From owner-freebsd-questions@FreeBSD.ORG Sun Feb 4 22:17:52 2007
Date: Sun, 4 Feb 2007 16:17:50 -0600
From: Erik Osterholm
To: freebsd-questions@freebsd.org
Message-ID: <20070204221750.GA10532@idoru.cepheid.org>
References: <45C53C7A.30805@enabled.com> <45C5C291.30608@locolomo.org> <45C62301.2090106@enabled.com> <45C6557E.9020207@locolomo.org>
In-Reply-To: <45C6557E.9020207@locolomo.org>
Subject: Re: temporary IP addition to firewall rules

On Sun, Feb 04, 2007 at 10:51:58PM +0100, Erik Norgaard wrote:
> Noah wrote:
>
> > the servers and clients are not on the same LAN segment. capturing MAC
> > has nothing to do with this scenario.
>
> You haven't exactly told a lot about the network you want to set up. The
> logical thing is to authenticate against the firewall connected to the
> same subnet - and that will know the MAC address. The same setup is
> assumed in the scenario using pfauth (or is it authpf).
It sounded a little bit like perhaps he wants to dynamically allow
services temporarily, but firewall them off (using a local machine
firewall rather than a dedicated firewall) all other times. Hazarding
a guess, maybe this is due to the common SSH brute force attacks? :)

If the firewall is PF, it's simple enough to include a table of IPs for
which the service is allowed, and make the CGI on the webpage issue a
"pfctl -t -T add $ENV{REMOTE_IP}" command. A separate process could
watch the logs for an ssh logout and remove the IP from the table when
a logout from that IP occurs.

It's a dirty solution. If the problem is specifically the SSH attacks,
there are better ones (denyhosts, or pf rules to block IPs dynamically
when they connect too frequently), but you're right--it's hard to give
good answers when the problem is so ill-defined.

Erik
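The PF-table mechanism Erik sketches above (CGI adds the client's address, a log watcher removes it again), as an added example that is not code from the thread or from FreeBSD. The table name "ssh_ok", the pf.conf lines in the comments and the sample sshd log lines are all my own constructions.

```shell
# Added example, not code from the thread: the PF-table approach sketched in
# the mail, as a few sh functions. The table name "ssh_ok" is my assumption;
# the pf.conf lines it relies on would be:
#   table <ssh_ok> persist
#   pass in quick proto tcp from <ssh_ok> to any port 22
# PFCTL defaults to a dry run that only prints the command; set PFCTL=pfctl
# on a real PF host (as root) to apply the changes.
PFCTL="${PFCTL:-echo pfctl}"
TABLE="${TABLE:-ssh_ok}"

# Accept only a plain dotted-quad IPv4 address. REMOTE_ADDR is the one
# client-controlled input here, so it is checked before it reaches a
# command line instead of being interpolated as-is.
valid_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$addr" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# What the CGI would run: add the web client's address to the table.
allow_ip() {
    valid_ipv4 "$1" || { echo "allow_ip: refusing '$1'" >&2; return 1; }
    $PFCTL -t "$TABLE" -T add "$1"
}

# What the log watcher would run once the SSH session has ended.
revoke_ip() {
    valid_ipv4 "$1" || return 1
    $PFCTL -t "$TABLE" -T delete "$1"
}

# The "separate process" from the mail: read sshd syslog lines on stdin
# and print the peer address of every session that disconnected.
logout_ips() {
    sed -En 's/.*sshd\[[0-9]+\]: Received disconnect from ([0-9.]+) .*/\1/p'
}

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG='Feb  4 16:10:01 host sshd[10532]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Feb  4 16:17:50 host sshd[10532]: Received disconnect from 198.51.100.7 port 51022:11: disconnected by user
Feb  4 16:18:00 host sshd[10540]: Invalid user admin from 203.0.113.9'
demo() {
    allow_ip 198.51.100.7              # prints: pfctl -t ssh_ok -T add 198.51.100.7
    allow_ip 'not-an-address' || true  # rejected before any command runs
    printf '%s\n' "$SAMPLE_LOG" | logout_ips | while read -r ip; do revoke_ip "$ip"; done
}
demo
```

In real use the watcher would tail the sshd log (or read from syslogd) rather than a fixed string; only the address that actually disconnected is removed, so other entries in the table are untouched.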