Torsten Kersandt wrote:
Hi,
I personally have all ssh and similar ports closed on my servers.
If I want to connect to the server via ssh or whatever function, I log in to a
hidden PHP page which adds my current IP to an SQL table.
I use SQL because I'm not the only one using this and want to keep track of which
admin is logging in.
A cron job runs every minute, looking in the table and adding the new IP
addresses to the pf include file and reloading PF.
Every night at 4am, I empty the text file and reload pf.
I know that this could be done more elegantly but KISS is what I like.
That script is horribly inefficient and disruptive to your firewall
throughput.
You could save a lot of unnecessary CPU cycles and speed up your
connections a bit by simply replacing the reloads with pfctl
commands that manipulate the table directly.
#!/bin/sh
### MySQL Setup ###
MUSER="username"
MPASS="password"
MHOST="localhost"
MYSQL="/usr/local/bin/mysql"
# Note: -p$MPASS puts the password on the command line, where any local user
# can read it from ps(1); a ~/.my.cnf with mode 0600 avoids that.
#
### Get all new IP addresses (rows less than a minute old) ###
DBS="$("$MYSQL" -u "$MUSER" -h "$MHOST" -p"$MPASS" -Bse \
    'select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)')"
for ip in $DBS
do
    ## this bit is emailed to me over cron run-output if a new IP address was found
    echo "$ip" >> /usr/local/etc/pf/pf.VNCallow
    echo "Added $ip to VNC Access from MYSQL Table"
    # a full ruleset reload for every single address
    /etc/rc.d/pf reload
done
That loop at the end is anything but KISS.
Select the new addresses and add them to the table with something like
pfctl -t VNCallow -T add $DBS
instead of that do loop. For persistence across reboots, select all the
addresses in your SQL table and add them to the pf table when pf starts.
Clear the table with
pfctl -t VNCallow -T flush
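As an added example (not code from either poster), here is what the reply's suggestion looks like as a complete replacement for the posted cron script: one pfctl call per polling run, a flush for the nightly job, and a reload of recent rows at boot, with no ruleset reload anywhere. Everything beyond the two pfctl commands quoted in the reply is my assumption: a pf.conf table declared as `table <VNCallow> persist` and referenced by the VNC pass rule, the intranet.ipCleared(ipAddress, timestamp) schema from the posted script, MySQL credentials in a mode-0600 option file instead of on the command line, and a minimum prefix length (MIN_PREFIX, /24 here) so that a bad database row can never turn into 0.0.0.0/0 or an extra pfctl argument. The pfctl and mysql paths can be overridden (PFCTL=echo) to dry-run it on a machine without pf.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes pf.conf contains
#   table <VNCallow> persist
# and a rule such as "pass in proto tcp from <VNCallow> to any port 5900".
# Credentials live in $MYCNF (mode 0600) instead of on the command line.
TABLE="VNCallow"
PFCTL="${PFCTL:-/sbin/pfctl}"                      # set PFCTL=echo to dry-run
MYSQL="${MYSQL:-/usr/local/bin/mysql}"
MYCNF="${MYCNF:-/usr/local/etc/pf/ipcleared.cnf}"   # assumed path
MIN_PREFIX="${MIN_PREFIX:-24}"                      # assumed policy: nothing wider than /24
set -f                                              # never glob-expand database output

# Accept only a dotted-quad IPv4 address with an optional /nn prefix of at
# least $MIN_PREFIX. Anything else a database row contains is rejected, so a
# bad row cannot become an extra pfctl argument or an open-to-the-world entry.
valid_ipv4() {
    addr="${1%/*}"
    case "$1" in
        */*) prefix="${1##*/}" ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] || return 1
    [ "$prefix" -le 32 ] && [ "$prefix" -ge "$MIN_PREFIX" ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rows newer than $1 seconds; the posted cron job used 60.
fetch_new() {
    case "$1" in ''|*[!0-9]*) echo "fetch_new: bad interval '$1'" >&2; return 1 ;; esac
    "$MYSQL" --defaults-extra-file="$MYCNF" -Bse \
        "SELECT ipAddress FROM intranet.ipCleared WHERE \`timestamp\` > (UNIX_TIMESTAMP() - $1)"
}

# One pfctl invocation for the whole batch; the ruleset and existing states
# are untouched. Invalid entries are logged to stderr and skipped; addresses
# already in the table are simply reported by pfctl as not added.
add_to_table() {
    valid=""
    for ip in $1; do
        if valid_ipv4 "$ip"; then
            valid="$valid $ip"
        else
            echo "refusing bad database entry: '$ip'" >&2
        fi
    done
    [ -n "$valid" ] || return 0
    $PFCTL -t "$TABLE" -T add $valid
}

# Nightly job: empties the table in place, again without a reload.
flush_table() {
    $PFCTL -t "$TABLE" -T flush
}

case "${1:-}" in
    sync)  add_to_table "$(fetch_new 60)" ;;      # cron: * * * * * script sync
    flush) flush_table ;;                         # cron: 0 4 * * * script flush
    boot)  add_to_table "$(fetch_new 86400)" ;;   # at pf start: re-add the last day's rows
esac
```

The `boot` mode re-adds the last 24 hours of rows rather than the whole table, because the 4am flush would have dropped anything older anyway; a stricter variant would select only rows newer than the last flush. Note what this design does not change: whoever can insert a row into intranet.ipCleared can open the port, so the hidden PHP page and the database account it uses are the real authentication gate, and the validation above only limits the damage of a bad row, not of a compromised writer.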
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"