Date: Sun, 4 Feb 2007 16:17:50 -0600 From: Erik Osterholm <freebsd-lists-erik@erikosterholm.org> To: freebsd-questions@freebsd.org Subject: Re: temporary IP addition to firewall rules Message-ID: <20070204221750.GA10532@idoru.cepheid.org> In-Reply-To: <45C6557E.9020207@locolomo.org> References: <45C53C7A.30805@enabled.com> <45C5C291.30608@locolomo.org> <45C62301.2090106@enabled.com> <45C6557E.9020207@locolomo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Feb 04, 2007 at 10:51:58PM +0100, Erik Norgaard wrote:
> Noah wrote:
>
> >the servers and clients are not on the same LAN segment. capturing MAC
> >has nothing to do with this scenario.
>
> You haven't exactly told a lot about the network you want to setup. The
> logic thing is to authenticate against the firewall connected to the
> same subnet - and that will know the mac address. The same setup is
> assumed in the scenario using pfauth (or is it authpf).
It sounded a little bit like perhaps he wants to dynamically allow
services temporarily, but firewall them off (using a local machine
firewall rather than a dedicated firewall) all other times. Hazarding
a guess, maybe this is due to the common SSH brute force attacks? :)
If the firewall is PF, it's simple enough to include a table of IPs
for which the service is allowed, and make the CGI on the webpage
issue a "pfctl -t <table> -T add $ENV{REMOTE_IP}" command. A separate
process could watch the logs for an ssh logout and remove the IP from
the table when a logout from that IP occurs.
It's a dirty solution. If the problem is specifically the SSH
attacks, there are better ones (denyhosts, or pf rules to block IPs
dynamically when they connect too frequently), but you're right--it's
hard to give good answers when the problem is so ill-defined.
Erik
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070204221750.GA10532>