It would be a bad idea to allow arbitrary commands to be executed.  That
opens up a whole slew of possible breakages and security issues.  I don't
mind there being options to add specifically to IPFW or PF (as long as PF
is the default), and I don't mind there being an option to be able to
specify the IPFW rule when in IPFW mode.  But we should not get too fancy.

I'm running the PF version on most of the production blades and my home
machines now.  It's a pretty good test because they usually accumulate
~20-30 different IPs a day or more.  kronos has already locked out 9.

-Matt

On Tue, Jan 20, 2015 at 6:52 AM, bycn82 <[email protected]> wrote:

> I recommend using this feature in ipfw because deleting IPs via
> crontab does not sound good to me.
>
> Regards,
> Bill Yuan
>
> On 19 January 2015 at 17:51, Michael Neumann <[email protected]> wrote:
>
>>
>>
>> Am 18.01.2015 um 12:31 schrieb bycn82:
>>
>>> Hi,
>>>
>>> I just implemented a feature which can work nicely with your
>>> sshlockout.
>>> You can manually insert a state as below and the state will be maintained
>>> by ipfw itself.
>>>
>>>     ipfw state add rulenum 100 udp 192.168.1.1:0 8.8.8.8:53 expiry +600
>>>
>>> so you don't need to implement the logic to maintain the IP addresses or
>>> configure any crontab to remove them.
>>>
>>
>> Cool!
>>
>> I think I will extend sshlockout so that it runs arbitrary commands.
>>
>> At the moment you run:
>>
>>     sshlockout lockout
>>
>> which would then be equal to:
>>
>>     sshlockout "pfctl -tlockout -Tadd %s"
>>
>> So it will work with ipfw:
>>
>>     sshlockout "ipfw state add rulenum 100 udp 192.168.1.1:0 %s:53
>> expiry +600"
>>
>> What do you think?
>>
>> Regards,
>>
>>   Michael
>>
>>
>>
>>> Different states can have different expiry or "life time".
>>>
>>> Any comment?
>>>
>>> Regards,
>>> Bill Yuan
>>>
>>> On 14 January 2015 at 02:25, Michael Neumann
>>> <[email protected]> wrote:
>>>
>>>
>>>     commit ed17c1722f7702eb6422f73152c0091819a1900f
>>>     Author: Michael Neumann <[email protected]>
>>>     Date:   Tue Jan 13 13:04:29 2015 +0100
>>>
>>>          sshlockout - use a PF table instead of IPFW
>>>
>>>     Summary of changes:
>>>       usr.sbin/sshlockout/sshlockout.8 | 27 +++++++++++-------
>>>       usr.sbin/sshlockout/sshlockout.c | 59 +++++++++++++++++++++++++++-------------
>>>       2 files changed, 57 insertions(+), 29 deletions(-)
>>>
>>>     http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/ed17c1722f7702eb6422f73152c0091819a1900f
>>>
>>>
>>>     --
>>>     DragonFly BSD source repository
>>>
>>>
>>>
>
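The command-template idea Michael floats above, and the reason Matt objects to running arbitrary commands, in a shape that validates the address and never touches a shell. This is an added example, not sshlockout's code from the DragonFly tree; struct lockout_cmd, its 512-byte buffer and the build_argv()/valid_ip() names are assumptions made for the illustration.

```c
/* Added example, not sshlockout's own code: expand a lockout command template
 * such as "pfctl -tlockout -Tadd %s" into an argv[] for execvp(). The address
 * is validated with inet_pton() and no shell is involved along the way. */
#include <arpa/inet.h>
#include <string.h>

struct lockout_cmd {
    char  buf[512];   /* expanded template; argv[] points into it */
    char *argv[32];   /* NULL-terminated, ready for execvp(argv[0], argv) */
    int   argc;
};

/* 1 if s is a syntactically valid IPv4 or IPv6 address, else 0. */
int valid_ip(const char *s)
{
    unsigned char a[16];
    return inet_pton(AF_INET, s, a) == 1 || inet_pton(AF_INET6, s, a) == 1;
}

/* Fill c from tmpl, replacing every "%s" (also inside a word, e.g. "%s:53")
 * with ip, then split on blanks. Returns argc, or -1 when ip is not an
 * address, the template is empty, or buf/argv would overflow. */
int build_argv(const char *tmpl, const char *ip, struct lockout_cmd *c)
{
    size_t len = 0, maxargs = sizeof c->argv / sizeof c->argv[0];
    if (!valid_ip(ip))
        return -1;
    for (const char *t = tmpl; *t != '\0'; ) {
        int ph = (t[0] == '%' && t[1] == 's');   /* at a "%s" placeholder? */
        const char *piece = ph ? ip : t;
        size_t n = ph ? strlen(ip) : 1;
        if (len + n >= sizeof c->buf)
            return -1;
        memcpy(c->buf + len, piece, n);
        len += n;
        t += ph ? 2 : 1;
    }
    c->buf[len] = '\0';
    c->argc = 0;
    for (char *w = strtok(c->buf, " \t"); w != NULL; w = strtok(NULL, " \t")) {
        if ((size_t)c->argc + 1 >= maxargs)
            return -1;
        c->argv[c->argc++] = w;
    }
    c->argv[c->argc] = NULL;
    return c->argc > 0 ? c->argc : -1;
}
```

Because the substituted value must parse as an address, anything else scraped from a log line (extra words, shell metacharacters) is rejected before a command is ever built.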
