On Mar 5, 2010, at 10:44 AM, John wrote:
On Fri, Mar 05, 2010 at 10:19:09AM -0500, mikel king wrote:
On Mar 5, 2010, at 8:26 AM, John wrote:
Way back about 10 years ago, I was playing around with IPFW a lot. I
wrote a script to update IPFW from changes made to a MySQL db. It was
a just-for-fun project that turned out to be rather useful. I have
some developers that I managed who, like you, were road warriors. They
logged in to the https web page with their username and password, which
grabbed their IP address and stored it in a table with their login id.
The script called fud (for firewall update daemon) connected to the db
and ran a query to check for any rule changes. If there were, it would
apply them to the rule set and clear the change flag. Using this
combination I was able to allow ssh access only to the necessary ip
addresses.
I kind of scrapped it when VPNs became easier to deploy, and I have no
idea where this set of scripts is now, but it would be rather trivial
to build a new version.
If anyone thinks it's worth revisiting hit me off list.
Maybe I'll have to learn how to do a VPN from FreeBSD....
One thought that occurs to me is that pf tables would provide a
direct API without having to hit a database.
I think I really like this. I may have to implement it for pf.
It should be really easy with CGI and calls to pfctl.
--
There's probably a dozen ways to slice it now. I went with php, mysql
and ipfw, just because that was the theme back then. I also found it
handy to be able to log into the system and manually enter the ip
addressing if necessary. I would definitely add some better logging
than I did back then. Hmmm, giving me an idea for another article on
BSDNews.net... ;-)
cheers,
m!
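As an added illustration of the pf-table variant John sketches above (a CGI that calls pfctl after the user has authenticated), here is a small Python helper. It is example code written for this page, not anything posted in the thread or shipped with FreeBSD; the table name "ssh_allowed", the 12-hour expiry, the pf.conf lines in the docstring, and the reliance on the web server having set REMOTE_USER over HTTPS are all assumptions. The security-relevant points it shows are that REMOTE_ADDR is parsed as an address before it goes anywhere near pfctl (so nothing but an IP reaches the command, and loopback/multicast never get whitelisted), that pfctl is invoked with an argv list rather than a shell string, that pf's own `-T expire` does the stale-entry cleanup the old daemon needed a database flag for, and that every add and failure is logged, which the thread notes was missing the first time around.

```python
#!/usr/bin/env python3
"""Whitelist the authenticated client's address in a pf table for ssh.

Example code, not from the thread or from FreeBSD. Assumed pf.conf:

    table <ssh_allowed> persist
    pass in proto tcp from <ssh_allowed> to any port ssh

Run as a CGI behind HTTPS with HTTP authentication so the web server
fills REMOTE_USER and REMOTE_ADDR; pfctl needs root or doas/sudo.
"""
import ipaddress
import logging
import os
import shlex
import subprocess
import sys

TABLE = "ssh_allowed"      # assumed pf table name
TTL_SECONDS = 12 * 3600    # assumed: drop entries older than 12 hours

log = logging.getLogger("fud")


def validate_client_ip(raw):
    """Return a canonical IP string or raise ValueError.

    REMOTE_ADDR is set by the web server, but it is still untrusted data
    as far as pfctl is concerned: parse it with ipaddress so only a real
    address is ever passed on, and refuse addresses that make no sense
    as a remote ssh source.
    """
    addr = ipaddress.ip_address(raw.strip())
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        raise ValueError("refusing to whitelist %s" % addr)
    return str(addr)


def pfctl_add_args(ip, table=TABLE):
    """argv for adding one address to the table (a list, never a shell string)."""
    return ["pfctl", "-t", table, "-T", "add", ip]


def pfctl_expire_args(ttl=TTL_SECONDS, table=TABLE):
    """argv for pf's built-in expiry: remove entries older than ttl seconds."""
    return ["pfctl", "-t", table, "-T", "expire", str(ttl)]


def whitelist(user, raw_ip, run=subprocess.run):
    """Validate the address, add it, expire stale entries, log the outcome.

    `run` is injectable so the control flow can be exercised where pf is
    not available; by default it is subprocess.run.
    """
    ip = validate_client_ip(raw_ip)
    for argv in (pfctl_add_args(ip), pfctl_expire_args()):
        result = run(argv, check=False, capture_output=True)
        if result.returncode != 0:
            log.error("user=%s ip=%s cmd=%s rc=%d", user, ip,
                      shlex.join(argv), result.returncode)
            return False
    log.info("user=%s ip=%s added to <%s>", user, ip, TABLE)
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, stream=sys.stderr)
    user = os.environ.get("REMOTE_USER", "")
    client = os.environ.get("REMOTE_ADDR", "")
    print("Content-Type: text/plain\r\n\r\n", end="")
    if not user:
        print("not authenticated")
        sys.exit(1)
    try:
        ok = whitelist(user, client)
    except ValueError as exc:
        print("rejected: %s" % exc)
        sys.exit(1)
    print("ssh access enabled for %s" % client if ok else "pfctl failed")
```

The same `validate_client_ip` check is what you would put in front of the manual-entry path mikel mentions; whether the address arrives from a browser or a sysadmin's keyboard, it should reach pfctl only after it has survived `ipaddress.ip_address`.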
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"