authpf.8 (126353) | authpf.8 (130614) |
---|---|
1.\" $OpenBSD: authpf.8,v 1.30 2003/08/17 23:24:47 henning Exp $ | 1.\" $OpenBSD: authpf.8,v 1.31 2003/12/10 04:10:37 beck Exp $ |
2.\" 3.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. --- 69 unchanged lines hidden (view full) --- 79process stores its rules in a separate ruleset inside a 80.Xr pf 4 81.Pa anchor 82shared by all 83.Nm 84processes. 85By default, the 86.Pa anchor | 2.\" 3.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. --- 69 unchanged lines hidden (view full) --- 79process stores its rules in a separate ruleset inside a 80.Xr pf 4 81.Pa anchor 82shared by all 83.Nm 84processes. 85By default, the 86.Pa anchor |
87name "authpf" is used, and the ruleset names equal the PIDs of the | 87name "authpf" is used, and the ruleset names equal the username and PID of the |
88.Nm | 88.Nm |
89processes. | 89processes as "username(pid)". |
90The following rules need to be added to the main ruleset 91.Pa /etc/pf.conf 92in order to cause evaluation of any 93.Nm 94rules: 95.Bd -literal -offset indent 96nat-anchor authpf 97rdr-anchor authpf --- 160 unchanged lines hidden (view full) --- 258.Nm 259may have on the main packet filter rules, the system administrator may 260enable 261.Nm 262by creating an appropriate 263.Pa /etc/authpf/authpf.conf 264file. 265.Sh EXAMPLES | 90The following rules need to be added to the main ruleset 91.Pa /etc/pf.conf 92in order to cause evaluation of any 93.Nm 94rules: 95.Bd -literal -offset indent 96nat-anchor authpf 97rdr-anchor authpf --- 160 unchanged lines hidden (view full) --- 258.Nm 259may have on the main packet filter rules, the system administrator may 260enable 261.Nm 262by creating an appropriate 263.Pa /etc/authpf/authpf.conf 264file. 265.Sh EXAMPLES |
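Review bot: the rewritten sentence now says the ruleset names are "username(pid)" but gives no reason for the change, and the reason is visible at the end of this same diff, where the pflog line "rule 0.bbeck(20267).1/0(match)" lets the administrator recover the user from the ruleset name; a short cross-reference here (".Sx EXAMPLES") would make that connection for the reader. The wording "equal the username and PID of the authpf processes as "username(pid)"" also reads awkwardly; suggest "and each ruleset is named after the user and PID of the authpf process that loaded it, as "username(pid)"".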
266\fBControl Files\fP - To illustrate the user-specific access control | 266.Sy Control Files 267\- To illustrate the user-specific access control |
267mechanisms, let us consider a typical user named bob. 268Normally, as long as bob can authenticate himself, the 269.Nm 270program will load the appropriate rules. 271Enter the 272.Pa /etc/authpf/banned/ 273directory. 274If bob has somehow fallen from grace in the eyes of the --- 18 unchanged lines hidden (view full) --- 293the work group is a simple matter of maintaining a list of allowed userids. 294If bob once again manages to annoy the powers-that-be, they can ban him from 295using the gateway by creating the familiar 296.Pa /etc/authpf/banned/bob 297file. 298Though bob is listed in the allow file, he is prevented from using 299this gateway due to the existence of a ban file. 300.Pp | 268mechanisms, let us consider a typical user named bob. 269Normally, as long as bob can authenticate himself, the 270.Nm 271program will load the appropriate rules. 272Enter the 273.Pa /etc/authpf/banned/ 274directory. 275If bob has somehow fallen from grace in the eyes of the --- 18 unchanged lines hidden (view full) --- 294the work group is a simple matter of maintaining a list of allowed userids. 295If bob once again manages to annoy the powers-that-be, they can ban him from 296using the gateway by creating the familiar 297.Pa /etc/authpf/banned/bob 298file. 299Though bob is listed in the allow file, he is prevented from using 300this gateway due to the existence of a ban file. 301.Pp |
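Review bot: replacing the raw troff escapes "\fBControl Files\fP -" with ".Sy Control Files" and a "\-" on the following line is the right direction (mdoc macros instead of font escapes, and a proper minus-sign dash), and the same edit is applied uniformly to the Distributed Authentication, SSH Configuration, Banners and Packet Filter Rules headings below. The only alternative worth weighing is ".Ss" subsections, which would give each heading its own line and make them referenceable, but that changes the run-in layout of the section; if the dash run-in style is kept, ".Sy" is the correct macro.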
301\fBDistributed Authentication\fP - It is often desirable to interface with a | 302.Sy Distributed Authentication 303\- It is often desirable to interface with a |
302distributed password system rather than forcing the sysadmins to keep a large 303number of local password files in sync. 304The 305.Xr login.conf 5 306mechanism in 307.Ox 308can be used to fork the right shell. 309To make that happen, --- 17 unchanged lines hidden (view full) --- 327 :tc=default: 328.Ed 329.Pp 330Using a default password file, all users will get 331.Nm 332as their shell except for root who will get 333.Pa /bin/csh . 334.Pp | 304distributed password system rather than forcing the sysadmins to keep a large 305number of local password files in sync. 306The 307.Xr login.conf 5 308mechanism in 309.Ox 310can be used to fork the right shell. 311To make that happen, --- 17 unchanged lines hidden (view full) --- 329 :tc=default: 330.Ed 331.Pp 332Using a default password file, all users will get 333.Nm 334as their shell except for root who will get 335.Pa /bin/csh . 336.Pp |
335\fBSSH Configuration\fP - As stated earlier, | 337.Sy SSH Configuration 338\- As stated earlier, |
336.Xr sshd 8 337must be properly configured to detect and defeat network attacks. 338To that end, the following options should be added to 339.Xr sshd_config 5 : 340.Bd -literal -offset indent 341Protocol 2 342ClientAliveInterval 15 343ClientAliveCountMax 3 344.Ed 345.Pp 346This ensures that unresponsive or spoofed sessions are terminated within a 347minute, since a hijacker should not be able to spoof ssh keepalive messages. 348.Pp | 339.Xr sshd 8 340must be properly configured to detect and defeat network attacks. 341To that end, the following options should be added to 342.Xr sshd_config 5 : 343.Bd -literal -offset indent 344Protocol 2 345ClientAliveInterval 15 346ClientAliveCountMax 3 347.Ed 348.Pp 349This ensures that unresponsive or spoofed sessions are terminated within a 350minute, since a hijacker should not be able to spoof ssh keepalive messages. 351.Pp |
349\fBBanners\fP - Once authenticated, the user is shown the contents of | 352.Sy Banners 353\- Once authenticated, the user is shown the contents of |
350.Pa /etc/authpf/authpf.message . 351This message may be a screen-full of the appropriate use policy, the contents 352of 353.Pa /etc/motd 354or something as simple as the following: 355.Bd -literal -offset indent 356This means you will be held accountable by the powers that be 357for traffic originating from your machine, so please play nice. 358.Ed 359.Pp 360To tell the user where to go when the system is broken, 361.Pa /etc/authpf/authpf.problem 362could contain something like this: 363.Bd -literal -offset indent 364Sorry, there appears to be some system problem. To report this 365problem so we can fix it, please phone 1-900-314-1597 or send 366an email to remove@bulkmailerz.net. 367.Ed 368.Pp | 354.Pa /etc/authpf/authpf.message . 355This message may be a screen-full of the appropriate use policy, the contents 356of 357.Pa /etc/motd 358or something as simple as the following: 359.Bd -literal -offset indent 360This means you will be held accountable by the powers that be 361for traffic originating from your machine, so please play nice. 362.Ed 363.Pp 364To tell the user where to go when the system is broken, 365.Pa /etc/authpf/authpf.problem 366could contain something like this: 367.Bd -literal -offset indent 368Sorry, there appears to be some system problem. To report this 369problem so we can fix it, please phone 1-900-314-1597 or send 370an email to remove@bulkmailerz.net. 371.Ed 372.Pp |
369\fBPacket Filter Rules\fP - In areas where this gateway is used to protect a | 373.Sy Packet Filter Rules 374\- In areas where this gateway is used to protect a |
370wireless network (a hub with several hundred ports), the default rule set as 371well as the per-user rules should probably allow very few things beyond 372encrypted protocols like 373.Xr ssh 1 , 374.Xr ssl 8 , 375or 376.Xr ipsec 4 . 377On a securely switched network, with plug-in jacks for visitors who are 378given authentication accounts, you might want to allow out everything. 379In this context, a secure switch is one that tries to prevent address table 380overflow attacks. | 375wireless network (a hub with several hundred ports), the default rule set as 376well as the per-user rules should probably allow very few things beyond 377encrypted protocols like 378.Xr ssh 1 , 379.Xr ssl 8 , 380or 381.Xr ipsec 4 . 382On a securely switched network, with plug-in jacks for visitors who are 383given authentication accounts, you might want to allow out everything. 384In this context, a secure switch is one that tries to prevent address table 385overflow attacks. |
381The examples below assume a switched wired net. | |
382.Pp 383Example 384.Pa /etc/pf.conf : 385.Bd -literal 386# by default we allow internal clients to talk to us using 387# ssh and use us as a dns server. | 386.Pp 387Example 388.Pa /etc/pf.conf : 389.Bd -literal 390# by default we allow internal clients to talk to us using 391# ssh and use us as a dns server. |
388internal_if=\&"fxp1\&" 389gateway_addr=\&"10.0.1.1\&" | 392internal_if="fxp1" 393gateway_addr="10.0.1.1" |
390nat-anchor authpf 391rdr-anchor authpf 392binat-anchor authpf 393block in on $internal_if from any to any 394pass in quick on $internal_if proto tcp from any to $gateway_addr \e 395 port = ssh 396pass in quick on $internal_if proto udp from any to $gateway_addr \e 397 port = domain 398anchor authpf 399.Ed 400.Pp | 394nat-anchor authpf 395rdr-anchor authpf 396binat-anchor authpf 397block in on $internal_if from any to any 398pass in quick on $internal_if proto tcp from any to $gateway_addr \e 399 port = ssh 400pass in quick on $internal_if proto udp from any to $gateway_addr \e 401 port = domain 402anchor authpf 403.Ed 404.Pp |
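Review bot: dropping the \&" escapes inside the .Bd -literal displays is safe, since a double quote is only special as a macro argument and not on the text lines of a literal display, while the \e line continuations that are still needed are correctly kept. What remains is a spacing inconsistency: the pf.conf example now reads internal_if="fxp1" but the first authpf.rules example below keeps external_if = "xl0"; pfctl accepts both, so this is a style choice to make once for the whole page. The removed sentence "The examples below assume a switched wired net." is now covered by the per-example headings that follow, but this pf.conf fragment sits between them with no stated scope; a short clause saying that this main ruleset is common to both the wired and the wireless case would close that gap.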
401Example 402.Pa /etc/authpf/authpf.rules : | 405.Sy For a switched, wired net 406\- This example 407.Pa /etc/authpf/authpf.rules 408makes no real restrictions; it turns the IP address on and off, logging 409TCP connections. |
403.Bd -literal | 410.Bd -literal |
404# no real restrictions here, basically turn the network jack off or on. | 411external_if = "xl0" 412internal_if = "fxp0" |
405 | 413 |
406external_if = \&"xl0\&" 407internal_if = \&"fxp0\&" 408 | |
409pass in log quick on $internal_if proto tcp from $user_ip to any \e 410 keep state 411pass in quick on $internal_if from $user_ip to any 412.Ed 413.Pp | 414pass in log quick on $internal_if proto tcp from $user_ip to any \e 415 keep state 416pass in quick on $internal_if from $user_ip to any 417.Ed 418.Pp |
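Review bot: the new lead-in says this authpf.rules example turns the address on and off while "logging TCP connections", but only the first rule (pass in log quick ... proto tcp ... keep state) logs and keeps state; the second rule, pass in quick on $internal_if from $user_ip to any, passes every other protocol from the user's address unlogged and stateless. Either say "logging TCP connections only" or add log to the second rule, so a reader does not expect UDP or ICMP from the user to show up in pflog. Moving the old in-block comment ("# no real restrictions here ...") into prose under the heading is otherwise an improvement, since it no longer ships inside the loaded rules.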
414Another example | 419.Sy For a wireless or shared net 420\- This example |
415.Pa /etc/authpf/authpf.rules | 421.Pa /etc/authpf/authpf.rules |
416for an insecure network (such as a public wireless network) where | 422could be used for an insecure network (such as a public wireless network) where |
417we might need to be a bit more restrictive. 418.Bd -literal | 423we might need to be a bit more restrictive. 424.Bd -literal |
419internal_if=\&"fxp1\&" 420ipsec_gw=\&"10.2.3.4\&" | 425internal_if="fxp1" 426ipsec_gw="10.2.3.4" |
421 422# rdr ftp for proxying by ftp-proxy(8) 423rdr on $internal_if proto tcp from $user_ip to any port 21 \e 424 -> 127.0.0.1 port 8081 425 426# allow out ftp, ssh, www and https only, and allow user to negotiate 427# ipsec with the ipsec server. 428pass in log quick on $internal_if proto tcp from $user_ip to any \e 429 port { 21, 22, 80, 443 } flags S/SA 430pass in quick on $internal_if proto tcp from $user_ip to any \e 431 port { 21, 22, 80, 443 } 432pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e 433 keep state 434pass in quick proto esp from $user_ip to $ipsec_gw 435.Ed | 427 428# rdr ftp for proxying by ftp-proxy(8) 429rdr on $internal_if proto tcp from $user_ip to any port 21 \e 430 -> 127.0.0.1 port 8081 431 432# allow out ftp, ssh, www and https only, and allow user to negotiate 433# ipsec with the ipsec server. 434pass in log quick on $internal_if proto tcp from $user_ip to any \e 435 port { 21, 22, 80, 443 } flags S/SA 436pass in quick on $internal_if proto tcp from $user_ip to any \e 437 port { 21, 22, 80, 443 } 438pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e 439 keep state 440pass in quick proto esp from $user_ip to $ipsec_gw 441.Ed |
442.Pp 443.Sy Dealing with NAT 444\- The following 445.Pa /etc/authpf/authpf.rules 446shows how to deal with NAT, using tags: 447.Bd -literal 448ext_if = "fxp1" 449ext_addr = 129.128.11.10 450int_if = "fxp0" 451# nat and tag connections... 452nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr 453pass in quick on $int_if from $user_ip to any 454pass out log quick on $ext_if tagged $user_ip keep state 455.Ed 456.Pp 457With the above rules added by 458.Nm , 459outbound connections corresponding to each users NAT'ed connections 460will be logged as in the example below, where the user may be identified 461from the ruleset name. 462.Bd -literal 463# tcpdump -n -e -ttt -i pflog0 464Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e 465129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e 46616384 <mss 1460,nop,nop,sackOK> (DF) 467.Ed |
|
436.Sh FILES 437.Bl -tag -width "/etc/authpf/authpf.conf" -compact 438.It Pa /etc/authpf/authpf.conf 439.It Pa /etc/authpf/authpf.allow 440.It Pa /etc/authpf/authpf.rules 441.It Pa /etc/authpf/authpf.message 442.It Pa /etc/authpf/authpf.problem 443.El --- 20 unchanged lines hidden --- | 468.Sh FILES 469.Bl -tag -width "/etc/authpf/authpf.conf" -compact 470.It Pa /etc/authpf/authpf.conf 471.It Pa /etc/authpf/authpf.allow 472.It Pa /etc/authpf/authpf.rules 473.It Pa /etc/authpf/authpf.message 474.It Pa /etc/authpf/authpf.problem 475.El --- 20 unchanged lines hidden --- |
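Review bot: in the new Dealing with NAT section the prose should read "each user's NAT'ed connections" (possessive), and the example breaks the page's own conventions in two small ways: ext_addr = 129.128.11.10 is the only unquoted macro value on the page, and int_if/ext_if replace the internal_if/external_if names used by the two examples above; suggest ext_addr = "129.128.11.10" and the longer names. It is also worth stating next to the example that it depends on the nat-anchor authpf line the page already requires in the main /etc/pf.conf: the nat ... tag $user_ip rule is loaded into that anchor, and without it no packet is tagged, so pass out log quick on $ext_if tagged $user_ip keep state matches nothing and the user's connections leave untranslated and unlogged. Finally, the pflog line "rule 0.bbeck(20267).1/0(match)" is exactly what the "username(pid)" ruleset naming introduced at the top of this diff provides; the sentence "the user may be identified from the ruleset name" could point back to that paragraph so the two changes are read together.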