Re: temporary IP addition to firewall rules
- To: Erik Norgaard <norgaard_(_at_)_locolomo_(_dot_)_org>
- Subject: Re: temporary IP addition to firewall rules
- From: Noah <admin2_(_at_)_enabled_(_dot_)_com>
- Date: Sun, 04 Feb 2007 10:16:33 -0800
- Cc: freebsd-questions_(_at_)_freebsd_(_dot_)_org
Erik Norgaard wrote:
>> Does anybody have a recommendation for a program out there that would
>> allow somebody to enter an account and password on my website, their
>> IP address is cached, and the cached IP address is added temporarily
>> to the firewall ruleset to be allowed.
>
> I am not aware of anything that works like that. pfauth may do the job
> for you, but not using a web site. Generally the problem is that web
> pages are stateless, so your firewall won't know when to remove the IP.
>
> You can hack up a solution that does sort of the same:
>
> - let your web page manage accounts; the web server can get the IP of the
>   client registering and hence also the corresponding MAC.

The servers and clients are not on the same LAN segment; capturing the MAC
has nothing to do with this scenario.

> - tell your DHCP server not to expire IP delegations, or make host
>   entries with the registered IP/MAC, but that requires the DHCP server
>   to be restarted at every new client.
> - make a static entry in your ARP table to prevent others from taking
>   over the IP later.
>
> People will only need to authenticate the first time. You can decide to
> expire their accounts and revoke access after a given time with a
> cron-job if you like.
>
> Alternatively, require people to connect with an IPSec tunnel and allow
> only tunneled traffic to be routed. When they register, a set of keys
> is generated for use with that client only. This is really the ideal,
> as you can for example leave an AP open, yet have traffic encrypted.
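One way to do the firewall half of this on FreeBSD with pf, as an added example that is not part of the thread and not pfauth's code: the web login handler calls the script with the client's address, and a cron job expires entries older than a TTL, which covers the "firewall won't know when to remove the IP" problem. The table name `webauth`, the TTL, the script name and the pf.conf lines are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes /etc/pf.conf contains:
#   table <webauth> persist
#   pass in quick from <webauth> to any keep state
# and that the web login handler runs this script with the client's address.
set -eu

TABLE="${TABLE:-webauth}"   # pf table holding authorized client addresses
TTL="${TTL:-3600}"          # seconds an entry lives after it was (re)added

# Accept only a plain dotted-quad IPv4 address. A value taken from a web
# request is untrusted: reject CIDR masks, hostnames and shell metacharacters.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Authorize (or re-authorize) a client. pf timestamps an entry when it is
# added and "-T expire" measures age from that, so re-login deletes and re-adds.
authorize_ip() {
    valid_ipv4 "$1" || { echo "rejected address: $1" >&2; return 1; }
    pfctl -q -t "$TABLE" -T delete "$1" 2>/dev/null || true
    pfctl -q -t "$TABLE" -T add "$1"
}

# Revoke a client now (logout, disabled account) and kill its existing states.
revoke_ip() {
    valid_ipv4 "$1" || { echo "rejected address: $1" >&2; return 1; }
    pfctl -q -t "$TABLE" -T delete "$1"
    pfctl -q -k "$1"
}

# Run from cron (e.g. */5 * * * * /usr/local/sbin/webauth.sh expire):
# removes every entry that has been in the table longer than TTL seconds.
expire_stale() {
    pfctl -q -t "$TABLE" -T expire "$TTL"
}

case "${1:-}" in
    add)    authorize_ip "${2:-}" ;;
    del)    revoke_ip "${2:-}" ;;
    expire) expire_stale ;;
esac
```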