Date: Mon, 7 Dec 2009 09:42:53 -0000
From: "Torsten Kersandt" <torsten@cnc-london.net>
To: "'Tom Uffner'" <tom@uffner.com>
Cc: freebsd-pf@freebsd.org
Subject: RE: Limit connections doesn't work
Message-ID: <017601ca7721$a69550f0$f3bff2d0$@net>
In-Reply-To: <4B1C37BC.1010104@uffner.com>
References: <6783768.102251260022192330.JavaMail.root@zimbra-store> <4B1BAF1D.9070105@gmx.de> <015501ca768f$a42353e0$ec69fba0$@net> <4B1C37BC.1010104@uffner.com>
Hi Tom,

I know, and this is what I said. Yes, you're right, and the reload can be replaced by putting it into a table with the pf command. But the server is on a 1mb/10mb ADSL line and throughput does not really matter. It was sent as an example only, not as a must do. This script was done 5 years ago as a quick hack. And because I'm not an expert with PF, I'm subscribed to this list so I can learn without prejudice.

Torsten

-----Original Message-----
From: Tom Uffner [mailto:tom@uffner.com]
Sent: 06 December 2009 23:01
To: Torsten Kersandt
Cc: freebsd-pf@freebsd.org
Subject: Re: Limit connections doesn't work

Torsten Kersandt wrote:
> Hi
> I personally have all ssh and alike ports closed on my servers.
> If I want to connect to the server per ssh or whatever function, I login to a hidden php which adds my current IP to a sql table.
> I use sql because I'm not the only one using this and want to keep track of which admin is logging in.
> A cron job is running every minute looking in the table and adding the new ip addresses to the pf include file and reloading PF
>
> Every night at 4am, I empty the text file and reload pf.
>
> I know that this could be done more elegantly but KISS is what I like.

That script is horribly inefficient and disruptive to your firewall throughput. You could save a lot of unnecessary cpu cycles and speed up your connections a bit by simply replacing the reloads with pfctl commands that manipulate the table directly.
> #!/bin/sh
> ### MySQL Setup ###
> MUSER="username"
> MPASS="password"
> MHOST="localhost"
> MYSQL="/usr/local/bin/mysql"
> #
> ### Get all new IP addresses ###
> DBS="$($MYSQL -u $MUSER -h $MHOST -p$MPASS -Bse 'select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)')"
> for ip in $DBS
> do
> ## this bit is emailed to me over cron run-output if a new IP address was found
> echo $ip >> /usr/local/etc/pf/pf.VNCallow
> echo "Added $ip to VNC Access from MYSQL Table"
> /etc/rc.d/pf reload
> done

That loop at the end is anything but KISS. Select the new addresses and add them to the table with something like

pfctl -t VNCallow -T add $DBS

instead of that do loop. For persistence across reboots, select all the addresses in your SQL table & add them to the pf table when pf starts. Clear the table with

pfctl -t VNCallow -T flush
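What Tom's suggestion looks like as a complete cron script, written as an added example that is not part of the thread: it keeps Torsten's query, validates each row before it is handed to pfctl (the rows come from a web form, so a bad entry should be dropped rather than become a pfctl argument), adds the whole batch in one `pfctl -T add`, repopulates the table from the full SQL table after pf starts, and flushes it nightly. The `table <VNCallow> persist` declaration in pf.conf, the pfctl path, the credentials and the `recent|all|flush` arguments are assumptions.

```shell
#!/bin/sh
# Added example: the cron job rewritten to feed the pf table directly with
# pfctl, so no ruleset reload happens per address. Assumes pf.conf declares
# "table <VNCallow> persist" (not stated in the thread); credentials and the
# pfctl path are constructed placeholders.
MUSER="username"; MPASS="password"; MHOST="localhost"
MYSQL="${MYSQL:-/usr/local/bin/mysql}"
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="VNCallow"
QUERY_RECENT='select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)'
QUERY_ALL='select ipAddress from intranet.ipCleared'

# Accept only a dotted quad with each octet in 0..255, so a malformed row
# written by the PHP front end can never reach pfctl as an argument.
valid_ipv4() {
    echo "$1" | awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0 }
        { exit 1 }'
}

# Print the valid addresses from a whitespace-separated list, one per line;
# rejected entries go to stderr (and so into the cron mail).
filter_ips() {
    for ip in $1; do
        if valid_ipv4 "$ip"; then echo "$ip"; else echo "skipped bad row: $ip" >&2; fi
    done
}

# One pfctl call for the whole batch: "$1" is the table, the rest are addresses.
table_add() {
    table="$1"; shift
    [ $# -eq 0 ] && return 0
    "$PFCTL" -t "$table" -T add "$@"
}

# Run the given query and push its valid rows into the table.
sync_table() {
    rows=$("$MYSQL" -u "$MUSER" -h "$MHOST" -p"$MPASS" -Bse "$1")
    table_add "$TABLE" $(filter_ips "$rows")
}

table_flush() { "$PFCTL" -t "$TABLE" -T flush; }

case "${1:-}" in
    recent) sync_table "$QUERY_RECENT" ;;   # every minute from cron
    all)    sync_table "$QUERY_ALL" ;;      # once after pf starts
    flush)  table_flush ;;                  # nightly at 4am
esac
```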