Nope. That's how it is supposed to work.
The point of authpf is for the user to say "this IP
is me" - if that IP could perhaps not be him, well, this
is not an application for authpf. I.E. if your users
are coming in from a NAT, you should rethink what you
are doing.
-Bob
* Chris Youb <[EMAIL PROTECTED]> [2007-06-25 15:15]:
> When multiple users with the same source IP want access through the firewall
> authpf grants access to the newly authenticating user and kicks off the
> previous user. Is there a way to turn off this behaviour so both users
> maintain authpf tables?
>
> Works:
> 1a. [EMAIL PROTECTED] -> authpf -> maintains logon
> 1b. [EMAIL PROTECTED] -> authpf -> logs on
>
> Doesn't Work:
> 2a. [EMAIL PROTECTED] -> authpf -> gets kicked off
> 2b. [EMAIL PROTECTED] -> authpf -> logs on
>
>
> Real-life example:
>
> Step #1 xuser authenticates from IP_1; xuser has access to firewall
> firewall# pfctl -s Anchors -v
> authpf
> authpf/bfisher(25933)
> authpf/xuser(1308)
> authpf/rarthur(15647)
> authpf/schatterjee(31961)
>
> Step #2 cyoub authenticates from IP_2; both xuser and cyoub have access to
> firewall
> firewall# pfctl -s Anchors -v
> authpf
> authpf/bfisher(25933)
> authpf/cyoub(2104)
> authpf/xuser(1308)
> authpf/rarthur(15647)
> authpf/schatterjee(31961)
>
> Step #3 cyoub authenticates from IP_1; ONLY cyoub has access to firewall as
> he was the last to login. xuser is kicked off???
> firewall# pfctl -s Anchors -v
> authpf
> authpf/bfisher(25933)
> authpf/cyoub(27921)
> authpf/rarthur(15647)
> authpf/schatterjee(31961)
>
> firewall# pfctl -a "authpf/cyoub(27921)" -s rules
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.0.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.8.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.12.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.80.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.48.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.28.0/22 flags S/SA keep
> state
> --
> View this message in context:
> http://www.nabble.com/authpf-allows-only-one-user-from-the-same-source-ip--kicks-off-previous-user-tf3978999.html#a11295667
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
>
--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
print "Larry and Tom must smoke some really primo stuff...\n";
}
