temporary IP addition to firewall rules
admin2 at enabled.com
Sun Feb 4 18:16:43 UTC 2007
Erik Norgaard wrote:
> Noah wrote:
>> Does anybody have a recommendation for a program out there that would
>> allow somebody to enter an account and password on my website, their
>> IP address is cached, and the cached IP address is added temporarily
>> to the firewall ruleset to be allowed.
> I am not aware of anything that works like that, pfauth may do the job
> for you, but not using a web site. Generally the problem is that web
> pages are stateless, so your firewall won't know when to remove the ip
> You can hack up a solution that does sort of the same:
> - let your web page manage accounts, the web server can get ip of the
> client registering and hence also the corresponding mac.
the servers and clients are not on the same LAN segment. capturing MAC
has nothing to do with this scenario.
> - tell your dhcp server not to expire ip delegations, or make host
> entries with the registered ip/mac, but that requires the dhcp server
> to be restarted at every new client.
> - make a static entry in your arp table to prevent others from taking
> over the ip later.
> People will only need to authenticate first time. You can decide to
> expire their accounts and revoke access after a given time with a
> cron-job if you like.
> Alternatively, require people to connect with IPSec tunnel and allow
> only tunneled traffic to be routed. When they register a set of keys
> are generated for use with that client only. This is really the ideal
> as you can for example leave an AP open, yet have traffic encrypted.
> Cheers, Erik
More information about the freebsd-questions