Exempting clients from AuthPF
Hi all,
I'm running NetBSD with pf and authpf for my firewall. I wrote the rules myself, and they have seemed to work well for the past year or so. AuthPF is only used for wireless clients coming through my WLAN. The problem I'm facing is that I want to exempt a client from having to authorize against AuthPF and bypass the rules. The client is an iPhone (192.168.1.15). Now here is the weird part... This has been working fine for a good year with my Nokia. Today I got the new iPhone, and in DHCP all I did was remove the MAC address of the Nokia and replace it with the MAC of the iPhone. I restarted DHCP and told the iPhone to renew the lease. This all worked fine and it obtained the correct IP. However, when I try to browse, all my requests are being redirected (as per my rules for non-authenticated users). Nothing in the pf.conf changed, so I'm not sure where the issue is. The only things that changed were the phone (and the browser used) and the MAC address in DHCP. Below is my /etc/pf.conf ... Any insight is much appreciated. Code:
##########
# Macros #
##########
ext_if="ppp0"
int_if="fxp0"
wi_if="fxp1"
adsl_if="sip0"
homer="192.168.0.2"
krusty="192.168.1.1"
auth_web="192.168.0.10"
phone="192.168.1.15"
routable="{ 192.168.0.0/24, 192.168.1.0/24 }"
nonroutable="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

###########
# Options #
###########
set block-policy drop
set loginterface $ext_if

#########
# Scrub #
#########
scrub no-df random-id fragment reassemble

##########
# Tables #
##########
# Filled by authpf(8) with the addresses of authenticated wireless users
table <authpf_users> persist

###########
# NAT/RDR #
###########
nat on $ext_if from $routable to any -> ($ext_if)
nat on $adsl_if from $routable to any -> ($adsl_if)

# Azureus
rdr on $ext_if proto tcp from any to any port 61980 -> $homer port 61980
rdr on $ext_if proto udp from any to any port 61980 -> $homer port 61980

# uTorrent
rdr on $ext_if proto tcp from any to any port 10394 -> $homer port 10394
rdr on $ext_if proto udp from any to any port 10394 -> $homer port 10394

# WWW redirect for non-AuthPF users
# Note: translation happens before filtering, and $phone is not in
# <authpf_users>, so this rdr matches the phone's port-80 traffic as well.
rdr on $wi_if proto tcp from ! <authpf_users> to any port 80 -> $auth_web

# WWW from Internet to krusty ***TEMP***
#rdr on $ext_if proto tcp from any to any port 80 -> $auth_web

# uTorrent Web-UI
# rdr on $ext_if proto tcp from any to any port 8181 -> $homer port 8181

################
# Filter Rules #
################
pass out quick keep state
pass quick on lo0

# Azureus
pass in quick on $ext_if proto tcp from any to any port 61980 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 61980

# uTorrent
pass in quick on $ext_if proto tcp from any to any port 10394 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 10394

# SSH
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA keep state

# Non routable
block drop in quick on $ext_if from $nonroutable to any
block drop out quick on $ext_if from any to $nonroutable

# DNS, SSH & WWW-redirect for wireless so user can AuthPF
pass in quick on $wi_if proto udp from 192.168.1.0/24 to any port 53
pass in quick on $wi_if proto tcp from 192.168.1.0/24 to $krusty port 22 flags S/SA keep state
pass in quick on $wi_if proto tcp from ! <authpf_users> to any port 80 flags S/SA keep state

# Mobile WiFi access (no proto given: flags S/SA is checked for TCP only,
# so UDP and ICMP from $phone match this rule too)
pass in quick on $wi_if from $phone to any flags S/SA keep state

# WWW from Internet to krusty ***TEMP***
#pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA keep state

# uTorrent Web-UI
# pass in quick on $ext_if proto tcp from any to any port 8181 flags S/SA keep state

# AuthPF anchor
anchor "authpf/*"

# Drop All
block in quick on $wi_if
block in quick on $ext_if
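The posted pf.conf exempts $phone only in the filter section. pf applies rdr translation before the filter rules, so a host that is not in <authpf_users> still matches the port-80 rdr and lands on $auth_web no matter what the later "pass" rule says. The fragment below, as an added example that is not the poster's config, shows how to take a host out of both the redirect and the authpf requirement. It assumes the same macros and the same <authpf_users> table as the posted file; the table name <wifi_exempt> and its member 192.168.1.15 are hypothetical choices for this illustration.

```pf
# Added example, not the original poster's pf.conf. Reuses the posted
# macros; <wifi_exempt> and its member address are assumptions.
wi_if="fxp1"
auth_web="192.168.0.10"
table <authpf_users> persist
table <wifi_exempt> persist { 192.168.1.15 }

###########
# NAT/RDR #
###########
# "no rdr" must come first: translation rules are evaluated top to bottom
# and the first match wins, so this stops the redirect for the exempt host
# before the generic rule is reached.
no rdr on $wi_if proto tcp from <wifi_exempt> to any port 80
rdr on $wi_if proto tcp from ! <authpf_users> to any port 80 -> $auth_web

################
# Filter Rules #
################
# Exempt host passes without an authpf session. Keep this narrow if the
# host only needs web access; "to any" mirrors the posted $phone rule.
pass in quick on $wi_if proto tcp from <wifi_exempt> to any flags S/SA keep state
pass in quick on $wi_if proto { udp, icmp } from <wifi_exempt> to any keep state

# Everyone else on the WLAN still goes through authpf.
anchor "authpf/*"
block in quick on $wi_if
```

After loading, check the syntax and the resulting rule set rather than trusting the file: `pfctl -nf /etc/pf.conf` parses without loading, `pfctl -s nat` shows the translation rules in evaluation order (the `no rdr` line must appear above the redirect), and `pfctl -t wifi_exempt -T show` and `pfctl -t authpf_users -T show` list who is currently exempt and who is currently authenticated. One caveat a practitioner should keep in mind: the exemption is keyed on an IP address. A DHCP reservation tied to a MAC address only decides which client is handed 192.168.1.15; any other wireless client can configure that address statically (or clone the MAC) and inherit the exemption, so this is a convenience for a trusted device, not an authentication mechanism.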
Ok, and for some reason... I get up this morning, and it works.
No changes made apart from the ones stated below. -Kristijan