temporary IP addition to firewall rules
Erik Osterholm
freebsd-lists-erik at erikosterholm.org
Sun Feb 4 22:17:52 UTC 2007
On Sun, Feb 04, 2007 at 10:51:58PM +0100, Erik Norgaard wrote:
> Noah wrote:
>
> >the servers and clients are not on the same LAN segment. capturing MAC
> >has nothing to do with this scenario.
>
> You haven't exactly told a lot about the network you want to setup. The
> logic thing is to authenticate against the firewall connected to the
> same subnet - and that will know the mac address. The same setup is
> assumed in the scenario using pfauth (or is it authpf).
It sounded a little bit like perhaps he wants to dynamically allow
services temporarily, but firewall them off (using a local machine
firewall rather than a dedicated firewall) all other times. Hazarding
a guess, maybe this is due to the common SSH brute force attacks? :)
If the firewall is PF, it's simple enough to include a table of IPs
for which the service is allowed, and make the CGI on the webpage
issue a "pfctl -t <table> -T add $ENV{REMOTE_IP}" command. A separate
process could watch the logs for an ssh logout and remove the IP from
the table when a logout from that IP occurs.
It's a dirty solution. If the problem is specifically the SSH
attacks, there are better ones (denyhosts, or pf rules to block IPs
dynamically when they connect too frequently), but you're right--it's
hard to give good answers when the problem is so ill-defined.
Erik
More information about the freebsd-questions
mailing list