Hello,

With a PF firewall, I'm currently allowing only specific IP addresses to be redirected for remote control of desktops:

    rdr pass on $ext_if proto tcp from <remote_users> to $ex_vnc port 6713 -> $orion port 6713
    rdr pass on $ext_if proto tcp from <remote_users> to $ex_vnc port 6714 -> $mozart port 6714
    ..[more rdr's of like nature]...

Everyone is blocked except for the source IP addresses in the <remote_users> table. I now have a need to allow users with non-static IPs access to the redirects. It seems like a job for authpf, and ideally I would just like to add the authpf $user_ip to the <remote_users> table during the authenticated session (and remove it after), but it appears authpf cannot do this and that instead it would need to inject a whole duplicate set of redirects via an anchor. Is this a correct understanding?

Also, as it is currently, sshd only allows access via public key - "PasswordAuthentication no", with only the sysadmin (also the only added account) as an allowed user. At this time it appears that I would either have to open up sshd to passwords (I'm not enamored with this idea) and/or teach the remote users to set up and use key pairs (or do it for them). Is this a correct assumption, or does authpf offer any kind of workaround?

Thanks,
Chris
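As an added example (not Chris's configuration), here is what the anchor-based approach the post describes looks like: the static-IP redirects stay in pf.conf keyed on <remote_users>, and authpf loads a per-user copy of the same redirects, keyed on the $user_ip macro it supplies, into its own anchor for the life of the ssh session. It assumes OpenBSD's authpf with its default rules file /etc/authpf/authpf.rules and the pre-4.7 `rdr pass` syntax used in the post; the interface and addresses are constructed placeholders.

```pf
# /etc/pf.conf (relevant portion) -- main ruleset
ext_if = "em0"                 # constructed; external interface
ex_vnc = "203.0.113.10"        # constructed; public address the VNC redirects listen on
orion  = "192.168.1.10"        # constructed; internal desktops
mozart = "192.168.1.11"
table <remote_users> persist { 198.51.100.5 }   # static-IP users (constructed entry)

# Existing redirects for static-IP users
rdr pass on $ext_if proto tcp from <remote_users> to $ex_vnc port 6713 -> $orion port 6713
rdr pass on $ext_if proto tcp from <remote_users> to $ex_vnc port 6714 -> $mozart port 6714

# authpf inserts each authenticated user's rdr rules here (translation section)
rdr-anchor "authpf/*"

block in on $ext_if
# Dynamic-IP users must be able to reach sshd on the firewall to log in through authpf
pass in on $ext_if proto tcp to ($ext_if) port ssh

# authpf inserts each authenticated user's filter rules here (filter section)
anchor "authpf/*"

# /etc/authpf/authpf.rules -- loaded by authpf into anchor "authpf/<user>(<pid>)"
# when the ssh session starts and flushed when it ends. Macros from pf.conf
# are NOT visible here, so they are redefined; $user_ip is provided by authpf.
ext_if = "em0"
ex_vnc = "203.0.113.10"
orion  = "192.168.1.10"
mozart = "192.168.1.11"
rdr pass on $ext_if proto tcp from $user_ip to $ex_vnc port 6713 -> $orion port 6713
rdr pass on $ext_if proto tcp from $user_ip to $ex_vnc port 6714 -> $mozart port 6714
```

Each dynamic-IP user's login shell must be set to /usr/sbin/authpf for this to take effect; while a session is up, `pfctl -sA` lists the per-user anchors currently loaded.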
