Security Basics mailing list archives
How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall?
From: "Albert T" <albert.t680333 () gmail com>
Date: Mon, 19 Nov 2007 14:09:41 -0800
Hello. I'm in the process of setting up my own network for my small office. I've set up a small/lightweight FreeBSD-based firewall at the "edge" of my network. It's running the PF firewall. I've got that working well for simple usage. I understand how to set up OpenVPN passthrough from a remote client that has a VPN client; but, that requires the remote user to (a) have the OpenVPN client, and/or (b) have "shell" access. I'd like to do something a bit different -- client-less and browser-only -- but I'm simply not sure how best to go about it.

Here's a description of what I'm shooting for. I've installed the Lighttpd web server on the firewall. I'd like to have Lighttpd listen on, and serve up a page/form at, one of my several IP addresses. That form should be an "S/KEY" / "OPIE" authentication form. A user would navigate to that URL, enter OTP credentials (from an OTP calculator, currently a J2ME). If the credentials are VERIFIED, then I'd like to "talk to" the PF firewall, and have it open port 80 access at a different IP address to ONLY the authenticating IP address, and for a limited time (say, 1 hour). If the credentials are NOT VERIFIED, and there are for example 3 failed attempts within 15 minutes, then PF would be told to BLOCK IP access from that IP for a given amount of time (say 24 hours).

Like I said, I'm not sure how to best go about this. Getting to this point was not the easiest thing in the world, but reading and patience paid off. But doing *this* -- I'm not having much luck even figuring out how to narrow down my searching. I'd guess that some sort of PHP or CGI script on the Lighttpd page/site would need to have that "listen and control" logic. Is this a good way to go about this? Can anyone point me in the direction of an EXISTING OpenSource solution somewhere?

Thanks a bunch,
Albert
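One way to build the "listen and control" half Albert describes, as an added example that is not code from the thread: a small Python module the Lighttpd CGI handler calls once the OPIE check has produced a verdict. It adds the client address to a PF table for one hour on success and, after three failures within fifteen minutes, moves it to a block table for 24 hours; the table names, the pf.conf rules quoted in the docstring and the `sudo`-style root access for pfctl are assumptions, and the OPIE verification itself is left to the caller.

```python
"""PF side of the OTP web form (added example, not from the thread). Assumed pf.conf:
  table <otp_allowed> persist; table <otp_blocked> persist; block in quick on $ext_if from <otp_blocked>
  pass in on $ext_if proto tcp from <otp_allowed> to $protected_ip port 80"""
import subprocess
import time
from collections import defaultdict, deque

ALLOW_TABLE, BLOCK_TABLE = "otp_allowed", "otp_blocked"   # assumed table names
ALLOW_SECONDS = 60 * 60                    # open port 80 for 1 hour
BLOCK_SECONDS = 24 * 60 * 60               # block the source for 24 hours
MAX_FAILURES, FAILURE_WINDOW = 3, 15 * 60  # 3 failures in 15 minutes -> block

def pfctl(args):                           # real runner; the CGI needs root for pfctl
    subprocess.run(["pfctl", *args], check=True)

class OtpGate:
    def __init__(self, run=pfctl, now=time.time):
        self.run, self.now = run, now        # injectable, so tests need no PF
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.expiry = {}                     # (table, ip) -> unix time to remove

    def on_attempt(self, ip, verified):
        """Call after the OPIE check; returns 'allowed', 'denied' or 'blocked'."""
        self.expire()
        if (BLOCK_TABLE, ip) in self.expiry:
            return "blocked"                 # a blocked source gets no second chance
        if verified:
            self.failures.pop(ip, None)
            self._add(ALLOW_TABLE, ip, ALLOW_SECONDS)
            return "allowed"
        t, recent = self.now(), self.failures[ip]
        recent.append(t)
        while recent and recent[0] < t - FAILURE_WINDOW:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            recent.clear()
            self._delete(ALLOW_TABLE, ip)    # revoke any session it still had open
            self._add(BLOCK_TABLE, ip, BLOCK_SECONDS)
            return "blocked"
        return "denied"

    def _add(self, table, ip, ttl):
        self.run(["-t", table, "-T", "add", ip])
        self.expiry[(table, ip)] = self.now() + ttl

    def _delete(self, table, ip):
        if self.expiry.pop((table, ip), None) is not None:
            self.run(["-t", table, "-T", "delete", ip])

    def expire(self):                        # also run from cron so entries leave on time
        t = self.now()
        for key in [k for k, until in self.expiry.items() if until <= t]:
            self._delete(*key)
```

Because the expiry bookkeeping lives in the CGI process, run `expire()` from a periodic job as well, or the table entries outlive the hour when nobody submits the form.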
Current thread:
- How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Albert T (Nov 19)
- Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Albert T (Nov 20)
- Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Sean Malloy (Nov 20)
- Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Brian Mayeur (Nov 20)
- Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Albert T (Nov 20)
- Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Albert T (Nov 20)
- Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Nick Owen (Nov 20)
- Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Albert T (Nov 20)
- Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Albert T (Nov 20)
- Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall? Albert T (Nov 20)