ropers wrote:
carlopmart wrote:
 How can I establish a time range and timeout for an authpf rule?
For example, I want to permit my Windows servers (after ssh authentication) to access
the windowsupdate servers from 10:00 am to 13:00, and block this traffic if no
connection is established for 10 minutes.

Wade, Daniel wrote:
Crontab job to load a different pf.conf

2008/12/12 carlopmart <carlopm...@gmail.com>:
Thanks Daniel, but I had already thought about this option, and there are some
problems:

 a) I need to maintain several pf.conf files for every access
 b) I can't control timeouts when servers don't generate traffic ...

About (a):
I guess if you're really worried about maintaining two pf.conf files,
you could write a script that will edit your one single pf.conf (so
that it would comment out/de-comment specific lines; by content, not
by line number) and call that script via crontab. It would however be
really easy to clobber your pf.conf when doing this, if you're not
careful.

About (b):
I understand you would prefer to only permit your Windows-based
servers to access Microsoft's windowsupdate servers if and only if
they will actually try to reach windowsupdate between 10 and 13 am.

I'm no Hansteen, Hartmeier or Henning, but it is my understanding that
Pf has no clairvoyance feature. Is it really harmful to allow your
servers to access windowsupdate from 10 to 13, whether they actually
will do it or not? Also, from what I understand you want to
dynamically change your active ruleset to allow access once traffic
starts flowing during that time. What is the difference between that
and allowing access during that time anyway? Or what am I missing? Am
I horribly misunderstanding you?

A somewhat confused
--ropers
Many thanks for your answers, ropers. About question a): OK, if I only need to maintain two pf.conf files, crontab is the perfect solution, as I can open rules dynamically with pfctl, but I have other situations in which I need to open and close rules if traffic doesn't exist ... but if crontab is the only solution at this moment, then I will use it.

About question b): you have understood me perfectly ... and you are right, in this case it doesn't matter. But suppose that instead of Windows servers they are remote users. I do not like rules that are permanently open in that time slot. How can I close these rules immediately??
--
CL Martinez
carlopmart {at} gmail {d0t} com
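The crontab-plus-pfctl approach discussed above, written out as an added example that is not from any poster in this thread: the time-window rules live in their own pf anchor, cron opens and closes the anchor at the window edges, and a periodic check flushes the anchor early once the client has no pf state left (the "no traffic" case). The anchor name "timed", the rule file /etc/pf.timed.conf and the client address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Cron-driven script that opens a
# pf anchor for a time window and flushes it again when the window ends or
# when the client has gone idle (no pf state left). Hypothetical names:
# anchor "timed", rule file /etc/pf.timed.conf, client 192.0.2.10.
# pf.conf needs the line:   anchor "timed"
ANCHOR=timed
RULES=/etc/pf.timed.conf
CLIENT=192.0.2.10

# to_min HH:MM -> minutes since midnight
to_min() { echo "$1" | awk -F: '{ print $1 * 60 + $2 }'; }

# in_window HH:MM START END -> true when START <= HH:MM < END
in_window() {
    now=$(to_min "$1"); start=$(to_min "$2"); end=$(to_min "$3")
    [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
}

# count_states ADDR TEXT -> number of "pfctl -ss" lines whose source is ADDR,
# e.g. "all tcp 192.0.2.10:51000 -> 203.0.113.5:443   ESTABLISHED:ESTABLISHED"
# (inbound "<-" states list the local side first and are not counted)
count_states() {
    printf '%s\n' "$2" | awk -v a="$1:" 'index($3, a) == 1 { n++ } END { print n + 0 }'
}

# decide HH:MM START END NSTATES -> keep | idle | close
decide() {
    if in_window "$1" "$2" "$3"; then
        if [ "$4" -gt 0 ]; then echo keep; else echo idle; fi
    else
        echo close
    fi
}

# Suggested crontab lines (assumed script path):
#   0        10    * * *  /usr/local/sbin/pf-window.sh open
#   10-50/10 10-12 * * *  /usr/local/sbin/pf-window.sh check
#   0        13    * * *  /usr/local/sbin/pf-window.sh close
case "${1:-}" in
    open)  pfctl -a "$ANCHOR" -f "$RULES" ;;
    close) pfctl -a "$ANCHOR" -F rules; pfctl -k "$CLIENT" ;;
    check)
        n=$(count_states "$CLIENT" "$(pfctl -ss)")
        if [ "$(decide "$(date +%H:%M)" 10:00 13:00 "$n")" = idle ]; then
            pfctl -a "$ANCHOR" -F rules
        fi ;;
esac
```

The check only removes the pass rules; states that already exist keep running until pf's own timeouts expire them, and "close" additionally kills the client's states with pfctl -k.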
