On Wed, 4 Jan 2023, Joe wrote:
> On Tue, 3 Jan 2023 17:06:30 -0500 Tom Browder <tom.browder@gmail.com> wrote:
> > Is it possible to use UFW to limit ssh access to a server by an external host by its MAC address? I now have a permanent IPv4 address for my home IP router and would like to access my home server from my laptop when away from home, but allow no other external access. Is that possible?
>
> Another thought is to use a VPN.
Indeed. I use OpenVPN and take advantage of its feature that it can listen on port 443 and then forward web traffic to a server. One thing this can do is help hide the ovpn instance (in my case I also listen on the default port so not really relevant) but also can help where public wifi restricts the ports that can connect. It doesn't work through a transparent proxy unfortunately (at least the Android client doesn't) which I assume was doing SNI snooping - but I've only encountered that once in the UK so far.

My plan was to write something that used a DNS request to tell ovpn to expect an HTTPS-wrapped ovpn stream - but it's one of those projects that I'll probably never actually get around to.

I've also thought about TOTP DNS requests as a type of port knocking: a DNS request to <TOTP>.knock.example.com would open the ssh port for a minute. A small local webpage to do the TOTP port knock in JavaScript should work anywhere. Something else that has been on my todo list for years.
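The TOTP port-knock sketched in the message above, worked through as an added example; this is not the poster's code and the thread contains no implementation. It assumes a constructed base32 secret shared between the laptop and the server, a six-digit RFC 6238 code in the leftmost label of `<code>.knock.example.com`, a 30-second step with one step of clock skew tolerated, and a one-minute allow window keyed on the querying IP (the thread asks about ufw, so the rule emitted is a ufw command). Each accepted time step is remembered so a captured query cannot be replayed within the skew window.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret (base32, the form authenticator apps import). Not from the thread.
KNOCK_SECRET_B32 = "JBSWY3DPEHPK3PXP"
KNOCK_ZONE = "knock.example.com"   # zone suffix from the thread's sketch
STEP = 30                          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
OPEN_SECONDS = 60                  # "open the ssh port for a minute"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def knock_name(secret: bytes, now: int) -> str:
    """Client side: the name the laptop (or the poster's JavaScript page) would resolve."""
    return f"{totp(secret, now)}.{KNOCK_ZONE}"


class KnockValidator:
    """Server side: feed it the qname and source IP of each query for the knock zone."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.used_counters = set()   # time steps already redeemed: blocks replay of a sniffed query
        self.open_until = {}         # client_ip -> epoch second at which its allow rule lapses

    def handle_query(self, qname: str, client_ip: str, now: int) -> bool:
        """Return True and open the port for client_ip if qname carries a fresh, valid TOTP."""
        qname = qname.rstrip(".").lower()
        suffix = "." + KNOCK_ZONE
        if not qname.endswith(suffix):
            return False
        code = qname[: -len(suffix)]
        # Exactly DIGITS ASCII digits; anything else (extra labels, letters) is not a knock.
        if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return False
        counter = now // STEP
        for c in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            if c < 0 or c in self.used_counters:
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.used_counters.add(c)
                self.open_until[client_ip] = now + OPEN_SECONDS
                return True
        return False

    def is_open(self, client_ip: str, now: int) -> bool:
        return self.open_until.get(client_ip, 0) > now

    def firewall_rule(self, client_ip: str) -> str:
        """The command the server would run on acceptance (and delete again when the window lapses)."""
        return f"ufw allow from {client_ip} to any port 22 proto tcp"


if __name__ == "__main__":
    secret = base64.b32decode(KNOCK_SECRET_B32)
    now = int(time.time())
    validator = KnockValidator(secret)
    name = knock_name(secret, now)
    print("laptop resolves:", name)
    if validator.handle_query(name, "203.0.113.7", now):      # 203.0.113.0/24 is documentation space
        print("accepted ->", validator.firewall_rule("203.0.113.7"))
    print("replay accepted?", validator.handle_query(name, "203.0.113.9", now + 5))
```

One caveat worth keeping in mind when wiring this to a real resolver: the source address the authoritative server sees is that of whatever recursive resolver the laptop is using, not the laptop itself, so the query has to be sent straight to the server's own DNS listener (or the allow rule keyed on something other than the query's source IP) for the per-IP window to open for the right host.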