
OpenBSD 3.4: authpf problem
I've got a firewall with 3 NICs in it that I'm trying to set up as a WIFI 
gateway with the following network setup:

sis0 - Connects to my internal 192.168.1.x network
tx1 - Connects to my Linksys 802.11g access point using a. All systems 
are on a 192.168.2.x subnet.
tx0 - Connects to my ISP and has NAT rules for both 192.168.1.x and 
192.168.2.x subnets.

I've got a default blocking rule which denies any access to my internal 
network from the WIFI network. My /etc/pf.conf file includes the 
following:

int_if = "sis0"
ext_if = "tx0"
wifi_if = "tx1"

scrub out on $ext_if all random-id
scrub in on $ext_if all

block in log on $ext_if
block out log on $ext_if
block in log on $wifi_if from any to $int_if:network

anchor authpf in on $wifi_if

I've got some other rules that allow non-authenticated users access to 
my name server and allow SSH access. I also have rules that allow all 
traffic out the external interface. With this setup I have unrestricted 
access to all systems outside my network, and local access is limited 
to name service and SSH on the gateway with all access denied to the 
internal network on sis0 without being logged into the gateway.

I've set up a user that uses "/usr/sbin/authpf" for their login shell, but 
when I attempt to do an SSH login from an 802.11 system the session 
connects, the contents of the "/etc/motd" file are displayed, and then 
the session closes.

I've got an /etc/authpf/authpf.allow file set up with my userid and I 
have an /etc/authpf/authpf.rules file that looks like so:

wifi_if="tx1"

pass in quick on $wifi_if proto { udp, icmp } from $user_ip to any keep state
pass in quick on $wifi_if proto tcp from $user_ip to any flags S/SA keep state

From my reading it sounds as if my SSH session should stay open and my 
firewall rules would be modified so it would then be possible for me to 
access all systems, internal or external, from the wireless LAN side of 
the gateway. I've never used "authpf" before and my web searches 
haven't been fruitful in finding any help with this problem. I don't get 
any error message in the /var/log/messages file either.

Thanks,

Tony


-- 
Anthony Schlemmer
aschlemm@comcast.net
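The post lists the pieces an authpf(8) gateway depends on: the user's login shell set to /usr/sbin/authpf, the user listed in /etc/authpf/authpf.allow, an `anchor authpf` line in pf.conf for the per-user rules to attach to, and a parseable /etc/authpf/authpf.rules. The script below is an added pre-flight checker written for this thread; it is not from the original post or from OpenBSD. It checks each of those prerequisites from the files on disk, plus the requirement stated in authpf(8) that /etc/authpf/authpf.conf exists (it may be empty). Every function takes file paths as arguments so it can be run against copies or constructed fixtures; the defaults are the real OpenBSD locations. Where `pfctl` is available the rules file is syntax-checked with `pfctl -nf`; otherwise a coarse structural check is used, which also catches rules that were wrapped onto two lines (a `keep` on one line and `state` on the next will not parse).

```shell
#!/bin/sh
# authpf pre-flight checks (added example for this thread, not OpenBSD code).
# All paths are parameters so the checks run against fixtures as well as the
# live /etc; the user name is always the first argument.

AUTHPF_SHELL=/usr/sbin/authpf

# 1. The login shell recorded in passwd must be exactly /usr/sbin/authpf.
authpf_shell_ok() {           # usage: authpf_shell_ok <passwd-file> <user>
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    [ "$shell" = "$AUTHPF_SHELL" ]
}

# 2. The user must appear in authpf.allow, one login name per line;
#    blank lines and '#' comments are ignored.
authpf_allowed() {            # usage: authpf_allowed <allow-file> <user>
    grep -v '^[[:space:]]*#' "$1" | grep -qx "$2"
}

# 3. pf.conf must carry an authpf anchor; without it the rules that authpf
#    loads for a logged-in user have nowhere to attach.
pfconf_has_anchor() {         # usage: pfconf_has_anchor <pf.conf>
    grep -Eq '^[[:space:]]*anchor[[:space:]]+"?authpf' "$1"
}

# 4. authpf.rules should hold only comments, macro assignments and pf rules.
#    With pfctl present, -n parses the file without loading it. The fallback
#    flags any line that is none of those, e.g. the tail of a wrapped rule.
authpf_rules_ok() {           # usage: authpf_rules_ok <authpf.rules>
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1" >/dev/null 2>&1
        return
    fi
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -Ev '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' \
      | grep -Evq '^[[:space:]]*(pass|block|scrub|nat|rdr|binat|antispoof|anchor|table|set|queue|altq)([[:space:]]|$)' \
      && return 1
    return 0
}

# 5. authpf(8) requires authpf.conf to exist, even if it is empty.
authpf_conf_present() {       # usage: authpf_conf_present <authpf.conf>
    [ -f "$1" ]
}

# Run every check, print one line per result, return non-zero on any failure.
# usage: authpf_preflight <user> [passwd] [allow] [pf.conf] [rules] [conf]
authpf_preflight() {
    user=$1
    passwd=${2:-/etc/passwd}
    allow=${3:-/etc/authpf/authpf.allow}
    pfconf=${4:-/etc/pf.conf}
    rules=${5:-/etc/authpf/authpf.rules}
    conf=${6:-/etc/authpf/authpf.conf}
    rc=0
    run_check() {             # usage: run_check <label> <command...>
        label=$1; shift
        if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; rc=1; fi
    }
    run_check "login shell for $user is $AUTHPF_SHELL" authpf_shell_ok "$passwd" "$user"
    run_check "$user listed in $allow"                  authpf_allowed "$allow" "$user"
    run_check "authpf anchor present in $pfconf"        pfconf_has_anchor "$pfconf"
    run_check "$rules parses / looks like pf rules"     authpf_rules_ok "$rules"
    run_check "$conf exists (required by authpf(8))"    authpf_conf_present "$conf"
    return $rc
}

# When invoked directly with a user name, check the live system.
if [ $# -ge 1 ]; then
    authpf_preflight "$@"
fi
```

Run it on the gateway as `sh authpf_preflight.sh tony`; a `FAIL` line names the prerequisite that is missing. The checks are deliberately limited to what can be read from the files; they do not replace watching the authpf session itself (authpf logs via syslog with the `daemon` facility), but they rule out the configuration side quickly.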