On Thu, 27 Nov 2014 17:09:02 +0100 Martin Hanson <[email protected]> 
wrote:
> Hi
> 
> So I am looking into authpf and I am wondering about some real world
> applications.
> 
> I have a bunch of users, but I also have just a bunch of machines.
> 
> The machines cannot log in via SSH and should not try to do so (via some
> script or otherwise). However, these machines need access 24/7.

then authpf may not be what you need. the purpose of authpf is to ensure that
the person needing outside access has to authenticate first, and it needs ssh.

> 
> So I was thinking about fixing rules to those machines before any
> anchors for users, but I cannot see how this provides any security at
> all - and bear with me if I am overlooking something.
> 
> If say machine 192.168.0.2 and 192.168.0.3 need unrestricted access to
> the net, then won't it be as easy as "Joe" changing his machine's IP
> address to 192.168.0.2 to gain access without authentication?

theoretically this is possible, but only if the original machine holding
the ip was down. just as a nameserver converts to an ip, the ip is converted
to a MAC-address, which is associated with the NIC. if you want you can
permanently associate an ip with a mac, that way another machine cannot use
that ip address, even if the rightful holder is down. see arp(8).

> 
> And what about other kinds of access? Now I get a brand new box in that
> needs a fresh installation of some Linux distribution that we install
> over HTTP. This new box doesn't come with an SSH console and the install
> disk doesn't provide a console with SSH during installation.

this is not a problem, you can configure a gateway to allow any access you
want. you can't use authpf for this however, but you could restrict the
machine being updated to only use http and only to a particular address
if you want.

pf is VERY flexible.

the pf firewall tutorial is here:
http://home.nuug.no/~peter/pf/en/long-firewall.html

> 
> Then I am beginning to see signs of "network segmentation" in my head,
> but that kinda makes authpf more or less useless then - unless I need
> to grant different people different access on the same segment I can
> just segment the entire net.
> 
> Anyway, I hope I make sense! :)
> 
> How do you use authpf in real life?

just like the man page says. that way you can know who is using the network
as opposed to what (machine) is using it.

> 
> Kind regards.
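The layout the reply describes (fixed rules for the always-on machines, a narrow HTTP-only rule for the box being installed, and the authpf anchor for everyone else) as one pf.conf, added here as an example and not taken from the thread. The interface name, the install box address and the mirror address are assumptions; the 192.168.0.2 and 192.168.0.3 hosts are the ones named in the question. One caveat the thread does not spell out: pf applies the last matching rule, so a rule written "before the anchor" only wins if it is marked `quick`, otherwise a rule loaded into the authpf anchor later in the file can override it.

```conf
# Added example pf.conf; not from the mailing-list thread.
# Interface, install-box and mirror addresses are assumptions.
int_if      = "em1"
always_on   = "{ 192.168.0.2, 192.168.0.3 }"   # machines that never log in via ssh
install_box = "192.168.0.50"                    # fresh box installing over HTTP (assumed)
mirror      = "203.0.113.10"                    # the only HTTP server it may reach (assumed)

set skip on lo
match out on egress from $int_if:network nat-to (egress)

block all

# Always-on machines: fixed rules, no authentication. "quick" stops rule
# evaluation here, so nothing loaded into the authpf anchor below can
# override these hosts' access.
pass in quick on $int_if from $always_on to any keep state

# The box being installed gets HTTP to one address and nothing else.
pass in quick on $int_if proto tcp from $install_box to $mirror port 80 keep state

# Everything allowed in from the LAN may leave through the external interface.
pass out quick on egress keep state

# Users must be able to ssh to the gateway itself to authenticate with authpf.
pass in quick on $int_if proto tcp from $int_if:network to $int_if port 22 keep state

# Per-user rules that authpf loads after a successful login land in this anchor.
anchor "authpf/*"
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sr` shows the resulting rule order so you can confirm the fixed rules sit above the anchor. The IP-spoofing concern raised in the question is addressed on the gateway with a static ARP entry, e.g. `arp -s 192.168.0.2 00:00:5e:00:53:01 permanent` (constructed MAC); that pins the gateway's own IP-to-MAC mapping for that host so another machine cannot take over the address simply by configuring it, though it protects only the gateway's view and not other hosts on the segment.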
