On 6/30/26 17:15, Dave Polaschek wrote:
Hello,
I have a server on which I would like to stand up an OpenBSD server running a
few different services on a few different ports (starting with WEBDAV services
offered by Radicale[1], but adding more services in the future) for friends and
family looking to escape iCloud and google-cloud. This will probably be a small
number of services and a small number of users to begin with, but may grow over
time (as these things do, if they work).
Given the constant hammering a previous httpd server took from scrapers, I
would like to restrict access to this server. It looks as though authpf might
be able to do the job of authorizing folks, and it seems pretty clear how to do
that on a gateway, but less clear how to have authpf authorize connections to
the server on which authpf is running.
What I'm thinking of is the following pattern:
* user opens connection to ssh with a username / key which triggers authpf
* authpf tells pf to open ports 80 and 443 for that user
* user syncs calendar and/or contacts
* user shuts down ssh connection and the open ports close
I've been reading The Book of Pf and playing with these services inside my home
network, so I'm reasonably confident I can eventually make this all work,
provided I haven't missed anything. I have scripts running which look at
attempts to ssh in as root, and add those IP addresses to a pf table to
block people, and that seems to be working (I'm not really worried about them
getting in, but it seemed like a useful learning exercise to learn my way
around pf). I haven't locked myself out yet, so I probably haven't made all the
mistakes I need to make in order to learn, though.
Is this a sensible idea? Currently we have contacts, calendars, photos, and a small
amount of file storage as the things we rely on iCloud (or google-cloud) for. I would
prefer to stand up my own services, rather than changing one corporate overlord for
another, although I have thought about switching people to murena's "cloud"[4]
because it would definitely be simpler.
I have also looked at using iocaine-powder[2] as a front-end[3] for all of this
to feed the scrapers garbage, but if I'm going to restrict my server to just
friends and family, it seems as though something with authpf would be tons
simpler. But it's entirely possible that I'm confused.
Alternatively, if there's someone who already offers services like this, I'd love
a pointer. It's an interesting technical quest, but it's really just another
yak that needs shaving on the way to helping my family, and I have plenty of
other projects to keep me busy. Our main goal is to stop giving Apple and
Google money. They have plenty.
Thanks for any help de-confusing me.
1: https://radicale.org/
2: https://opensourcesecurity.io/2026/2026-01-iocaine-algernon/
3: https://chronicles.mad-scientist.club/tales/only-junk-fans/
4: https://murena.com/workspace/
-DaveP
Your strategy seems reasonable.
I'd suggest configuring sshd to be key-only for an externally exposed
system, and for log noise reduction, consider moving sshd to a
non-standard port (NOT a security gain (or at least, it shouldn't be!),
but it will reduce the amount of noise in the logs tremendously).
The only difference between putting authpf on a gateway system vs. on
the target machine is that you have to allow ssh to the target machine
and have PF running and configured appropriately there.
Nick.
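For anyone following this thread later, here is a constructed example of the pattern Dave describes (ssh session triggers authpf, which opens 80/443 for that user's address until the session ends) laid out for the case Nick mentions, where authpf runs on the same host that serves the ports. It is not Dave's configuration or anything from the authpf(8) man page beyond the login.conf class shown there; the interface name vio0, the bruteforce table name and the rate limits are assumptions to adjust.

```conf
# ---- /etc/pf.conf (on the server itself, not a gateway) ----
ext_if = "vio0"                 # assumption: replace with the real interface
table <authpf_users> persist    # authpf adds each logged-in user's address here
table <bruteforce> persist      # fed by the root-login scripts and the overload below

set skip on lo
block return                    # default deny, both directions
block in quick from <bruteforce>
pass out                        # the host may originate connections

# ssh must reach this box, because authpf runs here; rate-limit it as well
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn-rate 5/60, overload <bruteforce> flush global)

# rules from /etc/authpf/authpf.rules are loaded into a per-user sub-anchor
# while that user's ssh session is alive, and removed when it ends
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules ----
# macros from pf.conf are not visible here, so define the interface again;
# $user_ip is filled in by authpf with the address the ssh session came from
ext_if = "vio0"
pass in quick on $ext_if proto tcp from $user_ip to ($ext_if) port { 80 443 }

# ---- /etc/authpf/authpf.conf ----
# must exist, even if empty, or authpf refuses to run

# ---- /etc/login.conf (rebuild login.conf.db with cap_mkdb if you use one) ----
# class whose session shell is authpf; assign it with: usermod -L authpf <user>
authpf:\
	:welcome=/etc/motd.authpf:\
	:shell=/usr/sbin/authpf:\
	:tc=default:

# ---- /etc/ssh/sshd_config additions ----
PasswordAuthentication no       # key-only, as suggested above
KbdInteractiveAuthentication no
ClientAliveInterval 15          # lets sshd notice a dropped session quickly
ClientAliveCountMax 3           # so authpf can tear the user's rules down
```

The user simply keeps a plain interactive ssh session open while syncing; nothing else on the box is reachable from addresses that have no live authpf session.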