On 22 May 2009 at 16:37, Aaron Martinez wrote:

> > On 22 May 2009 at 15:05, Aaron Martinez wrote:
> >
> >> Hi All,
> >>
> >> I am setting up an OpenBSD 4.5 stable based pf firewall and was
> >> wondering if there is a way to make it so only certain users could log
> >> in from certain IP addresses. I have authpf set up and working well,
> >> but the problem is if someone that isn't coming from one of my "safe" IP
> >> addresses, I don't want them to be able to log in using a login name
> >> that has a standard shell like ksh. I saw the "Match" statement for
> >> sshd but it looks like the only things that can be set are:
> >> AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
> >> ForceCommand, GatewayPorts, GSSAPIAuthentication,
> >> HostbasedAuthentication, KbdInteractiveAuthentication,
> >> KerberosAuthentication, MaxAuthTries, MaxSessions,
> >> PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
> >> PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
> >> X11DisplayOffset, X11Forwarding and X11UseLocalHost. None of which
> >> would allow for what I'm trying. (If I'm understanding this correctly.)
> >>
> >> I'm trying to have authpf authenticate people before they are able to
> >> use certain services behind the firewall, i.e. PPTP server, POP server
> >> etc., while allowing certain people from static IP addresses to actually
> >> log into the OpenBSD firewall.
> >
> > You did say you are setting up a pf firewall, so why not use its
> > firewalling functionality to limit those services to the specific
> > _static IP addresses_? This is one of the simplest use cases for pf!
> >
> >> Any ideas greatly appreciated.
> >>
> >> Thanks in advance.
> >>
> >> Aaron Martinez
>
> I don't want to limit the services behind the firewall to certain IP
> addresses, only to people that can authenticate with authpf at the
> firewall; they can be at any IP. Then after they authenticate a rule is
> loaded to allow their IP to get to the POP or PPTP server behind the
> firewall.
>
> The safe addresses are for people that need to do administration on the fw
> and have an account on the fw system itself that has a shell other than
> authpf.

What kind of firewall would it be if it could not protect itself? Ergo, my original suggestion still holds. Please review the pf FAQ and other documentation, they contain a number of examples to do exactly what you are asking.

> Thanks.
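The setup described in this thread, written out as an added configuration example (not posted by either participant): pf restricts by address and carries the per-user authpf anchor, while the account-to-address restriction the original question asks for is done in sshd's global AllowUsers directive, whose USER@HOST form ties an account name to a source host or address. The interface name em0, the addresses 192.0.2.10 and 192.0.2.11 as the "safe" admin addresses, the internal servers 10.0.0.5 and 10.0.0.6, the admin account "aaron", and the "vpn-*" naming scheme for the authpf accounts are all assumptions made for the example.

```text
# /etc/ssh/sshd_config  (added example; addresses and names are placeholders)
#
# AllowUsers is global (it is not a Match keyword in OpenSSH 5.x).  A login
# is accepted only if the account name matches one of these patterns.
# USER@HOST entries allow that account only from that host/address; a bare
# pattern allows the account from anywhere.  Assumption: the authpf shell
# accounts are all named vpn-<something>.  Any other account, whatever its
# shell, is refused before authentication is attempted.
AllowUsers aaron@192.0.2.10 aaron@192.0.2.11 vpn-*

# Connections from anything except the admin addresses can only be authpf
# accounts now, so also remove what an authpf session has no business doing:
# no root login and no forwarding through the firewall's sshd.
Match Address *,!192.0.2.10,!192.0.2.11
    PermitRootLogin no
    AllowTcpForwarding no
    X11Forwarding no

# /etc/pf.conf  (fragment)
ext_if = "em0"

# sshd on the firewall must be reachable from anywhere, because the authpf
# users authenticate there; which account may arrive from which address is
# decided by sshd (AllowUsers above), not by pf.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh

# Per-user rules that authpf loads after a successful login.
anchor "authpf/*"

# /etc/authpf/authpf.rules  (loaded into the user's anchor by authpf;
# $user_ip is set by authpf to the address the user logged in from.
# Macros from pf.conf are not inherited, so redefine what is needed.)
ext_if   = "em0"
pop_srv  = "10.0.0.5"      # assumed internal POP server
pptp_srv = "10.0.0.6"      # assumed internal PPTP server
pass in quick on $ext_if proto tcp from $user_ip to $pop_srv port 110
pass in quick on $ext_if proto tcp from $user_ip to $pptp_srv port 1723
pass in quick on $ext_if proto gre from $user_ip to $pptp_srv
```

Check it with `sshd -t` after editing sshd_config and `pfctl -nf /etc/pf.conf` before loading, and confirm the split by trying the admin account from a non-admin address (sshd should refuse it) and an authpf account from anywhere (it should be accepted, and `pfctl -a 'authpf/*' -sr` should then show the rules loaded for that user). One caveat: pf alone cannot make this distinction, because both kinds of user reach the same sshd on the same port; it is the AllowUsers line that keeps a ksh account from logging in from an address that is not on the admin list.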

