2 .\" $OpenBSD: authpf.8,v 1.38 2005/01/04 09:57:04 jmc Exp $
4 .\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
14 .\" 3. The name of the author may not be used to endorse or promote products
15 .\" derived from this software without specific prior written permission.
17 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 .Nd authenticating gateway user shell
38 is a user shell for authenticating gateways.
41 rules when a user authenticates and starts a session with
43 and to undo these changes when the user's session exits.
44 It is designed for changing filter and translation rules for an individual
45 source IP address as long as a user maintains an active
48 Typical use would be for a gateway that authenticates users before
49 allowing them Internet use, or a gateway that allows different users into
52 logs the successful start and end of a session to
54 This, combined with properly set up filter rules and secure switches,
55 can be used to ensure users are held accountable for their network traffic.
58 can add filter and translation rules using the syntax described in
63 system be enabled and a
65 file system be mounted at
69 can also maintain the list of IP address of connected users
74 is meant to be used with users who can connect via
79 retrieves the client's connecting IP address via the
81 environment variable and, after performing additional access checks,
82 reads a template file to determine what filter and translation rules
84 On session exit the same rules that were added at startup are removed.
88 process stores its rules in a separate ruleset inside a
96 name "authpf" is used, and the ruleset names equal the username and PID of the
98 processes as "username(pid)".
99 The following rules need to be added to the main ruleset
101 in order to cause evaluation of any
104 .Bd -literal -offset indent
105 nat-anchor "authpf/*"
106 rdr-anchor "authpf/*"
107 binat-anchor "authpf/*"
111 The "/*" at the end of the anchor name is required for
113 to process the rulesets attached to the anchor by
115 .Sh FILTER AND TRANSLATION RULES
116 Filter and translation rules for
118 use the same format described in
120 The only difference is that these rules may (and probably should) use
123 which is assigned the connecting IP address whenever
126 Additionally, the macro
128 is assigned the user name.
130 Filter and translation rules are stored in a file called
132 This file will first be searched for in
133 .Pa /etc/authpf/users/$USER/
136 Only one of these files will be used if both are present.
138 Per-user rules from the
139 .Pa /etc/authpf/users/$USER/
140 directory are intended to be used when non-default rules
141 are needed on an individual user basis.
142 It is important to ensure that a user can not write or change
143 these configuration files.
147 file must exist in one of the above locations for
151 Options are controlled by the
152 .Pa /etc/authpf/authpf.conf
154 If the file is empty, defaults are used for all
155 configuration options.
156 The file consists of pairs of the form
159 Currently, the allowed values are as follows:
164 name instead of "authpf".
168 name instead of "authpf_users".
171 On successful invocation,
173 displays a message telling the user he or she has been authenticated.
174 It will additionally display the contents of the file
175 .Pa /etc/authpf/authpf.message
176 if the file exists and is readable.
178 There exist two methods for providing additional granularity to the control
181 - it is possible to set the gateway to explicitly allow users who have
184 and deny access to only a few troublesome individuals.
185 This is done by creating a file with the banned user's login name as the
187 .Pa /etc/authpf/banned/ .
188 The contents of this file will be displayed to a banned user, thus providing
189 a method for informing the user that they have been banned, and where they can
190 go and how to get there if they want to have their service restored.
191 This is the default behaviour.
193 It is also possible to configure
195 to only allow specific users access.
196 This is done by listing their login names, one per line, in
197 .Pa /etc/authpf/authpf.allow .
198 If "*" is found on a line, then all usernames match.
201 is unable to verify the user's permission to use the gateway, it will
202 print a brief message and die.
203 It should be noted that a ban takes precedence over an allow.
205 On failure, messages will be logged to
207 for the system administrator.
208 The user does not see these, but will be told the system is unavailable due to
209 technical difficulties.
210 The contents of the file
211 .Pa /etc/authpf/authpf.problem
212 will also be displayed if the file exists and is readable.
213 .Sh CONFIGURATION ISSUES
215 maintains the changed filter rules as long as the user maintains an
217 It is important to remember however, that the existence
218 of this session means the user is authenticated.
