authpf is a user shell for authenticating gateways.
Wut?
authpf(8) is a user shell (think bash or ksh) for authenticating gateways.
It is used to dynamically create pf(4) rules when a user authenticates, which in practice means logging in over ssh(1) with authpf set as the login shell. The rules are removed again when the user's session ends (for example when the ssh connection is closed).
All users who successfully authenticate get their own set of pf rules, loaded under an authpf anchor. That anchor has to be declared in your pf.conf with an anchor entry:
anchor "authpf/*"
Once a user authenticates, their IP address is added to the authpf_users table (which must be defined) and a user-specific rules file is parsed to create the pf rules. Keep in mind that everything keys on the address the session came from: anyone else sharing that address (a NAT box, a multi-user host) gets the same access for as long as the session is up.
Definition of the authpf_users table:
table <authpf_users> persist
If you don't like the default names, you can use /etc/authpf/authpf.conf to specify the table / anchor names you do want (one anchor=name and/or table=name line). Weirdo.
Side Note - This file must exist for authpf to work!
All user rule templates go in /etc/authpf/users/$USER/authpf.rules
For example:
# cat /etc/authpf/users/abieber/authpf.rules
pass from $user_ip
#
That lets abieber pass all traffic from his IP address! Group templates go in ... you guessed it! /etc/authpf/groups/$GROUP/authpf.rules
Global rules, used when a user has neither a per-user nor a per-group file, go in /etc/authpf/authpf.rules
Side Note - This file must also exist for authpf to work!
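Before handing anyone an authpf shell it is worth checking that all of the above is actually in place, because a missing authpf.conf, or a table name in authpf.conf that does not match the one pf.conf declares, only shows up when someone tries to log in. The script below is an added example, not code from the original post or from OpenBSD. It runs against a copy of pf.conf and the authpf config directory (so it can be tried on a workstation), honours anchor= and table= overrides in authpf.conf, and builds its own throwaway sample files in demo_preflight. The sample pf.conf and the names authpf_setting, authpf_preflight and demo_preflight are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for the authpf prerequisites described in
# the post. Not part of the original post or of OpenBSD's authpf(8).
# Assumptions: authpf.conf holds optional "anchor=NAME" / "table=NAME" lines
# (the authpf(8) format), and pf.conf must carry anchor "NAME/*" plus a
# persist table with the matching name.

# Print the value of key $2 from authpf.conf $1, or the default $3.
authpf_setting() {
    _val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${_val:-$3}"
}

# Check pf.conf ($1) and the authpf directory ($2). Prints one line per
# problem and returns 1 if anything is wrong, 0 if the setup looks usable.
authpf_preflight() {
    pfconf=$1; dir=$2; rc=0
    conf="$dir/authpf.conf"
    [ -f "$conf" ] || { echo "missing $conf (must exist, may be empty)"; rc=1; }
    [ -f "$dir/authpf.rules" ] || { echo "missing $dir/authpf.rules (must exist)"; rc=1; }
    anchor=$(authpf_setting "$conf" anchor authpf)
    table=$(authpf_setting "$conf" table authpf_users)
    # The anchor needs the trailing /* so each user's sub-anchor is evaluated.
    if ! grep -Eq "^[[:space:]]*anchor[[:space:]]+\"$anchor/\\*\"" "$pfconf"; then
        echo "pf.conf lacks: anchor \"$anchor/*\""; rc=1
    fi
    # Without persist, pf drops the table as soon as no rule references it,
    # and authpf then has nowhere to put the user's address.
    if ! grep -Eq "^[[:space:]]*table[[:space:]]+<$table>[[:space:]]+persist" "$pfconf"; then
        echo "pf.conf lacks: table <$table> persist"; rc=1
    fi
    return $rc
}

# Demo on constructed files (not a real system): "good" builds a consistent
# setup, "bad" renames the table in authpf.conf without touching pf.conf and
# deletes authpf.rules. Returns authpf_preflight's status.
demo_preflight() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/authpf"
    : > "$tmp/authpf/authpf.conf"
    : > "$tmp/authpf/authpf.rules"
    cat > "$tmp/pf.conf" <<'EOF'
int_if="em1"
table <authpf_users> persist
block in on $int_if
anchor "authpf/*"
EOF
    if [ "$1" = bad ]; then
        echo "table=vpn_users" > "$tmp/authpf/authpf.conf"
        rm -f "$tmp/authpf/authpf.rules"
    fi
    authpf_preflight "$tmp/pf.conf" "$tmp/authpf"; status=$?
    rm -rf "$tmp"
    return $status
}

# On a real gateway: authpf_preflight /etc/pf.conf /etc/authpf
```

The two grep patterns are deliberately strict about the persist keyword and the /* suffix; a table declared without persist or an anchor declared as anchor "authpf" will load without complaint from pfctl and still leave authpf users with no working rules.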
Shamelessly taken straight from authpf(8). The first part is a rules file (global, per-group or per-user; $user_ip is the macro authpf sets to the address of the user who just logged in). The queue lines at the end belong in the main pf.conf, where $ext_if is defined and where queues have to be declared anyway:
internal_if="fxp1"
ipsec_gw="10.2.3.4"

# rdr ftp for proxying by ftp-proxy(8)
match in on $internal_if proto tcp from $user_ip to any port 21 \
    rdr-to 127.0.0.1 port 8021

# allow out ftp, ssh, www and https only, and allow user to negotiate
# ipsec with the ipsec server.
pass in log quick on $internal_if proto tcp from $user_ip to any \
    port { 21, 22, 80, 443 }
pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp
pass in quick proto esp from $user_ip to $ipsec_gw

...

queue rootq on $ext_if bandwidth 1000M max 1000M
queue defq parent rootq bandwidth 1000M default
queue jerk parent rootq bandwidth 1K max 1K burst 6K for 500ms

...

match proto tcp from !<authpf_users> to any set queue jerk
The last rule is the point of the queue setup: TCP from any address that is not in <authpf_users> gets dumped into the 1K "jerk" queue, so hosts that have not logged in get a trickle rather than a hard block, and only hosts whose user is in the table get real bandwidth.
Say you have a firewall that only allows the following outbound traffic:
{ ftp, ssh, domain, http, https }
Obviously everything that isn't going over one of these ports will be blocked, but sometimes it isn't obvious why something isn't working.
A quick way to troubleshoot is to create a user whose traffic is passed without any restrictions:
# cat /etc/authpf/users/abieber/authpf.rules
pass from $user_ip
#
Now whenever abieber authenticates with the gateway, a rule allowing all of his traffic is created, so if the problem goes away you know the filter was in the way. Because a per-user file replaces the global rules, this user is exempt from the whole policy, not just the port list, so delete the file again once you are done.
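The flip side of that trick is that such a file tends to get forgotten. The script below is an added example, not code from the original post or from OpenBSD; it walks the per-user and per-group rule files under an authpf directory and reports any that pass everything from $user_ip. What counts as "everything" is this script's own heuristic: a pass rule sourced from $user_ip with no proto, no port and no destination other than any, checked after backslash-continued lines have been joined and comments stripped. The names is_wildcard_pass, audit_authpf_rules and demo_audit and the sample users built by demo_audit are made up for the example.

```shell
#!/bin/sh
# Added example: find authpf rule files that pass everything from $user_ip,
# i.e. debugging entries like the one in the post that never got removed.
# Not part of the original post or of OpenBSD's authpf(8). Paths follow
# authpf(8): $dir/users/$USER/authpf.rules and $dir/groups/$GROUP/authpf.rules.
# "Wildcard" is this script's own heuristic, see is_wildcard_pass.

# 0 if $1 contains a pass rule from $user_ip with no proto, no port and no
# destination other than "any". Backslash-continued lines are joined first
# and comments stripped. Macros other than $user_ip are not expanded, so a
# rule that hides its restriction behind a macro is not recognised.
is_wildcard_pass() {
    sed -e :a -e '/\\$/N; s/\\\n/ /; ta' "$1" |
    awk '
        { sub(/#.*/, "") }
        $1 == "pass" && index($0, "from $user_ip") {
            restricted = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "proto" || $i == "port") restricted = 1
                if ($i == "to" && $(i + 1) != "any") restricted = 1
            }
            if (!restricted) found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Walk the per-user and per-group files under authpf directory $1, print
# each offender, return 0 when none were found.
audit_authpf_rules() {
    hits=0
    for f in "$1"/users/*/authpf.rules "$1"/groups/*/authpf.rules; do
        [ -f "$f" ] || continue        # an unmatched glob is left literal by sh
        if is_wildcard_pass "$f"; then
            echo "$f: passes all traffic from \$user_ip"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Demo on a constructed tree (not real files). Expected offenders: abieber
# (the post's debug entry) and carol ("to any" is no restriction). bob is
# limited to a few tcp ports over a continued line, staff to a single host.
demo_audit() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/users/abieber" "$tmp/users/bob" "$tmp/users/carol" "$tmp/groups/staff"
    echo 'pass from $user_ip' > "$tmp/users/abieber/authpf.rules"
    printf '%s\n' 'pass in quick proto tcp from $user_ip to any \' \
        '    port { 21, 22, 80, 443 }' > "$tmp/users/bob/authpf.rules"
    echo 'pass from $user_ip to any   # "just for a minute"' > "$tmp/users/carol/authpf.rules"
    echo 'pass from $user_ip to 10.2.3.4' > "$tmp/groups/staff/authpf.rules"
    audit_authpf_rules "$tmp"; status=$?
    rm -rf "$tmp"
    return $status
}

# On a real gateway: audit_authpf_rules /etc/authpf
```

A nonzero exit from audit_authpf_rules makes it usable from a nightly cron job or a config-management check, and the printed paths are exactly the files to delete or tighten.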