DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 1st July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default Wireless Setup With AuthPF Help

Hello,

I am trying to understand the following article with a slight variation for my setup. This will be a dedicated old slow machine that i have laying around that will just provide wireless access with authpf. I have an extra port open on the back of my main firewall so I will be using it (I am out of available pci slots for a wireless card)
Here is the article --> http://home.nuug.no/~peter/pf/en/vegard.authpf.html

IP address of Main Firewall :192.168.1.200 # this is the output of the main firewall into the wireless firewall server
IP address of wireless firewall : 192.168.1.201 # this is the external interface on the wireless firewall

Here is the modified code that I *think is good (please correct me if i am wrong)

/etc/authpf/authpf.conf
Code:
touch /etc/authpf/authpf.conf
/etc/pf.conf
Code:
ext_if="em2"
wi_if = "athn0"

auth_web="192.168.27.20"

table <authpf_users> persist 

match out on $ext_if from $wi_if:network nat-to ($ext_if)

match in on $wi_if proto tcp from any to $myaddr port $tcp_in rdr-to $server
match in on $wi_if proto udp from any to $myaddr port $udp_in rdr-to $server

match in on on $wi_if proto tcp from ! <authpf_users> port 80 rdr-to $auth_web

anchor "authpf/*"

block all

anchor "authpf/*" in on wi0

pass in on $wi_if inet proto tcp from any to $auth_web port 80 keep state

pass in on $wi_if inet proto udp from any port 53 keep state

pass in on $wi_if inet proto udp from any to $wi_if port 67

pass in on $wi_if inet proto tcp from any to $wi_if port 22 keep state

/etc/authpf/authpf.rules
Code:
ext_if = "em2"
wi_if = "athn0"
server = "192.168.27.15"
myaddr = "213.187.n.m"

# Services which live on the internal network 
# and need to be accessible
tcp_services = "{ 22, 25, 53, 80, 110, 113, 995 }"
udp_services = "{ 53 }"
tcp_in = " { 22, 25, 53, 80, 993, 2317, pop3}"
udp_in = "{ 53 }"

pass in on $wi_if inet from <authpf_users> to ! $int_if:network keep state

pass in on $wi_if inet proto tcp from <authpf_users> to $server port $tcp_in keep state
pass in on $wi_if inet proto udp from <authpf_users> to $server port $udp_in keep state

pass in on $wi_if inet proto tcp from <authpf_users> to $myaddr port $tcp_in keep state
pass in on $wi_if inet proto udp from <authpf_users> to $myaddr port $udp_in keep state
My machine is a brand new 5.5 installation so here are my questions.

1.This is the address of the web server? I will be installing apache httpd on the local machine eventually so this will be the ip of $ext_if?
Code:
auth_web="192.168.27.20"

2. This is a table that openbsd knows? (in other words I do not need to create this?)
Code:
table <authpf_users> persist

3. I do not understand this. n and m are placeholders of some sort that openbsd will replace with numbers?
Code:
myaddr = "213.187.n.m"

4. Where did wi0 come from in this example?
Code:
anchor "authpf/*" in on wi0


Sorry for so many questions and thanks in advance for your time helping me.
Reply With Quote
  #2   (View Single Post)  
Old 1st July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

1. The "auth_web" server is where requests from an unauthenticated user to any IP address's destination port 80 are routed. That local server can place a static page telling the user to authenticate, etc. Once a user is authenticated (this means having an active SSH console session to an authpf login shell on the server running PF), this traffic is no longer intercepted and can go where the user intended.

2. The authpf_users table is described in both the AuthPF chapter of the PF User's Guide and in the authpf(8) man page. I'll quote from the Guide.
Quote:
In addition to the $user_ip macro, authpf will make use of the authpf_users table (if it exists) for storing the IP addresses of all authenticated users. Be sure to define the table before using it...
3. This is the author's known external (Internet) static address. See the comments above the last two rules in that HOWTO, where the macro is used. We try not to put our actual Internet address in public forums when we share our rulesets. Weaknesses might be discovered and exploited. The Internet is a dangerous place.

4. Anchor options are discussed in the Anchor chapter of the PF User's Guide. I'd mentioned this chapter to you two days ago, in your thread on scheduling connections.

