Old 7th July 2014
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,983

Here's a test configuration I would like you to try.

I assume your inner network is configured as 10.2.0.0/24, and the router's (gateway's) address on that network is 10.2.0.1. This means something akin to "inet 10.2.0.1/24" is in the hostname configuration file.

I assume your outer network is connected via the xl0 device.

I assume you have sshd(8) running on the inner router.

---

This test configuration uses a default pass ruleset, which is unusual. All block and pass rules use log so that you can see them match with # tcpdump -neti pflog0.

The base PF configuration has the following rules, from the general case through to the specific case. As a reminder, when quick is not used, the last matching rule wins. Note the NAT rule uses match.
Code:
# do not hang when blocking
set block-policy return

# the authpf users table is defined, but no rules will refer to it in this test
table <authpf_users> persist

# NAT traffic from the inner to outer network
match out on xl0 from 10.2.0.0/24 to any nat-to xl0

# allow all traffic by default
pass log all

# block the inner network
block in log from 10.2.0.0/24

# pass SSH inbound for authpf use:
pass in log proto tcp from 10.2.0.0/24 to 10.2.0.1 port ssh

# anchor point for authpf rules
anchor "authpf/*"

Please give this a try. I have not tested it, but this simple ruleset should allow all traffic except that originating from the inner network to pass freely. And on the inner network, the only thing allowed is SSH traffic to the router at 10.2.0.1. DNS is not allowed. ICMP is not allowed. The only network connection that should function is:

$ ssh [user@]10.2.0.1

If this ruleset works, please try the following configuration in /etc/authpf/authpf.rules:
Code:
# allow this user to pass all traffic
pass from $user_ip to any
pass from any to $user_ip

Once successfully authenticated, and while the authpf session remains active, the test device should be able to send and receive all traffic through this gateway.

While authenticated, there should be two rules in output to this command:

# pfctl -sr -a authpf/*

While authenticated, the address of the authenticated device should appear in the output of this command:

# pfctl -t authpf_users -T show

While authenticated, there should be a process with username and IP address shown with this command:

$ ps -ax | grep authpf

Once the SSH session is disconnected, the rules should no longer appear, the table should be empty, and there will no longer be an authpf process.
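As an added illustration (not part of jggimi's post), here is a small Python model of the last-matching-rule-wins evaluation the test ruleset relies on, applied to the three pass/block rules above and to the two authpf.rules lines for one authenticated host. It is a toy: it ignores interfaces, the match nat-to rule and PF's state table (return traffic of the SSH session is passed by state, not by rule matching), and the host addresses 10.2.0.50, 10.2.0.51 and 198.51.100.7 are constructed for the demonstration.

```python
"""Toy model of PF's last-match-wins evaluation for the test ruleset above.

This is an added example, not code from the forum post or from OpenBSD.
It models only action rules (pass/block) and the authpf anchor at the end
of the ruleset; NAT, interfaces and state tracking are deliberately left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
INNER = ipaddress.ip_network("10.2.0.0/24")     # inner network from the post
ROUTER = ipaddress.ip_network("10.2.0.1/32")    # gateway address from the post


@dataclass
class Rule:
    action: str                           # "pass" or "block"
    text: str                             # the pf.conf line this stands for
    direction: Optional[str] = None       # "in", "out" or None for both
    proto: Optional[str] = None           # "tcp", "udp", "icmp" or None for any
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None           # destination port, None for any


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every constraint the rule states is satisfied by the packet."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the whole ruleset; without 'quick', the LAST matching rule wins.

    Returns (action, rule text) so the result can be compared with what
    tcpdump on pflog0 would show for the logged rule.
    """
    winner: Optional[Rule] = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
    if winner is None:
        return "pass", "<implicit default pass>"   # PF passes when nothing matches
    return winner.action, winner.text


def base_ruleset() -> List[Rule]:
    """The three action rules from the test pf.conf, in file order."""
    return [
        Rule("pass", "pass log all"),
        Rule("block", "block in log from 10.2.0.0/24", direction="in", src=INNER),
        Rule("pass", "pass in log proto tcp from 10.2.0.0/24 to 10.2.0.1 port ssh",
             direction="in", proto="tcp", src=INNER, dst=ROUTER, dport=22),
    ]


def authpf_rules(user_ip: str) -> List[Rule]:
    """The two authpf.rules lines with $user_ip expanded for one session."""
    host = ipaddress.ip_network(f"{user_ip}/32")
    return [
        Rule("pass", f"pass from {user_ip} to any", src=host),
        Rule("pass", f"pass from any to {user_ip}", dst=host),
    ]


def ruleset_for(authenticated_ip: Optional[str] = None) -> List[Rule]:
    """Base rules plus, when a session is active, the rules loaded into the
    authpf/* anchor, which sits last in the file and therefore wins ties."""
    rules = base_ruleset()
    if authenticated_ip is not None:
        rules.extend(authpf_rules(authenticated_ip))
    return rules


if __name__ == "__main__":
    # Constructed sample packets: an inner host before and after authpf login.
    probes = [
        Packet("in", "tcp", "10.2.0.50", "10.2.0.1", 22),    # ssh to the router
        Packet("in", "udp", "10.2.0.50", "8.8.8.8", 53),     # DNS to the outside
        Packet("in", "icmp", "10.2.0.50", "10.2.0.1"),       # ping the router
        Packet("in", "tcp", "198.51.100.7", "10.2.0.1", 22), # from the outer side
    ]
    for label, rules in (("no session", ruleset_for()),
                         ("10.2.0.50 authenticated", ruleset_for("10.2.0.50"))):
        print(f"--- {label}")
        for p in probes:
            action, text = evaluate(rules, p)
            print(f"{p.src} -> {p.dst}:{p.dport} {p.proto}: {action}  [{text}]")
```

Run it and compare the printed winner for each probe with what tcpdump -neti pflog0 logs on the real router: an inner host gets only TCP to 10.2.0.1 port 22 through until its authpf session exists, after which the two anchor rules are the last match and pass everything for that one address while other inner hosts stay blocked.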