temporary IP addition to firewall rules

Erik Osterholm freebsd-lists-erik at erikosterholm.org
Sun Feb 4 22:17:52 UTC 2007

On Sun, Feb 04, 2007 at 10:51:58PM +0100, Erik Norgaard wrote:
> Noah wrote:
> >the servers and clients are not on the same LAN segment.  capturing MAC
> >has nothing to do with this scenario.
> You haven't exactly told a lot about the network you want to setup. The
> logic thing is to authenticate against the firewall connected to the
> same subnet - and that will know the mac address. The same setup is
> assumed in the scenario using pfauth (or is it authpf).

It sounded a little bit like perhaps he wants to dynamically allow
services temporarily, but firewall them off (using a local machine
firewall rather than a dedicated firewall) all other times.  Hazarding
a guess, maybe this is due to the common SSH brute force attacks? :)

If the firewall is PF, it's simple enough to include a table of IPs
for which the service is allowed, and make the CGI on the webpage
issue a "pfctl -t <table> -T add $ENV{REMOTE_IP}" command.  A separate
process could watch the logs for an ssh logout and remove the IP from
the table when a logout from that IP occurs.

It's a dirty solution.  If the problem is specifically the SSH
attacks, there are better ones (denyhosts, or pf rules to block IPs
dynamically when they connect too frequently), but you're right--it's
hard to give good answers when the problem is so ill-defined.


More information about the freebsd-questions mailing list