Date: Mon, 3 Apr 2006 12:46:35 +0300
From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: Mark Jayson Alvarez <jay2xra@yahoo.com>
Subject: Re: ipfw plus authentication???
Message-ID: <200604031246.36323.nvass@teledomenet.gr>
In-Reply-To: <20060403073449.1238.qmail@web51602.mail.yahoo.com>
References: <20060403073449.1238.qmail@web51602.mail.yahoo.com>
On Monday 03 April 2006 10:34, Mark Jayson Alvarez wrote:
> Hi
>
> I am looking for ways to manage our LAN by having each user register their
> ipaddress, mac address, workstation os, etc. in our ldap directory. Now in
> our pcrouter, the users will first send his login credentials to the
> pcrouter, and then the pcrouter will check against ldap if this login is
> correct, and if it is, then it will now do an ldapsearch/compare operation
> to see if the source address (ip/mac) of the user trying to gain network
> access indeed belongs to that user. Only then, the ipfw ruleset will be
> changed to allow traffic originating from this source address...
>

Does it have to be LDAP and ipfw? There is authpf which...

Introduction

Authpf(8) is a user shell for authenticating gateways. An authenticating
gateway is just like a regular network gateway (a.k.a. a router) except that
users must first authenticate themselves to the gateway before it will allow
traffic to pass through it. When a user's shell is set to /usr/sbin/authpf
(i.e., instead of setting a user's shell to ksh(1), csh(1), etc) and the user
logs in using SSH, authpf will make the necessary changes to the active pf(4)
ruleset so that the user's traffic is passed through the filter and/or
translated using Network Address Translation or redirection. Once the user
logs out or their session is disconnected, authpf will remove any rules
loaded for the user and kill any stateful connections the user has open.
Because of this, the ability of the user to pass traffic through the gateway
only exists while the user keeps their SSH session open.

From here: http://www.openbsd.org/faq/pf/authpf.html

Of course this does not cover the IP|MAC address checking you mentioned, but
I don't see how this enhances security. It will be easy for a user to
change his IP|MAC address.

HTH, Nikos

> Anyone have gone with this solution before??
>
> Thanks
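A minimal configuration of the authpf setup Nikos describes, added here as an illustration and not part of the thread or of the OpenBSD FAQ: the gateway's pf.conf blocks all LAN traffic except SSH to the gateway itself and provides the anchors that authpf(8) populates, and the per-user template in /etc/authpf/authpf.rules is what authpf loads, with $user_ip replaced by the address the user's SSH session arrived from. Interface names (fxp0, fxp1) are assumed.

```pf
# /etc/pf.conf on the gateway (example; interface names are assumed)
ext_if = "fxp0"
int_if = "fxp1"

# Unauthenticated LAN hosts may only reach the gateway's SSH port,
# which is where they log in with a shell of /usr/sbin/authpf
pass in quick on $int_if proto tcp from $int_if:network to ($int_if) port ssh keep state

# Per-user rules that authpf(8) loads and unloads live under these anchors;
# the anchor name is authpf/<username>(<pid>), hence the wildcard
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"

# Everything else from the LAN is dropped until authpf adds a rule for it
block in on $int_if

# /etc/authpf/authpf.rules: the template loaded for each authenticated user.
# authpf substitutes $user_ip with the source address of the SSH session
# and removes the rule (and kills its states) when that session ends.
int_if = "fxp1"
pass in quick on $int_if from $user_ip to any keep state
```

On the gateway, /usr/sbin/authpf must be listed in /etc/shells and set as the user's login shell, and /etc/authpf/authpf.conf must exist (an empty file is enough) before authpf will run. Note what this does and does not check: the rule is keyed only to the IP address the SSH session came from, so, as the reply says, it ties access to a live authenticated session rather than to an unforgeable host identity.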