> On 22 May 2009 at 15:05, Aaron Martinez wrote:
>
>> Hi All,
>>
>> I am setting up an openbsd 4.5 stable based pf firewall and was
>> wondering if there is a way to make it so only certain users could log
>> in from certain IP addresses.  I have authpf set up and working well,
>> but the problem is that if someone isn't coming from one of my "safe" IP
>> addresses, I don't want them to be able to log in using a login name
>> that has a standard shell like ksh.  I saw the "Match" statement for
>> sshd but it looks like the only things that can be set are:
>> AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
>> ForceCommand, GatewayPorts, GSSAPIAuthentication,
>> HostbasedAuthentication, KbdInteractiveAuthentication,
>> KerberosAuthentication, MaxAuthTries, MaxSessions,
>> PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
>> PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
>> X11DisplayOffset, X11Forwarding and X11UseLocalHost.  None of which
>> would allow what I'm trying to do (if I'm understanding this correctly).
>>
>>
>> I'm trying to have authpf authenticate people before they are able to
>> use certain services behind the firewall, i.e. pptp server, pop server
>> etc., while allowing certain people from static IP addresses to actually
>> log into the openbsd firewall.
>
> You did say you are setting up a pf firewall, so why not use its
> firewalling functionality to limit those services to the specific
> _static IP addresses_? This is one of the simplest use cases for pf!
>
>> Any ideas greatly appreciated.
>>
>>
>> Thanks in advance.
>>
>> Aaron Martinez
>
>

I don't want to limit the services behind the firewall to certain IP
addresses, only to people that can authenticate with authpf at the
firewall; they can be at any IP.  Then, after they authenticate, a rule is
loaded to allow their IP to get to the pop or pptp server behind the
firewall.

The safe addresses are for people that need to do administration on the fw
and have an account on the fw system itself that has a shell other than
authpf.

Thanks.
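One way to express the policy discussed in this thread in sshd_config, added here as an illustration (it is not part of the thread and not anyone's posted configuration). The user names, group of "vpn-*" accounts and the 192.0.2.x management addresses are placeholders. It relies on two things sshd_config(5) documents: AllowUsers accepts "user@host" entries, so an account can be tied to the addresses it may log in from, and "Address" is a Match criterion whose pattern list may contain negated entries:

```conf
# sshd_config fragment (added example; names and addresses are placeholders)
#
# Accounts whose login shell is /usr/sbin/authpf may connect from anywhere;
# their only job is to hold the session open while pf rules are loaded for
# their address. Accounts that have a real shell (ksh) are listed as
# user@host: sshd accepts the login only when the client's source address
# matches, so "alice" from any other address is refused before the shell
# ever starts, no matter which password or key she offers.
AllowUsers  alice@192.0.2.10 alice@192.0.2.11 bob@192.0.2.11 vpn-*

# Everything that is NOT a management address is treated as an authpf-only
# client. These are the per-connection options from the first message in the
# thread; "Address" with a negated pattern list selects the block.
Match Address *,!192.0.2.10,!192.0.2.11
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
```

AllowUsers is checked as a whole, so every interactive account must appear in it once this line exists; an account left off the list is simply refused. On an sshd that supports it, `sshd -T -C user=bob,host=example.test,addr=198.51.100.7` prints the options that would apply to such a connection, which is a quick way to confirm the Match block is selected for non-management addresses.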
