On 16 feb 2010, at 17.17, Eugene Yunak wrote:

> 2010/2/16 Per-Olov Sjvholm <p...@incedo.org>:
>> Hi "misc"
>>
>> I am looking for a tool to use as a trigger for dynamically opening PF ports
>> from certain IPs.
>>
>> I will access non-critical info but want at least a port knocker as
>> security.
>>
>> If I access an IP on my DMZ that is not in use, on a port that is fake, I
>> want to dynamically add a PF rule for a totally different purpose. Let's say I
>> access http://1.2.3.4:45321 which is blocked and logged in PF, what is the
>> easiest way to create a trigger from the PF log or the PF log device?
>>
>> A cron job with grep in the PF log and then running pfctl to add the rule is
>> from many points of view a bad choice... I don't want to dig through the PF
>> log as it can be huge, and I don't want to use a cron job as it takes too long..
>>
>> Any suggestions appreciated.
>>
>>
>> Thanks in advance
>> /Per-Olov
>>
>
> As many people have already suggested to you in this thread, you are
> doing it wrong. But if you _really_ want to do it that way, then
> probably you can simplify your configuration a bit.
>
> You can use "log (to pflog10)" to have a separate pflog device with
> only log entries about port-knocking attempts. Then you can have a
> small shellscript reading from tcpdump pflog10 in a cycle and adding
> IP addresses to a table of hosts with permitted access to your rss
> feed. This is much simpler and quicker than a cron job with full pflog
> parser.
>
> I would strongly encourage you to use per-user http authentication
> instead. Most rss readers I encountered actually _do_ support it, as
> they are all based on standard libraries, so you can just give them
> http://user:p...@host/path/file.rss url if they don't have a separate
> "authentication" field.
>
> --
> The best the little guy can do is what
> the little guy does right


Hi Eugene

Thanks.  As this is a test shoot only, I will go for something home-made in C
to feed a table for now. And I _really_ want to do it this way as it's a test.
A future production environment could maybe be totally different, who
knows.... I have done security analysis since the early '90s and asked a simple
question to this forum. When people do not know, they just mess up the
thread with garbage. If only more people were like you, Eugene. That is, point
out your opinion AND a way to do it. Not just the first. The opinion can be
right, but also wrong, as everything must be set in its correct context. Also,
a security tradeoff can be rated differently by different people.

Amazing that so many people in this forum cannot read and therefore answer B
when I ask for A.


/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
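The pflog10 watcher Eugene describes above (a dedicated pflog device, tcpdump read in a loop, source addresses added to a PF table), written out as an added example that is not code from either participant in the thread. It assumes a hypothetical pf.conf with a table named <knocked>, a knock rule that logs to pflog10, and the tcpdump pflog line format used on OpenBSD; the sample log line embedded in the script is constructed, and the knock port 45321 is the one from the original question.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed pf.conf fragment (hypothetical
# macro names $ext_if and $dmz_host); pflog10 must exist (ifconfig pflog10 create):
#   table <knocked> persist
#   block in log (to pflog10) on $ext_if proto tcp to $dmz_host port 45321
#   pass in on $ext_if proto tcp from <knocked> to $dmz_host port 80

KNOCK_IF=${KNOCK_IF:-pflog10}        # pflog device carrying only knock attempts
KNOCK_TABLE=${KNOCK_TABLE:-knocked}  # PF table the pass rule reads from
KNOCK_TTL=${KNOCK_TTL:-3600}         # seconds before an admitted address expires

# Constructed sample of one tcpdump line read off a pflog interface.
SAMPLE_KNOCK_LINE='rule 3/(match) block in on em0: 10.0.0.5.51234 > 1.2.3.4.45321: S 1:1(0) win 65535'

# Extract the source IPv4 address (without its port) from one pflog tcpdump line.
# Prints nothing for lines that do not match, so callers can test for emptiness.
pflog_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.* on [^:]*: \([0-9.]*\)\.[0-9]* > .*/\1/p'
}

# Accept only a well-formed dotted quad. This string ends up on a pfctl command
# line, so tcpdump's text is never passed through unchecked. Runs in a subshell
# so the IFS change and positional-parameter reset do not leak out.
valid_ipv4() {
    (
        set -f; IFS=.; set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            case $octet in ''|*[!0-9]*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
        exit 0
    )
}

# One knock -> one table entry. Re-adding an address already present is harmless.
admit() {
    valid_ipv4 "$1" || { echo "ignoring malformed address: $1" >&2; return 1; }
    pfctl -t "$KNOCK_TABLE" -T add "$1"
}

# Main loop: line-buffered tcpdump on the dedicated pflog device, so the script
# only ever sees knock attempts and never has to scan the general pflog.
watch_knocks() {
    tcpdump -n -l -i "$KNOCK_IF" 2>/dev/null | while read -r line; do
        ip=$(pflog_src_ip "$line")
        [ -n "$ip" ] && admit "$ip"
        # Age out old entries so a single knock is not a permanent key.
        pfctl -t "$KNOCK_TABLE" -T expire "$KNOCK_TTL" >/dev/null 2>&1
    done
}

# Start the loop only when invoked as "knockwatch.sh run"; otherwise the file
# just defines the functions above.
if [ "${1:-}" = "run" ]; then
    watch_knocks
fi
```

Two details carry the security weight here rather than the loop itself: the address is validated before it reaches pfctl, and entries are expired with `pfctl -T expire` so that anyone who ever sent one packet to the fake port does not keep access indefinitely. Since a single unauthenticated SYN is enough to be admitted, this remains the weak "at least a port knocker" control the original poster asked for, which is why Eugene's per-user HTTP authentication suggestion is the stronger option.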
