Re: temporary IP addition to firewall rules

2007-02-05 Thread Erik Norgaard

Noah wrote:


Erik Norgaard wrote:

Noah wrote:

the servers and clients are not on the same LAN segment.  capturing 
MAC has nothing to do with this scenario.
You haven't exactly told a lot about the network you want to set up. 
The logical thing is to authenticate against the firewall connected to 
the same subnet - and that will know the mac address. The same setup 
is assumed in the scenario using pfauth (or is it authpf).


A lot of assumptions that are incorrect. The firewall is running as part 
of FreeBSD; there is no edge firewall device to the LAN segment. Your 
ideas will not work for my scenario.


Unless you are willing to spend some time explaining your setup, what 
you have and what you try to achieve, not many people are going to spend 
time trying to help you solve your problem.


- I'm out, good luck.
--
Ph: +34.666334818  web: http://www.locolomo.org




Re: temporary IP addition to firewall rules

2007-02-04 Thread Erik Norgaard

Noah wrote:

Does anybody have a recommendation for a program out there that would 
allow somebody to enter an account and password on my website, their IP 
address is cached, and the cached IP address is added temporarily to the 
firewall ruleset to be allowed.


I am not aware of anything that works like that, pfauth may do the job 
for you, but not using a web site. Generally the problem is that web 
pages are stateless, so your firewall won't know when to remove the ip 
again.


You can hack up a solution that does sort of the same:

- let your web page manage accounts, the web server can get ip of the
  client registering and hence also the corresponding mac.

- tell your dhcp server not to expire ip delegations, or make host
  entries with the registered ip/mac, but that requires the dhcp server
  to be restarted at every new client.

- make a static entry in your arp table to prevent others from taking
  over the ip later.

People will only need to authenticate first time. You can decide to 
expire their accounts and revoke access after a given time with a 
cron-job if you like.


Alternatively, require people to connect with IPSec tunnel and allow 
only tunneled traffic to be routed. When they register a set of keys are 
generated for use with that client only. This is really the ideal as you 
can for example leave an AP open, yet have traffic encrypted.


Cheers, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org




Re: temporary IP addition to firewall rules

2007-02-04 Thread Noah



Erik Norgaard wrote:

Noah wrote:

Does anybody have a recommendation for a program out there that would 
allow somebody to enter an account and password on my website, their 
IP address is cached, and the cached IP address is added temporarily 
to the firewall ruleset to be allowed.


I am not aware of anything that works like that, pfauth may do the job 
for you, but not using a web site. Generally the problem is that web 
pages are stateless, so your firewall won't know when to remove the ip 
again.


You can hack up a solution that does sort of the same:

- let your web page manage accounts, the web server can get ip of the
  client registering and hence also the corresponding mac.




the servers and clients are not on the same LAN segment.  capturing MAC 
has nothing to do with this scenario.



- tell your dhcp server not to expire ip delegations, or make host
  entries with the registered ip/mac, but that requires the dhcp server
  to be restarted at every new client.

- make a static entry in your arp table to prevent others from taking
  over the ip later.

People will only need to authenticate first time. You can decide to 
expire their accounts and revoke access after a given time with a 
cron-job if you like.


Alternatively, require people to connect with IPSec tunnel and allow 
only tunneled traffic to be routed. When they register a set of keys 
are generated for use with that client only. This is really the ideal 
as you can for example leave an AP open, yet have traffic encrypted.


Cheers, Erik

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: temporary IP addition to firewall rules

2007-02-04 Thread J65nko

On 2/4/07, Noah [EMAIL PROTECTED] wrote:


Does anybody have a recommendation for a program out there that would
allow somebody to enter an account and password on my website, their IP
address is cached, and the cached IP address is added temporarily to the
firewall ruleset to be allowed.



Have you checked authpf? There is a man page and
http://openbsd.unixtech.be/faq/pf/authpf.html


Re: temporary IP addition to firewall rules

2007-02-04 Thread Erik Norgaard

Noah wrote:

the servers and clients are not on the same LAN segment.  capturing MAC 
has nothing to do with this scenario.


You haven't exactly told a lot about the network you want to set up. The 
logical thing is to authenticate against the firewall connected to the 
same subnet - and that will know the mac address. The same setup is 
assumed in the scenario using pfauth (or is it authpf).


Also, unless you are going to give a lot of instructions to people on 
how to configure their network, you will have a dhcp server on the same 
subnet - why not let that also do the web service for user management?


You haven't told either how people connect - is it wireless or wired? 
Some access points support that people authenticate WPA+something and 
the access point will verify against a radius server. And there are 
other possibilities depending on your setup.


But whichever way you set up your network, I think the best solution is 
if people establish an IPSec tunnel to the firewall, such that all 
traffic not destined for the local subnet must be tunneled through that. 
This gives you maximum control - you can even set up your firewall so 
that traffic coming in on an IPSec tunnel is also filtered.


Cheers, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org




Re: temporary IP addition to firewall rules

2007-02-04 Thread Erik Osterholm
On Sun, Feb 04, 2007 at 10:51:58PM +0100, Erik Norgaard wrote:
 Noah wrote:

 the servers and clients are not on the same LAN segment.  capturing MAC
 has nothing to do with this scenario.

 You haven't exactly told a lot about the network you want to set up. The
 logical thing is to authenticate against the firewall connected to the
 same subnet - and that will know the mac address. The same setup is
 assumed in the scenario using pfauth (or is it authpf).

It sounded a little bit like perhaps he wants to dynamically allow
services temporarily, but firewall them off (using a local machine
firewall rather than a dedicated firewall) all other times.  Hazarding
a guess, maybe this is due to the common SSH brute force attacks? :)

If the firewall is PF, it's simple enough to include a table of IPs
for which the service is allowed, and make the CGI on the webpage
issue a pfctl -t table -T add $ENV{REMOTE_IP} command.  A separate
process could watch the logs for an ssh logout and remove the IP from
the table when a logout from that IP occurs.

It's a dirty solution.  If the problem is specifically the SSH
attacks, there are better ones (denyhosts, or pf rules to block IPs
dynamically when they connect too frequently), but you're right--it's
hard to give good answers when the problem is so ill-defined.

Erik
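As an added example (not code from the thread), here is a small sh helper for the pf-table approach sketched above: the CGI calls allow_ip with the client address, and a log watcher feeds sshd disconnect lines into revoke_on_logout. It assumes a pf table named sshallow referenced by a rule such as `pass in quick proto tcp from <sshallow> to any port 22`; the table name, rule and sample log line are assumptions, and PFCTL can be pointed at echo for a dry run.

```shell
#!/bin/sh
# Added example for the "pf table + CGI" idea; table name and pass rule are assumed.
PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-sshallow}"

# Accept only a plain dotted-quad IPv4 address. REMOTE_ADDR arrives from the
# network, so it must be validated before it is ever passed to pfctl.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Called by the CGI after a successful login: allow_ip "$REMOTE_ADDR"
allow_ip() {
    valid_ipv4 "$1" || return 1
    "$PFCTL" -t "$TABLE" -T add "$1"
}

revoke_ip() {
    valid_ipv4 "$1" || return 1
    "$PFCTL" -t "$TABLE" -T delete "$1"
}

# Extract the peer address from sshd disconnect lines on stdin, e.g. the
# constructed sample:
#   Feb  4 22:51:58 host sshd[1234]: Received disconnect from 192.0.2.10: 11: disconnected by user
disconnected_ips() {
    sed -n 's/.*sshd\[[0-9]*\]: Received disconnect from \([0-9.]*\).*/\1/p'
}

# Log watcher: tail -F /var/log/auth.log | revoke_on_logout
# Every address that logs out of sshd is removed from the table again.
revoke_on_logout() {
    disconnected_ips | while read -r ip; do
        revoke_ip "$ip"
    done
}
```

Entries added this way still have no expiry of their own; a cron job calling `pfctl -t sshallow -T expire` (or a timed revoke_ip) is needed for clients that never log out cleanly.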



Re: temporary IP addition to firewall rules

2007-02-04 Thread Noah



Erik Norgaard wrote:

Noah wrote:

the servers and clients are not on the same LAN segment.  capturing 
MAC has nothing to do with this scenario.


You haven't exactly told a lot about the network you want to set up. 
The logical thing is to authenticate against the firewall connected to 
the same subnet - and that will know the mac address. The same setup 
is assumed in the scenario using pfauth (or is it authpf).


A lot of assumptions that are incorrect. The firewall is running as part 
of FreeBSD; there is no edge firewall device to the LAN segment. Your 
ideas will not work for my scenario.





Also, unless you are going to give a lot of instructions to people on 
how to configure their network, you will have a dhcp server on the 
same subnet - why not let that also do the web service for user 
management?


You haven't told either how people connect - is it wireless or wired? 
Some access points support that people authenticate WPA+something and 
the access point will verify against a radius server. And there are 
other possibilities depending on your setup.


But whichever way you set up your network, I think the best solution is 
if people establish an IPSec tunnel to the firewall, such that all 
traffic not destined for the local subnet must be tunneled through 
that. This gives you maximum control - you can even set up your 
firewall so that traffic coming in on an IPSec tunnel is also filtered.


Cheers, Erik



temporary IP addition to firewall rules

2007-02-03 Thread Noah

Hi,

Does anybody have a recommendation for a program out there that would 
allow somebody to enter an account and password on my website, their IP 
address is cached, and the cached IP address is added temporarily to the 
firewall ruleset to be allowed.



cheers,

Noah


