Security Basics mailing list archives

How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall?


From: "Albert T" <albert.t680333 () gmail com>
Date: Mon, 19 Nov 2007 14:09:41 -0800

Hello.

I'm in the process of setting up my own network for my small office.

I've set up a small/lightweight FreeBSD-based firewall at the "edge"
of my network.

It's running the PF firewall.  I've got that working well for simple usage.

I understand how to set up OpenVPN passthrough from a remote client
that has a VPN client; but, that requires the remote user to (a) have
the OpenVPN client, and/or (b) have "shell" access.

I'd like to do something a bit different -- client-less and
browser-only -- but I'm simply not sure how best to go about it.

Here's a description of what I'm shooting for.

I've installed the Lighttpd web server on the firewall.

I'd like to have Lighttpd listen on, and serve up a page/form at, one
of my several IP addresses.

That form should be an "S/KEY" / "OPIE" authentication form.  A user
would navigate to that URL, enter OTP credentials (from an OTP
calculator, currently a J2ME).

If the credentials are VERIFIED, then I'd like to "talk to" the PF
firewall, and have it open port80 access at a different IP address to
ONLY the authenticating IP address, and for a limited time (say, 1
hour).

If the credentials are NOT VERIFIED, and there are for example 3
failed attempts within 15 minutes, then PF would be told to BLOCK ip
access from that IP for a given amount of time (say 24 hours).

Like I said, I'm not sure how to best go about this.  Getting to this
point was not the easiest thing in the world, but reading and patience
paid off.  But doing *this* -- I'm not having much luck even figuring
out how to narrow down my searching.

I'd guess that some sort of PHP or CGI script on the Lighttpd
page/site would need to have that "listen and control" logic.

Is this a good way to go about this?

Can anyone point me in the direction of an EXISTING OpenSource
solution somewhere?

Thanks a bunch,

Albert
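The "listen and control" logic the post asks about, as an added example that is not part of the original message or of any existing project. It is written in Python and assumes the following, none of which comes from the post: pf.conf declares two persistent tables, <otp_allowed> and <otp_banned> (hypothetical names), with rules along the lines of `block in quick from <otp_banned>` and `pass in quick proto tcp from <otp_allowed> to $web_ip port 80`; a cron job ages entries out with `pfctl -t otp_allowed -T expire 3600` and `pfctl -t otp_banned -T expire 86400` (the `-T expire` subcommand is assumed to be available in the firewall's pfctl); the OTP check itself is injected as a callable, because in a real deployment it would wrap the OPIE library's challenge/response verification, which is not reproduced here; and the script runs as a small long-lived FastCGI/WSGI-style process so the failure history can live in memory. Because pfctl needs root and Lighttpd should not, the gate should be run as a separate privileged helper or through a sudoers rule restricted to exactly the two `pfctl -t ... -T add` argument forms below. The client address is validated with the `ipaddress` module and passed to pfctl as an argv list, never interpolated into a shell string.

```python
"""OTP-gated PF table control (added example, not from the thread).

Success adds the client address to the PF table `otp_allowed` (assumed
name); three failures within 15 minutes add it to `otp_banned` (assumed
name). Expiry of the PF entries is left to cron (see expire_commands).
"""
import os
import subprocess
import sys
import time
import ipaddress
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List
from urllib.parse import parse_qs

MAX_FAILURES = 3            # failed attempts ...
FAILURE_WINDOW = 15 * 60    # ... within 15 minutes -> ban
ALLOW_SECONDS = 60 * 60     # port 80 stays open for 1 hour
BAN_SECONDS = 24 * 60 * 60  # ban lasts 24 hours
ALLOW_TABLE = "otp_allowed"  # assumed table name in pf.conf
BAN_TABLE = "otp_banned"     # assumed table name in pf.conf


def pfctl_add(table: str, ip: str) -> List[str]:
    """argv that adds `ip` to a PF table; list form, so no shell parsing."""
    return ["pfctl", "-t", table, "-T", "add", ip]


def expire_commands() -> List[List[str]]:
    """argv lines for a periodic cron job that ages table entries out."""
    return [["pfctl", "-t", ALLOW_TABLE, "-T", "expire", str(ALLOW_SECONDS)],
            ["pfctl", "-t", BAN_TABLE, "-T", "expire", str(BAN_SECONDS)]]


class OtpGate:
    def __init__(self, verifier: Callable[[str, str], bool],
                 runner=subprocess.run, clock=time.time):
        self.verifier = verifier      # (username, otp_response) -> bool
        self.runner = runner          # executes an argv list (pfctl)
        self.clock = clock
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.banned: Dict[str, float] = {}   # ip -> ban expiry timestamp

    def _recent_failures(self, ip: str, now: float) -> Deque[float]:
        q = self.failures[ip]
        while q and now - q[0] > FAILURE_WINDOW:   # drop stale entries
            q.popleft()
        return q

    def attempt(self, client_ip: str, username: str, otp_response: str) -> str:
        """Returns "allowed", "denied" or "banned"; ValueError on a bad IP."""
        ip = str(ipaddress.ip_address(client_ip))  # rejects non-addresses
        now = self.clock()
        expiry = self.banned.get(ip)
        if expiry is not None:
            if now < expiry:
                return "banned"
            del self.banned[ip]                  # ban has aged out
        if self.verifier(username, otp_response):
            self.failures.pop(ip, None)
            self.runner(pfctl_add(ALLOW_TABLE, ip), check=True)
            return "allowed"
        q = self._recent_failures(ip, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.banned[ip] = now + BAN_SECONDS
            self.failures.pop(ip, None)
            self.runner(pfctl_add(BAN_TABLE, ip), check=True)
            return "banned"
        return "denied"


def cgi_main(gate: OtpGate, environ=os.environ, stdin=sys.stdin, out=sys.stdout) -> str:
    """Minimal CGI glue: POST body holds user= and otp= form fields."""
    form = parse_qs(stdin.read())
    user = form.get("user", [""])[0]
    otp = form.get("otp", [""])[0]
    try:
        result = gate.attempt(environ.get("REMOTE_ADDR", ""), user, otp)
    except ValueError:
        result = "denied"   # missing or malformed REMOTE_ADDR
    out.write("Content-Type: text/plain\r\n\r\n%s\n" % result)
    return result


if __name__ == "__main__":
    # Placeholder verifier: a real deployment wires in OPIE verification here.
    cgi_main(OtpGate(verifier=lambda user, resp: False))
```

Only the address, not the username, drives the lockout, matching the post's "block that IP" requirement; a per-username counter would let an attacker lock out a legitimate user, whereas a per-address counter only affects the source doing the guessing.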
