On Sun, Feb 04, 2007 at 10:51:58PM +0100, Erik Norgaard wrote:
> Noah wrote:
>
> > the servers and clients are not on the same LAN segment. capturing MAC
> > has nothing to do with this scenario.
>
> You haven't exactly told a lot about the network you want to set up. The
> logical thing is to authenticate against the firewall connected to the
> same subnet - and that will know the MAC address. The same setup is
> assumed in the scenario using pfauth (or is it authpf).
It sounded a little bit like perhaps he wants to dynamically allow services temporarily, but firewall them off (using a local machine firewall rather than a dedicated firewall) all other times. Hazarding a guess, maybe this is due to the common SSH brute force attacks? :)

If the firewall is PF, it's simple enough to include a table of IPs for which the service is allowed, and make the CGI on the webpage issue a "pfctl -t <table> -T add $ENV{REMOTE_IP}" command. A separate process could watch the logs for an ssh logout and remove the IP from the table when a logout from that IP occurs.

It's a dirty solution. If the problem is specifically the SSH attacks, there are better ones (denyhosts, or pf rules to block IPs dynamically when they connect too frequently), but you're right--it's hard to give good answers when the problem is so ill-defined.

Erik

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
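The table-plus-log-watcher sketch from the reply above, written out in POSIX sh as an added example (not code from the thread or from the PF/FreeBSD projects). The table name sshok, the pf.conf lines and the sample sshd log line are assumptions; REMOTE_ADDR is the standard CGI variable carrying the client address, and the address is validated before it is handed to pfctl.

```shell
#!/bin/sh
# Added example, not code from the thread: the PF-table approach sketched
# above. Assumes pf.conf declares a persistent table and a rule using it:
#   table <sshok> persist
#   pass in quick on $ext_if proto tcp from <sshok> to ($ext_if) port ssh
# PFCTL can be pointed at "echo" to dry-run on a machine without PF.
PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-sshok}"
# Accept only a dotted-quad IPv4 address, so nothing else ever reaches
# the pfctl command line.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}
# CGI side: the web server sets REMOTE_ADDR to the client's address;
# validate it, then add it to the table.
allow_client() {
    valid_ipv4 "$1" || return 1
    "$PFCTL" -t "$TABLE" -T add "$1"
}
# Pull the peer address out of an sshd disconnect line such as
#   sshd[1234]: Received disconnect from 192.0.2.7: 11: disconnected by user
# Prints the address; fails silently on any other line.
disconnect_ip() {
    case "$1" in
        *"Received disconnect from "*) ;;
        *) return 1 ;;
    esac
    ip=${1##*"Received disconnect from "}
    ip=${ip%%[!0-9.]*}
    valid_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}
# Log watcher: pipe sshd log lines in (e.g. tail -F /var/log/auth.log) and
# drop the address from the table on every disconnect.
watch_logouts() {
    while IFS= read -r line; do
        ip=$(disconnect_ip "$line") || continue
        "$PFCTL" -t "$TABLE" -T delete "$ip"
    done
}
```

Run with `PFCTL=echo` first to see the exact pfctl invocations before wiring it to a CGI and a log tail.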