Re: ipfw and temporary port access
Daniel Bye wrote:

> On Sat, Sep 16, 2006 at 03:06:13PM -0700, Noah wrote:
>
>> Hi there,
>>
>> I am trying to figure out how to open a port temporarily for a specific IP who is able to provide a proper username and password on the website of the box. After authentication is verified, the IP address is cached and temporarily allowed to access a specific port on the server. These temporary firewall changes would be handled by ipfw.
>>
>> Any clues if a system like this is already coded and out there somewhere?
>
> Take a look at security/doorman or security/knock, both of which might fit the bill.

Hi there,

I have really specific needs and am wondering if somebody has already written a port knocker out there that fits the criteria of what I am looking for.

Portknocker capabilities:

1) User needs to telnet to a specific port and/or log into a website.
2) Learns the IP address that the user is coming from in step 1.
3) Opens the ssh port specifically to the IP address grabbed in step 1, but also keeps the ssh port open to statically defined IPs in /etc/rc.firewall.
4) As soon as the user disconnects from the ssh port, the IP address from step 1 can no longer access the ssh port unless they log back in following the procedure in step 1.

I reviewed two programs, doorman and knock (found in FreeBSD /usr/ports/security).

Doorman review: I am unable to figure out how to configure the ability to capture the IP address where the UDP packet was sent from. Therefore this program does not completely match what I am looking for, or I do not understand how to configure it.

Knock review: This is nice but still requires closing the port as a step when done. It would be nice to automatically close the ssh port when the user disconnects from the ssh port. Also I am not clear, but I don't think there is a way to grab the source IP address, right?

Anybody know of other programs I could check out?

Cheers,
Noah

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
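The four-step flow Noah describes, sketched as an added example in POSIX sh (this is not code from the thread, nor from doorman, knock or authpf). It assumes a web login handler (not shown) calls grant_ssh with the authenticated client's address and then backgrounds watch_and_revoke; that ipfw rule numbers 10000-59999 are free and sit before the existing deny-ssh rule in /etc/rc.firewall; that rc.firewall already allows established TCP traffic; and that sockstat(1) is available, as on FreeBSD. The function names, the rule-number scheme and the SAMPLE_SOCKSTAT lines are constructed for the example. The address check up front is the part a practitioner should not skip: the IP comes straight out of an HTTP request and is interpolated into a root-run firewall command.

```shell
#!/bin/sh
# Added example, not from the thread or from doorman/knock/authpf: a sketch
# of Noah's four steps on top of ipfw. A web login handler (assumed, not
# shown) calls grant_ssh with the client's address, then backgrounds
# watch_and_revoke, which deletes the rule once the ssh session is gone.
# Statically allowed IPs in /etc/rc.firewall are untouched because we only
# ever add and delete our own rule numbers.
#
# Assumptions: rule numbers 10000-59999 are free and precede the existing
# deny-ssh rule; rc.firewall already allows established TCP traffic;
# sockstat(1) is available (FreeBSD). Set IPFW="echo ipfw" to dry-run.

SSH_PORT=22
RULE_BASE=10000
IPFW=${IPFW:-ipfw}

# The address arrives from an HTTP request and ends up in a root-run ipfw
# command, so accept only a plain dotted-quad IPv4 address: no shell
# metacharacters, no CIDR, nothing ipfw could misread as extra rule text.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Map a client address to a rule number deterministically, so revoke can
# find the rule without shared state. cksum(1) is POSIX; two clients
# colliding on the same number is possible but rare (1 in 50000).
rule_for_ip() {
    printf '%s' "$1" | cksum | awk -v base="$RULE_BASE" '{ print base + ($1 % 50000) }'
}

# Step 3: admit one client to ssh. "setup" matches only the connection
# request; return traffic is covered by the established rule assumed above.
grant_ssh() {
    if ! valid_ipv4 "$1"; then
        echo "grant_ssh: refusing address '$1'" >&2
        return 1
    fi
    $IPFW add "$(rule_for_ip "$1")" allow tcp from "$1" to me "$SSH_PORT" setup
}

# Step 4: close the hole again.
revoke_ssh() {
    valid_ipv4 "$1" || return 1
    $IPFW delete "$(rule_for_ip "$1")"
}

# Read sockstat(1)-style output on stdin; succeed if the client still has a
# TCP connection to our ssh port. Columns: USER COMMAND PID FD PROTO
# LOCAL-ADDRESS FOREIGN-ADDRESS, with addresses written as ip:port.
ssh_session_in() {
    awk -v ip="$1" -v port="$SSH_PORT" '
        $5 ~ /^tcp/ && $6 ~ (":" port "$") && index($7, ip ":") == 1 { found = 1 }
        END { exit !found }'
}

session_active() {
    sockstat -4 -c -p "$SSH_PORT" 2>/dev/null | ssh_session_in "$1"
}

# Poll until the client's ssh session has gone, then revoke. The grace
# period gives the user time to connect at all after logging in on the web.
watch_and_revoke() {
    sleep "${2:-60}"
    while session_active "$1"; do sleep 10; done
    revoke_ssh "$1"
}

# Constructed sockstat output for trying ssh_session_in offline.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  5  tcp4   192.0.2.1:22          192.0.2.10:51022
noah     sshd       1235  5  tcp4   192.0.2.1:22          192.0.2.10:51022
www      httpd      800   4  tcp4   192.0.2.1:80          192.0.2.99:4455'

# Typical use from the login handler, as root:
#   grant_ssh "$client_ip" && watch_and_revoke "$client_ip" &
```

Because the rule number is derived from the address, a second login from the same client simply re-adds the same rule, and the watcher that finishes last removes it; the thing this sketch does not solve is a client that never connects at all, which is why the grace period is kept short.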
Re: ipfw and temporary port access
Peter N. M. Hansteen wrote:

> Noah [EMAIL PROTECTED] writes:
>
>> Any clues if a system like this is already coded and out there somewhere?
>
> Apart from the ipfw requirement, you have just described authpf, see e.g. http://www.freebsd.org/cgi/man.cgi?query=authpf&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

Hi there,

authpf needs ssh access, which is not something we have universally open - is there a way to integrate authpf without granting ssh access?

Cheers,
Noah
Re: ipfw and temporary port access
Noah [EMAIL PROTECTED] writes:

> authpf needs ssh access, which is not something we have universally open - is there a way to integrate authpf without granting ssh access?

Out of the box, no. Then again, you only need ssh in to the authenticating gateway. It's up to you to decide which OpenSSH-supported authentication methods you require before loading the rules which actually let traffic through.

Cheers,

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers - The Usenet Bard, Twice-forwarded tales
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
Re: ipfw and temporary port access
Noah [EMAIL PROTECTED] writes:

> Any clues if a system like this is already coded and out there somewhere?

Apart from the ipfw requirement, you have just described authpf, see e.g. http://www.freebsd.org/cgi/man.cgi?query=authpf&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

-- 
Peter N. M. Hansteen
Re: ipfw and temporary port access
On Sat, Sep 16, 2006 at 03:06:13PM -0700, Noah wrote:

> Hi there,
>
> I am trying to figure out how to open a port temporarily for a specific IP who is able to provide a proper username and password on the website of the box. After authentication is verified, the IP address is cached and temporarily allowed to access a specific port on the server. These temporary firewall changes would be handled by ipfw.
>
> Any clues if a system like this is already coded and out there somewhere?

Take a look at security/doorman or security/knock, both of which might fit the bill.

Dan

-- 
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
ASCII ribbon campaign - against HTML, vCards and proprietary attachments in e-mail
ipfw and temporary port access
Hi there,

I am trying to figure out how to open a port temporarily for a specific IP who is able to provide a proper username and password on the website of the box. After authentication is verified, the IP address is cached and temporarily allowed to access a specific port on the server. These temporary firewall changes would be handled by ipfw.

Any clues if a system like this is already coded and out there somewhere?

Cheers,
Noah