sdiff udiff text old ( 126353 ) new ( 130614 )
1.\" $OpenBSD: authpf.8,v 1.30 2003/08/17 23:24:47 henning Exp $
2.\"
3.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\" notice, this list of conditions and the following disclaimer.
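Review bot: the copyright line `.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>.` opens the e-mail address with `(` and closes it with `>`; the brackets should match, e.g. `<beck@openbsd.org>`.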

--- 69 unchanged lines hidden (view full) ---

79process stores its rules in a separate ruleset inside a
80.Xr pf 4
81.Pa anchor
82shared by all
83.Nm
84processes.
85By default, the
86.Pa anchor
87name "authpf" is used, and the ruleset names equal the PIDs of the
88.Nm
89processes.
90The following rules need to be added to the main ruleset
91.Pa /etc/pf.conf
92in order to cause evaluation of any
93.Nm
94rules:
95.Bd -literal -offset indent
96nat-anchor authpf
97rdr-anchor authpf
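Review bot: the block introduced as the rules that must be in /etc/pf.conf "in order to cause evaluation of any authpf rules" shows only `nat-anchor authpf` and `rdr-anchor authpf` before the hidden lines; those two pull in translation rules only, so unless `binat-anchor authpf` and `anchor authpf` follow in the hidden part, the per-user filter rules that authpf loads would never be evaluated. The example /etc/pf.conf later in this file lists all four anchors; the two places should agree.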

--- 160 unchanged lines hidden (view full) ---

258.Nm
259may have on the main packet filter rules, the system administrator may
260enable
261.Nm
262by creating an appropriate
263.Pa /etc/authpf/authpf.conf
264file.
265.Sh EXAMPLES
266\fBControl Files\fP - To illustrate the user-specific access control
267mechanisms, let us consider a typical user named bob.
268Normally, as long as bob can authenticate himself, the
269.Nm
270program will load the appropriate rules.
271Enter the
272.Pa /etc/authpf/banned/
273directory.
274If bob has somehow fallen from grace in the eyes of the
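Review bot: `\fBControl Files\fP` (and the matching labels Distributed Authentication, SSH Configuration, Banners and Packet Filter Rules further down) are raw troff font escapes inside an mdoc page, followed by a bare `-` used as a dash; prefer the mdoc macro, e.g. `.Sy Control Files`, so the subsection labels render consistently in every output mode and can be picked up by mdoc tooling.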

--- 18 unchanged lines hidden (view full) ---

293the work group is a simple matter of maintaining a list of allowed userids.
294If bob once again manages to annoy the powers-that-be, they can ban him from
295using the gateway by creating the familiar
296.Pa /etc/authpf/banned/bob
297file.
298Though bob is listed in the allow file, he is prevented from using
299this gateway due to the existence of a ban file.
300.Pp
301\fBDistributed Authentication\fP - It is often desirable to interface with a
302distributed password system rather than forcing the sysadmins to keep a large
303number of local password files in sync.
304The
305.Xr login.conf 5
306mechanism in
307.Ox
308can be used to fork the right shell.
309To make that happen,

--- 17 unchanged lines hidden (view full) ---

327 :tc=default:
328.Ed
329.Pp
330Using a default password file, all users will get
331.Nm
332as their shell except for root who will get
333.Pa /bin/csh .
334.Pp
335\fBSSH Configuration\fP - As stated earlier,
336.Xr sshd 8
337must be properly configured to detect and defeat network attacks.
338To that end, the following options should be added to
339.Xr sshd_config 5 :
340.Bd -literal -offset indent
341Protocol 2
342ClientAliveInterval 15
343ClientAliveCountMax 3
344.Ed
345.Pp
346This ensures that unresponsive or spoofed sessions are terminated within a
347minute, since a hijacker should not be able to spoof ssh keepalive messages.
348.Pp
349\fBBanners\fP - Once authenticated, the user is shown the contents of
350.Pa /etc/authpf/authpf.message .
351This message may be a screen-full of the appropriate use policy, the contents
352of
353.Pa /etc/motd
354or something as simple as the following:
355.Bd -literal -offset indent
356This means you will be held accountable by the powers that be
357for traffic originating from your machine, so please play nice.
358.Ed
359.Pp
360To tell the user where to go when the system is broken,
361.Pa /etc/authpf/authpf.problem
362could contain something like this:
363.Bd -literal -offset indent
364Sorry, there appears to be some system problem. To report this
365problem so we can fix it, please phone 1-900-314-1597 or send
366an email to remove@bulkmailerz.net.
367.Ed
368.Pp
369\fBPacket Filter Rules\fP - In areas where this gateway is used to protect a
370wireless network (a hub with several hundred ports), the default rule set as
371well as the per-user rules should probably allow very few things beyond
372encrypted protocols like
373.Xr ssh 1 ,
374.Xr ssl 8 ,
375or
376.Xr ipsec 4 .
377On a securely switched network, with plug-in jacks for visitors who are
378given authentication accounts, you might want to allow out everything.
379In this context, a secure switch is one that tries to prevent address table
380overflow attacks.
381The examples below assume a switched wired net.
382.Pp
383Example
384.Pa /etc/pf.conf :
385.Bd -literal
386# by default we allow internal clients to talk to us using
387# ssh and use us as a dns server.
388internal_if=\&"fxp1\&"
389gateway_addr=\&"10.0.1.1\&"
390nat-anchor authpf
391rdr-anchor authpf
392binat-anchor authpf
393block in on $internal_if from any to any
394pass in quick on $internal_if proto tcp from any to $gateway_addr \e
395 port = ssh
396pass in quick on $internal_if proto udp from any to $gateway_addr \e
397 port = domain
398anchor authpf
399.Ed
400.Pp
401Example
402.Pa /etc/authpf/authpf.rules :
403.Bd -literal
404# no real restrictions here, basically turn the network jack off or on.
405
406external_if = \&"xl0\&"
407internal_if = \&"fxp0\&"
408
409pass in log quick on $internal_if proto tcp from $user_ip to any \e
410 keep state
411pass in quick on $internal_if from $user_ip to any
412.Ed
413.Pp
414Another example
415.Pa /etc/authpf/authpf.rules
416for an insecure network (such as a public wireless network) where
417we might need to be a bit more restrictive.
418.Bd -literal
419internal_if=\&"fxp1\&"
420ipsec_gw=\&"10.2.3.4\&"
421
422# rdr ftp for proxying by ftp-proxy(8)
423rdr on $internal_if proto tcp from $user_ip to any port 21 \e
424 -> 127.0.0.1 port 8081
425
426# allow out ftp, ssh, www and https only, and allow user to negotiate
427# ipsec with the ipsec server.
428pass in log quick on $internal_if proto tcp from $user_ip to any \e
429 port { 21, 22, 80, 443 } flags S/SA
430pass in quick on $internal_if proto tcp from $user_ip to any \e
431 port { 21, 22, 80, 443 }
432pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e
433 keep state
434pass in quick proto esp from $user_ip to $ipsec_gw
435.Ed
436.Sh FILES
437.Bl -tag -width "/etc/authpf/authpf.conf" -compact
438.It Pa /etc/authpf/authpf.conf
439.It Pa /etc/authpf/authpf.allow
440.It Pa /etc/authpf/authpf.rules
441.It Pa /etc/authpf/authpf.message
442.It Pa /etc/authpf/authpf.problem
443.El
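Review bot: in the second authpf.rules example the `rdr` rule sends the user's FTP connections to `127.0.0.1 port 8081`, but the `pass in` rules that follow only match `port { 21, 22, 80, 443 }`; pf evaluates filter rules on the translated packet, so the redirected connection (now destined to port 8081) matches none of them, and the example /etc/pf.conf above blocks all other inbound traffic on `$internal_if`. Suggest adding a rule such as `pass in quick on $internal_if proto tcp from $user_ip to 127.0.0.1 port 8081 flags S/SA keep state`, or stating where the proxy port is allowed. Two smaller points in the same region: `external_if = "xl0"` in the first authpf.rules example is defined but never referenced, and neither TCP rule in the wireless example keeps state (the first example's logging rule does), so mid-connection packets are passed statelessly rather than tracked.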

--- 20 unchanged lines hidden ---