authpf is a user shell for authenticating gateways.
Wut?
- What is authpf?
- Why would you want to use it?
- What does a basic deployment look like?
- What crazy stuff could you do with it?
authpf(8) is a user shell (think bash or ksh) for authenticating gateways.
It is used to dynamically create pf(4) rules when a user authenticates. These rules will be removed when the user exits their session.
- To grant trusted users more access through an OpenBSD firewall.
- To create a "Walled garden" WiFi access point.
- To restrict access to specific ports on a remote host to a single IP.
- Can be helpful in troubleshooting firewall connection issues (more on this later).
All users who successfully authenticate will be given their own pf rules and tables. These need to be anchored in your pf.conf with an anchor entry:
anchor "authpf/*"
Once a user authenticates, their IP address is added to the authpf_users table (which must be defined) and a user-specific file is parsed to create the pf rules.
Definition of the authpf_users table:
table <authpf_users> persist
If you don't like the default names, you can use /etc/authpf/authpf.conf
to specify the table / anchor names you do want. Weirdo.
Side Note - This file must exist for authpf to work!
All user rule templates go in /etc/authpf/users/$USER
For example:
# cat /etc/authpf/users/abieber
pass from $user_ip
#
Group templates go in... you guessed it! /etc/authpf/groups/$GROUP/
Rules can be configured globally with /etc/authpf/authpf.rules
Side Note - This file must also exist for authpf to work!
Shamelessly taken straight from authpf(8):
internal_if="fxp1"
ipsec_gw="10.2.3.4"

# rdr ftp for proxying by ftp-proxy(8)
match in on $internal_if proto tcp from $user_ip to any port 21 \
      rdr-to 127.0.0.1 port 8021

# allow out ftp, ssh, www and https only, and allow user to negotiate
# ipsec with the ipsec server.
pass in log quick on $internal_if proto tcp from $user_ip to any \
      port { 21, 22, 80, 443 }
pass in quick on $internal_if proto tcp from $user_ip to any \
      port { 21, 22, 80, 443 }
pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp
pass in quick proto esp from $user_ip to $ipsec_gw
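The authpf.rules excerpt above only covers the per-user side. As an added example (not from the authpf(8) man page or these slides), here is the pf.conf that would host the anchor and table for the "walled garden" access point case; the interface names, the "ssh to the gateway only until authenticated" policy and the NAT setup are assumptions:

```pf
# /etc/pf.conf for a walled-garden access point (example, not from the slides).
# Assumed interface names:
#   ext_if  - uplink to the Internet
#   wifi_if - the segment where the unauthenticated clients live
ext_if  = "em0"
wifi_if = "athn0"

# Table that authpf(8) fills with the IPs of authenticated clients.
# "persist" keeps the table around even while it is empty.
table <authpf_users> persist

set skip on lo

# Default deny. Logging blocked packets gives you something to read on
# pflog0 when a client "just doesn't work".
block log all

# Unauthenticated clients may only reach the gateway's own sshd, which is
# where authpf runs as their login shell and loads their rules on success.
pass in quick on $wifi_if proto tcp from any to ($wifi_if) port ssh

# Per-user rules from /etc/authpf/users/$USER (or the group template) are
# loaded into this anchor at login and removed when the ssh session ends.
anchor "authpf/*"

# Only addresses present in the table are translated and passed out;
# everything else still hits the default block above.
match out on $ext_if from <authpf_users> nat-to ($ext_if)
pass out on $ext_if from <authpf_users>
```

With a user template of `pass from $user_ip`, a client gets Internet access only for the lifetime of its authpf ssh session; `pfctl -t authpf_users -T show` lists who is currently authenticated.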
- Built to allow users basic connection to the network.
- Allows users to negotiate IPsec and "break free from the chains".
- But only after they have authenticated with authpf!
- Escaping bandwidth throttling.
........
queue rootq on $ext_if bandwidth 1000M max 1000M
queue defq parent rootq bandwidth 1000M default
queue jerk parent rootq bandwidth 1K max 1K burst 6K for 500ms
........
match proto tcp from !<authpf_users> to any set queue jerk
........
Say you have a firewall that is only allowing the following list of outbound traffic:
"{ftp, ssh, domain, http, https}"
Obviously everything that isn't going over one of these ports will be blocked.
But sometimes it isn't obvious why something isn't working.
- Some web pages load content over non-standard ports.
- Websockets!
A quick method for troubleshooting is to create a user that has all traffic passed without restrictions.
# cat /etc/authpf/users/abieber
pass from $user_ip
#
Now whenever abieber authenticates with the gateway, it will create a rule that allows all of his traffic to flow freely!
- Rule order is extremely important!
- Giving a user unrestricted access might be a bad idea!
- What if there is some malicious JavaScript that runs on a web page they visit? XMLHttpRequest can open a socket to just about any port!