2010/2/16 Per-Olov Sjöholm <p...@incedo.org>:
> Hi "misc"
>
> I am looking for a tool to use as a trigger for dynamically opening PF ports from
> certain IPs.
>
> I will access non-critical info but want at least a port knocker as security.
>
> If I access an IP on my DMZ that is not in use on a port that is fake, I want
> to dynamically add a PF rule for a totally different purpose. Let's say I
> access http://1.2.3.4:45321 which is blocked and logged in PF; what is the
> easiest way to create a trigger from the PF log or the PF log device?
>
> A cron job with grep in the PF log and then running pfctl to add the rule is from
> many points of view a bad choice... I don't want to dig through the PF log as
> it can be huge, and I don't want to use a cron job as it takes too long..
>
> Any suggestions appreciated.
>
>
> Thanks in advance
> /Per-Olov
>
As many people have already suggested to you in this thread, you are doing it wrong. But if you _really_ want to do it that way, then you can probably simplify your configuration a bit.

You can use "log (to pflog10)" to have a separate pflog device with only log entries about port-knocking attempts. Then you can have a small shell script reading from tcpdump on pflog10 in a cycle and adding IP addresses to a table of hosts with permitted access to your RSS feed. This is much simpler and quicker than a cron job with a full pflog parser.

I would strongly encourage you to use per-user HTTP authentication instead. Most RSS readers I encountered actually _do_ support it, as they are all based on standard libraries, so you can just give them the http://user:p...@host/path/file.rss URL if they don't have a separate "authentication" field.

--
The best the little guy can do is what the little guy does right
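The dedicated-pflog approach described in the reply above, written out as an added example (not code from the reply's author). It assumes pf.conf contains a `table <knockers> persist`, a `block in log (to pflog10) ... port 45321` rule for the fake knock port and a `pass ... from <knockers>` rule for the real service; the interface, table and port names are assumptions and can be overridden via environment variables.

```shell
#!/bin/sh
# Assumed pf.conf fragment (names are assumptions, not from the thread):
#   table <knockers> persist
#   block in log (to pflog10) on $dmz_if proto tcp to 1.2.3.4 port 45321
#   pass in on $dmz_if proto tcp from <knockers> to $rss_host port 80
# pflog10 must exist (e.g. /etc/hostname.pflog10 containing "up").
PFLOG_IF=${PFLOG_IF:-pflog10}
KNOCK_TABLE=${KNOCK_TABLE:-knockers}
KNOCK_PORT=${KNOCK_PORT:-45321}

# Extract the source IPv4 address from one line of "tcpdump -n -e -i pflogN"
# output, but only for a "block in" entry whose destination port is the knock
# port. Prints nothing otherwise. Constructed sample line:
#   rule 3/(match) block in on em1: 203.0.113.7.51234 > 1.2.3.4.45321: S ...
knock_src() {
    printf '%s\n' "$1" | awk -v port="$KNOCK_PORT" '
        $0 ~ /block in/ {
            # tcpdump prints "src.sport > dst.dport:"; locate the ">" token
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            sub(/:$/, "", dst)
            n = split(dst, d, ".")
            if (n == 5 && d[5] == port) {
                m = split(src, s, ".")
                if (m == 5) print s[1] "." s[2] "." s[3] "." s[4]
            }
        }'
}

# Long-running listener: every knock on the fake port adds the source to the
# pf table, which the pass rule consults immediately (no cron, no log grep).
# Needs root, pf and tcpdump. Entries can be aged out separately with
# "pfctl -t $KNOCK_TABLE -T expire <seconds>" from a periodic job.
watch_knocks() {
    tcpdump -l -n -e -i "$PFLOG_IF" 2>/dev/null | while read -r line; do
        src=$(knock_src "$line")
        [ -n "$src" ] || continue
        pfctl -t "$KNOCK_TABLE" -T add "$src" \
            && logger -t knockwatch "added $src to <$KNOCK_TABLE>"
    done
}

# Start only when invoked as "script start"; sourcing just defines the functions.
if [ "${1:-}" = start ]; then
    watch_knocks
fi
```

Because the script keys on the "block in" action and the exact destination port, ordinary blocked scans of other DMZ ports never make it into the table.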