2008/12/13 carlopmart <[email protected]>:
> ropers wrote:
>>>>> carlopmart wrote:
>>>>>> How can I establish a time range and timeout for an authpf rule?
>>>>>> For example I want to permit access from my windows servers
>>>>>> (previous ssh authentication) to windowsupdate servers from
>>>>>> 10:00 am to 13:00 am and block this traffic if any connection is
>>>>>> established during 10 minutes.
>>
>>> Wade, Daniel wrote:
>>>> Crontab job to load a different pf.conf
>>
>> 2008/12/12 carlopmart <[email protected]>:
>>> Thanks Daniel, but I had already thought about this option but there
>>> exist some problems:
>>>
>>> a) I need to maintain several pf.conf files for every access
>>> b) I can't control timeouts when servers don't generate traffic ...
>>
>> About (a):
>> I guess if you're really worried about maintaining two pf.conf files,
>> you could write a script that will edit your one single pf.conf (so
>> that it would comment out/de-comment specific lines; by content, not
>> by line number) and call that script via crontab. It would however be
>> really easy to clobber your pf.conf when doing this, if you're not
>> careful.
>>
>> About (b):
>> I understand you would prefer to only permit your Windows-based
>> servers to access Microsoft's windowsupdate servers if and only if
>> they will actually try to reach windowsupdate between 10 and 13 am.
>>
>> I'm no Hansteen, Hartmeier or Henning, but it is my understanding that
>> Pf has no clairvoyance feature. Is it really harmful to allow your
>> servers to access windowsupdate from 10 to 13, whether they actually
>> will do it or not? Also, from what I understand you want to
>> dynamically change your active ruleset to allow access once traffic
>> starts flowing during that time. What is the difference between that
>> and allowing access during that time anyway? Or what am I missing? Am
>> I horribly misunderstanding you?
>>
>> A somewhat confused
>> --ropers
>
> Many thanks for your answers ropers. About question a): OK, if I only
> need to maintain two pf.conf files, crontab is the perfect solution as
> I can open rules dynamically with pfctl, but I have other situations in
> which I need to open and close rules if traffic doesn't exist ... but
> if crontab is the only solution at this moment, then I will use it.
>
> About question b), you have understood me perfectly ... and you are
> right, in this case it doesn't matter. But suppose that instead of
> windows servers, they are remote users. I do not like rules that are
> permanently open in that time slot. How can I close these rules
> immediately??

Hm, have you looked at authpf?
http://www.openbsd.org/cgi-bin/man.cgi?query=authpf

regards,
--ropers
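One concrete shape for the crontab-plus-pfctl approach discussed above, added here as an illustration that is not part of the original thread: instead of keeping two whole pf.conf files, cron loads a small rule set into a pf anchor at the start of the window and flushes it (and kills the matching states) at the end, while a per-rule `tcp.established` timeout handles the "no traffic for 10 minutes" case carlopmart raised in point b). The anchor name `wsus`, the `<windowsupdate>` table, the server addresses, the script path and the cron entries are all assumptions; the `DRY_RUN` switch only exists so the script can be exercised on a box without pf.

```shell
#!/bin/sh
# Added example, not from the thread: open and close a time window for
# outbound Windows Update traffic by loading/flushing a pf anchor from cron,
# so a single pf.conf stays in place and only the anchor's rules change.
#
# Assumptions (none of this is stated in the thread):
#   - /etc/pf.conf carries these two lines, so the table and anchor exist:
#         table <windowsupdate> persist file "/etc/pf.windowsupdate"
#         anchor "wsus"
#   - The script lives at /usr/local/sbin/wsus-window.sh and cron runs:
#         0 10 * * * /usr/local/sbin/wsus-window.sh open
#         0 13 * * * /usr/local/sbin/wsus-window.sh close
#   - DRY_RUN=1 prints the pfctl invocations instead of executing them.

ANCHOR="wsus"
# Constructed sample addresses for the Windows servers (documentation range).
WINDOWS_SERVERS="192.0.2.10 192.0.2.11"
# States created by these rules expire after this many seconds of silence,
# which is what closes a session a server opened and then stopped using.
IDLE_SECONDS=600

# Run pfctl, or just print the command line when DRY_RUN is set.
run_pfctl() {
    if [ -n "$DRY_RUN" ]; then
        echo "pfctl $*"
    else
        pfctl "$@"
    fi
}

# Emit the rules that go into the anchor: one pass rule per server, with a
# per-rule idle timeout so an abandoned connection is dropped without
# touching the global pf timeouts.
build_rules() {
    for host in $WINDOWS_SERVERS; do
        printf 'pass out quick proto tcp from %s to <windowsupdate> port { 80 443 } keep state (tcp.established %s)\n' \
            "$host" "$IDLE_SECONDS"
    done
}

# Start of the window: load the generated rules into the anchor from stdin.
open_window() {
    rules=$(build_rules)
    if [ -n "$DRY_RUN" ]; then
        echo "pfctl -a $ANCHOR -f - <<EOF"
        printf '%s\n' "$rules"
        echo "EOF"
    else
        printf '%s\n' "$rules" | pfctl -a "$ANCHOR" -f -
    fi
}

# End of the window: flush the anchor so nothing new matches, then kill the
# states each server already has so in-flight sessions stop now rather than
# at their next timeout.
close_window() {
    run_pfctl -a "$ANCHOR" -F rules
    for host in $WINDOWS_SERVERS; do
        run_pfctl -k "$host"
    done
}

case "${1:-}" in
    open)  open_window ;;
    close) close_window ;;
    "")    ;;   # no verb: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 open|close" >&2; exit 1 ;;
esac
```

The same rule text, with `$user_ip` in place of the fixed server address, is what would go into an authpf.rules file: authpf loads it into a per-session anchor when the user's ssh session starts and removes the anchor when the session ends, which is the "close immediately" behaviour asked for in the remote-user case, without any cron involvement.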

