On Thursday 15 January 2004 04:54, Russell Fulton wrote:

> At the moment I am regenerating the whole pf.conf file whenever there are
> changes in the database, I then use ssh to copy the file to the firewall
> and use pfctl -f to load it. As soon as I have some time I plan to just
> load the deltas using pfctl (or a custom C program using the ioctls) to
> update just the tables and rules that have changed. This would be
> easier although probably not by much if everything was table based.
Probably you already know that you can manipulate tables with "pfctl -T".

> We are also looking at moving many of our 'standard' machines to dynamic
> table whereby they will have to log in to a 'service' which will open up
> their access through the firewall and inform our traffic meter which
> user is on the particular IP, this will pave the way for allowing
> increased usage of dynamic IP addresses. Rather like pfauth but we will
> write a custom daemon to run on the firewall.

This can be useful. Maybe.

http://www.piout.net/phpauthpf.html

A form simply asks the user for a login and a password. Then the php script tries to authenticate the user with Active Directory using LDAP. If the user is correctly identified, it searches for the groups he is in. If he is in the allowed group it adds the IP to the auth table so pf will let the user go to the internet, then it changes the page to google.com and it opens a little popup. This popup will refresh every 100 seconds. When it refreshes, it writes the time to a file. The script checkips.sh is executed regularly so when the file is not updated, it will delete the IP from the auth table and kill the states.

Ed
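An added example of the expiry sweep Ed describes (my own shell, not the phpauthpf checkips.sh, which is not on this page): it assumes the popup writes one file per client IP under a state directory, containing the epoch time of the last refresh, and it removes stale entries from the pf table and kills their states.

```shell
#!/bin/sh
# Expiry sweep for a pf "auth" table populated by a login page (added
# example, not the phpauthpf script). Assumed layout: $STATE_DIR/<ip>
# holds the epoch seconds of that client's last popup refresh.

STATE_DIR="${STATE_DIR:-/var/phpauthpf}"   # assumed path
TABLE="${TABLE:-auth}"                     # pf table the login page fills
MAX_AGE="${MAX_AGE:-300}"   # popup refreshes every 100 s; tolerate a few misses
PFCTL="${PFCTL:-pfctl}"     # set PFCTL=echo to dry-run on a box without pf

# Print the IPs whose last-refresh stamp is older than MAX_AGE seconds.
# $1 is "now" in epoch seconds. Files that are not dotted-quad names are
# ignored; files whose stamp is unreadable are treated as expired.
expired_ips() {
    now="$1"
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        ip=$(basename "$f")
        case "$ip" in
            *[!0-9.]*|'') continue ;;
        esac
        last=$(head -n 1 "$f" | tr -cd '0-9')
        if [ -z "$last" ] || [ $((now - last)) -gt "$MAX_AGE" ]; then
            echo "$ip"
        fi
    done
}

# For every expired IP: drop it from the table, kill states it originated,
# and remove its stamp file. $1 optionally overrides "now" (for testing).
sweep() {
    now="${1:-$(date +%s)}"
    for ip in $(expired_ips "$now"); do
        "$PFCTL" -t "$TABLE" -T delete "$ip"
        "$PFCTL" -k "$ip"
        rm -f "$STATE_DIR/$ip"
    done
}

# Run from cron, e.g. every minute: checkips.sh --sweep
if [ "${1:-}" = "--sweep" ]; then
    sweep
fi
```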
