wow thanks a lot for the explanation
I am now trying to forward non authpf authenticated users to port 80 running on the local host. I have these in my pf.conf but still it does not work. (httpd is working, verified with lynx localhost.) To verify this I had to open the pf completely up. In my pf.conf I have
Code:
match in log on $WRLS_IF proto tcp from ! <authpf_users> port 80 rdr-to 127.0.0.1
pass in log proto tcp from 10.2.0.0/24 to 10.2.0.5 port 80
If I type 10.2.0.5 it comes up with a generic OpenBSD "it worked" page
Above, I'd recommended (guidance 3) that you document rules to make it easier to see errors. A comment above the rule that said:
Code:
# allow the authorized client to access servers
Code:
# allow clients to reach the authorized server
Documentation helps. It really, really helps. Especially when you're reading your own rulesets after leaving them be for a couple of years.
I actually am commenting in my real pf.conf. I will start including the comments here.
What I am actually trying to do is forward non-authenticated users ("! <authpf_users>") to the web page no matter what website they choose (if they are not authenticated).
However, I will point you to the Traffic Redirection chapter of the PF User's Guide for further .. guidance. Note that rdr-to, like nat-to, matches with an assigned interface. So if you use it, you should use "on <interface>". I use rdr-to, but typically with pass rules, rather than match.
I see the pass in and the redirection to 127.0.0.1:80 and then I see a whole bunch of DNS blocks to 4.4.4.4:53.
I guess the question is, is the DNS blocking the connection from even happening? How do I resolve the DNS www.whatever.com to be forwarded to 127.0.0.1?
Here's an example of a real rdr-to from one of my firewalls. There is a pass inbound, with redirection, and also an outbound pass. These are separate, because the rule matching the inbound traffic is not the same as the outbound traffic, so two rules are used.
I also include https (destination port 443), which you have not yet considered for your ruleset so far.
Code:
# redirect web and ident services to the MASTER server:
#
pass in log quick on $external_nic proto tcp from any to any \
        port {www https ident} rdr-to $master
pass out log quick proto tcp from any to $master port {www https ident}
Edited to add: The rdr-to needs an "on <interface>", which is really why there are two rules -- the second rule permits the traffic to pass on other interfaces. The "in" and "out" are active, but are really there as documentation for me, more than for any effect.
Last edited by jggimi; 16th July 2014 at 03:57 AM. Reason: fixed a thinko. and a typo. Then added more explanation.
If you're ever concerned about unauthorized traffic getting past your firewall using the domain name resolution destination ports (UDP 53, TCP 53), you have some choices. You could:
Last edited by jggimi; 16th July 2014 at 12:09 PM. Reason: typos. Always typos.
Quote:
Can I configure bind to play nice with authpf? If the user is authenticated, cache the nslookup (if not, look it up from 4.4.4.4). If the user has not authenticated, then route them to some kind of dummy dns?
You could use BIND, but there are replacements which may be easier to configure, maintain, manage, and use. One of those is unbound(8), a caching DNS resolver which moved from ports to the base OS in -current (and the upcoming 5.6) in March. If you're running -release/-stable, unbound is in ports. Michael Lucas has a brief howto on his blog.
A PF-based solution will not cause problems for an eventually authorized client.
Last edited by jggimi; 16th July 2014 at 03:41 PM. Reason: typos. typos. typos. typos. topys.
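Pulling the thread's pieces together as an added illustration (a constructed pf.conf fragment written for this page, not jggimi's or the original poster's rules): the interface name athn0 and the gateway address are assumptions, and it assumes a caching resolver such as unbound(8) listens on 127.0.0.1 and accepts queries from the wireless subnet. It keeps "on <interface>" on the rdr-to rule as discussed above, puts the destination port after "to" (in the first post's rule, "from ! <authpf_users> port 80" matches the client's source port, not the web port), and answers DNS locally so an unauthenticated browser can resolve a name and reach the redirect at all.

```pf
# Constructed example pf.conf fragment for an authpf(8) captive portal.
wrls_if = "athn0"                 # assumed wireless interface
gw_addr = "10.2.0.5"              # gateway address on the wireless segment (from the thread)
portal  = "127.0.0.1"             # httpd(8) serving the portal page on the gateway itself

table <authpf_users> persist      # authpf(8) adds a client's IP here after a successful login

set skip on lo

# authpf(8) loads each logged-in user's rules into this anchor
anchor "authpf/*"

# Unauthenticated clients: answer DNS on the gateway (assumed local resolver,
# e.g. unbound(8) listening on 127.0.0.1 with access-control for 10.2.0.0/24).
# Without this the client never resolves a name, so no web request ever arrives
# to be redirected; that is the "blocked 4.4.4.4:53" symptom seen earlier.
pass in log quick on $wrls_if proto { tcp udp } from ! <authpf_users> \
        to any port domain rdr-to $portal port domain

# Unauthenticated clients: every plain-HTTP request lands on the local portal.
# The destination port must follow "to"; "from <x> port 80" filters on the
# client's source port. rdr-to needs the interface ("on $wrls_if") to match.
pass in log quick on $wrls_if proto tcp from ! <authpf_users> \
        to any port www rdr-to $portal port www

# TLS (443) cannot be transparently redirected to a plain-HTTP portal without
# certificate errors, so it is simply blocked along with everything else.
block in log quick on $wrls_if from ! <authpf_users>

# Authenticated clients: the portal page is still reachable directly.
pass in quick on $wrls_if proto tcp from <authpf_users> to $gw_addr port www

# Authenticated clients: normal forwarding; nat-to on the egress interface
# would go here if the gateway also does NAT.
pass in quick on $wrls_if from <authpf_users>
pass out quick
```

Load it with "pfctl -nf /etc/pf.conf" first to check the syntax, then watch "tcpdump -n -e -ttt -i pflog0" for the rdr-to rule's log entries while an unauthenticated client browses.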