Using authpf to access a network
Hi, I'm having a little trouble getting my solution to work.
I have a VM with two interfaces: network vlan 10 and network vlan 20. I want users to SSH to the IP on network vlan 10 so they are authenticated to access network vlan 20. I have authpf working, but I don't know how to incorporate this into the pf rules to open up access for that user to the network. Can someone please help? Thanks
Quote:
I used rdr-to, but the only examples I find pertain to redirecting to an IP and not a whole network in the DMZ. Am I approaching this incorrectly? So, as I explained, from my client I ssh to, let's say, 192.168.100.1; this authenticates me with authpf to enter the DMZ network 192.168.14.0/24. I can't seem to get this working. This is what I have done so far: authpf is running and I have a blank authpf.rules file globally. I have allowed incoming ssh and ping for the interface that holds the IP 192.168.100.1; from there I am lost.... I read that you have to use anchors etc. but I cannot seem to figure this out. Do you have, or are there, any real-world examples that will help me? Many thanks in anticipation!
Quote:
pf.conf Code:
# Interfaces
extif="em0"
intif="em1"

# Variables
allowed_tcp_ports="{ ssh, https, rdp }"

set block-policy drop
set loginterface $extif
set skip on lo

# Block all Incoming Traffic
block all

# Allow temporary ICMP on ext interface
pass in on $extif inet proto icmp to ($extif) icmp-type 8 code 0 keep state
pass in on $extif proto tcp to ($extif) port $allowed_tcp_ports

Code:
extif = "em0"
allowed_tcp_ports="{ ssh, https, rdp }"
pass out on $extif inet proto tcp from any to any port $allowed_tcp_ports
Oh, and my test is to try and ssh to a machine in the DMZ, for example:
Code:
ssh user@192.168.14.10
But I cannot reach this machine at all.
I can't tell from what you've posted what your DMZ is. Your rules only have an internal and external interface. You permit ssh, https, and rdp inbound on the external interface in your main ruleset, and it must be destined for the OpenBSD machine. That is the only TCP traffic permitted.
Quote:
So I use this BSD machine as the gateway from my exposed LAN to the DMZ. I want to be able to ssh (authpf) to the BSD box. Then, once authenticated, I can ssh into any box in the DMZ. I feel my rules do not reflect this.
It's not a mess. It is readable, and your intent is understandable.
Quote:
/etc/authpf/users/myuser/authpf.rules Code:
pass out on $intif inet proto tcp from $user_ip to any port $allowed_tcp_ports
Your authpf.rules file should include a pass that allows ssh traffic through your internal interface. Such as:
Code:
allowed_tcp_ports="{ ssh, https, rdp }"
pass proto tcp from $user_ip to any port $allowed_tcp_ports
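As an added example (not the poster's ruleset and not jggimi's), here is how the two rule files fit together for the setup described in this thread: a pf.conf that carries the authpf anchor, and an authpf.rules that opens the DMZ to the authenticated user's address. The interface name em0 and the port list are taken from the posted rules and the DMZ prefix 192.168.14.0/24 from the thread; the macro names and the rest of the layout are assumptions.

```pf
# ---- /etc/pf.conf on the authpf gateway (added example) ----
extif = "em0"      # vlan 10 side; users ssh to 192.168.100.1 here
                   # (em1 is the vlan 20 / DMZ side, not referenced below)

set block-policy drop
set skip on lo

block all

# Only what is needed to reach the gateway itself and log in via authpf.
pass in on $extif inet proto icmp to ($extif) icmp-type echoreq
pass in on $extif inet proto tcp to ($extif) port ssh

# authpf loads each user's rules into a sub-anchor under "authpf"; without
# this line nothing in authpf.rules is ever evaluated.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules (or /etc/authpf/users/<user>/authpf.rules) ----
# authpf loads this file on its own, so macros defined in pf.conf are not
# visible here; each macro used below must be defined again. $user_ip is
# supplied by authpf and holds the address the user authenticated from.
dmz_net = "192.168.14.0/24"        # assumed macro name; prefix from the thread
allowed_tcp_ports = "{ ssh, https, rdp }"

# Forwarded packets are filtered twice: "in" on the vlan 10 interface and
# "out" on the DMZ interface. A stateful rule with no interface or direction
# passes the user's traffic on both and lets the replies back; a rule that
# only says "pass out on $intif" still loses to "block all" on the way in.
pass inet proto tcp from $user_ip to $dmz_net port $allowed_tcp_ports
pass inet proto icmp from $user_ip to $dmz_net icmp-type echoreq

# DMZ hosts still need a route back to the user's network via this gateway.
```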
I will tell you what issue I am facing.
I have enabled forwarding in sysctl.conf. I have created a test route from my desktop machine to go to the test VM via the gateway I created. The ports are open, but I am unable to ping the endpoint client. This is the ICMP rule I have in authpf:
Code:
pass out on egress inet proto icmp icmp-type echoreq no state
Quote:
From my local machine I added a route to another VM, 192.168.0.254, via the gateway 192.168.15.5 (the BSD machine with authpf). Once authenticated, I am able to ssh to the IP 192.168.0.254. When I remove that route and add the following route instead:
Code:
ip route add 192.168.0.0/16 via 192.168.15.5
I cannot log into any other server in that subnet, not even 192.168.0.254. Any ideas?
I am adding this to my Linux box to explicitly state that if I want to access the 192.168.0.0/16 network I should use the gateway 192.168.15.5.
Routing and routes can be confusing. Please excuse the routing explanation below, but I am hoping it will provide some clarity. PF block rules can behave like routing errors between networks, so this explanation does not include any discussion of PF.
Code:
[System A] - network 1 - [Router B] - network 2 - [Router D] - {the internet} - [System E]
                                          |
                                      [System C]

# route add default <address of Router B on network 1>

where the keyword "default" is equivalent to 0.0.0.0/0. Any IP packet destined for an address not on network 1 will be sent to Router B for routing to all other networks, such as System C on network 2, or to System E somewhere on the internet. On OpenBSD, the default route is assigned statically with a mygate(5) file, or dynamically via a DHCP server.

Router B is aware of two networks: network 1 and network 2, because it has NICs provisioned on both networks. But it needs a default route: through Router D. In route(8) terms, this would be

# route add default <address of Router D on network 2>

With this knowledge, any traffic it receives to be forwarded to System A on network 1 will be sent directly to it through its NIC on network 1. Likewise, any traffic it receives to be forwarded to System C on network 2 would be sent directly to it through its NIC on network 2. But any traffic it receives for networks other than 1 or 2 would be forwarded to Router D for further distribution.

System C on network 2 has direct access to the two routers B and D. It will need a default route through Router D. If System C needs to communicate with System A on network 1, it will need a route to network 1 added. In route(8) terms, that additional route would be

# route add <network 1> <address of Router B on network 2>

This additional route can be added via a DHCP server, or can be added statically. If System C is an OpenBSD system, a !route command is added to a hostname.if(5) file to add a static route.

Router D is aware of network 2 and its internet connection. Its default route will be through the ISP, either dynamically with DHCP or statically. But it has no knowledge of network 1 unless a route to it is provisioned. In route(8) terms, this would be

# route add <network 1> <address of Router B on network 2>

Last edited by jggimi; 25th July 2019 at 07:25 PM. Reason: clarity for the ASCII "picture", and typos. And another typo. Thanks IdOp!!!