219 Because of this, it is important to configure
221 to ensure the security of the session, and to ensure that the network
222 through which users connect is secure.
224 should be configured to use the
225 .Ar ClientAliveInterval
227 .Ar ClientAliveCountMax
228 parameters to ensure that a ssh session is terminated quickly if
229 it becomes unresponsive, or if arp or address spoofing is used to
231 Note that TCP keepalives are not sufficient for
232 this, since they are not secure.
234 .Ar AllowTcpForwarding
235 should be disabled for
237 users to prevent them from circumventing restrictions imposed by the
238 packet filter ruleset.
241 will remove state table entries that were created during a user's
243 This ensures that there will be no unauthenticated traffic
244 allowed to pass after the controlling
246 session has been closed.
249 is designed for gateway machines which typically do not have regular
250 (non-administrative) users using the machine.
251 An administrator must remember that
253 can be used to modify the filter rules through the environment in
254 which it is run, and as such could be used to modify the filter rules
255 (based on the contents of the configuration files) by regular
257 In the case where a machine has regular users using it, as well
260 as their shell, the regular users should be prevented from running
263 .Pa /etc/authpf/authpf.allow
265 .Pa /etc/authpf/banned/
269 modifies the packet filter and address translation rules, and because
270 of this it needs to be configured carefully.
272 will not run and will exit silently if the
273 .Pa /etc/authpf/authpf.conf
275 After considering the effect
277 may have on the main packet filter rules, the system administrator may
280 by creating an appropriate
281 .Pa /etc/authpf/authpf.conf
285 \- To illustrate the user-specific access control
286 mechanisms, let us consider a typical user named bob.
287 Normally, as long as bob can authenticate himself, the
289 program will load the appropriate rules.
291 .Pa /etc/authpf/banned/
293 If bob has somehow fallen from grace in the eyes of the
294 powers-that-be, they can prohibit him from using the gateway by creating
296 .Pa /etc/authpf/banned/bob
297 containing a message about why he has been banned from using the network.
298 Once bob has done suitable penance, his access may be restored by moving or
300 .Pa /etc/authpf/banned/bob .
302 Now consider a workgroup containing alice, bob, carol and dave.
304 wireless network which they would like to protect from unauthorized use.
305 To accomplish this, they create the file
306 .Pa /etc/authpf/authpf.allow
307 which lists their login ids, one per line.
308 At this point, even if eve could authenticate to
310 she would not be allowed to use the gateway.
311 Adding and removing users from
312 the work group is a simple matter of maintaining a list of allowed userids.
313 If bob once again manages to annoy the powers-that-be, they can ban him from
314 using the gateway by creating the familiar
315 .Pa /etc/authpf/banned/bob
317 Though bob is listed in the allow file, he is prevented from using
318 this gateway due to the existence of a ban file.
320 .Sy Distributed Authentication
321 \- It is often desirable to interface with a
322 distributed password system rather than forcing the sysadmins to keep a large
323 number of local password files in sync.
328 can be used to fork the right shell.
331 should have entries that look something like this:
332 .Bd -literal -offset indent
333 shell-default:shell=/bin/csh
337 :shell=/usr/sbin/authpf
350 Using a default password file, all users will get
352 as their shell except for root who will get
355 .Sy SSH Configuration
356 \- As stated earlier,
358 must be properly configured to detect and defeat network attacks.
359 To that end, the following options should be added to
361 .Bd -literal -offset indent
363 ClientAliveInterval 15
364 ClientAliveCountMax 3
367 This ensures that unresponsive or spoofed sessions are terminated within a
368 minute, since a hijacker should not be able to spoof ssh keepalive messages.
371 \- Once authenticated, the user is shown the contents of
372 .Pa /etc/authpf/authpf.message .
373 This message may be a screen-full of the appropriate use policy, the contents
376 or something as simple as the following:
377 .Bd -literal -offset indent
378 This means you will be held accountable by the powers that be
379 for traffic originating from your machine, so please play nice.
