authpf.8 (157214) authpf.8 (171172)
1.\" $FreeBSD: head/contrib/pf/authpf/authpf.8 157214 2006-03-28 15:26:16Z mlaier $
2.\" $OpenBSD: authpf.8,v 1.38 2005/01/04 09:57:04 jmc Exp $
1.\" $FreeBSD: head/contrib/pf/authpf/authpf.8 171172 2007-07-03 12:30:03Z mlaier $
2.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $
3.\"
3.\"
4.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.
4.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved.
5.\"
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\" derived from this software without specific prior written permission.
6.\" Permission to use, copy, modify, and distribute this software for any
7.\" purpose with or without fee is hereby granted, provided that the above
8.\" copyright notice and this permission notice appear in all copies.
16.\"
9.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
27.\"
28.Dd March 28, 2006
29.Dt AUTHPF 8
30.Os
31.Sh NAME
32.Nm authpf
33.Nd authenticating gateway user shell
34.Sh SYNOPSIS

--- 190 unchanged lines hidden (view full) ---

225.Ar ClientAliveInterval
226and
227.Ar ClientAliveCountMax
228parameters to ensure that a ssh session is terminated quickly if
229it becomes unresponsive, or if arp or address spoofing is used to
230hijack the session.
231Note that TCP keepalives are not sufficient for
232this, since they are not secure.
17.\"
18.Dd March 28, 2006
19.Dt AUTHPF 8
20.Os
21.Sh NAME
22.Nm authpf
23.Nd authenticating gateway user shell
24.Sh SYNOPSIS
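Review bot: the .Dd date is carried over unchanged (new line 18 still reads ".Dd March 28, 2006") although this revision changes the manual's text and its $FreeBSD$ tag is dated 2007-07-03; bump .Dd so the page date reflects the edit. While the copyright line is being touched for the 1998-2007 year range anyway, also fix the unbalanced bracket in "(beck@openbsd.org>" to "<beck@openbsd.org>", which survives from the old version.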

--- 190 unchanged lines hidden (view full) ---

215.Ar ClientAliveInterval
216and
217.Ar ClientAliveCountMax
218parameters to ensure that a ssh session is terminated quickly if
219it becomes unresponsive, or if arp or address spoofing is used to
220hijack the session.
221Note that TCP keepalives are not sufficient for
222this, since they are not secure.
233Also note that
223Also note that the various SSH tunnelling mechanisms,
224such as
234.Ar AllowTcpForwarding
225.Ar AllowTcpForwarding
226and
227.Ar PermitTunnel ,
235should be disabled for
236.Nm
237users to prevent them from circumventing restrictions imposed by the
238packet filter ruleset.
239.Pp
240.Nm
241will remove state table entries that were created during a user's
242session.

--- 181 unchanged lines hidden (view full) ---

424\- This example
425.Pa /etc/authpf/authpf.rules
426makes no real restrictions; it turns the IP address on and off, logging
427TCP connections.
428.Bd -literal
429external_if = "xl0"
430internal_if = "fxp0"
431
228should be disabled for
229.Nm
230users to prevent them from circumventing restrictions imposed by the
231packet filter ruleset.
232.Pp
233.Nm
234will remove state table entries that were created during a user's
235session.
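Review bot: AllowTcpForwarding and PermitTunnel (new lines 225 and 227) are sshd_config(5) keywords rather than command arguments, so .Cm is the right macro; .Ar is used here for consistency with the ClientAliveInterval and ClientAliveCountMax lines above, but the same applies to those, so all four would be better as .Cm, and a ".Xr sshd_config 5" after them would tell the reader where these settings live. The new sentence says the tunnelling mechanisms must be disabled so users cannot bypass the ruleset; saying that this is a per-sshd setting (not something authpf enforces) would make clear that the protection is lost if the administrator forgets it.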

--- 181 unchanged lines hidden (view full) ---

417\- This example
418.Pa /etc/authpf/authpf.rules
419makes no real restrictions; it turns the IP address on and off, logging
420TCP connections.
421.Bd -literal
422external_if = "xl0"
423internal_if = "fxp0"
424
432pass in log quick on $internal_if proto tcp from $user_ip to any \e
433 keep state
425pass in log quick on $internal_if proto tcp from $user_ip to any
434pass in quick on $internal_if from $user_ip to any
435.Ed
436.Pp
437.Sy For a wireless or shared net
438\- This example
439.Pa /etc/authpf/authpf.rules
440could be used for an insecure network (such as a public wireless network) where
441we might need to be a bit more restrictive.
442.Bd -literal
443internal_if="fxp1"
444ipsec_gw="10.2.3.4"
445
446# rdr ftp for proxying by ftp-proxy(8)
447rdr on $internal_if proto tcp from $user_ip to any port 21 \e
426pass in quick on $internal_if from $user_ip to any
427.Ed
428.Pp
429.Sy For a wireless or shared net
430\- This example
431.Pa /etc/authpf/authpf.rules
432could be used for an insecure network (such as a public wireless network) where
433we might need to be a bit more restrictive.
434.Bd -literal
435internal_if="fxp1"
436ipsec_gw="10.2.3.4"
437
438# rdr ftp for proxying by ftp-proxy(8)
439rdr on $internal_if proto tcp from $user_ip to any port 21 \e
448 -> 127.0.0.1 port 8081
440 -> 127.0.0.1 port 8021
449
450# allow out ftp, ssh, www and https only, and allow user to negotiate
451# ipsec with the ipsec server.
452pass in log quick on $internal_if proto tcp from $user_ip to any \e
441
442# allow out ftp, ssh, www and https only, and allow user to negotiate
443# ipsec with the ipsec server.
444pass in log quick on $internal_if proto tcp from $user_ip to any \e
453 port { 21, 22, 80, 443 } flags S/SA
445 port { 21, 22, 80, 443 }
454pass in quick on $internal_if proto tcp from $user_ip to any \e
455 port { 21, 22, 80, 443 }
446pass in quick on $internal_if proto tcp from $user_ip to any \e
447 port { 21, 22, 80, 443 }
456pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e
457 keep state
448pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp
458pass in quick proto esp from $user_ip to $ipsec_gw
459.Ed
460.Pp
461.Sy Dealing with NAT
462\- The following
463.Pa /etc/authpf/authpf.rules
464shows how to deal with NAT, using tags:
465.Bd -literal
466ext_if = "fxp1"
467ext_addr = 129.128.11.10
468int_if = "fxp0"
469# nat and tag connections...
470nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
471pass in quick on $int_if from $user_ip to any
449pass in quick proto esp from $user_ip to $ipsec_gw
450.Ed
451.Pp
452.Sy Dealing with NAT
453\- The following
454.Pa /etc/authpf/authpf.rules
455shows how to deal with NAT, using tags:
456.Bd -literal
457ext_if = "fxp1"
458ext_addr = 129.128.11.10
459int_if = "fxp0"
460# nat and tag connections...
461nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
462pass in quick on $int_if from $user_ip to any
472pass out log quick on $ext_if tagged $user_ip keep state
463pass out log quick on $ext_if tagged $user_ip
473.Ed
474.Pp
475With the above rules added by
476.Nm ,
477outbound connections corresponding to each users NAT'ed connections
478will be logged as in the example below, where the user may be identified
479from the ruleset name.
480.Bd -literal

--- 9 unchanged lines hidden (view full) ---

490settings can be implemented without an anchor by just using the "authpf_users"
491.Pa table .
492For example, the following
493.Xr pf.conf 5
494lines will give SMTP and IMAP access to logged in users:
495.Bd -literal
496table <authpf_users> persist
497pass in on $ext_if proto tcp from <authpf_users> \e
464.Ed
465.Pp
466With the above rules added by
467.Nm ,
468outbound connections corresponding to each users NAT'ed connections
469will be logged as in the example below, where the user may be identified
470from the ruleset name.
471.Bd -literal
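Review bot: the example rules at new lines 425, 445, 448 and 463 drop the explicit "keep state" (and "flags S/SA" on line 445), so they now rely on pf creating state for pass rules by default; confirm that the pf in this tree has that default, because without it the TCP reply traffic is no longer matched by these rules, and the statement at new lines 233-235 that authpf removes the state table entries created during a user's session would no longer describe what the examples do. The ftp-proxy redirect target also moves from port 8081 to 8021 at new line 440; check that this is the port the ftp-proxy(8) shipped with this tree listens on, and consider stating it in the "# rdr ftp" comment, since a stale port silently breaks FTP for every authenticated user.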

--- 9 unchanged lines hidden (view full) ---

481settings can be implemented without an anchor by just using the "authpf_users"
482.Pa table .
483For example, the following
484.Xr pf.conf 5
485lines will give SMTP and IMAP access to logged in users:
486.Bd -literal
487table <authpf_users> persist
488pass in on $ext_if proto tcp from <authpf_users> \e
498 to port { smtp imap } keep state
489 to port { smtp imap }
499.Ed
500.Pp
501It is also possible to use the "authpf_users"
502.Pa table
503in combination with anchors.
504For example,
505.Xr pf 4
506processing can be sped up by looking up the anchor

--- 10 unchanged lines hidden (view full) ---

517.It Pa /etc/authpf/authpf.rules
518.It Pa /etc/authpf/authpf.message
519.It Pa /etc/authpf/authpf.problem
520.El
521.Sh SEE ALSO
522.Xr pf 4 ,
523.Xr pf.conf 5 ,
524.Xr fdescfs 5 ,
490.Ed
491.Pp
492It is also possible to use the "authpf_users"
493.Pa table
494in combination with anchors.
495For example,
496.Xr pf 4
497processing can be sped up by looking up the anchor
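Review bot: new line 489 drops "keep state" from the <authpf_users> SMTP/IMAP rule as well, so the same default-state assumption as in the authpf.rules examples applies here; if it holds, the rule is fine, but note that unlike the anchor examples this one has no "quick", so a later rule in pf.conf can still override it, and a short sentence saying whether that is intended would help readers who copy it. Minor: "logged in users" in the surrounding text reads better hyphenated as "logged-in users".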

--- 10 unchanged lines hidden (view full) ---

508.It Pa /etc/authpf/authpf.rules
509.It Pa /etc/authpf/authpf.message
510.It Pa /etc/authpf/authpf.problem
511.El
512.Sh SEE ALSO
513.Xr pf 4 ,
514.Xr pf.conf 5 ,
515.Xr fdescfs 5 ,
516.Xr securelevel 7 ,
525.Xr ftp-proxy 8
526.Sh HISTORY
527The
528.Nm
529program first appeared in
530.Ox 3.1 .
531.Sh BUGS
532Configuration issues are tricky.
533The authenticating
534.Xr ssh 1
535connection may be secured, but if the network is not secured the user may
536expose insecure protocols to attackers on the same network, or enable other
537attackers on the network to pretend to be the user by spoofing their IP
538address.
539.Pp
540.Nm
541is not designed to prevent users from denying service to other users.
517.Xr ftp-proxy 8
518.Sh HISTORY
519The
520.Nm
521program first appeared in
522.Ox 3.1 .
523.Sh BUGS
524Configuration issues are tricky.
525The authenticating
526.Xr ssh 1
527connection may be secured, but if the network is not secured the user may
528expose insecure protocols to attackers on the same network, or enable other
529attackers on the network to pretend to be the user by spoofing their IP
530address.
531.Pp
532.Nm
533is not designed to prevent users from denying service to other users.
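Review bot: ".Xr securelevel 7 ," is added to SEE ALSO at new line 516, but none of the visible hunks add body text that mentions securelevel; a SEE ALSO entry should be backed by a sentence explaining the connection, so either that sentence is in the hidden lines or it needs adding. Since the new sshd paragraph names AllowTcpForwarding and PermitTunnel, ".Xr sshd_config 5 ," belongs in this list too, and while the list is being edited, "fdescfs 5" should sort before "pf.conf 5".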