Using authpf to access a network
Hi, I'm having a little trouble getting my solution to work.
I have a VM with two interfaces, network vlan 10 and network vlan 20. I want users to SSH to the IP on network vlan 10 so they are authenticated to access network vlan 20. I have authpf working, but I don't know how to incorporate this into the pf rules to open up access for that user to the network. Can someone please help? Thanks.
Quote:
I used rdr-to, but the only examples I find pertain to redirecting to an IP and not a whole network in the DMZ. Am I approaching this incorrectly? So, as I explained, from my client I ssh to, let's say, 192.168.100.1; this authenticates me with authpf to enter the DMZ network 192.168.14.0/24. I can't seem to get this working. This is what I have done so far: authpf is running and I have a blank authpf.rules file globally. I have allowed incoming ssh and ping for the interface that holds the IP 192.168.100.1; from there I am lost.... I read that you have to use anchors etc. but I cannot seem to figure this out. Do you have, or are there, any real world examples that will help me? Many thanks in anticipation!
Quote:
pf.conf
Code:
# Interfaces
extif="em0"
intif="em1"

# Variables
allowed_tcp_ports="{ ssh, https, rdp }"

set block-policy drop
set loginterface $extif
set skip on lo

# Block all Incoming Traffic
block all

# Allow temporary ICMP on ext interface
pass in on $extif inet proto icmp to ($extif) icmp-type 8 code 0 keep state
pass in on $extif proto tcp to ($extif) port $allowed_tcp_ports

Code:
extif = "em0"
allowed_tcp_ports="{ ssh, https, rdp }"
pass out on $extif inet proto tcp from any to any port $allowed_tcp_ports
Oh, and my test is to try and ssh to a machine in the DMZ, for example:
ssh user@192.168.14.10
But I cannot reach this machine at all.
It's not a mess. It is readable, and your intent is understandable.
I can't tell from what you've posted what your DMZ is. Your rules only have an internal and external interface. You permit ssh, https, and rdp inbound on the external interface in your main ruleset, and it must be destined for the OpenBSD machine. That is the only TCP traffic permitted.
Quote:
/etc/authpf/users/myuser/authpf.rules
Code:
pass out on $intif inet proto tcp from $user_ip to any port $allowed_tcp_ports
Quote:
So I use this BSD machine as the gateway from my exposed LAN to the DMZ. I want to be able to ssh (authpf) to the BSD box. Then, once authenticated, I can ssh into any box in the DMZ. I feel my rules do not reflect this.
Quote:
Code:
pass in on $extif proto tcp to ($extif) port $allowed_tcp_ports
Your authpf.rules file should include a pass that allows ssh traffic through your internal interface. Such as:
Code:
allowed_tcp_ports="{ ssh, https, rdp }"
pass proto tcp from $user_ip to any port $allowed_tcp_ports
I will tell you what issue I am facing.
I have enabled forwarding in the sysctl.conf file. I have created a test route from my desktop machine to go to the test VM via the gateway I created. The ports are open, but I am unable to ping the endpoint client. This is the icmp rule I have in authpf:
Code:
pass out on egress inet proto icmp icmp-type echoreq no state
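Putting the replies above together, here is a complete minimal pair of files, written as an added example (not the poster's configuration and not code from the OpenBSD project): a pf.conf that loads the authpf anchor after the default block, and a per-user authpf.rules that passes the authenticated client into the DMZ for TCP and for ping. The interface names (em0 on the exposed LAN, em1 on the DMZ) and the DMZ prefix 192.168.14.0/24 are assumptions taken from the addresses mentioned in the thread; adjust them to the real layout. Two points this illustrates that the posted configs lack: authpf(8) requires an `anchor "authpf/*"` line in pf.conf, placed after `block all` because pf's last matching rule wins, and macros defined in pf.conf are not visible inside authpf.rules (only `$user_ip` and `$user_id` are supplied by authpf), so anything else used there must be defined again in that file. No rdr-to is involved: the gateway simply routes the client's packets once the anchor passes them.

```conf
# ---------------------------------------------------------------------
# /etc/pf.conf  (assumed layout: em0 = exposed LAN where users ssh in,
#                em1 = DMZ 192.168.14.0/24 that authpf should unlock)
# ---------------------------------------------------------------------
lan_if  = "em0"
dmz_if  = "em1"
dmz_net = "192.168.14.0/24"

set block-policy drop
set skip on lo

# Default deny in both directions; everything below is an exception.
block all

# Anyone on the LAN may ping the gateway and ssh to it (authpf is the
# user's login shell, so this is how they authenticate).
pass in on $lan_if inet proto icmp to ($lan_if) icmp-type echoreq
pass in on $lan_if inet proto tcp  to ($lan_if) port ssh

# Per-user rules that authpf loads at login are attached here. This line
# must come after "block all": pf evaluates the anchor at this position,
# and a later "block all" would otherwise override the user's pass rules.
anchor "authpf/*"

# ---------------------------------------------------------------------
# /etc/authpf/users/myuser/authpf.rules  (per-user; /etc/authpf/authpf.rules
# is the global fallback). pf.conf macros are NOT visible here; only
# $user_ip and $user_id come from authpf, so redefine what you need.
# ---------------------------------------------------------------------
lan_if            = "em0"
dmz_if            = "em1"
dmz_net           = "192.168.14.0/24"
allowed_tcp_ports = "{ ssh, https, rdp }"

# Stateful rules (the default) let the replies back in automatically, so
# no separate return rule is needed. A "no state" ICMP rule would pass the
# echo request but leave the echo reply to hit "block all".
pass in  on $lan_if inet proto tcp  from $user_ip to $dmz_net port $allowed_tcp_ports
pass out on $dmz_if inet proto tcp  from $user_ip to $dmz_net port $allowed_tcp_ports
pass in  on $lan_if inet proto icmp from $user_ip to $dmz_net icmp-type echoreq
pass out on $dmz_if inet proto icmp from $user_ip to $dmz_net icmp-type echoreq
```

Check the main ruleset with `pfctl -nf /etc/pf.conf` before loading it, and after a user has logged in through authpf, `pfctl -sA` lists the per-user anchor that was created under authpf/. Forwarding still has to be on (`net.inet.ip.forwarding=1` in /etc/sysctl.conf), the client needs a route for the DMZ prefix via the gateway, and the DMZ hosts need a route back to the client's network via the same gateway; a missing return route shows up exactly as "ports open but nothing answers".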
Quote:
From my local machine I added a route to another VM, 192.168.0.254, via the gateway 192.168.15.5 (the BSD machine with authpf). Once authenticated, I am able to ssh to the IP 192.168.0.254. When I remove that route and add the following route instead:
ip route add 192.168.0.0/16 via 192.168.15.5
I cannot log into any other server in that subnet, not even 192.168.0.254. Any ideas?
I am adding this to my Linux box to explicitly state that if I want to access the 192.168.0.0/16 network I should use the gateway 192.168.15.5.