Stock install of OpenBSD 5.0 (no patches)
Quick Overview
--------------
Dual-homed OpenBSD 5.0 with two interfaces: em0 is the internal network,
em1 is the external network, and the default gateway knows how to route
packets to 10.0.0/8 (an external test subnet). The testing was done in a
self-contained sandbox.
When an authpf client connects, its internal IP is NATed to the external IP.
It appears that the states created by the nat-to rules in authpf.rules
persist in the state table as ESTABLISHED and are not culled when the
authpf session terminates.
For example, even though the authpf client at 172.31.0.13 has terminated its
authpf session, this state table entry persists:
all tcp 128.100.32.224:53153 (172.31.0.13:49200) -> 10.0.0.254:22 ESTABLISHED:ESTABLISHED
More Specifically
-----------------
Contents of /etc/pf.conf
int_if = "em0"
ext_if = "em1"
table <authpf_users> persist
block drop all
anchor "authpf/*"
pass quick on $int_if proto tcp from 172.31.0.0/16 to { 172.31.0.254, 172.31.1.254 } port = 22
pass out quick on $ext_if all
Contents of /etc/authpf/users/user-cdf/authpf.rules
int_if = "em0"
ext_if = "em1"
ext_ip = "128.100.32.224"
match out on $ext_if from $user_ip to any nat-to $ext_ip
pass in quick on $int_if from $user_ip to any
Contents of /etc/hostname.em0
inet 172.31.0.254 255.255.0.0
inet alias 172.31.1.254 255.255.255.255
Contents of /etc/hostname.em1
inet 128.100.32.224 255.255.255.0 128.100.32.255
Contents of /etc/mygate
128.100.32.103
Contents of the state table while the authpf client at 172.31.0.13 is connected
via authpf and has an SSH connection open to 10.0.0.254:
pfctl -ss | egrep '172.31.0.13'
all tcp 172.31.0.254:22 <- 172.31.0.13:49203 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.254:22 <- 172.31.0.13:49205 ESTABLISHED:ESTABLISHED
all tcp 128.100.32.224:59127 (172.31.0.13:49205) -> 10.0.0.254:22 ESTABLISHED:ESTABLISHED
Contents of the state table after the authpf client at 172.31.0.13 has
terminated its authpf session:
pfctl -ss | egrep '172.31.0.13'
all tcp 128.100.32.224:59127 (172.31.0.13:49205) -> 10.0.0.254:22 ESTABLISHED:ESTABLISHED
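The check a practitioner would want after reading the listings above: a script that scans `pfctl -ss` output for states still tied to an authpf client after logout, separating the nat-to states (the ones that print the pre-translation socket in parentheses) from ordinary states, so that a state surviving `pfctl -k` is visible. This is an added example written for this report; it is not part of the report, of OpenBSD or of authpf. It assumes the `pfctl -ss` line format shown above, and the two sample state tables embedded in it are constructed from the report's own listings.

```shell
#!/bin/sh
# Added example for this report (not OpenBSD or authpf code).
# Scans `pfctl -ss` output for states that still reference an authpf client
# after its session has ended.  Assumes the line format shown in the report,
# where a nat-to'd connection prints the pre-translation socket in parentheses:
#   all tcp 128.100.32.224:59127 (172.31.0.13:49205) -> 10.0.0.254:22 ESTABLISHED:ESTABLISHED

# lingering_states IP  (reads pfctl -ss output on stdin)
# Prints every state line in which IP is an endpoint or the pre-translation
# address.  Exit status 0 if at least one such state exists, 1 if none.
lingering_states() {
    awk -v ip="$1" '
        {
            hit = 0
            for (i = 1; i <= NF; i++) {
                f = $i
                gsub(/[()]/, "", f)       # strip parentheses around a NAT socket
                sub(/:[0-9]+$/, "", f)    # drop the port
                if (f == ip) hit = 1
            }
            if (hit) { print; n++ }
        }
        END { if (n > 0) exit 0; exit 1 }'
}

# nat_states IP  (reads pfctl -ss output on stdin)
# Narrower check: only states whose pre-translation address is IP, i.e. the
# states created by the per-user nat-to rule in authpf.rules.
nat_states() {
    awk -v ip="$1" '
        match($0, /\([^)]*\)/) {
            s = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. 172.31.0.13:49205
            sub(/:[0-9]+$/, "", s)                    # e.g. 172.31.0.13
            if (s == ip) print
        }'
}

# count_nat_states IP  (reads stdin): number of matching nat-to states
count_nat_states() {
    nat_states "$1" | wc -l | tr -d ' '
}

# Constructed samples, copied from the report's two pfctl -ss listings.
DURING_SESSION='all tcp 172.31.0.254:22 <- 172.31.0.13:49203 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.254:22 <- 172.31.0.13:49205 ESTABLISHED:ESTABLISHED
all tcp 128.100.32.224:59127 (172.31.0.13:49205) -> 10.0.0.254:22 ESTABLISHED:ESTABLISHED'
AFTER_LOGOUT='all tcp 128.100.32.224:59127 (172.31.0.13:49205) -> 10.0.0.254:22 ESTABLISHED:ESTABLISHED'

# check_live IP: what to run on the gateway itself once the authpf session
# has ended (as root, with pfctl in PATH).  Lists whatever is left for the
# client, tries the plain source-address kill, then lists the nat-to states
# again so a survivor is obvious.  Not invoked here.
check_live() {
    echo "states referencing $1:"
    pfctl -ss | lingering_states "$1"
    pfctl -k "$1"
    echo "nat-to states still present after pfctl -k $1:"
    pfctl -ss | nat_states "$1"
}
```

Run `check_live 172.31.0.13` on the gateway after the client logs out; any line printed under the second heading is a state of the kind this report describes. If one does survive `pfctl -k <ip>`, killing it by its state ID (`pfctl -ss -vv` shows the ID; `pfctl -k id -k <id>` removes that single state, if your pfctl(8) version supports the `id` form) avoids flushing every user's states that share the external address.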