Hi,

On Fri, Dec 18, 2009 at 03:40:36PM +0000, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I like to allow
> administrative access to a firewall only from specific ip addresses.
>
> Unfortunately, some of the administrators are working from dynamic ip addresses
> that change with some frequency.
>
> Is there a straightforward way to incorporate dynamic ip source addresses in the
> pf ruleset?

- Use a table for these IP src addresses in your pass rule
- Run regularly via cron a script to resolve these dynamic IPs and
  add/modify/delete it in the src table via 'pfctl'

A++
Laurent
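
The table-plus-cron approach from the reply above, as an added example that is not part of the original message. The table name `admins`, the placeholder hostnames, the script path, the `--apply` switch and the use of host(1) for lookups are all assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed pf.conf, names hypothetical:
#   table <admins> persist
#   pass in on $ext_if proto tcp from <admins> to ($ext_if) port ssh
# Assumed root crontab entry:
#   */10 * * * * /usr/local/sbin/pf-admins.sh --apply

TABLE="admins"                                        # assumed table name
HOSTS="admin1.dyndns.example admin2.dyndns.example"   # placeholder hostnames

# Keep only syntactically valid IPv4 addresses, one per line, de-duplicated.
valid_ipv4() {
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) ok = 0
        if (ok) print
    }' | sort -u
}

# Resolve one hostname to its A records using host(1).
resolve() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $4 }'
}

# Print the address set for all hosts given as arguments.
# Returns 1 if any host yields no valid address, so a DNS outage
# never shrinks or empties the table.
collect_addrs() {
    out=""
    for h in "$@"; do
        a=$(resolve "$h" | valid_ipv4)
        [ -n "$a" ] || { echo "no address for $h" >&2; return 1; }
        out="$out$a
"
    done
    printf '%s' "$out" | sort -u
}

# Swap the table contents in one pfctl call; stale addresses drop out.
refresh_table() {
    addrs=$(collect_addrs $HOSTS) || return 1
    pfctl -q -t "$TABLE" -T replace $addrs
}

if [ "${1:-}" = "--apply" ]; then
    refresh_table
fi
```

Removing an address from the table does not kill pf states already created from it, so an established SSH session from a previous address stays up until it closes or its state is cleared.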