

> On Jul 29, 2015, at 10:40 AM, sergey ivanov <sergey57 at gmail.com> wrote:
> 
> Hi,
> I want to restrict ssh logins to my OmniOS boxes to particular subnets.
> I am trying to do the following:
> ---
> # svccfg -s ssh setprop firewall_config/policy = astring: allow
> # svccfg -s ssh setprop firewall_config/apply_to = astring:
> network:192.168.1.0/24
> # svccfg -s ssh setprop firewall_config/apply_to = astring:  host:128.8.128.117
> # svcadm refresh ssh
> # svcadm refresh ipfilter
> ---
> It works, but when I want to restart service ssh, it goes to
> maintenance mode with log lines in
> /var/svc/log/network-ipfilter\:default.log telling:
> ---
> [ Wed Jul 29 15:11:14 UTC 2015 /lib/svc/method/ipfilter:
> svc:/network/ssh:default has invalid ipf configuration. ]
> [ Wed Jul 29 15:11:14 UTC 2015 /lib/svc/method/ipfilter: placing
> svc:/network/ssh:default in maintenance. ]
> ---
> Everything returns to working mode by disabling both ssh and ipfilter
> services and reenabling them. Is it known problem, or I am doing
> something wrong?
> -- 
> Regards,
> Sergey Ivanov | sergey57 at gmail.com
> http://www.linkedin.com/pub/sergey-ivanov/8/270/a09
> _______________________________________________
> OmniOS-discuss mailing list
> OmniOS-discuss at lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss


