On 15:40, Fri 18 Dec 09, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I like to
> allow administrative access to a firewall only from specific ip addresses.
> 
> Unfortunately, some of the administrators are working from dynamic ip
> addresses that change with some frequency.
> 
> Is there a straightforward way to incorporate dynamic ip source addresses in
> the pf ruleset?

You can go with the previously mentioned table + resolving script cron job,
or you can not restrict access to ssh based on IP but disable root ssh
login and password authentication, ask for public keys, and go with that.

This is the way I chose (mostly because of GPRS/UMTS/HSDPA access
nowadays) and it's working great.
-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"

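The "table + resolving script cron job" option mentioned in the reply, sketched as an added example that is not part of the original message: a cron-driven script that resolves the administrators' dynamic-DNS names and replaces a pf table, leaving the old table in place when a lookup fails. The table name `admins`, the hostnames and the use of host(1) for lookups are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumed pf.conf lines that use the table:
#   table <admins> persist
#   pass in proto tcp from <admins> to any port ssh
TABLE="admins"                                              # assumed table name
ADMIN_HOSTS="admin1.dyn.example.org admin2.dyn.example.org" # constructed names

# Keep only well-formed IPv4 addresses (one per line) from stdin, deduplicated.
valid_ipv4() {
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) ok = 0
        if (ok && !seen[$0]++) print
    }'
}

# Resolve one name to its A records; host(1) prints "<name> has address <ip>".
resolve_a() {
    host -t A "$1" 2>/dev/null | awk '/ has address / { print $NF }'
}

# Resolve every name. Fail if any name yields no valid address, so a DNS
# outage never shrinks or empties the table and locks the admins out.
collect_addrs() {
    for h in $ADMIN_HOSTS; do
        addrs=$(resolve_a "$h" | valid_ipv4)
        [ -n "$addrs" ] || { echo "no address for $h" >&2; return 1; }
        echo "$addrs"
    done
}

# Atomically swap the table contents for the freshly resolved set.
refresh_table() {
    addrs=$(collect_addrs) || return 1   # keep the existing table on failure
    # $addrs is unquoted on purpose: one argument per validated address.
    pfctl -q -t "$TABLE" -T replace $addrs
}

# Only touch pf when asked to, e.g. from cron: refresh-admins.sh --apply
if [ "${1:-}" = "--apply" ]; then
    refresh_table
fi
```

The table only tracks the names as fast as cron runs and DNS TTLs expire, so an address can stay allowed for a short time after an administrator has moved off it.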