I've seen this in portsentry where are defined to block an IP. One way to
do this is to make a weblet page (can we authenticate in weblet?) and allow it
to execute a script or a shorewall command to allow an IP and ports. The
problem is the system cannot know automatically when the user is done. The
user has to again come in thro' weblet and delete that specific rule in
iptables - again script driven thro' weblet.

You will also encounter problems if that specific user is on a dynamic IP
ISP dial-up. He might disconnect and connect again, when his IP is likely to
change, thus negating this rule.

One possibility is to define a road-warrior connection in ipsec and allow
ipsec thro' to the network. If the samba service is available to the
network, the ipsec connection should also be able to access the samba
service. loc <-> loc is also on in shorewall.

I've not done this and hence am not speaking from experience, but from logic,
having used different subsystems.

HTH
Mohan

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Duke Ionescu
Sent: 12 September 2002 00:47
To: [EMAIL PROTECTED]
Subject: [leaf-user] How do I punch a dynamic hole thru firewall?


[This was originally posted to the LRP mailing list, where I was spat upon :]

I'm running LRP, more exactly Dachstein (thx for all your work Charles!).
I've been running LRP for many a year and everything works great.  What I
need is an idea.  This may be a bit OT, but I'm looking for advice from
someone who's used LRP or BusyBox extensively.  Here's the problem:

I've opened samba ports for my static IP @ home, and it works great.
However, a co-worker is not as fortunate to have a static IP.  How do I
dynamically punch a hole for him (ports 137-139, 445) so he can access our
samba server too?  The most straightforward solution I could find is for him
to ssh into the LRP box and open the ports himself (...and then close
them!).  This could be automated via a script (i.e. "/usr/bin/opensesame
1.2.3.4").  However, this is a bit of a pain, and for users not as computer
literate as my co-worker it would not even be an option.  Has anyone run
into this before?  What creative solutions have you found?  Is there a
de-facto way you guys do this sort of thang?

Thx
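
The "opensesame 1.2.3.4" idea in Duke's question and the weblet-driven
script in Mohan's reply share the same gap: nothing closes the hole once
the remote user goes away, and a dial-up user who re-dials takes a new
address while the old rule stays open. The sketch below is an added
example (not code from LEAF/Dachstein, Shorewall, or either poster) of a
POSIX sh helper that grants the Samba ports to one address for a limited
time and lets a cron job close the hole when the lease runs out, so the
exposure window is bounded by the firewall rather than by the user
remembering to come back. It assumes plain iptables on the firewall, a
dedicated chain (hypothetically named "smbhole") that the script owns, and
a lease directory it can write to; the address check matters because the
script is meant to be fed from a web form.

```shell
#!/bin/sh
# Time-limited "opensesame" for the Samba ports.  Added example; all names,
# paths and the chain are hypothetical.  IPT can be pointed at "echo" to see
# the commands without touching the firewall.

IPT="${IPT:-iptables}"
LEASE_DIR="${LEASE_DIR:-/var/run/opensesame}"
CHAIN="${CHAIN:-smbhole}"        # dedicated chain so only our rules are touched
TCP_PORTS="137:139 445"          # NetBIOS session + direct SMB
UDP_PORTS="137:139"              # NetBIOS name/datagram services
DEFAULT_TTL=3600                 # seconds a hole stays open (one hour)

# Accept only a dotted-quad IPv4 address.  Anything else (shell
# metacharacters, extra iptables arguments, empty input) is refused before
# it can reach a command line, since callers may be untrusted web users.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the rule arguments for one address, one rule per line, so the same
# list serves both insertion (-A) and deletion (-D).
rule_specs() {
    ip=$1
    for p in $TCP_PORTS; do
        printf '%s\n' "$CHAIN -p tcp -s $ip --dport $p -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        printf '%s\n' "$CHAIN -p udp -s $ip --dport $p -j ACCEPT"
    done
}

# Open the hole and record when it should be closed.  Prints the expiry
# time (epoch seconds) so a web page can show it to the user.
open_hole() {
    ip=$1
    ttl=${2:-$DEFAULT_TTL}
    valid_ipv4 "$ip" || { echo "refusing invalid address: $ip" >&2; return 1; }
    case "$ttl" in *[!0-9]*|"") echo "bad ttl: $ttl" >&2; return 1 ;; esac
    mkdir -p "$LEASE_DIR"
    rule_specs "$ip" | while read -r spec; do
        $IPT -A $spec
    done
    expiry=$(( $(date +%s) + ttl ))
    printf '%s %s\n' "$ip" "$expiry" > "$LEASE_DIR/$ip"
    echo "$expiry"
}

# Remove the rules for one address and forget its lease.
close_hole() {
    ip=$1
    valid_ipv4 "$ip" || return 1
    rule_specs "$ip" | while read -r spec; do
        $IPT -D $spec
    done
    rm -f "$LEASE_DIR/$ip"
}

# Close every hole whose lease has passed.  Meant to run from cron every
# few minutes, so the firewall closes the door even if the user never
# comes back (or re-dials with a different address).
expire_holes() {
    now=$(date +%s)
    [ -d "$LEASE_DIR" ] || return 0
    for f in "$LEASE_DIR"/*; do
        [ -f "$f" ] || continue
        read -r ip expiry < "$f"
        if [ "$expiry" -le "$now" ]; then
            close_hole "$ip"
        fi
    done
}

# Usage: opensesame open <ip> [ttl-seconds] | close <ip> | expire
case "${1:-}" in
    open)   open_hole "$2" "$3" ;;
    close)  close_hole "$2" ;;
    expire) expire_holes ;;
esac
```

A weblet page would call "opensesame open <ip>" with the address the
request came from, and a crontab line running "opensesame expire" does
the cleanup; a re-dialled user simply asks for a new lease for the new
address. Putting the rules in their own chain keeps the expire step from
ever touching rules that belong to the rest of the Shorewall policy.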
-------------------------------------------------------
In remembrance
www.osdn.com/911/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html