Date: Sun, 04 Feb 2007 10:16:33 -0800
From: Noah <admin2@enabled.com>
To: Erik Norgaard <norgaard@locolomo.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: temporary IP addition to firewall rules
Message-ID: <45C62301.2090106@enabled.com>
In-Reply-To: <45C5C291.30608@locolomo.org>
References: <45C53C7A.30805@enabled.com> <45C5C291.30608@locolomo.org>
Erik Norgaard wrote:
> Noah wrote:
>
>> Does anybody have a recommendation for a program out there that would
>> allow somebody to enter an account and password on my website, their
>> IP address is cached, and the cached IP address is added temporarily
>> to the firewall ruleset to be allowed.
>
> I am not aware of anything that works like that, pfauth may do the job
> for you, but not using a web site. Generally the problem is that web
> pages are stateless, so your firewall won't know when to remove the ip
> again.
>
> You can hack up a solution that does sort of the same:
>
> - let your web page manage accounts, the web server can get ip of the
> client registering and hence also the corresponding mac.

The servers and clients are not on the same LAN segment. Capturing the MAC
has nothing to do with this scenario.

> - tell your dhcp server not to expire ip delegations, or make host
> entries with the registered ip/mac, but that requires the dhcp server
> to be restarted at every new client.
>
> - make a static entry in your arp table to prevent others from taking
> over the ip later.
>
> People will only need to authenticate first time. You can decide to
> expire their accounts and revoke access after a given time with a
> cron-job if you like.
>
> Alternatively, require people to connect with IPSec tunnel and allow
> only tunneled traffic to be routed. When they register a set of keys
> are generated for use with that client only. This is really the ideal
> as you can for example leave an AP open, yet have traffic encrypted.
>
> Cheers, Erik
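The "web login adds the IP, a cron job removes it later" scheme discussed above, written out as an added example (not code from this thread or from pfauth). It assumes pf with a table named `webauth` that a rule such as `pass in from <webauth>` references, and root privileges for the real `pfctl` call; the login handler calls `authorize()`, the cron job calls `expire()`.

```python
import ipaddress
import subprocess
import time

PF_TABLE = "webauth"  # assumed table name; must match the rule in pf.conf


def client_ip(environ):
    """Use the peer address the web server actually saw (REMOTE_ADDR), never a
    client-supplied header such as X-Forwarded-For, which is trivially forged
    and would let a login open the firewall for an arbitrary address."""
    return environ["REMOTE_ADDR"]


class TempAllow:
    """Map of authorized IP -> expiry (epoch seconds), mirrored into the pf
    table. This is the state the stateless web page cannot keep by itself.
    run and now are injectable so the logic can be exercised without pfctl."""

    def __init__(self, ttl_seconds=3600, run=subprocess.run, now=time.time):
        self.ttl = ttl_seconds
        self.run = run
        self.now = now
        self.entries = {}

    def _pfctl(self, action, ip):
        # Real pfctl syntax: pfctl -t <table> -T add|delete <address>
        self.run(["pfctl", "-t", PF_TABLE, "-T", action, ip], check=True)

    def authorize(self, ip):
        """Called after a successful login; returns the lease expiry time."""
        ip = str(ipaddress.ip_address(ip))  # ValueError on anything but one IP
        if ip not in self.entries:
            self._pfctl("add", ip)
        self.entries[ip] = self.now() + self.ttl  # every login renews the lease
        return self.entries[ip]

    def is_allowed(self, ip):
        return self.entries.get(ip, 0) > self.now()

    def expire(self):
        """Cron job: delete every lease that has run out; returns what went."""
        now = self.now()
        stale = sorted(ip for ip, exp in self.entries.items() if exp <= now)
        for ip in stale:
            self._pfctl("delete", ip)
            del self.entries[ip]
        return stale
```

In a real deployment `entries` would be persisted, or rebuilt at startup from `pfctl -t webauth -T show`, so a restart of the web process does not leave addresses stranded in the table with no expiry.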