How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall?
From: "Albert T" <albert.t680333 () gmail com>
Date: Mon, 19 Nov 2007 14:09:41 -0800
I'm in the process of setting up my own network for my small office.
I've set up a small/lightweight FreeBSD-based firewall at the "edge"
of my network.
It's running the PF firewall. I've got that working well for simple usage.
I understand how to set up OpenVPN passthrough from a remote client
that has a VPN client; but, that requires the remote user to (a) have
the OpenVPN client, and/or (b) have "shell" access.
I'd like to do something a bit different -- client-less and
browser-only -- but I'm simply not sure how best to go about it.
Here's a description of what I'm shooting for.
I've installed the Lighttpd web server on the firewall.
I'd like to have Lighttpd listen on, and serve up a page/form at, one
of my several IP addresses.
That form should be an "S/KEY" / "OPIE" authentication form. A user
would navigate to that URL, enter OTP credentials (from an OTP
calculator, currently a J2ME).
If the credentials are VERIFIED, then I'd like to "talk to" the PF
firewall, and have it open port 80 access at a different IP address to
ONLY the authenticating IP address, and for a limited time (say, 1
If the credentials are NOT VERIFIED, and there are for example 3
failed attempts within 15 minutes, then PF would be told to BLOCK IP
access from that IP for a given amount of time (say 24 hours).
Like I said, I'm not sure how to best go about this. Getting to this
point was not the easiest thing in the world, but reading and patience
paid off. But doing *this* -- I'm not having much luck even figuring
out how to narrow down my searching.
I'd guess that some sort of PHP or CGI script on the Lighttpd
page/site would need to have that "listen and control" logic.
Is this a good way to go about this?
Can anyone point me in the direction of an EXISTING OpenSource
Thanks a bunch,
Re: How (best) to use web-from entry of an OTP/OPIE password to control a PF-firewall? Kurt Buff (Nov 20)
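The "listen and control" piece the poster describes (verified login opens port 80 for the client's IP for a limited time, three failures in 15 minutes lock the IP out for 24 hours) can be expressed as PF table manipulation. The following is an added example, not code from the thread: it assumes two tables named otp_allowed and otp_blocked declared in pf.conf, a pfctl that supports `-T expire`, and sudo rights on pfctl for the web server user; the S/KEY or OPIE verification itself happens before this code is called.

```python
import ipaddress
import subprocess
import time

# Assumed pf.conf fragment (table names are this example's, not the poster's):
#   table <otp_allowed> persist
#   table <otp_blocked> persist
#   block in quick on $ext_if from <otp_blocked>
#   pass in on $ext_if proto tcp from <otp_allowed> to $app_ip port 80
ALLOW_TABLE = "otp_allowed"
BLOCK_TABLE = "otp_blocked"
ALLOW_SECONDS = 60 * 60        # how long a verified client keeps port 80
BLOCK_SECONDS = 24 * 60 * 60   # how long a lockout lasts
MAX_FAILURES = 3
FAILURE_WINDOW = 15 * 60

# client IP -> timestamps of recent failed attempts (in-memory here; a CGI
# that runs once per request would keep this in a file or small database)
_failures = {}

def pfctl_actions(client_ip, verified, now=None):
    """Return the pfctl command lines to run after an OTP form submission;
    verified is the result of the S/KEY or OPIE check, done elsewhere."""
    now = time.time() if now is None else now
    # ipaddress rejects anything that is not an IP literal, so the value
    # handed to pfctl can never smuggle in extra arguments
    ip = str(ipaddress.ip_address(client_ip))
    if verified:
        _failures.pop(ip, None)
        return [["pfctl", "-t", ALLOW_TABLE, "-T", "add", ip]]
    recent = [t for t in _failures.get(ip, []) if now - t < FAILURE_WINDOW]
    recent.append(now)
    _failures[ip] = recent
    if len(recent) >= MAX_FAILURES:
        _failures.pop(ip)
        return [["pfctl", "-t", BLOCK_TABLE, "-T", "add", ip]]
    return []

def expire_actions():
    """Commands for a cron job: drop table entries older than their lifetime."""
    return [["pfctl", "-t", ALLOW_TABLE, "-T", "expire", str(ALLOW_SECONDS)],
            ["pfctl", "-t", BLOCK_TABLE, "-T", "expire", str(BLOCK_SECONDS)]]

def run(actions):
    """Execute the commands; prefix with sudo if the CGI user is unprivileged."""
    for cmd in actions:
        subprocess.run(cmd, check=True)
```

Run `expire_actions()` from cron every minute or so; pfctl's `-T expire` removes entries whose age exceeds the given number of seconds, so the allow and block lifetimes are enforced by the firewall host rather than by the web script.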