PF Authpf setup

Hello fellow PF users,

I am facing a weird issue using authpf(8).

Here is what I'm trying to achieve, along with some details of the configuration and the issue I'm facing.

In order to achieve some compliance I have a few constraints to match:

Normal users are using the firewall as a normal gateway, no authpf(8) involved.
Power users need to go through two-factor authentication and use the firewall as a bastion to access production systems with privileged accounts.

Retained solution:

No change to the normal users' ruleset.
Power users will use a specific authpf(8) account along with PAM + Google Authenticator and have a dedicated ruleset.
A few anchors already exist and work.


Code:
[root@cerbere /etc/authpf]# uname -a
FreeBSD cerbere.Traveldoo.local 9.3-RELEASE-p33 FreeBSD 9.3-RELEASE-p33 #0: Thu Jan 14 00:48:15 UTC 2016  root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

authpf(8) has been set up to use a per-user ruleset as described in authpf(8).
authpf.conf is empty.

When my first authpf(8) user logs in, his ruleset is loaded and working.
However, when a second authpf user comes in, for some reason his traffic gets denied by the ruleset of another authpf user, see below:

Working user cedricpf
Code:
[10:50] 00:00:00.000000 rule 51.cedricpf(27530).167/0(match): pass in on em0: 172.16.3.2.56320 > 192.168.211.10.3389: Flags [ S], seq 64915780, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0


Non Working user guillaumepf:
Code:
[10:50] 00:00:00.000000 rule 51.cedricpf(27530).167/0(match): block in on em0: 172.16.3.8.56320 > 192.168.211.10.3389: Flags [ S], seq 64915790, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

Have you guys already faced such an issue?
 
A bit more information on this.
I fell back to a global authpf(8) ruleset and it seems to work.

From my understanding, it seems that for some reason the <authpf_users> table wasn't freed at all and wasn't keeping track of logged-in users.

However, I would love to have a per-user configuration of authpf(8); if any of you have some insights?
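For reference, here is an added example of the per-user authpf(8) layout the post is describing; it is not the poster's configuration and the hostnames, interface name (em0) and addresses are assumptions. The main pf.conf carries the persistent <authpf_users> table and the "authpf/*" anchor, and each user's rules file lives under /etc/authpf/users/<username>/authpf.rules. authpf(8) substitutes the $user_ip and $user_id macros with the address and login name of the session that loaded the file, so every pass or block rule in a per-user file is written against $user_ip; that way the rules loaded for one session only ever match that session's source address, and traffic from another user's address falls through to the next anchor or the main ruleset instead of being evaluated against a different user's block rules.

```pf
# /etc/pf.conf (added example, not the poster's file)
ext_if = "em0"                     # assumed interface name
table <authpf_users> persist       # authpf(8) adds/removes $user_ip here per session

# Normal users: unchanged gateway rules go here, before the authpf anchor.
pass in on $ext_if from 172.16.3.0/24 to any keep state   # assumed LAN

# Per-session rules are loaded by authpf(8) into sub-anchors named
# "authpf/<user>(<pid>)"; this single anchor line pulls all of them in.
anchor "authpf/*"

# Anything reaching this point from a power-user address that is not
# covered by its own authpf sub-anchor is dropped and logged.
block in log on $ext_if from <authpf_users> to any

# /etc/authpf/users/cedricpf/authpf.rules (added example)
# $user_ip and $user_id are substituted by authpf(8) for this session only.
# Scoping every rule to $user_ip keeps this sub-anchor from matching
# traffic that belongs to another logged-in user's address.
prod_rdp = "192.168.211.10"        # assumed bastion target
pass in log quick on em0 proto tcp from $user_ip to $prod_rdp port 3389 keep state
block in log quick on em0 from $user_ip to any
```

To see which sub-anchor a session's rules actually landed in, and whether the table still holds an address after logout, `pfctl -a 'authpf/*' -sr` lists every loaded authpf sub-anchor with its rules and `pfctl -t authpf_users -T show` dumps the current table contents; the `rule 51.cedricpf(27530).167/0` prefix in the pflog output above is exactly that anchor path (main-ruleset rule 51, sub-anchor `cedricpf(27530)`, rule 167), which is what to compare against the logged-in user's own anchor name.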
 