I think it is tangentially related to the discussion as OP is obviously
looking for some advice on security and I think what I mentioned was likely
applicable to maybe other firewalls separate from this one specifically OP
is configuring, perhaps on other networks altogether. But you are right it
is not directly related, which I stated at the start of my message. I agree
that an auto DNS checker updating a pf table is a pretty decent way to do
this with built-in OpenBSD tools but it leaves one prone to DNS poisoning
which can happen on non-OpenBSD systems completely out of OP's control on
the internet.

I don't particularly like relying on something like public DNS for who has
TCP layer access. What if the DNS servers are down or having issues and a
remote user then can't connect? Maybe that is an acceptable risk. What if the
DNS zones get poisoned and now an attacker's own IP address is the only one
allowed to access SSH (aside from any other statically allowed IPs)? Maybe
that is an acceptable risk.

Solely relying on dynamic DNS in this way is not acceptable to me.
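
A fail-closed variant of the "auto DNS checker updating a pf table" discussed above, added here as an example and not code from any of the posters: it resolves dynamic DNS names into a pf table but keeps a name's last known-good address when resolution fails or returns a malformed answer, so a DNS outage does not lock administrators out (it does nothing against a poisoned zone, which is why a statically allowed set should stay in the ruleset). The table name, file paths, the `host` output format and the `pfctl` invocation are assumptions.

```shell
#!/bin/sh
# Refresh a pf table of administrator addresses from dynamic DNS names,
# failing closed: a name that does not resolve to a well-formed IPv4
# address keeps its last known-good entry instead of dropping out.
# Constructed example; table name, paths and host names are assumptions.
TABLE=${TABLE:-admins}
NAMES_FILE=${NAMES_FILE:-/etc/pf.admins.dyn}   # one DNS name per line
CACHE=${CACHE:-/var/db/pf.admins.cache}        # "name address" per line

# Print the valid IPv4 A records found in `host -t A` style output
# ("name has address 203.0.113.7"), one per line; nothing on failure.
parse_a_records() {
    printf '%s\n' "$1" | awk '
        $2 == "has" && $3 == "address" && split($4, o, ".") == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) print $4
        }'
}

# Choose the address to load for one name: the first fresh answer when
# valid, else the cached one. $1 = lookup output, $2 = cached address.
choose_address() {
    fresh=$(parse_a_records "$1" | head -n 1)
    if [ -n "$fresh" ]; then printf '%s\n' "$fresh"
    elif [ -n "$2" ]; then printf '%s\n' "$2"
    fi
}

# Resolve every name, update the cache, then replace the table contents.
# Aborts without touching pf if nothing at all could be resolved or
# recovered from the cache. The pfctl invocation is assumed; see pfctl(8).
refresh_table() {
    tmp=$(mktemp) || exit 1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        cached=$(awk -v n="$name" '$1 == n { print $2 }' "$CACHE" 2>/dev/null)
        addr=$(choose_address "$(host -t A "$name" 2>/dev/null)" "$cached")
        [ -n "$addr" ] && printf '%s %s\n' "$name" "$addr" >> "$tmp"
    done < "$NAMES_FILE"
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    cp "$tmp" "$CACHE" && rm -f "$tmp"
    awk '{ print $2 }' "$CACHE" | pfctl -t "$TABLE" -T replace -f -
}

if [ "${1:-}" = "--apply" ]; then refresh_table; fi
```

Run it from cron as `script --apply`; the functions alone do nothing when sourced.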

-----Original Message-----
From: owner...@benzedrine.cx [mailto:owner...@benzedrine.cx] On Behalf Of
Alvaro Mantilla Gimenez
Sent: Saturday, December 19, 2009 12:28 PM
To: Justin Krejci
Cc: 'Karl O. Pinc'; pf@benzedrine.cx
Subject: RE: Restricting source with dDNS (dynamic DNS)

On Sat, 2009-12-19 at 06:05 -0600, Justin Krejci wrote:
> While also not what the OP specifically requested, a good option to
> consider in general is to use the overload option to allow PF to
> dynamically add abusing IPs to a table which is then blocked from ssh
> access. This is more for frequent TCP connections on port 22 (or any
> other) for brute force type activity. This is similar to but not the
> same as the fail2ban type scripts.
> 
> I get about 5-10 IPs added to my block table every day which is cleared
> daily via cron.
> 

Yes, that is a good option but it is not the purpose of the discussion.
He wants to have the ssh port closed and open the ports in a "dynamic"
way. His approach to do that with a DNS resolution is not the right
approach to solve the issue. Port knocking is, by far, the best option
to do that. The problem here is... there is no port knocking support in
OpenBSD, so the only solution he has at hand is authpf + bruteforce
tables "to defend" himself from the offenders... which, again, is not the
best approach to solve his problem.

Regards,

       Alvaro

> -----Original Message-----
> From: owner...@benzedrine.cx [mailto:owner...@benzedrine.cx] On Behalf Of
> Alvaro Mantilla Gimenez
> Sent: Friday, December 18, 2009 5:31 PM
> To: Karl O. Pinc
> Cc: pf@benzedrine.cx
> Subject: Re: Restricting source with dDNS (dynamic DNS)
> 
> 
> 
> On 18/12/2009, at 12:20, "Karl O. Pinc" <k...@meme.com> wrote:
> 
> > On 12/18/2009 10:16:44 AM, Peter N. M. Hansteen wrote:
> >> Jim Flowers <jflow...@ezo.net> writes:
> >>
> >>> To lock down services (particularly ssh) as tightly as possible, I
> >>> like to allow administrative access to a firewall only from specific
> >>> ip addresses.
> >>>
> >>> Unfortunately, some of the administrators are working from dynamic
> >>> ip addresses that change with some frequency.
> >>>
> >>> Is there a straightforward way to incorporate dynamic ip source
> >>> addresses in the pf ruleset?
> >>
> >> I'd say this sounds like a situation where authpf could come in quite
> >> handy.
> >
> > How?  I thought authpf grants additional rights to those who
> > can ssh.  But he wants to restrict those allowed to ssh period.
> >
> >
> 
> If I remember well, some time ago somebody did a port knocking program
> and he asked in the OpenBSD misc list about including it into the
> ports tree. He had very bad responses and a very ugly discussion. All
> the people involved in the discussion (I wasn't) didn't understand
> special cases like this: if you want to "close" ssh access from the
> world and let some people open ports for administration, maintenance,
> or whatever you want then authpf is not a solution but port knocking
> is. Google about that and you will see your solution there. You can, for
> example, define a port combination to execute some script to send you
> an SMS with the status of one specific service and/or another to
> open, for the IP which is doing the combination (of course), the
> redirection port to the SWAT (samba web administration) in one
> specific server so you can define different port combinations for
> different groups of users...
> 
> Google it.
> 
> Regards,
> 
>        Alvaro