network, security, shell

Authpf: authenticated routing and firewalling on OpenBSD

In our detailed description of OpenBSD’s packet filter (here and there) we mentioned authpf, and spoke of it as a useful tool, but what is it use? I tend to understand it as an instrument for authenticated routing, that is, a way to provide routing (and firewalling etc…) services only to authenticated users.

Think of a corporate setting with different users having access to different services according to their identities (and not according to their computer’s IPs, which may well be dynamic or different). For example, user boss may access the firm’s MAIN smb (ports 139, 435) server and any http (port 80) server out there, but user dilbert may only access the firm’s MAIN smtp (port 25) server, because he is basically an untrusted users. The problem is that both boss and dilbert use the same computers and even unconfigured laptops they bring from home, so that you need to route their connections according to their identities.

This can be easily done with authpf. If the router (firewall) before MAIN is called Ogate, one would create users boss and dilbert, with passwords and login shells authpf (which is a specific login shell in OpenBSD). The would be given (obviously) those login/password pairs and, basically, Ogate would just let inward connections on port 22 (the ssh port).

Configuring authpf is a matter of minutes. The main directories and files in this setting would be


apart, obviusly, from pf‘s configuration file /etc/pf.conf.

The /etc/authpf/authpf.conf may well be empty, but must exist in order for authpf to work. The /etc/authpf/authpf.rules is the default set of rules which will be used if a specific file for a users is not present (in our example, it may be empty). There is an /etc/authpf/users/ directory containing, if necessary, a directory per special user in which to find the specific authpf.rules file relative to that user. Again in our example, these files would look like:

# cat < /etc/authpf/users/boss/authpf.rules
pass in quick on $inside proto {tcp, udp} from $user_ip to $MAIN port {http, 139, 445}


# cat < /etc/authpf/users/dilbert/authpf.rules
pass in quick on $inside proto tcp from $user_ip to $MAIN port {smtp}

Assuming that the firewall has already been configured to let any traffic pass from the router to the outside, once it has got in. Also, authpf needs to be treated as an anchor in that file. The details can be found at OpenBSD's FAQ, but basically one needs to create an authpf_users persistent table and to call authpf as an anchor:

table <authpf_users> persist
pass in quick on $inside proto {tcp, udp} from  to $dns_servers port domain
anchor "authpf/*"

(This is just a simplified example). The configuration is a bit more complicated than what we have explained, but having a per-user routing service pays in the long run (you can fine-grain your routing and firewalling a lot, and taking advantage of pf's logging capabilities, you can easily trace misbehaviours and possible configuration/routing mistakes.

Having such a fine-grained per-user routing is worth the extra effort (and the ease of maintenance, being IP-independent). Read the FAQ's to be truly enlightened.

speak up

Add your comment below, or trackback from your own site.

Subscribe to these comments.

Be nice. Keep it clean. Stay on topic. No spam.

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*Required Fields