DaemonForums > NetBSD > NetBSD Security
#1 - 11th July 2008 - Kristijan
Exempting clients from AuthPF

Hi all,

I'm running NetBSD with pf and authpf for my firewall. I wrote the rules myself, which have seemed to work well for the past year or so. AuthPF is only used for wireless clients coming through my WLAN.

The problem I'm facing is that I want to exempt a client from having to authorize against the AuthPF and bypass the rules. The client is an iPhone (192.168.1.15).

Now here is the weird part... This has been working fine for a good year with my Nokia. Today I got the new iPhone, and in DHCP all I did was remove the MAC address of the Nokia and replace it with the MAC of the iPhone. Restarted DHCP and told the iPhone to renew the lease. This all worked fine and it obtained the correct IP. However, when I try to browse, all my requests are being redirected (as per my rules for non-authenticated users).

Nothing in the pf.conf changed, so I'm not sure where the issue is. The only thing that changed was the phone (and the browser used) and the MAC address in DHCP.

Below is my /etc/pf.conf ... Any insight is much appreciated.

Code:
##########
# Macros #
##########

ext_if="ppp0"
int_if="fxp0"
wi_if="fxp1"
adsl_if="sip0"

homer="192.168.0.2"
krusty="192.168.1.1"
auth_web="192.168.0.10"
phone="192.168.1.15"

routable="{ 192.168.0.0/24, 192.168.1.0/24 }"
nonroutable="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

###########
# Options #
###########

set block-policy drop
set loginterface $ext_if

#########
# Scrub #
#########

scrub no-df random-id fragment reassemble

##########
# Tables #
##########

table <authpf_users> persist

###########
# NAT/RDR #
###########

nat on $ext_if from $routable to any -> ($ext_if)
nat on $adsl_if from $routable to any -> ($adsl_if)

# Azureus
rdr on $ext_if proto tcp from any to any port 61980 -> $homer port 61980
rdr on $ext_if proto udp from any to any port 61980 -> $homer port 61980

# uTorrent
rdr on $ext_if proto tcp from any to any port 10394 -> $homer port 10394
rdr on $ext_if proto udp from any to any port 10394 -> $homer port 10394

# WWW redirect for non-AuthPF users
rdr on $wi_if proto tcp from ! <authpf_users> to any port 80 -> $auth_web

# WWW from Internet to krusty ***TEMP***
#rdr on $ext_if proto tcp from any to any port 80 -> $auth_web

# uTorrent Web-UI
# rdr on $ext_if proto tcp from any to any port 8181 -> $homer port 8181

################
# Filter Rules #
################

pass out quick keep state
pass quick on lo0

# Azureus
pass in quick on $ext_if proto tcp from any to any port 61980 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 61980

# uTorrent
pass in quick on $ext_if proto tcp from any to any port 10394 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 10394

# SSH
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA keep state

# Non routable
block drop in quick on $ext_if from $nonroutable to any
block drop out quick on $ext_if from any to $nonroutable

# DNS, SSH & WWW-redirect for wireless so user can AuthPF
pass in quick on $wi_if proto udp from 192.168.1.0/24 to any port 53
pass in quick on $wi_if proto tcp from 192.168.1.0/24 to $krusty port 22 flags S/SA keep state
pass in quick on $wi_if proto tcp from ! <authpf_users> to any port 80 flags S/SA keep state

# Mobile WiFi access
pass in quick on $wi_if from $phone to any flags S/SA keep state

# WWW from Internet to krusty ***TEMP***
#pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA keep state

# uTorrent Web-UI
# pass in quick on $ext_if proto tcp from any to any port 8181 flags S/SA keep state

# AuthPF anchor
anchor "authpf/*"

# Drop All
block in quick on $wi_if
block in quick on $ext_if

-Kristijan
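In pf, translation rules (nat/rdr) are evaluated before the filter rules and the first matching translation rule wins, and a client that bypasses authpf is never added to <authpf_users>, so the port-80 rdr on $wi_if still rewrites its web requests to $auth_web regardless of the later pass rule for $phone. The fragment below is an added example, not code from the original post: it makes the exemption explicit with a "no rdr" rule, reuses the post's wi_if, auth_web and phone macros and its authpf_users table, and the <wifi_exempt> table name is an assumption.

```pf
# Added example, not from the original post. Reuses the post's macros
# and table; the <wifi_exempt> table name is an assumption.
wi_if="fxp1"
auth_web="192.168.0.10"
phone="192.168.1.15"

table <authpf_users> persist
# Clients allowed through the wireless interface without an authpf login.
# A table can be changed at runtime (pfctl -t wifi_exempt -T add|delete)
# without reloading the whole ruleset.
table <wifi_exempt> persist { $phone }

# Translation is decided before filtering and the first matching
# translation rule wins, so exempt clients must be excluded here.
# Without the "no rdr" line the rule below still rewrites their port-80
# traffic to $auth_web, even though a later "pass" rule matches them.
no rdr on $wi_if proto tcp from <wifi_exempt> to any port 80
rdr on $wi_if proto tcp from ! <authpf_users> to any port 80 -> $auth_web

# Filter rules for exempt clients: stateful, SYN-only for TCP so that
# only new connections create state. The exemption is keyed on the IP
# address alone, which on a shared wireless segment is a weaker identity
# than an authpf login, so keep this table short.
pass in quick on $wi_if proto tcp from <wifi_exempt> to any flags S/SA keep state
pass in quick on $wi_if proto { udp, icmp } from <wifi_exempt> to any keep state
```

After loading with pfctl -f /etc/pf.conf, pfctl -s nat shows the translation rules in evaluation order and pfctl -t authpf_users -T show lists the addresses authpf has currently admitted, which is the quickest way to see whether a client is being redirected because it is not in the table.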
#2 - 12th July 2008 - Kristijan

OK, and for some reason... I get up this morning, and it works.
No changes made apart from the ones stated below.

-Kristijan