[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

authpf and rdr


I have at home an OpenBSD 3.1 firewall (due to upgrade to 3.2 soon), which has 4 legs, one of which is a wireless interface.
Now currently I allow only traffic from this leg from users/ips that have authenticated by ssh/authpf. This works perfectly in theory but in reality it always turns out that the folks that bring their notebook with them don't have putty or any recent ssh client installed. I find myself often then running around with a floppy disk copying putty on their notebooks which I would like to avoid with a more "chique" solution as described below:

Why not redirect all outgoing web connections from the wireless leg with the following line to an internal website carrying a short introduction and putty to download:

rdr on wi0 from any to any port 80 -> port 80

This way the user just opens his browser et voila.
And thats great, all outgoing requests go to this website. Cool so far.

But here it gets complicated. After the user downloaded putty and authenticated himself with a valid account, how could I remove the above rule or make it obsolete so that the user actually can reach external or internal websites on port 80 ?
The only I've come up is to quasi superseed this rule by specifying a proxy somewhere like in authpf.nat

rdr on wi0 from to any to any port 80 -> port 8080

But I would really like to just remove the above ruleset for authenticated users.
Either I am overlooking something trivial or I am just not "innovative" enough ;)
So has anybody and idea how I could solve this ?
If I missed an important manual or web page please let me know and accept my apologies for wasting your time, I really did my best searching the archives and reading man pages.

Christoph Schneeberger