The Archives

  • 28.Feb.09
    Using $|=1 in real life, for squidGuard shell | pfortuny | (0)
    In a previous minipost I mentioned Perl's $|=1 ('autoflush output') setting, which flushes STDOUT after every write instead of letting perl buffer it. This matters more for IPC than for interactive scripts (on a terminal STDOUT is USUALLY line-buffered, so it looks flushed, although any threaded program will show you differently). In the Squid configuration at a local firewall where authpf is used, the system does not only filter connections per user (which is authpf's job), but it also authenticates them to Squid via authpf. The relevant configuration lines in /etc/squid/squid.conf are:
      # next line needed to read the /var/authpf directory
      cache_effective_group authpf
      external_acl_type check_authpf children=15 %SRC /usr/local/bin/
      acl authpf external check_authpf
    They tell Squid to get the IPs (%SRC) ...
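    What such a helper looks like, as an added example (it is not the script the post installs under /usr/local/bin/, whose name is cut off in the excerpt). It assumes what authpf(8) documents: one file per logged-in client in /var/authpf, named after the client's IP address and containing the username. The reply format ("OK"/"ERR", optionally followed by user=...) is Squid's external ACL protocol without concurrency, which matches the external_acl_type line above.

```perl
#!/usr/bin/perl
# Squid external_acl_type helper: answers "is this client IP an authenticated
# authpf user?".  Added example, not the helper installed under /usr/local/bin/
# in the post (that path is cut off in the excerpt).
use strict;
use warnings;

# The whole point of the post: Squid talks to us over a pipe, so STDOUT is
# block-buffered, not line-buffered.  Without $|=1 the "OK"/"ERR" line sits in
# perl's buffer and Squid waits on the helper until it gives up on it.
$| = 1;

# authpf(8) keeps one file per logged-in client, named after the IP address
# and containing the username.  The directory belongs to group authpf, hence
# "cache_effective_group authpf" in squid.conf.
my $authpf_dir = '/var/authpf';

# Returns ('OK', $user) when $dir/$ip exists and names a user, ('ERR') otherwise.
sub check_ip {
    my ($ip, $dir) = @_;
    # The IP becomes a file name: accept a plain dotted quad only, so a
    # malformed or hostile %SRC can never turn into "../something".
    return ('ERR') unless defined $ip && $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;
    open(my $fh, '<', "$dir/$ip") or return ('ERR');
    my $user = <$fh>;
    close $fh;
    return ('ERR') unless defined $user;
    chomp $user;
    # Only hand a sane token back to Squid (it ends up in the access log).
    return ('ERR') unless $user =~ /\A[\w.-]+\z/;
    return ('OK', $user);
}

# Protocol: one request per line (here just the %SRC field), one reply per line.
while (my $line = <STDIN>) {
    chomp $line;
    my ($ip) = split ' ', $line;
    my ($verdict, $user) = check_ip($ip, $authpf_dir);
    print defined $user ? "$verdict user=$user\n" : "$verdict\n";
}
```

    To try it by hand, run it as a user in group authpf and type an IP address on stdin: a client with an open authpf session answers "OK user=name", anything else "ERR". Comment out the $| = 1 line and drive it from Squid rather than a terminal to see the hang the post is about.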
  • 09.Jan.09
    Authpf: authenticated routing and firewalling on OpenBSD network, security, shell | pfortuny | (0)
    In our detailed description of OpenBSD's packet filter (here and there) we mentioned authpf and spoke of it as a useful tool, but what is its use? I tend to understand it as an instrument for authenticated routing, that is, a way to provide routing (and firewalling, etc.) services only to authenticated users. Think of a corporate setting with different users having access to different services according to their identities (and not according to their computers' IP addresses, which may well be dynamic or differ from one day to the next). For example, user boss may access the firm's MAIN smb (ports 139, 445) server and any http ...
  • 20.Nov.08
    pf, OpenBSD’s [p]acket [f]ilter (2) network, security | pfortuny | (1)
    We introduced OpenBSD's pf in a previous post. In the present one we are going to start commenting on a full-featured firewall configuration which uses quite a few of pf's functionalities: macros, lists, anchors... As we said then, OpenBSD's FAQ contains the complete and detailed documentation. Here is the complete set of firewall rules [except those related to authpf], usually stored at /etc/pf.conf (bear with me for the long quote, but I'd rather comment on a complete file than do it in parts).
      # 0) Start: macros and tables
      ext_if="rl0"
      int_if="vr0"
      ext_services = "{smtp www 222}"
      in_services = "{ssh smtp domain www}"
      always_open ...
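    How the authpf rules that the excerpt above leaves out plug into such a pf.conf, and what the per-user rule set for the "user boss" example of the authpf post looks like, as one added example covering both posts. This is not the author's configuration: it shows two files in one listing (the pf.conf part, then /etc/authpf/users/boss/authpf.rules), reuses the interface macros from the excerpt, and the SMB server address is made up. The table name, the anchor name and the $user_ip macro are the ones authpf(8) documents.

```pf
# --- /etc/pf.conf: the lines a ruleset needs for authpf (added example) ---
ext_if = "rl0"
int_if = "vr0"

# authpf adds a client's address here at login and removes it at logout,
# so "from <authpf_users>" can be used anywhere in the main ruleset
table <authpf_users> persist

block all
# users must be able to reach sshd on the firewall to run authpf at all;
# authpf is their login shell, and the session stays open while they are logged in
pass in on $int_if proto tcp from any to $int_if port ssh

# each user's rules are loaded into an anchor named authpf/<user>(<pid>);
# the anchor is evaluated here, after the default block
anchor "authpf/*"

# --- /etc/authpf/users/boss/authpf.rules: loaded into boss's anchor at login ---
# authpf supplies $user_ip (and $user_id); nothing is inherited from pf.conf,
# so any other macro must be defined again in this file
int_if  = "vr0"
smb_srv = "192.0.2.10"   # made-up address of the firm's MAIN smb server
pass in quick on $int_if proto tcp from $user_ip to $smb_srv port { 139 445 }
pass in quick on $int_if proto tcp from $user_ip to any port www
```

    The user also needs /usr/sbin/authpf as login shell and, if /etc/authpf/authpf.allow exists, an entry in it. The per-user rules use quick so that they win over the default block without depending on rule order in the main file. On OpenBSD releases of the posts' vintage (before 4.7) the nat-anchor, rdr-anchor and binat-anchor "authpf/*" lines were required alongside anchor "authpf/*"; from 4.7 on the single anchor line covers all of them.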