limiting access thru pptp
maybe this is not exactly the right list, but I couldn't find a better
I'm gonna setup up some small network with some W3K workstations and a
linux server behind a firewall (think i'm gonna use shorewall on a
debian box for that)
to administrate the w3k boxes from outside i'll have to setup some
VPN. i think i'll use pptp for that and install it on the firewall
machine (i know it's not the best thing to have an extra service
running on the fw, i'm still thinking about forwarding the pptp port
to our linux server and have pptpd there)
the problem is that i'll have to allow some database guys remote
access to their Win 2003 Server to the Terminal Server Service so that
they can maintain their DB. i don't want to open our whole network to
them, just let them access their server. the first idea that came to my mind
is that i could forward the port of the Terminal Server Service (it's
3389/tcp - please correct me if i'm wrong) to the Win 2003 Server
machine. but i think i'll not know their source ip, so i would have to
open that port to the whole world, which i would like to avoid at all
So I came up with the second idea of using the pptp on the firewall,
create an account for the database guys there and somehow restrict
their access to the ip of their w3k machine (while my account still
has access to the whole network). i think that could easily be
implemented as a fw rule if i could force pptpd or pppd to assign a
static ip to their user login. but scanning the docs of pptpd and pppd
i couldn't find a way to assign a static ip to a special login name.
am i missing something or am i completely wrong with the concepts of
pppd? does anybody know if this can be done with pptpd/pppd or can
anyone suggest a different solution?
any help is appreciated, thanks in advance.
cheers from berlin, germany: stephan.