Alvaro Mantilla Gimenez
Fri, 18 Dec 2009 16:04:45 -0800
El 18/12/2009, a las 12:20, "Karl O. Pinc" <k...@meme.com> escribió:
On 12/18/2009 10:16:44 AM, Peter N. M. Hansteen wrote:Jim Flowers <jflow...@ezo.net> writes:To lock down services (particularly ssh) as tightly as possible, Ilike to allowadministrative access to a firewall only from specific ipaddresses.Unfortunately, some of the administrators are working from dynamicip addressesthat change with some frequency. Is there a straightforward way to incorporate dynamic ip sourceaddresses in thepf ruleset?I'd say this sounds like a situation where authpf could come in quite handy.How? I thought authpf grants additional rights to those who can ssh. But he wants to restrict those allowed to ssh period.
If I remember well, sometime ago somebody did a port knocking program and he asked in the OpenBSD misc list about to include it into the ports tree. He had very bad responses and a very ugly discussion. All the people involved into the discussion ( I wasn't ) didn't understood special cases like this: if you want to "close" ssh access from the world and let some people open ports for administration, maintenance, or whatever you want then authpf is not a solution but port knocking is. Google about that and you see your solution there. You can, for example, define a port combination to execute some script to send you a sms with the status of one specifical service and/or another to open, for the IP which is doing the combination (of course), the redirection port to the SWAT (samba web administration) in one specifical server so you can define different port combinations for different groups of users...
Google it.
Regards,
Alvaro