OpenBSD Security - Functionally paranoid!
Authenticating NATed users - authpf-noip?
Our users avail themselves of a local wireless network that is administered by another group. Until recently we used authpf to authenticate users coming in from the wireless through our firewall. Each user had an authpf.rules file in /etc/authpf/users/UserID that specified what they could get to based on their userID, and it used their IP address in the pass rules.

That worked until the wireless network switched from routable addresses to unroutable/private and NAT. Now I need to find a way to handle multiple users coming from what looks like one (or a few) addresses, and the first option that came up is authpf-noip. I've looked around a bit, but haven't found many examples of the changes. What's thrown me off a bit is that our old authpf.rules were usually a collection of "pass in" rules, but the example in Mark Uemura's write-up and in the man page use "pass out" rules. They also refer to tunneling, which I had not planned to do. If this is a pass-out rule, how does the remote user connect? Are there other examples or explanations out there I'm missing? Or can someone suggest another option (OpenIKED?)

Thanks
kmb

Last edited by kbeaucha; 28th August 2014 at 09:33 PM. Reason: Grammar
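As an added illustration (not from the original thread, and not OpenBSD's own documentation), the three fragments below set the per-IP authpf arrangement the post describes beside an authpf-noip style rules file. Interface names, addresses and the user name alice are constructed. The authpf-noip fragment reflects my reading of the man page's "pass out" examples: because the client's address is not trusted behind NAT, authorized traffic reaches the inside only through the user's ssh session on the gateway (port forwarding), so it leaves the gateway itself and is matched on the way out; pinning the rule to the login user with pf's user parameter is my addition, not something the thread states.

```pf
# ---- /etc/pf.conf on the gateway (constructed example) ----
int_if   = "em0"              # toward the internal network (assumed)
wifi_if  = "em1"              # toward the wireless network (assumed)
wifi_net = "192.0.2.0/24"     # with NAT in front, clients all appear from the NAT box
int_net  = "10.0.0.0/24"

set skip on lo
block log all

# Wireless clients may only reach the gateway's sshd; authpf is their login shell.
pass in quick on $wifi_if proto tcp from $wifi_net to ($wifi_if) port 22

# Rules authpf loads per session land here, in anchors named "authpf/<user>(<pid>)".
# Inspect them with:  pfctl -a 'authpf/*' -sr
anchor "authpf/*"

# ---- /etc/authpf/users/alice/authpf.rules, classic authpf ----
# authpf substitutes $user_ip and $user_id; any other macro must be defined in this file.
wifi_if = "em1"
int_net = "10.0.0.0/24"
pass in quick on $wifi_if proto tcp from $user_ip to $int_net port { 22 443 }
# Caveat: behind NAT, $user_ip is the NAT gateway's address, so this rule admits
# every host sharing that address for as long as alice's session stays up.

# ---- /etc/authpf/users/alice/authpf.rules, authpf-noip (assumed form) ----
# No $user_ip is available. alice reaches the inside by forwarding ports over her ssh
# session (e.g. ssh -L 8443:10.0.0.10:443 gateway), so the forwarded connections leave
# the gateway from sockets owned by her login user. Matching on "user" ties the pass
# rule to that user instead of to an address shared with other wireless clients.
int_if  = "em0"
int_net = "10.0.0.0/24"
pass out quick on $int_if proto tcp from ($int_if) to $int_net port { 22 443 } user $user_id
```

The two authpf.rules fragments are alternatives for the same user; only one is installed at a time, and which one applies is decided by whether the account's login shell is authpf or authpf-noip. With the first form, revoking access means the anchor is flushed when the ssh session ends, but anyone else behind the same NAT address had access in the meantime; with the second, nothing on the wireless side is passed at all, and only connections carried inside the authenticated session are let out toward the internal network.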
Were you referring to this write-up? If so, Mark states:
Quote:

If you don't get a lot of responses here -- and I don't expect you will -- you may wish to take your question to a wider audience, such as the Project's misc@ mailing list.
I missed that part of the article - thanks for pointing that out.

You're right in that the tunneling solution is likely too limited for what we're doing. I've since been told to explore VPN solutions.

kmb
Although I'm getting a little off topic now, how does the current iked support multiple incoming sessions?

I found some reference to the "pseudo-dhcp" code, which would allow you to define a pool/range of IP addresses in iked.conf for incoming users, not having been written yet. I assume that this function would be required to handle multiple simultaneous sessions from remote users.
I don't know enough about iked to answer current configuration questions, much less answer questions about planned features that have not been written. For both of those, I'll refer you to the misc@ mailing list.

All I know about iked is what I can infer from iked(8) and iked.conf(5). From the latter, I know that an internal DHCP server can be utilized for further configuration definitions, and config dhcp-server address is used to provision iked to send the address to the peer when configuration payloads are transferred.

Last edited by jggimi; 8th September 2014 at 11:04 PM. Reason: clarity
So far I have no hands-on experience. All I'm coming up with is based on what I've read online from other users and in the man pages.

As good as the man pages are, my eyes do tend to cross a bit when reading them and trying to be sure how to apply them. I had been looking over the "config" options, and had come across the "config dhcp-server address" option, which I had planned to use to push some config info out to the clients. When it came to assigning an IP address to the field clients' sessions, what I was trying to figure out was whether "config address address/prefix" was working, or how to make the single-address "config address address" option work with multiple field users.

In the meanwhile, management has decided to let the group managing the wireless network provide VPN services to us. They run a centralized Cisco VPN service. Wireless clients will hit their site, which will then present a single address to our firewall. That won't give us the same kind of fine-grained control we used to have, but it gives us time to play around with iked without being pressed to go online quickly.
I'm not familiar with misc@ - How do I get there?
The misc@ mailing list is the "general purpose" list for the OpenBSD Project. Approximately half of the Project members (developers) are active on this list.

http://www.openbsd.org/mail.html

You do not need to be subscribed to post, but you will want to subscribe in order to be able to hold a discussion. An email client that can send plain text messages is needed. Note also that any attachments sent to this list will be automatically removed.
Thanks. I'll check it out.

kmb