Karl O. Pinc
Fri, 18 Dec 2009 09:12:19 -0800
On 12/18/2009 09:40:36 AM, Jim Flowers wrote:
> To lock down services (particularly ssh) as tightly as possible, I like
> to allow administrative access to a firewall only from specific ip
> addresses.
>
> Unfortunately, some of the administrators are working from dynamic ip
> addresses that change with some frequency.
>
> Is there a straightforward way to incorporate dynamic ip source
> addresses in the pf ruleset?

Yes. Make a table with the dynamic source addresses.
Control access using that table.
Update the table with pfctl from a script that
runs periodically and does dns lookups.
Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
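
The approach described in the reply above, as an added example that is not part of the original message: a cron-driven script that resolves the administrators' dynamic DNS names and replaces the contents of a pf table with the results. The table name `admins`, the hostnames, the pf.conf lines in the comments and the use of host(1) for lookups are all assumptions; it handles IPv4 only and leaves the table untouched when nothing resolves.

```shell
#!/bin/sh
# Added example. pf.conf side (table name and rule are assumptions):
#   table <admins> persist
#   pass in on egress proto tcp from <admins> to (egress) port ssh
# Run from root's crontab with the argument "apply".
# Whoever controls these DNS records controls ssh reachability.

TABLE="admins"                                          # assumed table name
HOSTS="admin1.dyn.example.org admin2.dyn.example.org"   # placeholder names

# DNS lookup, kept in one function so the resolver can be swapped out.
lookup() { host -t A "$1" 2>/dev/null; }

# Read host(1) output on stdin and print only well-formed IPv4 addresses.
# Error text, CNAME lines and junk never reach the pfctl command line.
parse_addrs() {
    awk '/ has address / { print $NF }' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255'
}

# Resolve every name given; print the unique addresses, one per line.
resolve_all() {
    for h in "$@"; do
        lookup "$h" | parse_addrs
    done | sort -u
}

# Replace the table contents only if at least one address resolved.
# An empty result (DNS outage) keeps the old entries instead of
# locking every administrator out.
update_table() {
    addrs=$(resolve_all "$@")
    if [ -z "$addrs" ]; then
        echo "no addresses resolved; table <$TABLE> left unchanged" >&2
        return 1
    fi
    # Word splitting of $addrs is intended: one argument per address.
    ${PFCTL:-pfctl} -t "$TABLE" -T replace $addrs
}

if [ "${1:-}" = "apply" ]; then
    update_table $HOSTS
fi
```

Existing connections from an address that has dropped out of the table keep their state entries until they expire or are killed with `pfctl -k`.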