From: Noah
Date: Sun, 04 Feb 2007 10:16:33 -0800
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Subject: Re: temporary IP addition to firewall rules
Message-ID: <45C62301.2090106@enabled.com>

Erik Norgaard wrote:
> Noah wrote:
>
>> Does anybody have a recommendation for a program out there that would
>> allow somebody to enter an account and password on my website, their
>> IP address is cached, and the cached IP address is added temporarily
>> to the firewall ruleset to be allowed.
>
> I am not aware of anything that works like that, pfauth may do the job
> for you, but not using a web site. Generally the problem is that web
> pages are stateless, so your firewall won't know when to remove the ip
> again.
>
> You can hack up a solution that does sort of the same:
>
> - let your web page manage accounts, the web server can get ip of the
> client registering and hence also the corresponding mac.

The servers and clients are not on the same LAN segment. Capturing MAC has
nothing to do with this scenario.

> - tell your dhcp server not to expire ip delegations, or make host
> entries with the registered ip/mac, but that requires the dhcp server
> to be restarted at every new client.
>
> - make a static entry in your arp table to prevent others from taking
> over the ip later.
>
> People will only need to authenticate first time. You can decide to
> expire their accounts and revoke access after a given time with a
> cron-job if you like.
>
> Alternatively, require people to connect with IPSec tunnel and allow
> only tunneled traffic to be routed. When they register a set of keys
> are generated for use with that client only. This is really the ideal
> as you can for example leave an AP open, yet have traffic encrypted.
>
> Cheers, Erik
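The scheme the thread is circling (a web login records the client's IP, the firewall admits that IP for a while, and something has to remember to take it out again, which is the statelessness problem Erik raises), as an added example that is neither poster's code: authenticated addresses go into a lease file with an expiry, the login handler emits a pf table add, and a cron sweep emits the matching delete once the lease runs out. The table name `webauth` and the lease file path are assumptions; `pfctl -t <table> -T add|delete <addr>` is pf's own table syntax, and a rule in pf.conf referencing `table <webauth> persist` is assumed to exist.

```python
import ipaddress
import json
import subprocess
import sys
import time

TABLE = "webauth"                       # assumed pf table; pf.conf needs "table <webauth> persist"
LEASES = "/var/db/webauth-leases.json"  # assumed lease store: {ip: unix time the lease ends}

def pf_cmd(action, ip):
    """pfctl invocation that adds or deletes one address in the table."""
    return ["pfctl", "-t", TABLE, "-T", action, ip]

def grant(leases, client_ip, now, ttl=8 * 3600):
    """Record a freshly authenticated client and return the command that admits it.
    Parsing REMOTE_ADDR as an address means only a literal IP ever reaches pfctl."""
    ip = str(ipaddress.ip_address(client_ip.strip()))  # ValueError on anything else
    leases[ip] = now + ttl                             # a repeat login just extends the lease
    return pf_cmd("add", ip)

def expire(leases, now):
    """Drop every lease that has run out and return the commands that revoke them."""
    cmds = []
    for ip, until in sorted(leases.items()):
        if until <= now:
            del leases[ip]
            cmds.append(pf_cmd("delete", ip))
    return cmds

def load():
    try:
        with open(LEASES) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}

def save(leases):
    with open(LEASES, "w") as f:
        json.dump(leases, f)

if __name__ == "__main__":
    # "grant <ip>" from the login handler; "sweep" from cron, e.g. every 5 minutes
    state = load()
    if sys.argv[1] == "grant":
        cmds = [grant(state, sys.argv[2], time.time())]
    else:
        cmds = expire(state, time.time())
    for c in cmds:
        subprocess.run(c, check=True)
    save(state)
```

Because the sweep runs from cron rather than from the web page, the firewall no longer depends on the browser coming back to log out.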