git: sshlockout - use a PF table instead of IPFW

Matthew Dillon dillon at backplane.com
Tue Jan 20 23:23:25 PST 2015


It would be a bad idea to allow arbitrary commands to be executed.  That
opens up a whole slew of possible breakages and security issues.  I don't
mind there being options to add specifically to IPFW or PF (as long as PF
is the default), and I don't mind there being an option to be able to
specify the IPFW rule when in IPFW mode.  But we should not get too fancy.

I'm running the PF version on most of the production blades and my home
machines now.  It's a pretty good test because they usually accumulate
~20-30 different IPs a day or more.  kronos has already locked out 9.

-Matt

On Tue, Jan 20, 2015 at 6:52 AM, bycn82 <bycn82 at gmail.com> wrote:

> ​*I recommend to use this feature in ipfw is because delete ip using
> crontab sounds not good for me.*​
>
> *Regards,*
> *Bill Yuan*
>
> On 19 January 2015 at 17:51, Michael Neumann <mneumann at ntecs.de> wrote:
>
>>
>>
>> Am 18.01.2015 um 12:31 schrieb bycn82:
>>
>>> /Hi,/
>>> /
>>> /
>>> /I just implemented a feature which can work nicely with your
>>> sshlockout. /
>>> /You can manually insert a state as below and the state will be maintain
>>> by ipfw itself./
>>> /
>>> /
>>> /ipfw state add rulenum 100 udp 192.168.1.1:0 <http://192.168.1.1:0>
>>> 8.8.8.8:53 <http://8.8.8.8:53> expiry +600/
>>> /
>>> /
>>> /so you dont need to implement the logic to maintain the IP addresses or
>>> configure any crontab to remove../
>>>
>>
>> Cool!
>>
>> I think I will extend sshlockout so that it runs arbitrary commands.
>>
>> At the moment you run:
>>
>>     sshlockout lockout
>>
>> which would then be equal to:
>>
>>     sshlockout "pfctl -tlockout -Tadd %s"
>>
>> So it will works with ipfw:
>>
>>     sshlockout "ipfw state add rulenum 100 udp 192.168.1.1:0 %s:53
>> expiry +600"
>>
>> What do you think?
>>
>> Regards,
>>
>>   Michael
>>
>>
>>  /
>>> /
>>> /different state can have different expiry or "life time"./
>>> /
>>> /
>>> /any comment?/
>>> /
>>> /
>>>
>>> /Regards,/
>>> /Bill Yuan/
>>>
>>> On 14 January 2015 at 02:25, Michael Neumann
>>> <mneumann at crater.dragonflybsd.org
>>> <mailto:mneumann at crater.dragonflybsd.org>> wrote:
>>>
>>>
>>>     commit ed17c1722f7702eb6422f73152c0091819a1900f
>>>     Author: Michael Neumann <mneumann at ntecs.de <mailto:mneumann at ntecs.de
>>> >>
>>>     Date:   Tue Jan 13 13:04:29 2015 +0100
>>>
>>>          sshlockout - use a PF table instead of IPFW
>>>
>>>     Summary of changes:
>>>       usr.sbin/sshlockout/sshlockout.8 | 27 +++++++++++-------
>>>       usr.sbin/sshlockout/sshlockout.c | 59
>>>     +++++++++++++++++++++++++++-------------
>>>       2 files changed, 57 insertions(+), 29 deletions(-)
>>>
>>>     http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/
>>> ed17c1722f7702eb6422f73152c0091819a1900f
>>>
>>>
>>>     --
>>>     DragonFly BSD source repository
>>>
>>>
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dragonflybsd.org/pipermail/users/attachments/20150120/c5076860/attachment-0002.html>


More information about the Users mailing list