On 18/12/2009, at 12:20, "Karl O. Pinc" <k...@meme.com> wrote:
On 12/18/2009 10:16:44 AM, Peter N. M. Hansteen wrote:
Jim Flowers <jflow...@ezo.net> writes:
To lock down services (particularly ssh) as tightly as possible, I like to allow administrative access to a firewall only from specific ip addresses. Unfortunately, some of the administrators are working from dynamic ip addresses that change with some frequency.
Is there a straightforward way to incorporate dynamic ip source addresses in the pf ruleset?
I'd say this sounds like a situation where authpf could come in quite handy.
How? I thought authpf grants additional rights to those who
can ssh. But he wants to restrict those allowed to ssh period.
If I remember well, some time ago somebody did a port knocking program and asked on the OpenBSD misc list about including it in the ports tree. He got very bad responses and a very ugly discussion. All the people involved in the discussion (I wasn't) didn't understand special cases like this: if you want to "close" ssh access from the world and let some people open ports for administration, maintenance, or whatever you want, then authpf is not a solution but port knocking is. Google about that and you will see your solution there. You can, for example, define a port combination to execute some script to send you an SMS with the status of one specific service, and/or another to open, for the IP which is doing the combination (of course), the redirection port to SWAT (the Samba web administration) on one specific server, so you can define different port combinations for different groups of users...
Google it.
Regards,
Alvaro
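One way to wire the port-knock idea from this thread into a pf ruleset, as an added example that is not part of the thread and not anyone's posted code: keep ssh closed to the world, admit the knocking admin's current address into a persistent pf table, and let the `from <admins>` rule do the rest. The script assumes a pf.conf fragment with a `<admins>` table and `block in log` (constructed, shown inline), pflog lines in the tcpdump text format used for pflog0 (the sample lines are constructed), and a hypothetical knock sequence 9000, 7000, 8000 that must arrive in order within ten seconds. It returns the `pfctl -t admins -T add` command instead of executing it, so it runs anywhere.

```python
"""Port-knock tracker over pflog lines that admits a source into a pf table.

Added example, not from the mailing-list thread. Assumed pf.conf fragment (constructed):

    table <admins> persist
    block in log on egress
    pass in on egress proto tcp from <admins> to (egress) port ssh

With `block in log`, every knock to a closed port shows up on pflog0, which is all
this tracker needs: it never opens any port itself, it only maintains <admins>.
"""
import re
from datetime import datetime, timedelta

# Hypothetical knock sequence and window (assumption, not from the thread).
# Deliberately non-monotonic: an ascending sequence would be completed by a plain
# sequential port scan, which is the usual objection to naive port knocking.
KNOCK_SEQUENCE = (9000, 7000, 8000)
KNOCK_WINDOW = timedelta(seconds=10)
ADMIN_TABLE = "admins"  # must match `table <admins> persist` in pf.conf

# Assumed pflog text format, e.g. from `tcpdump -n -e -ttt -i pflog0`:
#   Dec 18 12:20:01.100000 rule 0/(match) block in on em0: 203.0.113.5.51234 > 192.0.2.1.9000: S ...
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\.\d+ rule \S+ block in on \S+: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): S\b"
)


class KnockTracker:
    """Tracks, per source address, how far through the knock sequence it has got."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = sequence
        self.window = window
        self.progress = {}  # src -> (index of next expected knock, time of first knock)

    def feed(self, line):
        """Consume one pflog line; return the source address if it completed the sequence."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less, fine for deltas
        src, dport = m.group("src"), int(m.group("dport"))
        if dport not in self.sequence:
            return None  # blocked traffic to unrelated ports is just background noise
        idx, started = self.progress.get(src, (0, ts))
        if idx > 0 and ts - started > self.window:
            idx, started = 0, ts  # too slow: the earlier knocks have expired
        if dport != self.sequence[idx]:
            # Out of order: start over, treating this hit as a possible first knock.
            if dport == self.sequence[0]:
                self.progress[src] = (1, ts)
            else:
                self.progress.pop(src, None)
            return None
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return src
        self.progress[src] = (idx, started)
        return None


def pfctl_add_command(src):
    """The pfctl invocation that admits `src` to the table (returned here, not executed)."""
    return ["pfctl", "-t", ADMIN_TABLE, "-T", "add", src]


def admitted_sources(log_text, tracker=None):
    """Run every pflog line through the tracker and return the sources that completed the knock."""
    tracker = tracker or KnockTracker()
    return [src for src in (tracker.feed(line) for line in log_text.splitlines()) if src]


# Constructed sample: one correct knock, one ascending scan, one knock that is too slow.
SAMPLE_PFLOG = """\
Dec 18 12:20:01.100000 rule 0/(match) block in on em0: 203.0.113.5.51234 > 192.0.2.1.9000: S 1:1(0) win 65535
Dec 18 12:20:02.100000 rule 0/(match) block in on em0: 203.0.113.5.51235 > 192.0.2.1.7000: S 1:1(0) win 65535
Dec 18 12:20:03.100000 rule 0/(match) block in on em0: 203.0.113.5.51236 > 192.0.2.1.8000: S 1:1(0) win 65535
Dec 18 12:20:04.100000 rule 0/(match) block in on em0: 198.51.100.7.40000 > 192.0.2.1.7000: S 1:1(0) win 65535
Dec 18 12:20:05.100000 rule 0/(match) block in on em0: 198.51.100.7.40001 > 192.0.2.1.8000: S 1:1(0) win 65535
Dec 18 12:20:06.100000 rule 0/(match) block in on em0: 198.51.100.7.40002 > 192.0.2.1.9000: S 1:1(0) win 65535
Dec 18 12:20:30.100000 rule 0/(match) block in on em0: 198.51.100.9.40000 > 192.0.2.1.9000: S 1:1(0) win 65535
Dec 18 12:20:50.100000 rule 0/(match) block in on em0: 198.51.100.9.40001 > 192.0.2.1.7000: S 1:1(0) win 65535
Dec 18 12:20:51.100000 rule 0/(match) block in on em0: 198.51.100.9.40002 > 192.0.2.1.8000: S 1:1(0) win 65535
"""

if __name__ == "__main__":
    for src in admitted_sources(SAMPLE_PFLOG):
        print(" ".join(pfctl_add_command(src)))
```

In production the tracker would read a live `tcpdump -n -e -ttt -l -i pflog0` stream and run the returned command; pair it with a periodic `pfctl -t admins -T expire 3600` so that an address an admin's provider hands to someone else later does not keep ssh access indefinitely, and keep key-only ssh authentication behind it, since the knock sequence is visible to anyone on the path. Of the three sources in the sample, only 203.0.113.5 is admitted: the ascending scan from 198.51.100.7 never matches the first knock in order, and 198.51.100.9 exceeds the window between its first and second knock.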