From owner-svn-src-projects@freebsd.org Mon Apr 1 05:53:29 2019 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8D89C1582851 for ; Mon, 1 Apr 2019 05:53:29 +0000 (UTC) (envelope-from SRS0=8Ful=SD=vega.codepro.be=kp@codepro.be) Received: from venus.codepro.be (venus.codepro.be [IPv6:2a01:4f8:162:1127::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.codepro.be", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 8906F7700B; Mon, 1 Apr 2019 05:53:28 +0000 (UTC) (envelope-from SRS0=8Ful=SD=vega.codepro.be=kp@codepro.be) Received: from vega.codepro.be (unknown [172.16.1.3]) by venus.codepro.be (Postfix) with ESMTP id 0005A2E0C2; Mon, 1 Apr 2019 07:53:18 +0200 (CEST) Received: by vega.codepro.be (Postfix, from userid 1001) id F10BD260A0; Mon, 1 Apr 2019 07:53:18 +0200 (CEST) Date: Mon, 1 Apr 2019 07:53:18 +0200 
From: Kristof Provost To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r345760 - in head: contrib/pf sys/netpfil/pf sbin/pfctl Message-ID: <20190401055318.GI7163@vega.codepro.be> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline X-SVN-Group: head X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: in head: contrib/pf sys/netpfil/pf sbin/pfctl X-SVN-Commit-Revision: 345760 X-SVN-Commit-Repository: base Precedence: bulk X-Loop: FreeBSD.org User-Agent: Mutt/1.11.2 (2019-01-07) X-Rspamd-Queue-Id: 8906F7700B X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of SRS0=8Ful=SD=vega.codepro.be=kp@codepro.be designates 2a01:4f8:162:1127::2 as permitted sender) smtp.mailfrom=SRS0=8Ful=SD=vega.codepro.be=kp@codepro.be X-Spamd-Result: default: False [-6.00 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a01:4f8:162:1127::2]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; PRECEDENCE_BULK(0.00)[]; DMARC_NA(0.00)[freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCVD_COUNT_THREE(0.00)[3]; RCVD_TLS_LAST(0.00)[]; RCVD_IN_DNSWL_MED(-0.20)[2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.2.1.1.2.6.1.0.8.f.4.0.1.0.a.2.list.dnswl.org : 127.0.9.2]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-0.96)[-0.962,0]; MX_GOOD(-0.01)[mx2.codepro.be,mx1.codepro.be]; MAILLIST(-0.10)[generic]; IP_SCORE(-2.43)[ip: (-8.03), ipnet: 2a01:4f8::/29(-2.17), asn: 24940(-1.94), country: DE(-0.01)]; FORGED_SENDER(0.00)[kp@freebsd.org,SRS0=8Ful=SD=vega.codepro.be=kp@codepro.be]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE]; FROM_NEQ_ENVFROM(0.00)[kp@freebsd.org,SRS0=8Ful=SD=vega.codepro.be=kp@codepro.be]; FORGED_SENDER_MAILLIST(0.00)[] X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Apr 2019 05:53:30 -0000 Author: kp Date: Mon Apr 1 06:51:32 2019 New Revision: 345760 URL: https://svnweb.freebsd.org/changeset/base/345625 Log: pf: Remove obsolete pf pf in FreeBSD lags years behind OpenBSD's pf. Remove it. Users are advised to migrate to ipf. Deleted: head/contrib/pf/authpf/authpf.8 head/contrib/pf/authpf/authpf.c head/contrib/pf/authpf/pathnames.h head/contrib/pf/ftp-proxy/filter.c head/contrib/pf/ftp-proxy/filter.h head/contrib/pf/ftp-proxy/ftp-proxy.8 head/contrib/pf/ftp-proxy/ftp-proxy.c head/contrib/pf/libevent/buffer.c head/contrib/pf/libevent/evbuffer.c head/contrib/pf/libevent/event-internal.h head/contrib/pf/libevent/event.c