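#!/usr/bin/perl
#
# Adds the address of the connecting SSH client to the pf table "authorized",
# so that a host on the 10.1.5.0/24 network is let through the firewall once
# it has logged in over ssh.
#
# in /etc/pf.conf:
#
#   table <authorized> persist
#   pass in quick proto tcp from any to ($int_if) port ssh
#   block drop in quick log on $int_if from ! <authorized> to any
#
# (the table name in the two rules above is taken from the pfctl call below;
# check it against your own pf.conf)
#
# in ~/.ssh/rc:
#
#   /path/to/this/script
#
# NOTE(review): the script assumes sudo lets this user run pfctl without a
# prompt. Keep that sudoers entry limited to this one pfctl command.
#

use strict;
use warnings;

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
# Outside an ssh session there is nothing to authorize.
my $ssh_conn = $ENV{'SSH_CONNECTION'} or exit;
my ($ip_addr) = split / /, $ssh_conn;

# Accept only a well-formed 10.1.5.x address. \A and \z anchor the whole
# string (a plain $ would also accept a trailing newline), and [0-9] keeps
# the match to ASCII digits.
exit unless defined $ip_addr
    && $ip_addr =~ /\A10\.1\.5\.([0-9]{1,3})\z/;
exit if $1 > 255;

# Run pfctl through an argument list instead of a shell command string, so
# the address is never parsed by a shell. The forked child sends stderr down
# the same pipe as stdout, which keeps pfctl's diagnostics in the output just
# as "2>&1" did.
my $pid = open my $pfctl, '-|';
if (!defined $pid) {
    print "wlan-auth $ip_addr: cannot fork: $!\n";
    exit;
}

if ($pid == 0) {
    open STDERR, '>&', \*STDOUT;
    exec 'sudo', '/sbin/pfctl', '-t', 'authorized', '-T', 'add', $ip_addr
        or print "cannot exec sudo: $!\n";
    exit 127;
}

my @pfctl_output = <$pfctl>;
close $pfctl;    # a non-zero pfctl exit is not fatal: its message is in the output

print "wlan-auth $ip_addr: ", @pfctl_output;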