Hi to all.
I would like to build an authenticating gateway
using OpenBSD with PF+AUTHPF+CARP.
What I would like to do is this:
every user who logs in must be associated with a specific IP
address
on the external network, and not only a single one as with NAT.
( for example
userA -- IP_external_network_A
userB -- IP_external_network_B
userC -- IP_external_network_C
userD -- IP_external_network_D
)
I prepared two machines, one as master and one as slave ( for redundancy ).
For every IP address assigned to a user
( which is different from the IP addresses of the master and the slave )
I used this CARP configuration:
ifconfig carpN vhid N pass mypassword carpdev xl0 \
advskew 100 ip_external_network netmask 255.255.255.0
N = 1,2,3,....,254
( advskew 100 only on the slave )
I activated the MASTER configuration ( net.inet.carp.preempt = 1 ).
QUESTIONS
1) Is it possible to make this work? ( Currently the two interface cards
( master_xl0 and slave_xl0 )
are on a switch and, curiously, some IPs behave normally
( state MASTER on the master server and state SLAVE on the slave server )
while others remain MASTER even on the slave machine
( for example the CARP interface carp24 is MASTER on the master machine
and SLAVE on the slave machine, while
the CARP interface carp53 is MASTER on both the master machine and the
slave machine, and so on ).
Why ?
2) Should I increase the NMBCLUSTERS value and the USERS value ?
3) Has anyone tried this kind of configuration ?
The configuration files
that I am using for the tests follow.
-------------------------------------
--------PF.CONF
-------------------------------------
# MACRO
int_if = "sk0"
ext_if = "xl0"
#priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
priv_nets = "{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# my_net is referenced as a table (<my_net>) in the last rule below,
# so it has to be defined as a table, not as a macro
table <my_net> { XXX.XXX.XXX.XXX/24 }
#
table <ip_if_int> { IP_ADDRESS_INTERNAL_NET_CARD }
table <my_users> { INTERNAL_NET }
# options
#set block-policy drop
set loginterface $ext_if
# scrub
scrub in all
#NAT
nat-anchor "authpf/*"
# proxy FTP
nat-anchor "ftp-proxy/*"
#RDR
rdr-anchor "authpf/*"
#proxy FTP
rdr-anchor "ftp-proxy/*"
#
block in all
block out all
#LOOPBACK
pass quick on lo0 all
#CARP
pass on $int_if proto carp keep state
pass on $ext_if proto carp keep state
#USER MUST LOGGING
pass in log (all) on $int_if proto tcp from <my_users> to <ip_if_int> \
    port ssh flags S/SA keep state
#OUT TRAFFIC FROM AUTHENTICATION GATEWAY
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#RESPONDING PING
pass in on $ext_if proto icmp all keep state
#USER
anchor "authpf/*"
#FTP USER
anchor "ftp-proxy/*"
#BLOCK ALL minus MY_NET
block in log (all) on $int_if proto { tcp, udp } from !<my_net> to any
-----------------------------------
--------- AUTHPF.RULES
----------------------------------
# MACRO
int_if = "sk0"
ext_if = "xl0"
#
ext_addr = IP_ADDRESS_UNIQUE_FOR_USER
#NAT
nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
#RDR
rdr on $int_if proto tcp from $user_ip to any port 21 -> $ext_addr \
port 8021
pass in log (all) quick on $int_if proto {tcp,udp,icmp} from $user_ip \
    to any
# flags only apply to tcp, so pfctl rejects them when udp/icmp are in
# the list: one rule for tcp, one for udp/icmp
pass out log (all) on $ext_if proto tcp tagged $user_ip \
    modulate state flags S/SA
pass out log (all) on $ext_if proto {udp,icmp} tagged $user_ip keep state
#FTP-PROXY
pass out proto tcp from $ext_addr to any port 21
------------------------------------------------------
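Two helpers for the setup described in this post, as an added example (this is not part of the original message and not code from the OpenBSD project): a generator that writes /etc/hostname.carpN and the per-user /etc/authpf/users/<user>/authpf.rules from a single "vhid user address" map, so that master and slave end up with identical vhids and addresses and advskew 100 only on the slave, and a checker that compares saved "ifconfig -a" output from the two hosts and lists the vhids that are not in a clean MASTER/BACKUP split, which is the symptom in question 1. The user names, the 192.0.2.0/24 addresses, the password "mypassword", the ifconfig excerpts and the hostname.if(5) layout with NONE as the broadcast address are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. The host roles, the
# "vhid user address" map, the 192.0.2.0/24 addresses, the CARP password
# "mypassword" and the ifconfig excerpts are all constructed for illustration.

# gen_user_config ROOT CARPDEV NETMASK ROLE < map
#   map lines: "<vhid> <user> <external address>", e.g. "24 userA 192.0.2.24"
#   Writes ROOT/etc/hostname.carpN for every vhid (advskew 100 only when ROLE
#   is backup, as in the post) and ROOT/etc/authpf/users/<user>/authpf.rules
#   with ext_addr set to that user's address. Run it with the same map on
#   both hosts (ROOT=/), as master on one and backup on the other.
gen_user_config() {
    root=$1 carpdev=$2 netmask=$3 role=$4
    case $role in
        master) skew=0 ;;
        backup) skew=100 ;;
        *) echo "role must be master or backup" >&2; return 1 ;;
    esac
    mkdir -p "$root/etc/authpf/users"
    while read -r vhid user addr; do
        case $vhid in ''|'#'*) continue ;; esac      # skip blanks and comments
        # hostname.if(5) form of the ifconfig line in the post (NONE = no
        # broadcast address); netstart(8) applies it at boot.
        printf 'inet %s %s NONE vhid %s pass mypassword carpdev %s advskew %s\n' \
            "$addr" "$netmask" "$vhid" "$carpdev" "$skew" \
            > "$root/etc/hostname.carp$vhid"
        chmod 640 "$root/etc/hostname.carp$vhid"    # it contains the CARP password
        # Per-user authpf(8) rules: the AUTHPF.RULES body from the post with
        # ext_addr filled in. $user_ip is left for authpf to define at login,
        # hence the quoted heredoc. pf accepts "flags" only with proto tcp,
        # so tcp and udp/icmp get separate pass out rules.
        mkdir -p "$root/etc/authpf/users/$user"
        {
            printf 'int_if = "sk0"\next_if = "xl0"\next_addr = "%s"\n' "$addr"
            cat <<'EOF'
nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
rdr on $int_if proto tcp from $user_ip to any port 21 -> $ext_addr port 8021
pass in log (all) quick on $int_if proto { tcp, udp, icmp } from $user_ip to any
pass out log (all) on $ext_if proto tcp tagged $user_ip modulate state flags S/SA
pass out log (all) on $ext_if proto { udp, icmp } tagged $user_ip keep state
pass out proto tcp from $ext_addr to any port 21
EOF
        } > "$root/etc/authpf/users/$user/authpf.rules"
    done
}

# carp_states < ifconfig-output
#   Prints "carpN STATE" for every carp interface in "ifconfig -a" output.
carp_states() {
    awk '/^carp[0-9]+:/ { sub(":", "", $1); ifn = $1 }
         ifn != "" && $1 == "carp:" { print ifn, $2; ifn = "" }'
}

# carp_mismatches MASTER_FILE BACKUP_FILE
#   Given "ifconfig -a" output saved from each host, prints one line per carp
#   interface that is not in the expected MASTER-on-master / BACKUP-on-backup
#   split (the symptom in question 1). Prints nothing when everything is fine.
carp_mismatches() {
    carp_states < "$1" | while read -r ifn ms; do
        bs=$(carp_states < "$2" | awk -v i="$ifn" '$1 == i { print $2 }')
        if [ -z "$bs" ]; then
            echo "$ifn: not configured on the backup host"
        elif [ "$ms" = "$bs" ]; then
            echo "$ifn: $ms on both hosts"
        elif [ "$ms" != MASTER ]; then
            echo "$ifn: $ms on the master host, $bs on the backup host"
        fi
    done
    return 0
}

# sample_ifconfig master|backup
#   Constructed "ifconfig -a" excerpts: carp24 behaves, carp53 shows the
#   symptom from the post (MASTER on both hosts).
sample_ifconfig() {
    if [ "$1" = master ]; then st24=MASTER st53=MASTER skew=0
    else st24=BACKUP st53=MASTER skew=100; fi
    for n in 24 53; do
        eval st=\$st$n
        printf 'carp%s: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n' "$n"
        printf '\tcarp: %s carpdev xl0 vhid %s advbase 1 advskew %s\n' "$st" "$n" "$skew"
        printf '\tinet 192.0.2.%s netmask 0xffffff00 broadcast 192.0.2.255\n' "$n"
    done
}

# Demo on constructed data (on the real hosts: ROOT=/ and the saved output
# of "ifconfig -a" from each machine)
demo=$(mktemp -d)
printf '24 userA 192.0.2.24\n53 userB 192.0.2.53\n' \
    | gen_user_config "$demo" xl0 255.255.255.0 backup
sample_ifconfig master > "$demo/master.txt"
sample_ifconfig backup > "$demo/backup.txt"
carp_mismatches "$demo/master.txt" "$demo/backup.txt"     # carp53: MASTER on both hosts
```

After generating the files on both hosts, bring the interfaces up with `sh /etc/netstart carpN` (or a reboot), save `ifconfig -a` from each machine, and run carp_mismatches on the two files. A vhid that is MASTER on both hosts means the slave is not accepting the master's advertisements for that vhid: the usual causes are a vhid or password that differs between the two hostname.carpN files, a pf ruleset that does not pass proto carp on the carpdev, or the switch not delivering the CARP multicast (224.0.0.18, IP protocol 112) between the two ports.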