382 To tell the user where to go when the system is broken,
383 .Pa /etc/authpf/authpf.problem
384 could contain something like this:
385 .Bd -literal -offset indent
386 Sorry, there appears to be some system problem. To report this
387 problem so we can fix it, please phone 1-900-314-1597 or send
388 an email to remove@bulkmailerz.net.
391 .Sy Packet Filter Rules
392 \- In areas where this gateway is used to protect a
393 wireless network (a hub with several hundred ports), the default rule set as
394 well as the per-user rules should probably allow very few things beyond
395 encrypted protocols like
400 On a securely switched network, with plug-in jacks for visitors who are
401 given authentication accounts, you might want to allow out everything.
402 In this context, a secure switch is one that tries to prevent address table
408 # by default we allow internal clients to talk to us using
409 # ssh and use us as a dns server.
411 gateway_addr="10.0.1.1"
412 nat-anchor "authpf/*"
413 rdr-anchor "authpf/*"
414 binat-anchor "authpf/*"
415 block in on $internal_if from any to any
416 pass in quick on $internal_if proto tcp from any to $gateway_addr \e
418 pass in quick on $internal_if proto udp from any to $gateway_addr \e
423 .Sy For a switched, wired net
425 .Pa /etc/authpf/authpf.rules
426 makes no real restrictions; it turns the IP address on and off, logging
432 pass in log quick on $internal_if proto tcp from $user_ip to any \e
434 pass in quick on $internal_if from $user_ip to any
437 .Sy For a wireless or shared net
439 .Pa /etc/authpf/authpf.rules
440 could be used for an insecure network (such as a public wireless network) where
441 we might need to be a bit more restrictive.
446 # rdr ftp for proxying by ftp-proxy(8)
447 rdr on $internal_if proto tcp from $user_ip to any port 21 \e
448 -> 127.0.0.1 port 8081
450 # allow out ftp, ssh, www and https only, and allow user to negotiate
451 # ipsec with the ipsec server.
452 pass in log quick on $internal_if proto tcp from $user_ip to any \e
453 port { 21, 22, 80, 443 } flags S/SA
454 pass in quick on $internal_if proto tcp from $user_ip to any \e
455 port { 21, 22, 80, 443 }
456 pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e
458 pass in quick proto esp from $user_ip to $ipsec_gw
463 .Pa /etc/authpf/authpf.rules
464 shows how to deal with NAT, using tags:
467 ext_addr = 129.128.11.10
469 # nat and tag connections...
470 nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
471 pass in quick on $int_if from $user_ip to any
472 pass out log quick on $ext_if tagged $user_ip keep state
475 With the above rules added by
477 outbound connections corresponding to each users NAT'ed connections
478 will be logged as in the example below, where the user may be identified
479 from the ruleset name.
481 # tcpdump -n -e -ttt -i pflog0
482 Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
483 129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
484 16384 <mss 1460,nop,nop,sackOK> (DF)
487 .Sy Using the authpf_users table
490 settings can be implemented without an anchor by just using the "authpf_users"
492 For example, the following
494 lines will give SMTP and IMAP access to logged in users:
496 table <authpf_users> persist
497 pass in on $ext_if proto tcp from <authpf_users> \e
498 to port { smtp imap } keep state
501 It is also possible to use the "authpf_users"
503 in combination with anchors.
506 processing can be sped up by looking up the anchor
507 only for packets coming from logged in users:
509 table <authpf_users> persist
510 anchor "authpf/*" from <authpf_users>
511 rdr-anchor "authpf/*" from <authpf_users>
514 .Bl -tag -width "/etc/authpf/authpf.conf" -compact
515 .It Pa /etc/authpf/authpf.conf
516 .It Pa /etc/authpf/authpf.allow
517 .It Pa /etc/authpf/authpf.rules
518 .It Pa /etc/authpf/authpf.message
519 .It Pa /etc/authpf/authpf.problem
529 program first appeared in
532 Configuration issues are tricky.
535 connection may be secured, but if the network is not secured the user may
536 expose insecure protocols to attackers on the same network, or enable other
537 attackers on the network to pretend to be the user by spoofing their IP
541 is not designed to prevent users from denying service to other users.