>-------- Original message --------
>From: Florian Piekert [email protected]
>Subject: Re: [Shorewall-users] open port from script
>To: Shorewall Users <[email protected]>
>Sent: Friday, 19 October 2012 08:59:57 EEST
>
> On 19.10.2012 05:57, Hristo Benev wrote:
>
> Good morning,
>
> How about
>
> Step 1.
> You do ssh on your server from the client box with a non-privileged account
> into a specifically created home dir for that user.
>
> Step 2a.
> You detect this successful login in the system logs by tailing the log and
> evaluating the login attempts. Then you have the IP; you write this into a
> specific file.
> or Step 2b.
> You don't ssh from the client box, but you scp (secure copy over ssh) a file
> you created on the client box that contains the new IP.
>
> Step 3.
> You have a cron job running that looks for (via a Makefile, e.g.) modifications
> to the IP file and upon modification executes the make command. In the
> Makefile you have the commands that take your rules "basefile" (containing all
> the rules you have in place anyway), combine it with the IP file's contents,
> append it to the shorewall rules file and after completion issue the
> shorewall restart command.
>
> The benefits of this approach over your original idea are
>
> a) you don't use a privileged account on either machine to transfer the IP
> information and you don't open a hole even if the client box is compromised
> b) you can automate it quite nicely and even if you modify your own ruleset,
> it will "always" be incorporated
>
> Does it help or does it look too complicated even after the third reading? ;-)
>
> > Hi,
> >
> > I have the following situation. I have a client box that is behind a dynamic IP.
> > And I would like to open a specific port only for that client IP.
> > Every time the IP changes I have to reconfigure the firewall (Shorewall) and the
> > server application.
> >
> > Is there a way to open a port from a script?
> > My initial idea is to detect the change of IP on the client side, ssh to the
> > server and execute a script to close the old IP and open for the new one.
> > I can do a replace on the IP in /etc/shorewall/rules and reload shorewall. Is
> > there a more elegant way of doing it?
> >
> > Any suggestions?
> >
> > Thanks
> >
> > ------------------------------------------------------------------------------
> > Everyone hates slow websites. So do we.
> > Make your web apps faster with AppDynamics
> > Download AppDynamics Lite for free today:
> > http://p.sf.net/sfu/appdyn_sfd2d_oct
> > _______________________________________________
> > Shorewall-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
> --
> Florian Piekert, PMP [email protected]
> ===========================================================================
> Note: this message was sent by me *only* if the eMail message contains a
> correct pgp signature corresponding to my address at [email protected]. Do
> you need my PGP public key? Check out http://www.floppy.org or send me an
> email with the subject "send pgp public key" to this address of mine. Thx!

Thank you for the advice... It is not complicated ;) And actually that was one
of my initial variants.

As for security concerns: the remote system is well secured (actually it is
sort of an appliance). I can use the sudoers file and allow the user to execute
a script that has the changes hardcoded; just the IP will be variable (or it can
even be detected via the SSH_CLIENT variable). And in newer SSH implementations
the user can be chrooted :)

Adding a daemon that periodically checks adds additional delay... I was thinking
of adding a web server that is pinged and executes a script, but found that SSH
would be a more secure implementation.
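As an added example, not code from this thread and not part of Shorewall: a small POSIX sh script that implements the sudoers-plus-SSH_CLIENT variant described in the reply above, combined with Florian's "basefile plus one dynamic line" idea. It reads the peer address that sshd recorded in SSH_CLIENT, refuses anything that is not a plain IPv4 address (the value ends up inside a firewall rule, so this check is the whole security argument), rebuilds the rules file from a static base file plus one ACCEPT line, and only then restarts Shorewall. The file names (/etc/shorewall/rules.base, /etc/shorewall/rules), the port 2222, the account name dynclient, the script path and the sudoers and authorized_keys lines in the comments are all assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not from Shorewall): the one command a
# non-privileged SSH account may run as root. It validates the address sshd
# put in SSH_CLIENT, regenerates the rules file from a base file plus one
# ACCEPT line, and restarts Shorewall.
#
# Assumed wiring (hypothetical, not from the original posts):
#   ~dynclient/.ssh/authorized_keys:
#     restrict,command="sudo /usr/local/sbin/update-client-rule apply" ssh-ed25519 AAAA...
#   /etc/sudoers.d/dynclient:
#     Defaults!/usr/local/sbin/update-client-rule env_keep += SSH_CLIENT
#     dynclient ALL=(root) NOPASSWD: /usr/local/sbin/update-client-rule apply
# The forced command matters: sudo only sees SSH_CLIENT because env_keep
# passes it through, and the account must have no other way to set it.

BASE_RULES="${BASE_RULES:-/etc/shorewall/rules.base}"   # static rules (assumed path)
RULES_OUT="${RULES_OUT:-/etc/shorewall/rules}"          # file Shorewall reads
OPEN_PORT="${OPEN_PORT:-2222}"                          # service port (assumed)

# SSH_CLIENT is "clientip clientport serverport"; the first field is the peer.
client_ip_from_env() {
    printf '%s\n' "${1%% *}"
}

# Accept only a plain IPv4 dotted quad with octets 0-255. Hostnames, CIDR
# masks, IPv6 and anything with shell metacharacters are rejected, because the
# value is interpolated into a firewall rule. (IPv6 is deliberately out of
# scope: Shorewall6 keeps a separate rules file.)
is_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write base rules plus the dynamic line to a temp file in the same directory
# and rename it into place, so Shorewall never compiles a half-written file.
# Returns 1 and writes nothing if the address or port is not acceptable.
render_rules() {
    base=$1; out=$2; ip=$3; port=$4
    is_ipv4 "$ip" || { echo "refusing to use '$ip' as a source address" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port '$port'" >&2; return 1 ;; esac
    [ -r "$base" ] || { echo "cannot read $base" >&2; return 1; }
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    {
        cat "$base"
        echo "# dynamic client rule, regenerated $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "ACCEPT net:$ip \$FW tcp $port"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"
    mv -f "$tmp" "$out"
}

main() {
    ip=$(client_ip_from_env "${SSH_CLIENT:-}")
    if [ -z "$ip" ]; then
        echo "SSH_CLIENT is not set; run this from an SSH session" >&2
        exit 1
    fi
    render_rules "$BASE_RULES" "$RULES_OUT" "$ip" "$OPEN_PORT" || exit 1
    # Compile first so a bad rules file cannot take the firewall down, then
    # restart as suggested in the thread.
    shorewall check && shorewall restart
}

# Only touch the firewall when explicitly asked ("apply"); otherwise the file
# just defines the functions so they can be sourced and exercised.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Two caveats a practitioner should keep in mind. First, sudo resets the environment by default, so without an env_keep entry SSH_CLIENT never reaches the script; with that entry, whoever can run an arbitrary command as the account can also set SSH_CLIENT, which is why the authorized_keys forced command (and no password or second key on the account) is part of the design rather than an optional extra. Second, even if the client box is fully compromised, the worst this account can do is choose which single IPv4 address gets port 2222: the address is validated, the port and action are hardcoded, and every other rule comes from the base file that the account cannot write.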
