mikel king wrote:


Way back about 10 years ago, I was playing around with IPFW a lot. I wrote a script to update IPFW from changes made to a MySQL db. It was a just-for-fun project that turned out to be rather useful. I had some developers whom I managed who, like you, were road warriors. They logged in to the https web page w/ their username and password, which grabbed their IP address and stored it in a table with their login id.

The script, called fud (for firewall update daemon), connected to the db and ran a query to check for any rule changes. If there were any, it would apply them to the rule set and clear the change flag. Using this combination I was able to allow ssh access only to the necessary IP addresses.


We use a similar approach but only rely on tcpwrappers.
Here's what we do (simplified & obfuscated slightly), just
for reference (or, maybe commentary :-D )

On server:

[505] Fri 05.Mar.2010 10:21:37
[ad...@foo][~] cat /etc/hosts.allow | grep sshd
# Wrapping sshd(8) is not normally a good idea, but if you
sshd:  /var/tmp/skyangel.ip : allow
sshd: all : deny

On "skyangel":

[13] Fri 05.Mar.2010 10:22:56
[ad...@skyangel][~] sudo crontab -l |grep dhcp
@reboot                 /usr/local/bin/php -q /root/scripts/dhcp.php
0   */4    *    *    *   /usr/local/bin/php -q /root/scripts/dhcp.php


"dhcp.php" uses lynx to dump a server-side HTTPS page and sends
a secret in the URI.  Server-side page is able to decrypt this
and determine it's really "skyangel", then writes the connecting
IP addy to /var/tmp/skyangel.ip.

KDK
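The exchange described above, as an added example that is not KDK's dhcp.php or server-side page: a client-side token builder, the server-side check, and the write of the verified peer address into the file that hosts.allow names. One substitution is made and should be read as an assumption rather than what the post does: instead of an encrypted secret in the URI, the token is the client name plus a timestamp plus an HMAC-SHA256 over both, so a captured URI stops working after MAX_TOKEN_AGE seconds and the server compares in constant time. The names make_token, verify_token, write_allow_file, handle_request, SHARED_SECRET and MAX_TOKEN_AGE are this example's own, as is the placeholder secret; the path argument stands in for /var/tmp/skyangel.ip.

```python
import hashlib
import hmac
import ipaddress
import os
import tempfile

# Shared secret between "skyangel" and the server. Placeholder value for
# this example only; a real deployment would load it from a root-only file.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Reject tokens whose timestamp is further than this from server time (seconds).
# Bounds how long a URI captured from a log or proxy can be replayed.
MAX_TOKEN_AGE = 600


def make_token(secret: bytes, client_name: str, now: int) -> str:
    """Client side: value to put in the query string.

    Format: <name>:<unix_time>:<hex HMAC-SHA256 over "name:time">.
    """
    msg = f"{client_name}:{now}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{client_name}:{now}:{mac}"


def verify_token(secret: bytes, token: str, now: int, expected_name: str) -> bool:
    """Server side: check the name, the timestamp window and the MAC."""
    parts = token.split(":")
    if len(parts) != 3:
        return False
    name, ts_str, mac = parts
    if name != expected_name or not ts_str.isdigit():
        return False
    ts = int(ts_str)
    if abs(now - ts) > MAX_TOKEN_AGE:
        return False
    expected = hmac.new(secret, f"{name}:{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(expected, mac)


def write_allow_file(path: str, client_ip: str) -> str:
    """Write the verified address to the file hosts.allow points at.

    The address is parsed first, so nothing but a literal IP ever reaches
    the file (a raw header value could otherwise inject extra patterns).
    The file is written to a temp name in the same directory and renamed
    into place, so tcpd never reads a half-written file.
    """
    line = f"{ipaddress.ip_address(client_ip)}\n"  # ValueError on garbage
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".skyangel.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(line)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return line


def handle_request(secret: bytes, token: str, remote_addr: str, path: str,
                   now: int, expected_name: str = "skyangel") -> bool:
    """Request handler: update the allow file only for a valid, fresh token.

    remote_addr must be the TCP peer address (REMOTE_ADDR), not a
    client-supplied header, or the client could enrol any address.
    """
    if not verify_token(secret, token, now, expected_name):
        return False
    write_allow_file(path, remote_addr)
    return True


def demo(now: int = 1267784577) -> dict:
    """Run the exchange end to end in a temporary directory.

    Constructed inputs: the addresses are documentation ranges, and the
    second call replays the same token two hours later.
    """
    workdir = tempfile.mkdtemp(prefix="tcpwrap-demo-")
    path = os.path.join(workdir, "skyangel.ip")
    token = make_token(SHARED_SECRET, "skyangel", now)
    fresh = handle_request(SHARED_SECRET, token, "203.0.113.7", path, now + 30)
    with open(path) as f:
        contents = f.read()
    replayed = handle_request(SHARED_SECRET, token, "198.51.100.9", path, now + 7200)
    with open(path) as f:
        after_replay = f.read()
    return {"fresh": fresh, "contents": contents,
            "replayed": replayed, "after_replay": after_replay}


if __name__ == "__main__":
    print(demo())
```

Two points carry over to the real setup: the file hosts.allow reads must not be writable by anyone other than the web server account that updates it (a world-writable path in /var/tmp would let any local user grant themselves sshd access), and the address written must come from the socket peer rather than from anything the client sends.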
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
