
Re: authpf



You know, it's funny you should mention the man page because.....

I started out with the man page example verbatim, except of course for
my site info:

from pf.conf:

ExtInt = "fxp0"

from authpf.rules:

pass in quick log on $ExtInt_if proto tcp from $user_ip/32 to any keep state
pass in quick on $ExtInt_if from $user_ip/32 to any

Declaring no value for $user_ip, on the understanding that the actual value
was retrieved from the SSH_CLIENT env var.

And would see this upon login:

/tmp/authpfrules.xxxxxxx:x: syntax error

And then I went through and replaced one variable at a time and re-attempted
to log in, then went through and started simplifying the rule until I got
to:

from authpf.rules:

pass in quick on $ExtInt from any to any

What is even more funny at this point is that in my desperation I have
tried:

pass in all

Totally bypassing any and all security at this point, and still received:

/tmp/authpfrules.xxxxxxx:x: syntax error

At which point, just to see if something was by chance 'stuck', I simply:

$ rm authpf.rules

and finally got no 'syntax error' message upon login, but then of course
it was pointless to log in.

To clarify: my external interface (fxp0) attaches directly to our hosting
company's switch port; my internal interface (we1) goes directly to the
switch supporting our 4 servers.

We are implementing (hopefully) authpf to allow the Server Admins to start
working from home so we can close our office and cut expenses from
office@$1450/month+T1@$790/month down to cable modems@$245/month+hosting
company@$600/month.

I have just recently completed migrating the servers from FreeBSD4.4 to
OpenBSD3.0 then promptly cvs'd to the 3.1 patch branch and ran make obj &&
make build when I got the news about authpf + the apache chunk exploit.

In other words, I am not completely ignant; inebriated at times,
unconscious at others, yes.

rudog@primenet.com
'If you're not living on the edge, then you're taking up too much space'

On Sun, 23 Jun 2002, Chris Kuethe wrote:

> On Sun, 23 Jun 2002, Rudolfo Munguia wrote:
> 
> > Hello again,
> >
> > I have implemented things as directed and have run into something that
> > seems utterly silly;
> >
> > Here is my authpf.rules for the test user:
> >
> > pass in quick on $ExtInt from any to any
> >
> > And here is the response I receive upon login:
> >
> > /tmp/authpfrules.VlY6590:5: syntax error
> >
> > I have been through this one rule and the man pages for both pf and authpf
> > several times over the past 4 hours,
> >
> > I think I'm about to cry...
> 
> have you defined "ExtInt" anywhere?  six pieces of blowfish sushi
> says that if you put 'ExtInt="fxp0"' (or whatever interface you're
> using) at the top, the problem will go away.
> 
> and actually that rule should read (if you have an intel nic):
> 
> 	pass in quick on fxp0 from $user_ip to any keep state
> 
> 
> CK
> 
> -- 
> Chris Kuethe, GCIA CISSP: Secure Systems Specialist - U of A CNS
>       office: 157 General Services Bldg.    +1.780.492.8135
>               chris.kuethe@[pyxis.cns.]ualberta.ca
> 
> No trees were destroyed in the sending of this contaminant free message; we
> do concede a significant number of electrons may have been inconvenienced.
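A complete authpf.rules for the setup discussed in this thread, added here as an illustration and not taken from either message. It assumes the external interface is fxp0 and, as Chris says, that any macro used in authpf.rules has to be defined in that file because macros from pf.conf are not inherited; $user_ip is assumed to be supplied by authpf for the connecting client before the file is loaded.

```pf
# Added example for the setup in this thread (external interface fxp0,
# macro named ExtInt). Not from the original messages.
#
# Assumptions: authpf.rules is parsed on its own, so a macro defined only
# in pf.conf is unknown here; authpf fills in $user_ip with the address
# of the SSH client before loading these rules.

# --- as posted (fails with "syntax error") ---
# The rules reference $ExtInt_if, but the macro that was defined is
# "ExtInt", and it was defined in pf.conf rather than in this file:
#   pass in quick log on $ExtInt_if proto tcp from $user_ip/32 to any keep state
#   pass in quick on $ExtInt_if from $user_ip/32 to any

# --- corrected ---
# Define the macro in this file and reference it by the same name.
ExtInt="fxp0"

# Allow only the authenticated user's address in on the external
# interface: TCP is logged and stateful, anything else from that host
# is passed as-is. Nothing else is opened for unauthenticated clients.
pass in quick log on $ExtInt proto tcp from $user_ip/32 to any keep state
pass in quick on $ExtInt from $user_ip/32 to any
```

If the macro is dropped from pf.conf, the main rule set needs its own copy, since the two files do not share definitions.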