Hello fellow PF users,
I am facing a weird issue using authpf(8).
Below is what I'm trying to achieve, along with some details of the configuration and the issue I'm facing.
In order to achieve compliance I have a few constraints to meet:
Normal users use the firewall as a normal gateway, with no authpf(8) involved.
Power users need to go through two-factor authentication and use the firewall as a bastion to access production systems and use privileged accounts.
Retained solution:
No change to the normal users' ruleset.
Power users will use a specific authpf(8) account along with PAM + Google Authenticator and have a dedicated ruleset.
A few anchors already exist and work.
Code:
[root@cerbere /etc/authpf]# uname -a
FreeBSD cerbere.Traveldoo.local 9.3-RELEASE-p33 FreeBSD 9.3-RELEASE-p33 #0: Thu Jan 14 00:48:15 UTC 2016 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
authpf(8) has been set up to use per-user rulesets, as described in authpf(8).
authpf.conf is empty.
When my first authpf(8) user logged in, his ruleset was loaded and working.
However, when a second authpf user comes in, for some reason his traffic gets denied by the ruleset of another authpf user; see below:
Working user cedricpf:
Code:
[10:50] 00:00:00.000000 rule 51.cedricpf(27530).167/0(match): pass in on em0: 172.16.3.2.56320 > 192.168.211.10.3389: Flags [ S], seq 64915780, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
Non Working user guillaumepf:
Code:
[10:50] 00:00:00.000000 rule 51.cedricpf(27530).167/0(match): block in on em0: 172.16.3.8.56320 > 192.168.211.10.3389: Flags [ S], seq 64915790, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
Have you guys already faced such an issue?
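The pflog lines above show that guillaumepf's SYN (from 172.16.3.8) was blocked by a rule inside cedricpf's anchor, authpf/cedricpf(27530). With `anchor "authpf/*"` in the main ruleset, pf evaluates every logged-in user's anchor against every packet that reaches that anchor, so a per-user rule that is not restricted to the owning user's address will act on other users' traffic as well. The fragment below is an added example by the editor, not configuration from the post: it shows the main-ruleset anchor and a per-user authpf.rules file where every rule is scoped with the `$user_ip` macro that authpf(8) expands to the authenticated user's source address before loading the file. The interface `em0`, the production host 192.168.211.10:3389 and the two client addresses are taken from the post; the file contents, the unscoped "wrong" rule shown in comments, and the idea that the posted rulesets look like this are assumptions.

```pf
# --- /etc/pf.conf (excerpt) -------------------------------------------
# Main ruleset on the bastion. em0 and the production host come from the
# post; everything else in this file is assumed.
ext_if = "em0"

# Normal users keep their existing gateway rules above this line (unchanged).

# All per-user authpf(8) rulesets are loaded as sub-anchors of "authpf".
# Every packet reaching this rule is evaluated against EVERY logged-in
# user's anchor (authpf/cedricpf(27530), authpf/guillaumepf(<pid>), ...),
# so the rules inside those anchors must restrict themselves to the
# address of the user who owns them.
anchor "authpf/*"

# --- /etc/authpf/users/guillaumepf/authpf.rules (assumed content) -------
# authpf(8) replaces $user_ip with the address the user authenticated from
# (172.16.3.8 for guillaumepf in the post) and $user_id with the numeric
# uid, then loads the file into anchor authpf/guillaumepf(<pid>).
# Macros defined in /etc/pf.conf are NOT visible here: this file is parsed
# on its own by authpf, so addresses and interfaces are spelled out.
#
# WRONG (assumed shape of a rule that would reproduce the posted pflog):
# an unscoped block matches any source. Loaded into cedricpf's anchor it
# would also block guillaumepf's 172.16.3.8 -> 192.168.211.10:3389 SYN.
#   block in log quick on em0 proto tcp to 192.168.211.10 port 3389
#
# RIGHT: every rule carries $user_ip, so this anchor only ever decides
# traffic belonging to the user who owns it. Other users' packets fall
# through to the next anchor or the main ruleset untouched.
pass in log quick on em0 proto tcp from $user_ip to 192.168.211.10 port 3389 flags S/SA keep state
block in log quick on em0 from $user_ip
```

To see exactly which rules a live user anchor contains, read the anchor name out of the pflog line and dump it, e.g. `pfctl -a "authpf/cedricpf(27530)" -sr`; rule 167 in that listing is the one that blocked guillaumepf, and `pfctl -sA` lists all anchors currently loaded. If the offending rule has no `from $user_ip` (or `$user_id`) restriction, that is the cause; the fix belongs in the per-user authpf.rules files, not in the normal users' ruleset.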