Re: Setting time range and timeout for authpf rules
ropers wrote:
> carlopmart wrote:
> > How can I establish a time range and timeout for an authpf rule? For example, I want to permit access from my Windows servers (after a previous ssh authentication) to the windowsupdate servers from 10:00 am to 13:00, and block this traffic if any connection is established during 10 minutes.
>
> Wade, Daniel wrote:
> > Crontab job to load a different pf.conf
>
> 2008/12/12 carlopmart <carlopm...@gmail.com>:
> > Thanks Daniel, but I had already thought about this option, but there are some problems:
> > a) I need to maintain several pf.conf files for every access
> > b) I can't control timeouts when the servers don't generate traffic ...
>
> About (a): I guess if you're really worried about maintaining two pf.conf files, you could write a script that will edit your one single pf.conf (so that it would comment out/de-comment specific lines; by content, not by line number) and call that script via crontab. It would however be really easy to clobber your pf.conf when doing this, if you're not careful.
>
> About (b): I understand you would prefer to only permit your Windows-based servers to access Microsoft's windowsupdate servers if and only if they will actually try to reach windowsupdate between 10 and 13. I'm no Hansteen, Hartmeier or Henning, but it is my understanding that Pf has no clairvoyance feature. Is it really harmful to allow your servers to access windowsupdate from 10 to 13, whether they actually will do it or not?
>
> Also, from what I understand you want to dynamically change your active ruleset to allow access once traffic starts flowing during that time. What is the difference between that and allowing access during that time anyway? Or what am I missing? Am I horribly misunderstanding you?
>
> A somewhat confused
> --ropers

Many thanks for your answers, ropers.

About question a): OK, if I only need to maintain two pf.conf files, crontab is the perfect solution, as I can open rules dynamically with pfctl, but I have other situations in which I need to open and close rules if traffic doesn't exist ... but if crontab is the only solution at this moment, then I will use it.

About question b): you have understood me perfectly ... and you are right, in this case it doesn't matter. But suppose that instead of Windows servers, they are remote users. I do not like rules that are permanently open in that time slot. How can I close these rules immediately??

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Setting time range and timeout for authpf rules
2008/12/13 carlopmart <carlopm...@gmail.com>:
> ropers wrote:
> > carlopmart wrote:
> > > How can I establish a time range and timeout for an authpf rule? For example, I want to permit access from my Windows servers (after a previous ssh authentication) to the windowsupdate servers from 10:00 am to 13:00, and block this traffic if any connection is established during 10 minutes.
> >
> > Wade, Daniel wrote:
> > > Crontab job to load a different pf.conf
> >
> > 2008/12/12 carlopmart <carlopm...@gmail.com>:
> > > Thanks Daniel, but I had already thought about this option, but there are some problems:
> > > a) I need to maintain several pf.conf files for every access
> > > b) I can't control timeouts when the servers don't generate traffic ...
> >
> > About (a): I guess if you're really worried about maintaining two pf.conf files, you could write a script that will edit your one single pf.conf (so that it would comment out/de-comment specific lines; by content, not by line number) and call that script via crontab. It would however be really easy to clobber your pf.conf when doing this, if you're not careful.
> >
> > About (b): I understand you would prefer to only permit your Windows-based servers to access Microsoft's windowsupdate servers if and only if they will actually try to reach windowsupdate between 10 and 13. I'm no Hansteen, Hartmeier or Henning, but it is my understanding that Pf has no clairvoyance feature. Is it really harmful to allow your servers to access windowsupdate from 10 to 13, whether they actually will do it or not?
> >
> > Also, from what I understand you want to dynamically change your active ruleset to allow access once traffic starts flowing during that time. What is the difference between that and allowing access during that time anyway? Or what am I missing? Am I horribly misunderstanding you?
> >
> > A somewhat confused
> > --ropers
>
> Many thanks for your answers, ropers.
>
> About question a): OK, if I only need to maintain two pf.conf files, crontab is the perfect solution, as I can open rules dynamically with pfctl, but I have other situations in which I need to open and close rules if traffic doesn't exist ... but if crontab is the only solution at this moment, then I will use it.
>
> About question b): you have understood me perfectly ... and you are right, in this case it doesn't matter. But suppose that instead of Windows servers, they are remote users. I do not like rules that are permanently open in that time slot. How can I close these rules immediately??

Hm, have you looked at authpf?
http://www.openbsd.org/cgi-bin/man.cgi?query=authpf

regards,
--ropers
Re: Setting time range and timeout for authpf rules
On 2008-12-13, ropers <rop...@gmail.com> wrote:
> About (a): I guess if you're really worried about maintaining two pf.conf files, you could write a script that will edit your one single pf.conf (so that it would comment out/de-comment specific lines; by content, not by line number) and call that script via crontab. It would however be really easy to clobber your pf.conf when doing this, if you're not careful.

It's safer to use and redefine macros:

    $ cat a
    foo=#
    bar=
    $foo pass to 1.1.1.1
    $bar pass to 2.2.2.2
    $ pfctl -nvf a
    foo = #
    bar =
    pass inet from any to 2.2.2.2 flags S/SA keep state
    $ pfctl -nvf a -D bar=# -D foo=
    foo = #
    bar =
    pass inet from any to 1.1.1.1 flags S/SA keep state
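The macro trick above, driven from cron so that a rule is live only inside a time window, as an added example that is not code from the post or from OpenBSD. The macro name `wu`, the pf.conf fragment in the header comment, the hosts, the script path and the cron lines are all assumptions made for this example; `pfctl -D` overriding the file's own macro definition is documented pfctl(8) behaviour, which is why the file can always carry the closed value.

```shell
#!/bin/sh
# pf-window.sh: added example, not from the thread. Reloads pf.conf with the
# "wu" macro redefined from cron so one rule is live only inside a time window.
# Assumed pf.conf fragment (all names made up for this example):
#
#     wu = "#"                          # default in the file: rule commented out
#     winservers = "{ 192.0.2.10 192.0.2.11 }"
#     table <windowsupdate> persist     # filled out of band with the update hosts
#     $wu pass out proto tcp from $winservers to <windowsupdate> port { 80 443 }
#
# "pfctl -D" overrides the definition in the file, so the file is fail-safe
# (closed) and only this script, run from cron, ever opens the window.
PF_CONF=${PF_CONF:-/etc/pf.conf}
OPEN_HOUR=${OPEN_HOUR:-10}      # first hour the rule is live
CLOSE_HOUR=${CLOSE_HOUR:-13}    # first hour it is closed again

# window_open HOUR: true when OPEN_HOUR <= HOUR < CLOSE_HOUR
window_open() {
    [ "$1" -ge "$OPEN_HOUR" ] && [ "$1" -lt "$CLOSE_HOUR" ]
}

# macro_value HOUR: the macro=value argument for pfctl -D.
# An empty value leaves the rule in place; "#" turns the line into a comment.
macro_value() {
    if window_open "$1"; then
        echo 'wu='
    else
        echo 'wu=#'
    fi
}

# apply_window: parse-check, then load the ruleset for the current hour.
apply_window() {
    hour=$(date +%H)
    hour=${hour#0}              # "08" -> "8": no leading zero for test(1)
    m=$(macro_value "$hour")
    if ! pfctl -n -D "$m" -f "$PF_CONF" >/dev/null 2>&1; then
        logger -t pf-window "$PF_CONF does not parse, ruleset left unchanged"
        return 1
    fi
    pfctl -D "$m" -f "$PF_CONF" && logger -t pf-window "loaded with $m"
}

# Run from cron at both window edges and at boot, e.g.:
#   0 10 * * * /usr/local/sbin/pf-window.sh --run
#   0 13 * * * /usr/local/sbin/pf-window.sh --run
#   @reboot    /usr/local/sbin/pf-window.sh --run
if [ "${1:-}" = "--run" ]; then
    apply_window
fi
```

Computing the macro from the clock rather than hard-coding "open" in the 10:00 job and "closed" in the 13:00 job means a reboot or a manual `pfctl -f /etc/pf.conf` during the window still ends up in the right state on the next run. One caveat that matters for the timeout half of the original question: replacing the ruleset does not touch existing states, so a connection that was already open at 13:00 keeps passing until its state expires; `pfctl -k <host>` kills the states originating from a given source host if you want the cut to be immediate.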
Re: Setting time range and timeout for authpf rules
On Sun, Dec 14, 2008 at 01:39:50AM +0100, carlopmart wrote:
> Yes, I see it, but can I define timeouts for an authpf rule?? authpf is a perfect solution for my environment, only if I can assign timeouts ...

Cron hacks (pkill authpf and a switch of configs, or somesuch that suits your environment). It shouldn't be a very big patch for authpf itself to do it, though. Enforcing a maximum length for the session would be almost a necessity in a WLAN-like environment anyway (it prevents sloppy student A from logging in on her girlfriend's laptop in the morning, forgetting to log out and her then using it all day).

-- 
Jussi Peltola
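The "pkill authpf from cron" idea, worked into a script that only ends the sessions that have exceeded a maximum length, as an added example that is not code from the thread or from authpf itself. It assumes what authpf(8) does on this box, and you should check your own /var/authpf before relying on it: one file per live session under /var/authpf, named after the client's IP address, whose first line is the authpf pid and second line the user name, written when the session starts (so the file's mtime is the login time); and that authpf removes the user's rules and exits when it receives SIGTERM. The directory, the 180-minute limit, the script path and the log tag are assumptions.

```shell
#!/bin/sh
# authpf-reaper.sh: added example, not from the thread or from authpf(8).
# Ends authpf sessions that have run longer than MAX_MINUTES.
# Assumptions (verify against your own system):
#   - authpf keeps one file per live session in /var/authpf, named after
#     the client IP, first line = authpf pid, second line = user name,
#     created when the session starts (so its mtime is the login time);
#   - authpf removes the user's rules and exits on SIGTERM;
#   - ps(1) supports "-p PID -o command=".
AUTHPF_DIR=${AUTHPF_DIR:-/var/authpf}
MAX_MINUTES=${MAX_MINUTES:-180}

# expired_sessions DIR MINUTES: print "ip pid user" for every session file
# older than MINUTES, sorted by ip. Files without a numeric pid are skipped.
expired_sessions() {
    dir=$1; minutes=$2
    find "$dir" -type f -mmin +"$minutes" 2>/dev/null | while read -r f; do
        pid=$(sed -n 1p "$f")
        user=$(sed -n 2p "$f")
        case $pid in
            ''|*[!0-9]*) continue ;;
        esac
        printf '%s %s %s\n' "$(basename "$f")" "$pid" "$user"
    done | sort
}

# kill_authpf PID IP USER: SIGTERM the session's authpf, but only if that pid
# still belongs to an authpf process (as a login shell it shows up as
# "-authpf"), so a recycled pid from a long-dead session is never signalled.
kill_authpf() {
    pid=$1; ip=$2; user=$3
    case "$(ps -p "$pid" -o command= 2>/dev/null)" in
        *authpf*)
            logger -t authpf-reaper "ending session $user@$ip (pid $pid): over $MAX_MINUTES min"
            kill -TERM "$pid" ;;
        *)
            logger -t authpf-reaper "stale file for $user@$ip: pid $pid is not authpf" ;;
    esac
}

# reap_sessions DIR MINUTES [ACTION]: run ACTION (default kill_authpf) as
# "ACTION pid ip user" for each expired session.
reap_sessions() {
    dir=$1; minutes=$2; action=${3:-kill_authpf}
    expired_sessions "$dir" "$minutes" | while read -r ip pid user; do
        "$action" "$pid" "$ip" "$user"
    done
}

# Run every few minutes from root's crontab, e.g.:
#   */5 * * * * /usr/local/sbin/authpf-reaper.sh --run
if [ "${1:-}" = "--run" ]; then
    reap_sessions "$AUTHPF_DIR" "$MAX_MINUTES"
fi
```

This caps total session length, which is the WLAN case described above; it does not detect an idle session. For the "no traffic for 10 minutes" half of the original question you would additionally compare, between cron runs, the byte counters of the rules authpf loaded for the session (`pfctl -a "authpf/$user($pid)" -vsr`) and feed sessions whose counters stopped moving to the same `kill_authpf`.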
Re: Setting time range and timeout for authpf rules
carlopmart wrote:
> Hi all,
>
> How can I establish a time range and timeout for an authpf rule? For example, I want to permit access from my Windows servers (after a previous ssh authentication) to the windowsupdate servers from 10:00 am to 13:00, and block this traffic if any connection is established during 10 minutes.
>
> Many thanks.

Please, any hints?

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Setting time range and timeout for authpf rules
Thanks Daniel, but I had already thought about this option, but there are some problems:

a) I need to maintain several pf.conf files for every access
b) I can't control timeouts when the servers don't generate traffic ...

Wade, Daniel wrote:
> Crontab job to load a different pf.conf
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of carlopmart
> Sent: Friday, December 12, 2008 1:30 PM
> To: openbsd misc
> Subject: Re: Setting time range and timeout for authpf rules
>
> carlopmart wrote:
> > Hi all,
> >
> > How can I establish a time range and timeout for an authpf rule? For example, I want to permit access from my Windows servers (after a previous ssh authentication) to the windowsupdate servers from 10:00 am to 13:00, and block this traffic if any connection is established during 10 minutes.
> >
> > Many thanks.
>
> Please, any hints?
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Setting time range and timeout for authpf rules
carlopmart wrote:
> How can I establish a time range and timeout for an authpf rule? For example, I want to permit access from my Windows servers (after a previous ssh authentication) to the windowsupdate servers from 10:00 am to 13:00, and block this traffic if any connection is established during 10 minutes.

Wade, Daniel wrote:
> Crontab job to load a different pf.conf

2008/12/12 carlopmart <carlopm...@gmail.com>:
> Thanks Daniel, but I had already thought about this option, but there are some problems:
> a) I need to maintain several pf.conf files for every access
> b) I can't control timeouts when the servers don't generate traffic ...

About (a): I guess if you're really worried about maintaining two pf.conf files, you could write a script that will edit your one single pf.conf (so that it would comment out/de-comment specific lines; by content, not by line number) and call that script via crontab. It would however be really easy to clobber your pf.conf when doing this, if you're not careful.

About (b): I understand you would prefer to only permit your Windows-based servers to access Microsoft's windowsupdate servers if and only if they will actually try to reach windowsupdate between 10 and 13. I'm no Hansteen, Hartmeier or Henning, but it is my understanding that Pf has no clairvoyance feature. Is it really harmful to allow your servers to access windowsupdate from 10 to 13, whether they actually will do it or not?

Also, from what I understand you want to dynamically change your active ruleset to allow access once traffic starts flowing during that time. What is the difference between that and allowing access during that time anyway? Or what am I missing? Am I horribly misunderstanding you?

A somewhat confused
--ropers
Setting time range and timeout for authpf rules
Hi all,

How can I establish a time range and timeout for an authpf rule? For example, I want to permit access from my Windows servers (after a previous ssh authentication) to the windowsupdate servers from 10:00 am to 13:00, and block this traffic if any connection is established during 10 minutes.

Many thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com