0

We have public IP address hosted on FreeBSD router. We have also a lot of service running inside our LAN network, some of our services need to be accessible outside our home network trough public IP address. Until now I did it forwarding specific ports to specific local ip address. Sample (for Terminal Server i Forwarded port 2305 to local ip server on port 3389, and it is working perfectly when someone call remote desktop connection on "MYpublicIPadres:2305" get access to my Terminal Server.

What I want to do is:

Some how to secure access to that service by specific client (machine or network). Is there a way to I allow access to only specific users (by MAC address or something else) to my service. What I did already is make VPN server-client connection but that method do not offer me a lot. I also can restrict access by specific ip address but most of my clients do not have static public IP address, they coming from DSL connections with different IP addresses each time.

If this is not possible done by using FreeBSD do I have alternatives like IPCOP or something similar to FreeBSD.

Edit: VPN Issues

As You mentioned already that I should go with VPN solution here is issues that I faced

  • I am using sample VPN client build inside Windows OS and that allowing that client can set up VPN from any computer machine (Story Behind: I have department outside our network and I want to be sure that for specific service access only can be madded from department.)
  • When Client call VPN connection it lose connection with other world and a lot of clients want to have bout access to my services and to other internet resources.
joeqwerty
  • 109,901
  • 6
  • 81
  • 172
adopilot
  • 1,521
  • 6
  • 25
  • 41

2 Answers2

1

If you can't secure the service itself a VPN or SSH tunnel is really your best option here.
Since your clients don't have static public IPs you can't restrict by IP, and if clients are coming in over the internet you won't be able to determine their MAC addresses (lost at the first hop).

You could consider something like port knocking for controlling access to the service (google "port knocking" - the first few links are pretty useful for explanation and examples).

Similar stuff can also be rigged up with a web server script & helper programs where you can "authorize" access from an IP for a certain period of time, potentially with something more complex than port knocking, but these implementations are only as secure as the underlying code)

voretaq7
  • 79,879
  • 17
  • 130
  • 214
1

I only really see 2 realistic options here:

  • Use your FreeBSD router to set up a firewall to only allow access to those ports you have forwarded from a certain IP. This will block the majority of attempts at 'hacking' from unknown IPs, even if you lock it down to a certain ISP or Class C range. You can't set it to allow based on MAC address because this is not broadcasted to your machine over the internet, only the IP address.

  • Run a VPN to give access inside your network, securely. If a VPN client is set properly, it shouldn't knock your clients off of the internet. Depending on the VPN, you can configure it to only route certain traffic through the VPN and the rest through the internet. A simple one that comes to mind is Hamachi.

The 'right' way to do this is using the VPN. You could do this with a firewall/port knocking solution but the securest way (in my opinion) is via a VPN.

Dave Drager
  • 8,375
  • 29
  • 45