On 6/30/26 17:15, Dave Polaschek wrote:
Hello,

I have a server on which I would like to stand up an OpenBSD server running a 
few different services on a few different ports (starting with WEBDAV services 
offered by Radicale[1], but adding more services in the future) for friends and 
family looking to escape iCloud and google-cloud. This will probably be a small 
number of services and a small number of users to begin with, but may grow over 
time (as these things do, if they work).

Given the constant hammering a previous httpd server took from scrapers, I 
would like to restrict access to this server. It looks as though authpf might 
be able to do the job of authorizing folks, and it seems pretty clear how to do 
that on a gateway, but less clear how to have authpf authorize connections to 
the server on which authpf is running.

What I'm thinking of is the following pattern:
* user opens connection to ssh with a username / key which triggers authpf
* authpf tells pf to open ports 80 and 443 for that user
* user syncs calendar and/or contacts
* user shuts down ssh connection and the open ports close

I've been reading The Book of Pf and playing with these services inside my home 
network, so I'm reasonably confident I can eventually make this all work, 
provided I haven't missed anything. I have scripts running which look at 
attempts to ssh in as root and add those IP addresses to a pf table to 
block people, and that seems to be working (I'm not really worried about them 
getting in, but it seemed like a useful learning exercise to learn my way 
around pf). I haven't locked myself out yet, so I probably haven't made all the 
mistakes I need to make in order to learn, though.

Is this a sensible idea? Currently we have contacts, calendars, photos, and a small 
amount of file storage as the things we rely on iCloud (or google-cloud) for. I would 
prefer to stand up my own services, rather than changing one corporate overlord for 
another, although I have thought about switching people to murena's "cloud"[4] 
because it would definitely be simpler.

I have also looked at using iocaine-powder[2] as a front-end[3] for all of this 
to feed the scrapers garbage, but if I'm going to restrict my server to just 
friends and family, it seems as though something with authpf would be tons 
simpler. But it's entirely possible that I'm confused.

Alternately, if there's someone who already offers services like this, I'd love 
a pointer. It's an interesting technical quest, but it's really just another 
yak that needs shaving on the way to helping my family, and I have plenty of 
other projects to keep me busy. Our main goal is to stop giving Apple and 
Google money. They have plenty.

Thanks for any help de-confusing me.

1: https://radicale.org/
2: https://opensourcesecurity.io/2026/2026-01-iocaine-algernon/
3: https://chronicles.mad-scientist.club/tales/only-junk-fans/
4: https://murena.com/workspace/

-DaveP


Your strategy seems reasonable.
I'd suggest configuring sshd to be key-only for an externally exposed
system, and for log noise reduction, consider moving sshd to a
non-standard port (NOT a security gain (or at least, it shouldn't be!),
but it will reduce the amount of noise in the logs tremendously).

The only difference between putting authpf on a gateway system vs. on
the target machine is, you have to allow ssh to the target machine
and have PF running and configured appropriately there.

Nick.
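The same-host layout Nick describes, written out as an added example (this is not configuration from either poster, from authpf(8) or from the Radicale project). It assumes the external interface is em0, that the bruteforce table is the one fed by the existing root-login scripts, and a user named alice; all three names are placeholders. Everything except ssh is blocked on em0 until a user is logged in through authpf, at which point the per-user rules in authpf.rules open 80 and 443 from that user's source address only.

```pf
# ---- /etc/pf.conf ----
ext_if = "em0"                      # assumed interface name

# authpf adds each authenticated user's source address to this table for
# the lifetime of their ssh session, if the table exists.
table <authpf_users> persist
table <bruteforce> persist          # assumed name for the root-login blocklist

set skip on lo
block return in log on $ext_if
block in quick on $ext_if from <bruteforce>

# ssh is the only service reachable without authpf; rate-limit new
# connections per source and push abusers into the same blocklist.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Rules loaded by authpf for each logged-in user land in this anchor.
anchor "authpf/*"

pass out on $ext_if

# ---- /etc/authpf/authpf.rules ----
# Loaded into anchor authpf/<user>(<pid>) when the user logs in and flushed
# when the session ends. authpf substitutes $user_ip and $user_id; any other
# macro must be defined in this file, it is not inherited from pf.conf.
ext_if = "em0"
pass in quick on $ext_if proto tcp from $user_ip to ($ext_if) port { 80 443 }

# ---- /etc/ssh/sshd_config (relevant lines only) ----
PasswordAuthentication no
KbdInteractiveAuthentication no
# A dropped ssh session keeps the user's ports open until sshd notices;
# these two settings bound that to roughly 45 seconds.
ClientAliveInterval 15
ClientAliveCountMax 3

# ---- per-user setup, run as root (commands shown as comments) ----
#   usermod -s /usr/sbin/authpf alice      # authpf becomes the login shell
#   echo alice >> /etc/authpf/authpf.allow # only listed users may use it
#   touch /etc/authpf/authpf.conf          # must exist, may be empty
#   pfctl -f /etc/pf.conf
```

After alice runs `ssh alice@server` and leaves the session open, `pfctl -a 'authpf/*' -sr` on the server should list her pass rule with her address filled in, and `pfctl -t authpf_users -T show` should list that address; both disappear when she logs out. Two caveats worth knowing before rolling this out: authpf keys everything on the client's source address, so several people behind one NAT or CGNAT address share a single opening, and the CalDAV/CardDAV client on a phone has no way to hold an ssh session open by itself, so the user has to keep a terminal session (or an ssh app) running for as long as the sync needs to run.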
