From: Tom Uffner <tom@uffner.com>
Date: Sun, 06 Dec 2009 18:01:16 -0500
To: Torsten Kersandt
Cc: freebsd-pf@freebsd.org
Subject: Re: Limit connections doesn't work
Message-ID: <4B1C37BC.1010104@uffner.com>
In-Reply-To: <015501ca768f$a42353e0$ec69fba0$@net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Torsten Kersandt wrote:
> Hi,
> I personally have all SSH and similar ports closed on my servers.
> If I want to connect to the server via SSH or whatever function, I log in to a hidden PHP page which adds my current IP to an SQL table.
> I use SQL because I'm not the only one using this and want to keep track of which admin is logging in.
> A cron job is running every minute, looking in the table, adding the new IP addresses to the pf include file and reloading pf.
>
> Every night at 4am, I empty the text file and reload pf.
>
> I know that this could be done more elegantly, but KISS is what I like.

That script is horribly inefficient and disruptive to your firewall throughput. You could save a lot of unnecessary CPU cycles and speed up your connections a bit by simply replacing the reloads with pfctl commands that manipulate the table directly.

> #!/bin/sh
> ### MySQL Setup ###
> MUSER="username"
> MPASS="password"
> MHOST="localhost"
> MYSQL="/usr/local/bin/mysql"
> #
> ### Get all new IP addresses ###
> DBS="$($MYSQL -u $MUSER -h $MHOST -p$MPASS -Bse 'select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)')"
> for ip in $DBS
> do
>     ## this bit is emailed to me over cron run-output if a new IP address was found
>     echo $ip >> /usr/local/etc/pf/pf.VNCallow
>     echo "Added $ip to VNC Access from MYSQL Table"
>     /etc/rc.d/pf reload
> done

That loop at the end is anything but KISS. Select the new addresses and add them to the table with something like

    pfctl -t VNCallow -T add $DBS

instead of that do loop. For persistence across reboots, select all the addresses in your SQL table and add them to the pf table when pf starts. Clear the table with

    pfctl -t VNCallow -T flush
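The suggestion above, written out as a complete script. This is an added example, not code from either poster. It assumes the same MySQL schema Torsten's script queries (intranet.ipCleared with columns ipAddress and timestamp), that pf.conf declares `table <VNCallow> persist` and a rule referencing `<VNCallow>`, and FreeBSD's default paths for mysql and pfctl (both overridable through MYSQL and PFCTL so the pfctl step can be exercised without a pf kernel). The function names ip_query, filter_ipv4, add_to_table, sync_recent, sync_all and flush_table are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): maintain the pf table
# <VNCallow> directly with pfctl instead of rewriting an include file
# and reloading the whole ruleset for every new address.
#
# Assumed pf.conf fragment:
#   table <VNCallow> persist
#   pass in quick proto tcp from <VNCallow> to any port 5900

MUSER="username"
MPASS="password"
MHOST="localhost"
MYSQL="${MYSQL:-/usr/local/bin/mysql}"   # assumed default path
PFCTL="${PFCTL:-/sbin/pfctl}"            # assumed default path
TABLE="VNCallow"

# Build the SELECT for either the last minute's rows ("recent", what the
# per-minute cron job needs) or every row ("all", for repopulating the
# table after a reboot). Same schema as the script quoted above.
ip_query() {
  case "$1" in
    recent) echo "select ipAddress from intranet.ipCleared where \`timestamp\` > (UNIX_TIMESTAMP()-60)" ;;
    all)    echo "select ipAddress from intranet.ipCleared" ;;
  esac
}

# Keep only syntactically plausible IPv4 addresses and drop duplicates,
# so a malformed or hostile row in the SQL table can never become a stray
# pfctl argument. (IPv6 entries would need a second pattern.)
filter_ipv4() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Read addresses on stdin, add all of them in ONE pfctl call, and print
# the addresses that were actually passed to pfctl (cron mails this).
add_to_table() {
  ips=$(filter_ipv4)
  [ -n "$ips" ] || return 0
  # $ips is intentionally unquoted: one argument per address.
  # shellcheck disable=SC2086
  "$PFCTL" -q -t "$TABLE" -T add $ips
  echo "$ips"
}

# Every minute from cron: add rows cleared in the last 60 seconds.
sync_recent() {
  "$MYSQL" -u "$MUSER" -h "$MHOST" -p"$MPASS" -Bse "$(ip_query recent)" | add_to_table
}

# Once after pf starts (rc.local or similar): rebuild the table from SQL.
sync_all() {
  "$MYSQL" -u "$MUSER" -h "$MHOST" -p"$MPASS" -Bse "$(ip_query all)" | add_to_table
}

# Nightly: empty the table without touching the ruleset.
flush_table() {
  "$PFCTL" -q -t "$TABLE" -T flush
}

case "${1:-}" in
  recent) sync_recent ;;
  all)    sync_all ;;
  flush)  flush_table ;;
esac
```

Run it as `script recent` from the per-minute cron entry, `script all` once from an rc hook after pf is up (so the table survives a reboot, as Tom suggests), and `script flush` from the 4am entry; none of these invocations reloads the ruleset, so established states are untouched. Passing `-p"$MPASS"` on the mysql command line, as the quoted script also does, exposes the password to `ps` on the host; a mode-0600 `~/.my.cnf` for the cron user avoids that.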