10th July 2019
jggimi

Originally Posted by calanon
So the anchor is linked. With the other point would this be correct:
You do not need to use separate /users/ authpf rule files, unless you need rules that are unique to each authenticating user. You can use $user_ip or $user_id in a single rules file, as each user who authenticates will have their own set of rules defined under their own anchor point, located beneath the authpf/* anchor point you defined.
Originally Posted by calanon
It could be my words are wrong:

So I use this bsd machine as the gateway from my exposed LAN to the DMZ.

I want to be able to ssh authpf to the bsd box. Then once authenticated I can ssh into any box in the DMZ. I feel my rules do not reflect this.
Is the address the address of the external interface? Your pass rule
pass in on $extif proto tcp to ($extif) port $allowed_tcp_ports
is the only TCP pass rule in effect, until you authenticate. This rule will pass TCP traffic inbound on the external interface from any IP address, with any source port number, as long as the destination address is an address assigned to that external interface, with a destination port number matching the port numbers for ssh, https, and rdp defined in /etc/services.
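As an added illustration of the two points above (a single shared authpf rules file using $user_ip, plus the pre-authentication pass rule), here is a constructed pair of rulesets; this is not configuration from either poster, and it assumes the external interface is em0, the DMZ sits behind em1 as 10.0.1.0/24, and authpf is the users' login shell:

```pf
# Constructed example, not from the original thread. Assumes: $extif is em0,
# the DMZ is behind em1 as 10.0.1.0/24, and authpf is the users' login shell.

# ---- /etc/pf.conf (main ruleset) ----
extif = "em0"
dmzif = "em1"
allowed_tcp_ports = "{ ssh https }"

set skip on lo
block log all

# Before a user authenticates, the only inbound TCP allowed is to the
# gateway's own external address(es), on the listed ports.
pass in on $extif proto tcp to ($extif) port $allowed_tcp_ports

# authpf loads each login's rules into a sub-anchor named authpf/<user>(<pid>);
# the wildcard evaluates every such sub-anchor in turn.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules (one file shared by every authpf user) ----
# This file is loaded separately at each login, so macros from pf.conf are
# NOT visible here; redefine what you need. authpf itself supplies
# $user_ip, $user_id and $user_name for the authenticating session.
extif = "em0"
dmz_net = "10.0.1.0/24"

# Only the authenticated client's source address may reach ssh in the DMZ.
# States are floating by default, so the forwarded packets leaving on the
# DMZ interface match this state without a separate pass out rule.
pass in quick on $extif inet proto tcp from $user_ip to $dmz_net port ssh
```

Check the result after logging in with `pfctl -a 'authpf/*' -sr`, which lists the rules currently loaded under the per-user sub-anchors.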