I'm trying to use authpf to have some people I know authenticate to my PF firewall, and have their user_id trigger a rdr-anchor to direct their rsync to a specified server.
Code:
root@kif:/etc/authpf/users/liberty.roofing # cat /root/firewall.d/pf.conf
############ Global Options #######################
ext_if="em0"
int_if="re0"
set block-policy return
set loginterface $ext_if
set skip on lo
services="{ 80, 9987 } "
icmp_types="echoreq"
localnet="192.168.1.0/24"
ext_ip="*.*.*.*"
int_ip="192.168.1.1"
table <us.blocks> persist file "/root/firewall.d/us.blocks"
table <aliens> persist file "/root/firewall.d/aliens.blocks"
table <bruteforce> persist file "/root/firewall.d/bruteforce"
table <asshole.ips> persist file "/root/firewall.d/asshole.ips"
table <trusted.ips> persist file "/root/firewall.d/trusted.ips"
table <authpf_users> persist
################ End Global Options ################
########### Traffic Normalization ##################
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all fragment reassemble
####################################################
####### NAT RULE GOES BEFORE ALL FILTERS ! ! #######
nat on $ext_if from $localnet to any -> ($ext_if)
####################################################
## REDIRECT RULES AFTER NAT AND BEFORE FILTERS !! ##
rdr-anchor "authpf/*" from <authpf_users>
####################################################
################## Filters #########################
block in log all
block drop log quick inet from <bruteforce>
block drop log quick on $ext_if inet from $localnet to <aliens>
block drop in log quick on $ext_if inet from <aliens> to $ext_ip
block drop in log quick on $ext_if inet from ! <us.blocks> to $ext_ip
block drop in log quick on $ext_if inet from <asshole.ips> to $ext_ip
pass in log on $ext_if inet proto tcp from any \
to { $ext_ip, $localnet } port 22 \
flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 3/9, \
overload <bruteforce> flush global)
pass in on $ext_if inet from { $localnet, $ext_ip } to any
pass out on $ext_if inet from $ext_ip to any
pass in on $int_if inet from any to any
pass out on $int_if inet from any to any
pass in log on $ext_if inet proto {udp, tcp} from any \
to $ext_ip port $services
anchor "authpf/*"
####################################################
################### <END OF FILE> ##################
####################################################
/etc/authpf/authpf.rules is empty
Code:
root@kif:/etc/authpf # cat /etc/authpf/authpf.rules
root@kif:/etc/authpf #
Though I would rather simply change users' shells individually, I did add this to login.conf as a 'just-in-case' measure. Please let me know if I can get rid of this if I'm going to change users' shells as I add them.
Code:
root@kif:/etc/authpf # cat /etc/login.conf
# login.conf - login class capabilities database.
#
# Remember to rebuild the database after each change to this file:
#
# cap_mkdb /etc/login.conf
#
default:\
:shell=/bin/sh:
authpf:\
:shell=/usr/sbin/authpf:\
:tc=default:
root@kif:/etc/authpf #
I ran cap_mkdb /etc/login.conf without errors...
User's shell is set to /usr/sbin/authpf
Code:
root@kif:/etc/authpf # cat /etc/passwd | grep liberty
liberty.roofing:*:1006:1007:Liberty Roofing:/home/liberty.roofing:/usr/sbin/authpf
And finally the $user rule to be added...
Code:
root@kif:/etc/authpf/users/liberty.roofing # cat /etc/authpf/users/liberty.roofing/authpf.rules
rdr on $ext_if inet proto tcp from $user_ip to port 22 -> 192.168.1.11
pass in log quick on $ext_if inet proto tcp from $user_ip to port 22
Any help would be greatly appreciated.
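A check worth running before testing logins, added here as an example that is not part of the original post: authpf hands a user's authpf.rules to pfctl on its own, passing only the macros authpf defines (at least $user_ip and $user_id), so macros from the main pf.conf such as $ext_if are not visible during that load. The script below lists macros a rule file uses without defining, and, where pfctl exists, does the same parse-only (-n) load authpf would; the user name and IP it passes are constructed placeholders.

```python
import re
import shutil
import subprocess

# Macros authpf itself supplies to pfctl (-D) when it loads a user's rule file.
AUTHPF_MACROS = {"user_ip", "user_id"}

# The per-user rule file from the post above, embedded so the check runs offline.
USER_RULES = """\
rdr on $ext_if inet proto tcp from $user_ip to port 22 -> 192.168.1.11
pass in log quick on $ext_if inet proto tcp from $user_ip to port 22
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?[^"]*"?\s*$')
MACRO_USE = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')


def undefined_macros(rules_text):
    """Macros the rule text uses that neither it nor authpf defines.

    pfctl parses the user file by itself, so macros from the main
    pf.conf (ext_if, localnet, ...) are not available here."""
    defined = set(AUTHPF_MACROS)
    used = set()
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        m = MACRO_DEF.match(line)
        if m:
            defined.add(m.group(1))          # macro defined in the file itself
            continue
        used.update(MACRO_USE.findall(line))
    return used - defined


def dry_run_load(rules_path, user_ip="192.0.2.10", user_id="exampleuser"):
    """Parse-only load (pfctl -n) with the same -D macros authpf passes.

    user_ip/user_id are constructed placeholders. Returns (ok, pfctl message)."""
    pfctl = shutil.which("pfctl")
    if pfctl is None:
        return False, "pfctl not found; run this on the firewall host"
    cmd = [pfctl, "-n", "-a", f"authpf/{user_id}",
           "-D", f"user_ip={user_ip}", "-D", f"user_id={user_id}",
           "-f", str(rules_path)]
    res = subprocess.run(cmd, capture_output=True, text=True)
    return res.returncode == 0, (res.stderr or res.stdout).strip()


if __name__ == "__main__":
    print("undefined macros:", sorted(undefined_macros(USER_RULES)))
```

Run against the rule file shown above it reports ext_if, which is defined only in /root/firewall.d/pf.conf; defining it inside the user's authpf.rules (or in /etc/authpf/authpf.rules) clears the report.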