temporary IP addition to firewall rules

Noah admin2 at enabled.com
Sun Feb 4 18:16:43 UTC 2007

Erik Norgaard wrote:
> Noah wrote:
>> Does anybody have a recommendation for a program out there that would 
>> allow somebody to enter an account and password on my website, their 
>> IP address is cached, and the cached IP address is added temporarily 
>> to the firewall ruleset to be allowed.
> I am not aware of anything that works like that, pfauth may do the job 
> for you, but not using a web site. Generally the problem is that web 
> pages are stateless, so your firewall won't know when to remove the ip 
> again.
> You can hack up a solution that does sort of the same:
> - let your web page manage accounts, the web server can get ip of the
>   client registering and hence also the corresponding mac.

the servers and clients are not on the same LAN segment.  capturing MAC 
has nothing to do with this scenario.

> - tell your dhcp server not to expire ip delegations, or make host
>   entries with the registered ip/mac, but that requires the dhcp server
>   to be restarted at every new client.
> - make a static entry in your arp table to prevent others from taking
>   over the ip later.
> People will only need to authenticate first time. You can decide to 
> expire their accounts and revoke access after a given time with a 
> cron-job if you like.
> Alternatively, require people to connect with IPSec tunnel and allow 
> only tunneled traffic to be routed. When they register a set of keys 
> are generated for use with that client only. This is really the ideal 
> as you can for example leave an AP open, yet have traffic encrypted.
> Cheers, Erik

More information about the freebsd-questions mailing list