Re: what checking should FW-1 perform?

From: Owen Dunn (
Date: 02/11/05

Date: 11 Feb 2005 16:46:17 +0000 (tony) writes:

> I am looking at asking for permission to connect via ssh through FW-1 to
> some selected hosts on the other side.
> Both sides are trusted (mostly).
> So I am going to supply the source IP, username and SSH public DSA key
> for each client with a list of IPs they want to connect to.
> I am kind of curious as to what checks could be made on the firewall.
> Could just allow connections to port 22 on the other side. And accept
> that when the known hosts and user accounts are created on the
> target hosts that would be enough.
> But is it? Can/should the firewall itself restrict the source/target
> IPs, or even check the userids. What would be good practice?

IIRC from when I last looked at FW-1 in this area, it can recognise
the SSH protocol and distinguish between versions 1 and 2 (presumably
by inspecting the protocol version exchange). Obviously it can
restrict the source/target IP addresses, but it cannot check any data
that's part of the encrypted SSH connection (like login names)
precisely because of the encryption.

Good practice with firewalls is usually to allow only what you need,
so determine a list of source and destination IP addresses and add a
FW-1 rule allowing SSH protocol version 2 only from those sources to
those destinations.
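As an added illustration of the two checks the reply says a firewall can actually make (this is example code written for this page, not FW-1's own logic and not code from either poster): a small Python policy checker that matches source/destination address and port against an allowlist, then parses the cleartext SSH identification string ("SSH-protoversion-softwareversion SP comments CR LF", RFC 4253 section 4.2) to admit only protocol 2.0. The rule table, addresses and banners are constructed for the example. Note what is deliberately absent: there is no check on the login name, because after the banner and key exchange the stream is encrypted and a firewall cannot see it.

```python
import ipaddress
import re

# RFC 4253 section 4.2 identification string:
#   "SSH-protoversion-softwareversion SP comments CR LF"
# This regex is the example's own; it also tolerates a bare LF, which some
# old SSH-1 implementations sent.
BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<soft>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?\n$"
)

# Hypothetical policy table (constructed addresses): one tuple per rule of
# (permitted source network, permitted destination network, destination port).
RULES = [
    (ipaddress.ip_network("10.1.2.0/24"), ipaddress.ip_network("192.0.2.0/28"), 22),
]


def parse_banner(line: bytes):
    """Return (protoversion, softwareversion), or None if the line is not an
    SSH identification string at all (e.g. HTTP on port 22)."""
    m = BANNER_RE.match(line)
    if m is None:
        return None
    return m.group("proto").decode("ascii"), m.group("soft").decode("ascii")


def client_is_ssh2(protoversion: str) -> bool:
    """A client asking for SSH-2 announces exactly '2.0' (RFC 4253 section 5.1)."""
    return protoversion == "2.0"


def server_offers_ssh2(protoversion: str) -> bool:
    """A server announces '2.0', or '1.99' when it also still speaks SSH-1."""
    return protoversion in ("2.0", "1.99")


def ip_rule_matches(src: str, dst: str, dport: int) -> bool:
    """True if some rule permits this source/destination/port combination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn and dport == p for sn, dn, p in RULES)


def decide(src: str, dst: str, dport: int, client_banner: bytes, server_banner=None):
    """Return (allowed, reason).

    Only what a firewall can see is examined: the addresses on the packets and
    the cleartext version exchange. Nothing after the banners (user name,
    password, commands) is inspectable once key exchange has completed."""
    if not ip_rule_matches(src, dst, dport):
        return False, "no rule permits this source/destination/port"
    parsed = parse_banner(client_banner)
    if parsed is None:
        return False, "client did not send an SSH identification string"
    if not client_is_ssh2(parsed[0]):
        return False, "client requested SSH protocol %s, only 2.0 permitted" % parsed[0]
    if server_banner is not None:
        sparsed = parse_banner(server_banner)
        if sparsed is None or not server_offers_ssh2(sparsed[0]):
            return False, "server side is not SSH-2 capable"
    return True, "SSH-2 between permitted addresses"


if __name__ == "__main__":
    # Constructed sample flows: one compliant, one SSH-1, one from an unlisted host.
    samples = [
        ("10.1.2.3", "192.0.2.10", 22, b"SSH-2.0-OpenSSH_3.9p1\r\n", b"SSH-1.99-OpenSSH_3.9p1\r\n"),
        ("10.1.2.3", "192.0.2.10", 22, b"SSH-1.5-OpenSSH_3.9p1\n", None),
        ("10.1.3.3", "192.0.2.10", 22, b"SSH-2.0-OpenSSH_3.9p1\r\n", None),
    ]
    for src, dst, port, cb, sb in samples:
        print(src, "->", dst, port, decide(src, dst, port, cb, sb))
```

In a real deployment the version-exchange check is advisory rather than a hard control: a client that wants to evade it would simply not speak SSH on that port, and a server banner of 1.99 only tells you the server is willing to do SSH-2, not that a given session used it. The address/port allowlist is the part that holds on its own; user-level checks have to live on the target hosts, as the reply says.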