----

Many years ago, I ran something similar in the pre-WPA days, when WEP was the only "hardware" encryption available and was known to be insecure.

I later replaced the authpf solution with an IPSec solution, as it was easier for the client -- no SSH session to maintain, and its encryption wasn't proven to be broken like WEP.

The IPSec solution was later replaced with WPA2, as clients could include systems that did not have IPSec capabilities.
Reply With Quote
  #3   (View Single Post)  
Old 1st July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

Thanks for your help!

Quote:
Originally Posted by jggimi View Post
1. The "auth_web" server is where requests from an unauthenticated user to any IP address's destination port 80 are routed. That local server can place a static page telling the user to authenticate, etc. Once a user is authenticated (this means having an active SSH console session to an authpf login shell on the server running PF), this traffic is no longer intercepted and can go where the user intended.
So if the web service was running on the same machine i would just put 127.0.0.1 for the auth_web variable?


Quote:
Originally Posted by jggimi View Post
2. The authpf_users table is described in both the AuthPF chapter of the PF User's Guide and in the authpf(8) man page. I'll quote from the Guide.
Code:
In addition to the $user_ip macro, authpf will make use of the authpf_users table (if it exists) for storing the IP addresses of all authenticated users. Be sure to define the table before using it...
The best I can tell this table is created in memory and maintained by openbsd as long as I add this line to my pf.conf. If someone logs on via ssh then somehow it will know to add the user to this table?
Code:
table <authpf_users> persist

Quote:
Originally Posted by jggimi View Post
3. This is the author's known external (Internet) static address. See the comments above the last two rules in that HOWTO, where the macro is used. We try not to put our actual Internet address in public forums when we share our rulesets. Weaknesses might be discovered and exploited. The Internet is a dangerous place.
Being that is the case, I would say that the variable needs to be $ext_if instead of an external ip address.?.


Quote:
Originally Posted by jggimi View Post
4. Anchor options are discussed in the Anchor chapter of the PF User's Guide. I'd mentioned this chapter to you two days ago, in your thread on scheduling connections.
Unfortunately I have been stuck on creating tables. I have been reading and I am trying to understand how to implement them better before I actually do one.
The best I can tell some are created in memory and defined in the actual config file and others are files that are saved on the hard drive. I will experiment with these a bit later but at the moment I am still learning.
Reply With Quote
  #4   (View Single Post)  
Old 2nd July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by EverydayDiesel View Post
So if the web service was running on the same machine i would just put 127.0.0.1 for the auth_web variable?
yes
Quote:
The best I can tell this table is created in memory and maintained by openbsd as long as I add this line to my pf.conf. If someone logs on via ssh then somehow it will know to add the user to this table?
yes
Quote:
Being that is the case, I would say that the variable needs to be $ext_if instead of an external ip address.?.
I would think it depends upon your needs. The syntax of those final two rules use from and to with IP addresses. You can only use an interface with modifiers that translate to blocks of addresses or special addresses: :network, :broadcast, or :peer. If you want to block an interface, you need to use the on <interface> option.
Quote:
Unfortunately I have been stuck on creating tables. I have been reading and I am trying to understand how to implement them better before I actually do one.
Practice. Play on an OpenBSD workstation, or in a virtual machine. You'll figure it out more easily if you have one.
Quote:
The best I can tell some are created in memory and defined in the actual config file and others are files that are saved on the hard drive.
They are all maintained in memory. There are four ways to add addresses to tables:
  1. Scripted within a pf.conf directly, from a list.
  2. Read in from a file named in a pf.conf.
  3. Added by pfctl command
  4. Read in from a file via a pfctl command.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
authpf setup dbach OpenBSD General 14 19th January 2013 04:25 AM
authpf, authpf.rules unable to modify filters kbeaucha OpenBSD Security 16 10th May 2012 09:46 PM
transparent firewall & authpf? ll2ollvll3o OpenBSD General 2 10th April 2012 12:42 AM
Question regarding wireless setup stealintv FreeBSD General 5 19th September 2008 07:36 PM
Wireless + wired = confused network setup davidgurvich FreeBSD General 3 27th May 2008 06:10 PM


All times are GMT. The time now is 09:16 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick