[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
authpf and rdr
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: authpf and rdr
- From: Christoph Schneeberger <cschnee_(_at_)_box_(_dot_)_telemedia_(_dot_)_ch>
- Date: Thu, 16 Jan 2003 16:31:25 +0100
I have at home an OpenBSD 3.1 firewall (due to upgrade to 3.2 soon),
which has 4 legs, one of which is a wireless interface.
Now currently I allow only traffic from this leg from users/ips that
have authenticated by ssh/authpf. This works perfectly in theory but in
reality it always turns out that the folks that bring their notebook
with them don't have putty or any recent ssh client installed. I find
myself often then running around with a floppy disk copying putty on
their notebooks which I would like to avoid with a more "chique"
solution as described below:
Why not redirect all outgoing web connections from the wireless leg with
the following line to an internal website carrying a short introduction
and putty to download:
rdr on wi0 from any to any port 80 -> 10.1.1.2 port 80
This way the user just opens his browser et voila.
And thats great, all outgoing requests go to this website. Cool so far.
But here it gets complicated. After the user downloaded putty and
authenticated himself with a valid account, how could I remove the above
rule or make it obsolete so that the user actually can reach external or
internal websites on port 80 ?
The only I've come up is to quasi superseed this rule by specifying a
proxy somewhere like in authpf.nat
rdr on wi0 from to any to any port 80 -> 10.1.1.1 port 8080
But I would really like to just remove the above ruleset for
Either I am overlooking something trivial or I am just not "innovative"
So has anybody and idea how I could solve this ?
If I missed an important manual or web page please let me know and
accept my apologies for wasting your time, I really did my best
searching the archives and reading man pages.