
Adding rules to IPFW via web interface

We have FreeBSD-7.4-RELEASE with apache + nginx + php + mysql

Sometimes you need to get remote access via ssh, but the IP address you are connecting from is not in the list of allowed addresses. This can happen for various reasons: you are on another network, and so on.
Opening ssh to everyone makes no sense either, since it is a direct security threat. Changing the ssh port will not help either; rather, it helps only at first. Then a port scanner does its dirty work and the brute-forcing of ssh logins/passwords continues.

Since the remote machine you want to access is a stack of apache + nginx + php + mysql (I will not dwell on the installation now), the following solution was chosen:

1. Added a virtual host on port 443
2. Created certificates
3. Created 2 files with which I will add rules to IPFW
index.php
<?php $IP = $_SERVER['REMOTE_ADDR']; ?>
<form action="ipfwadd.php" name="myform" method="post">
<table border="1">
<tr><td>Rule:</td><td><input type="text" name="rules" maxlength="15" size="5"></td></tr>
<tr><td>IP:</td><td><?php echo $IP ?></td></tr>
<tr><td>pass/deny</td><td>
<select name="passdeny" size="1">
<option value="pass">pass</option>
<option value="deny">deny</option>
</select>
</td></tr>
<tr><td>UDP/TCP:</td><td>
<select name="tcpudp" size="1">
<option value="tcp">TCP</option>
<option value="udp">UDP</option>
</select>
</td></tr>
<tr><td>Ports:</td><td><input type="text" name="ports" maxlength="6" size="8"></td></tr>
</table>
<input name="Submit" type="submit" value="Add">
</form>

ipfwadd.php
<meta http-equiv="refresh" content="0; url=/">
<?php
// The form values are taken as-is, without any validation (see the note at the end of the post)
$rules    = $_POST['rules'];
$IP       = $_SERVER['REMOTE_ADDR'];   // the address the request came from
$ports    = $_POST['ports'];
$tcpudp   = $_POST['tcpudp'];
$passdeny = $_POST['passdeny'];
// Build the ipfw command and run it as root via sudo
$grepip = shell_exec("sudo ipfw add $rules $passdeny $tcpudp from $IP to me $ports");
?>
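The handler above hands every form field to the shell untouched, so whoever can reach the page (or guess the HTTP authentication from step 6) chooses what root runs. The following is an added example, not the post's own code, of the same handler with each field checked against a whitelist before the command is built. It assumes the same form field names (rules, ports, tcpudp, passdeny) and the same sudoers grant for /sbin/ipfw; the rule-number range and the five-port limit are policy choices made for this example.

```php
<?php
// Added example, not the original post's code: a hardened version of ipfwadd.php.
// Assumptions: the same form fields (rules, ports, tcpudp, passdeny), the same
// sudoers grant for /sbin/ipfw; the rule-number range (100-65534) and the
// limit of five ports are policy choices made for this example.

// Returns the full command line to run, or null if any field is not an
// allowed token. Every field is checked against a whitelist pattern first,
// so the shell never sees client-controlled metacharacters.
function build_ipfw_command(array $post, $client_ip)
{
    $rule   = isset($post['rules'])    ? $post['rules']    : '';
    $action = isset($post['passdeny']) ? $post['passdeny'] : '';
    $proto  = isset($post['tcpudp'])   ? $post['tcpudp']   : '';
    $ports  = isset($post['ports'])    ? $post['ports']    : '';

    // Rule number: digits only, inside a range reserved for web-added rules.
    if (!preg_match('/^[0-9]{1,5}$/', $rule) || (int)$rule < 100 || (int)$rule > 65534) {
        return null;
    }
    // Action and protocol: exact match against the two options the form offers.
    if (!in_array($action, array('pass', 'deny'), true)) {
        return null;
    }
    if (!in_array($proto, array('tcp', 'udp'), true)) {
        return null;
    }
    // Ports: a comma-separated list of at most five numeric ports, each 1-65535.
    if (!preg_match('/^[0-9]{1,5}(,[0-9]{1,5}){0,4}$/', $ports)) {
        return null;
    }
    foreach (explode(',', $ports) as $p) {
        if ((int)$p < 1 || (int)$p > 65535) {
            return null;
        }
    }
    // REMOTE_ADDR is filled in by the web server, not by the client, but the
    // rule syntax only accepts a plain IPv4 address here, so check it too.
    if (filter_var($client_ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }

    // All tokens are known-safe; escapeshellarg() is kept as defence in depth.
    return sprintf('sudo /sbin/ipfw add %s %s %s from %s to me %s',
        escapeshellarg($rule), escapeshellarg($action), escapeshellarg($proto),
        escapeshellarg($client_ip), escapeshellarg($ports));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $cmd = build_ipfw_command($_POST, $_SERVER['REMOTE_ADDR']);
    if ($cmd === null) {
        header('HTTP/1.1 400 Bad Request');
        echo 'Rejected: a form field did not pass validation.';
        exit;
    }
    $out = shell_exec($cmd . ' 2>&1');
    // Leave an application-level trace next to sudo's own log entry.
    openlog('ipfwadd', LOG_PID, LOG_AUTH);
    syslog(LOG_NOTICE, "ran: $cmd ; output: " . trim((string) $out));
    closelog();
    header('Location: /');
}
```

Note that the sudoers line in step 5 lets the www user run /sbin/ipfw with any arguments at all, so this validation in PHP is the only thing that limits what the web server can do to the firewall; restricting the grant to a wrapper script that accepts just these five tokens would be the next step.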

4. Next, install sudo from ports
[anton@raccoon ~]$ su -
Password:
[root@raccoon ~]# whereis sudoers
sudoers: /usr/ports/security/sudo/
[root@raccoon ~]# cd /usr/ports/security/sudo/
[root@raccoon /usr/ports/security/sudo]# make install

5. Edit /usr/local/etc/sudoers so that the user the web server runs as has access to ipfw. For me that user is www. Accordingly, I added this line:
www ALL=NOPASSWD:/etc/rc.d/ipfw, /sbin/ipfw

6. Naturally, do not forget to protect the virtual host, either with HTTP authentication or with a client certificate

7. Then we try to add a rule to ipfw via the web. If everything is done correctly, we will see something like the following in messages:
# cat /var/log/messages|grep ipfw
Feb 10 13:16:03 raccoon sudo: www : TTY=unknown ; PWD=/usr/local/www/ssl ; USER=root ; COMMAND=/sbin/ipfw add 150 pass tcp from 213.130.11.4 to me 80,88
Feb 11 20:24:06 raccoon sudo: www : TTY=unknown ; PWD=/usr/local/www/ssl ; USER=root ; COMMAND=/sbin/ipfw add 150 pass tcp from 88.155.65.100 to me 80,88
Feb 17 18:43:51 raccoon sudo: www : TTY=unknown ; PWD=/usr/local/www/ssl ; USER=root ; COMMAND=/sbin/ipfw add 150 pass tcp from 88.155.91.120 to me 80,88
Mar 3 22:19:02 raccoon sudo: www : TTY=unknown ; PWD=/usr/local/www/ssl ; USER=root ; COMMAND=/sbin/ipfw add 150 pass tcp from 88.155.8.131 to me 80,88
Mar 9 10:03:48 raccoon sudo: www : TTY=unknown ; PWD=/usr/local/www/ssl ; USER=root ; COMMAND=/sbin/ipfw add 150 pass tcp from 88.155.81.41 to me 80,88
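Since sudo logs the exact command line, the same log is a cheap place to notice when the web user ran something other than the single "add N pass/deny proto from IP to me ports" shape the form is meant to produce. The following is an added example, not the post's own code, that parses those sudo lines and flags any ipfw command outside that shape. The first sample line is copied from the log output above; the other two are constructed for this example to show what gets flagged.

```php
<?php
// Added example, not from the original post: audit sudo entries for the web
// server user and flag ipfw commands that do not match the expected shape.

// Sample lines: the first is copied from the post's log output; the second and
// third are constructed for this example to show what gets flagged.
$sample = array(
    'Feb 10 13:16:03 raccoon sudo: www : TTY=unknown ; PWD=/usr/local/www/ssl ; USER=root ; COMMAND=/sbin/ipfw add 150 pass tcp from 213.130.11.4 to me 80,88',
    'Mar 12 01:02:03 raccoon sudo: www : TTY=unknown ; PWD=/usr/local/www/ssl ; USER=root ; COMMAND=/sbin/ipfw flush',
    'Mar 12 01:05:00 raccoon sudo: www : TTY=unknown ; PWD=/usr/local/www/ssl ; USER=root ; COMMAND=/sbin/ipfw add 1 pass ip from any to any',
);

// Split one syslog line written by sudo into its fields; null if it is not a sudo line.
function parse_sudo_line($line)
{
    $re = '/^(\w{3}\s+\d+ [\d:]+) (\S+) sudo: +(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array(
        'time'    => $m[1],
        'host'    => $m[2],
        'user'    => $m[3],   // the invoking user, e.g. www
        'runas'   => $m[4],   // the target user, e.g. root
        'command' => $m[5],
    );
}

// Return one finding per sudo command issued by $webuser, marked 'expected' when
// it matches the one command the web form is allowed to generate.
function audit_ipfw_commands(array $lines, $webuser = 'www')
{
    $expected = '#^/sbin/ipfw add [0-9]{1,5} (pass|deny) (tcp|udp) from '
              . '[0-9]{1,3}(\.[0-9]{1,3}){3} to me [0-9]{1,5}(,[0-9]{1,5})*$#';
    $findings = array();
    foreach ($lines as $line) {
        $e = parse_sudo_line($line);
        if ($e === null || $e['user'] !== $webuser) {
            continue;
        }
        $ok = preg_match($expected, $e['command']) === 1;
        $findings[] = array(
            'time'    => $e['time'],
            'command' => $e['command'],
            'status'  => $ok ? 'expected' : 'UNEXPECTED',
        );
    }
    return $findings;
}

foreach (audit_ipfw_commands($sample) as $f) {
    printf("%-10s %s %s\n", $f['status'], $f['time'], $f['command']);
}
```

To run it over the real log instead of the embedded sample, replace $sample with file('/var/log/messages', FILE_IGNORE_NEW_LINES); the sudo lines are the same format as the ones shown above, so the "flush" and "from any to any" entries would be the ones reported as UNEXPECTED.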


That's basically it. It was written without any "protection from a fool", since it was done for my own purposes. Now, simply from a phone, tablet, and so on, I can get into the work network.

Source: https://habr.com/ru/post/140207/
