Hello, I have a server on which I would like to stand up an OpenBSD server running a few different services on a few different ports (starting with WEBDAV services offered by Radicale[1], but adding more services in the future) for friends and family looking to escape iCloud and google-cloud. This will probably be a small number of services and a small number of users to begin with, but may grow over time (as these things do, if they work).
Given the constant hammering a previous httpd server took from scrapers, I would like to restrict access to this server. It looks as though authpf might be able to do the job of authorizing folks, and it seems pretty clear how to do that on a gateway, but less clear how to have authpf authorize connections to the server on which authpf is running. What I'm thinking of is the following pattern:

* user opens connection to ssh with a username / key which triggers authpf
* authpf tells pf to open ports 80 and 443 for that user
* user syncs calendar and/or contacts
* user shuts down ssh connection and the open ports close

I've been reading The Book of Pf and playing with these services inside my home network, so I'm reasonably confident I can eventually make this all work, provided I haven't missed anything. I have scripts running which look at attempts to ssh in as root and add those ip addresses to a pf table to block people, and that seems to be working (I'm not really worried about them getting in, but it seemed like a useful learning exercise to learn my way around pf). I haven't locked myself out yet, so I probably haven't made all the mistakes I need to make in order to learn, though.

Is this a sensible idea?

Currently we have contacts, calendars, photos, and a small amount of file storage as the things we rely on iCloud (or google-cloud) for. I would prefer to stand up my own services, rather than changing one corporate overlord for another, although I have thought about switching people to murena's "cloud"[4] because it would definitely be simpler. I have also looked at using iocaine-powder[2] as a front-end[3] for all of this to feed the scrapers garbage, but if I'm going to restrict my server to just friends and family, it seems as though something with authpf would be tons simpler. But it's entirely possible that I'm confused.

Alternately, if there's someone who already offers services like this, I'd love a pointer.

It's an interesting technical quest, but it's really just another yak that needs shaving on the way to helping my family, and I have plenty of other projects to keep me busy. Our main goal is to stop giving Apple and Google money. They have plenty.

Thanks for any help de-confusing me.

1: https://radicale.org/
2: https://opensourcesecurity.io/2026/2026-01-iocaine-algernon/
3: https://chronicles.mad-scientist.club/tales/only-junk-fans/
4: https://murena.com/workspace/

-DaveP
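For readers following the pattern DaveP sketches above, here is an added example of the two pf files it needs when authpf runs on the same host as the services. This is illustrative configuration written for this thread, not DaveP's own config and not taken from OpenBSD's man pages; the interface group name `egress`, the `<bruteforce>` table name (standing in for whatever table the root-login script feeds) and the port list are assumptions. The key point is that authpf only supplies rules inside the `authpf/*` anchor, so the static `pf.conf` must keep sshd reachable (that is the door authpf is entered through) and deny everything else inbound by default; the per-user rules in `authpf.rules` are loaded when a user's ssh session starts and flushed when it ends.

```pf
# /etc/pf.conf  (example for this thread; assumptions marked)
ext_if = "egress"                  # assumption: interface group the services listen on
table <bruteforce> persist         # assumption: table populated by the root-login script

set skip on lo
block in log                       # default deny for inbound traffic
pass out quick                     # traffic the host itself initiates, stateful

# addresses already flagged by the ssh-as-root watcher
block in quick on $ext_if from <bruteforce>

# sshd must stay reachable: it is how users reach authpf in the first place
pass in on $ext_if proto tcp to ($ext_if) port ssh

# rules that authpf(8) loads for each authenticated session are evaluated here;
# nothing else in this file opens 80/443, so they stay closed between sessions
anchor "authpf/*"

# -------------------------------------------------------------------
# /etc/authpf/authpf.rules  (loaded by authpf for the duration of a session)
# authpf defines $user_ip, $user_id and $user_name before loading this file;
# ext_if is redefined here because anchor rules do not inherit pf.conf macros
ext_if = "egress"                  # assumption, as above
pass in quick on $ext_if proto tcp from $user_ip to ($ext_if) port { 80 443 }
```

Two practical notes: authpf refuses to run unless /etc/authpf/authpf.conf exists (an empty file is fine), and the authenticating user's login shell has to be /usr/sbin/authpf. Before loading either file, check syntax with `pfctl -nf /etc/pf.conf` and `pfctl -nf /etc/authpf/authpf.rules`, and keep a second, already-open ssh session around while the new ruleset is loaded so a mistake in the default-deny line does not lock you out. Because the WebDAV ports are only open from the address of a live ssh session, a client that cannot keep an ssh connection up (a phone on a flaky network, for example) will see the calendar sync fail the moment the session drops, which is worth testing with the family's actual devices before relying on it.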

