DaemonForums - OpenBSD Security

Authenticating NATed users - authpf-noip?

#1, 28th August 2014, kbeaucha:

Our users avail themselves of a local wireless network that is administered by another group. Until recently we used authpf to authenticate users coming in from the wireless through our firewall. Each user had an authpf.rules file in /etc/authpf/users/UserID that specified what they could get to based on their userID, and it used their IP address in the pass rules.

That worked until the wireless network switched from routable addresses to unroutable/private addresses and NAT. Now I need to find a way to handle multiple users coming from what looks like one (or a few) addresses, and the first option that came up is authpf-noip.

I've looked around a bit, but haven't found many examples of the changes. What's thrown me off a bit is that our old authpf.rules were usually a collection of "pass in" rules, but the examples in Mark Uemura's write-up and in the man page use "pass out" rules. They also refer to tunneling, which I had not planned to do. If this is a pass-out rule, how does the remote user connect?

Are there other examples or explanations out there I'm missing?

Or can someone suggest another option (OpenIKED?)

Thanks
kmb

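As an added illustration (not the poster's configuration), this is the shape of the pre-NAT authpf setup described above and the reason it stops being a per-user control once the wireless side is NATed. Interface names, addresses and the login name are constructed; the `$user_ip` and `$user_id` macros are the ones authpf(8) itself substitutes when it loads a user's rules.

```pf
# --- /etc/pf.conf on the firewall (constructed example) ---
ext_if   = "em0"            # assumption: interface facing the wireless network
wifi_net = "10.1.0.0/16"    # constructed: the wireless network's address range

# Nothing from the wireless network gets in until a user has authenticated.
block in on $ext_if from $wifi_net
# Rules loaded by authpf for each logged-in user are attached here.
anchor "authpf/*"

# --- /etc/authpf/users/kmb/authpf.rules (constructed example) ---
# Loaded by authpf when user "kmb" logs in over ssh. authpf replaces
# $user_ip with the ssh client's source address and $user_id with the login name.
ext_if     = "em0"
mail_srv   = "192.168.5.10"  # constructed internal host this user may reach

pass in quick on $ext_if proto tcp from $user_ip to $mail_srv \
    port { 143, 993 } label "$user_id-mail"

# Why this breaks behind NAT: every wireless client now arrives from the NAT
# gateway's address, so $user_ip is that shared address. While kmb's session is
# open, this rule admits every host behind the gateway, not just kmb's machine.
# The per-user address is no longer a usable identity, which is why the thread
# moves on to tunnelling (authpf-noip) and VPN options.
```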
#2, 29th August 2014, jggimi:
Were you referring to this write-up? If so, Mark states:
Quote:
Note that you only really want to use authpf-noip in tunnelling situations. That is, for inbound connections to internal resources such as internal workstations or POP/SMTP mail tunnelled through OpenSSH.
That may be a more limited scenario than you envision.

If you don't get a lot of responses here -- and I don't expect you will -- you may wish to take your question to a wider audience, such as the Project's misc@ mailing list.
#3, 29th August 2014, kbeaucha:

I missed that part of the article - thanks for pointing that out.

You're right in that the tunneling solution is likely too limited for what we're doing.

I've since been told to explore VPN solutions.

kmb
#4, 29th August 2014, jggimi:

Perhaps you could use your existing IPSec implementation as a starting point for new VPN services.

You mention OpenIKED above, and I noted that during development of 5.6-release, the iked(8) man page finally had its CAVEATS section removed -- the Project now considers it production ready.
#5, 8th September 2014, kbeaucha:

Although I'm getting a little off topic now, how does the current iked support multiple incoming sessions?

I found some reference to the "pseudo-dhcp" code, which would allow you to define a pool/range of IP addresses in iked.conf for incoming users, not having been written yet. I assume that this function would be required to handle multiple simultaneous sessions from remote users.
#6, 8th September 2014, jggimi:

I don't know enough about iked to answer current configuration questions, much less answer questions about planned features that have not been written. For both of those, I'll refer you to the misc@ mailing list.

All I know about iked is what I can infer from iked(8) and iked.conf(5). From the latter, I know that an internal DHCP server can be utilized for further configuration definitions, and config dhcpd-server address is used to provision iked to send the address to the peer when configuration payloads are transferred.

#7, 9th September 2014, kbeaucha:

So far I have no hands-on experience. All I'm coming up with is based on what I've read online from other users and in the man pages.

As good as the man pages are, my eyes do tend to cross a bit when reading them and trying to be sure how to apply them.

I had been looking over the "config" options, and had come across the "config dhcp-server address" option, which I had planned to use to push some config info out to the clients. When it came to assigning an IP address to the field clients' sessions, what I was trying to figure out was whether "config address address/prefix" was working, or how to make the single-address "config address address" option work with multiple field users.

In the meanwhile, management has decided to let the group managing the wireless network provide VPN services to us. They run a centralized Cisco VPN service. Wireless clients will hit their site, which will then present a single address to our firewall. That won't give us the same kind of fine-grained control we used to have, but it gives us time to play around with iked without being pressed to go online quickly.
#8, 9th September 2014, jggimi:

You can count the number of IPSec users on this forum with one hand, and have spare fingers left over. You'll reach a much larger audience on misc@, and that will include iked users. All I know of iked is how to spell it, and therefore I won't be any help to you.

If you are comfortable with C, the source for iked can be found in /usr/src/sbin/iked. You will find DHCP mentioned in ikev2.{c,h} and parse.y.
#9, 9th September 2014, kbeaucha:

I'm not familiar with misc@ - How do I get there?
9th September 2014, jggimi:

The misc@ mailing list is the "general purpose" list for the OpenBSD Project. Approximately half of the Project members (developers) are active on this list.

http://www.openbsd.org/mail.html

You do not need to be subscribed to post, but you will want to subscribe in order to be able to hold a discussion.

An email client that can send plain text messages is needed. Note also that any attachments sent to this list will be automatically removed.
9th September 2014, kbeaucha:

Thanks. I'll check it out.

kmb