>>> carlopmart wrote:
>>>>
>>>> How can I establish a time range and timeout for an authpf rule?
>>>> For example, I want to permit access from my Windows servers
>>>> (previous ssh authentication) to windowsupdate servers from 10:00 am to 13:00 am
>>>> and block this traffic if any connection is established during 10 minutes.

> Wade, Daniel wrote:
>>
>> Crontab job to load a different pf.conf

2008/12/12 carlopmart <[email protected]>:
> Thanks Daniel, but I had already thought about this option, but there are some
> problems:
>
> a) I need to maintain several pf.conf files for every access
> b) I can't control timeouts when servers don't generate traffic ...

About (a): I guess if you're really worried about maintaining two pf.conf files, you could write a script that will edit your one single pf.conf (so that it would comment out/de-comment specific lines; by content, not by line number) and call that script via crontab. It would however be really easy to clobber your pf.conf when doing this, if you're not careful.

About (b): I understand you would prefer to only permit your Windows-based servers to access Microsoft's windowsupdate servers if and only if they will actually try to reach windowsupdate between 10 and 13 am. I'm no Hansteen, Hartmeier or Henning, but it is my understanding that Pf has no clairvoyance feature. Is it really harmful to allow your servers to access windowsupdate from 10 to 13, whether they actually will do it or not?

Also, from what I understand you want to dynamically change your active ruleset to allow access once traffic starts flowing during that time. What is the difference between that and allowing access during that time anyway? Or what am I missing? Am I horribly misunderstanding you?

A somewhat confused
--ropers
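One way to do the cron-driven edit described under (a) without clobbering pf.conf, as an added example that is not part of the original post. The trailing `# WINUPDATE` tag convention, the `pf_toggle` function, the `PF_CHECK` variable and the script path in the crontab comment are assumptions of this example; `pfctl -n` is PF's parse-only mode.

```shell
#!/bin/sh
# Added example (not from the thread): toggle tagged pf.conf rules by content.
# A rule is "tagged" when its line ends with " # MARKER", e.g. (constructed):
#   pass out proto tcp to <winupdate> port 443 # WINUPDATE
# crontab (constructed; script path is hypothetical):
#   0 10 * * * /usr/local/sbin/pf_toggle.sh enable  WINUPDATE && pfctl -f /etc/pf.conf
#   0 13 * * * /usr/local/sbin/pf_toggle.sh disable WINUPDATE && pfctl -f /etc/pf.conf
# PF_CHECK is this example's own knob: the command that validates the candidate.

pf_toggle() {
    action=$1 marker=$2 conf=${3:-/etc/pf.conf}
    case $action in
        enable|disable) ;;
        *) echo "usage: pf_toggle enable|disable MARKER [FILE]" >&2; return 2 ;;
    esac
    [ -n "$marker" ] || return 2

    # Work on a copy in the same directory so the final mv is an atomic rename.
    tmp=$(mktemp "${conf}.XXXXXX") || return 1

    awk -v m=" # $marker" -v act="$action" '
        function tagged(s) {
            return length(s) > length(m) && substr(s, length(s) - length(m) + 1) == m
        }
        tagged($0) && act == "enable"                 { sub(/^#[ \t]?/, "") }
        tagged($0) && act == "disable" && $0 !~ /^#/  { $0 = "# " $0 }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Parse-only check (pfctl -n) before the live file is touched.
    if ! ${PF_CHECK:-pfctl -nf} "$tmp"; then
        echo "pf_toggle: candidate rejected, $conf left unchanged" >&2
        rm -f "$tmp"
        return 3
    fi
    mv "$tmp" "$conf"
}

if [ $# -gt 0 ]; then pf_toggle "$@"; fi
```

Reloading the ruleset does not remove states that already exist, so a connection opened before 13:00 continues until it closes or its state times out.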