head/contrib/pf/libevent/event.h head/contrib/pf/libevent/evsignal.h head/contrib/pf/libevent/kqueue.c head/contrib/pf/libevent/log.c head/contrib/pf/libevent/log.h head/contrib/pf/libevent/poll.c head/contrib/pf/libevent/select.c head/contrib/pf/libevent/signal.c head/contrib/pf/pflogd/pflogd.8 head/contrib/pf/pflogd/pflogd.c head/contrib/pf/pflogd/pflogd.h head/contrib/pf/pflogd/pidfile.c head/contrib/pf/pflogd/pidfile.h head/contrib/pf/pflogd/privsep.c head/contrib/pf/pflogd/privsep_fdpass.c head/contrib/pf/tftp-proxy/filter.c head/contrib/pf/tftp-proxy/filter.h head/contrib/pf/tftp-proxy/tftp-proxy.8 head/contrib/pf/tftp-proxy/tftp-proxy.c head/contrib/tcpdump/print-pflog.c head/contrib/tcpdump/print-pfsync.c head/sbin/pfctl/Makefile head/sbin/pfctl/parse.y head/sbin/pfctl/pf.os head/sbin/pfctl/pf_print_state.c head/sbin/pfctl/pfctl.8 head/sbin/pfctl/pfctl.c head/sbin/pfctl/pfctl.h head/sbin/pfctl/pfctl_altq.c head/sbin/pfctl/pfctl_optimize.c head/sbin/pfctl/pfctl_osfp.c head/sbin/pfctl/pfctl_parser.c head/sbin/pfctl/pfctl_parser.h head/sbin/pfctl/pfctl_qstats.c head/sbin/pfctl/pfctl_radix.c head/sbin/pfctl/pfctl_table.c head/sys/modules/pf/Makefile head/sys/modules/pflog/Makefile head/sys/modules/pfsync/Makefile 
head/sys/netpfil/pf/if_pflog.c head/sys/netpfil/pf/if_pfsync.c head/sys/netpfil/pf/in4_cksum.c head/sys/netpfil/pf/pf.c head/sys/netpfil/pf/pf.h head/sys/netpfil/pf/pf_altq.h head/sys/netpfil/pf/pf_if.c head/sys/netpfil/pf/pf_ioctl.c head/sys/netpfil/pf/pf_lb.c head/sys/netpfil/pf/pf_mtag.h head/sys/netpfil/pf/pf_norm.c head/sys/netpfil/pf/pf_osfp.c head/sys/netpfil/pf/pf_ruleset.c head/sys/netpfil/pf/pf_table.c
Index: contrib/pf/authpf/authpf.8
===================================================================
--- contrib/pf/authpf/authpf.8	(revision 345223)
+++ contrib/pf/authpf/authpf.8	(working copy)
@@ -1,584 +0,0 @@ -.\" $FreeBSD$ -.\" $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $ -.\" -.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd January 29 2014 -.Dt AUTHPF 8 -.Os -.Sh NAME -.Nm authpf , -.Nm authpf-noip -.Nd authenticating gateway user shell -.Sh SYNOPSIS -.Nm authpf -.Nm authpf-noip -.Sh DESCRIPTION -.Nm -is a user shell for authenticating gateways. -It is used to change -.Xr pf 4 -rules when a user authenticates and starts a session with -.Xr sshd 8 -and to undo these changes when the user's session exits. -Typical use would be for a gateway that authenticates users before -allowing them Internet use, or a gateway that allows different users into -different places. -Combined with properly set up filter rules and secure switches, -.Nm -can be used to ensure users are held accountable for their network traffic. -It is meant to be used with users who can connect via -.Xr ssh 1 -only, and requires the -.Xr pf 4 -subsystem and an -.Xr fdescfs 5 -file system mounted at -.Pa /dev/fd -to be enabled. -.Pp -.Nm authpf-noip -is a user shell -which allows multiple connections to take -place from the same IP address. 
-It is useful primarily in cases where connections are tunneled via -the gateway system, and can be directly associated with the user name. -It cannot ensure accountability when -classifying connections by IP address; -in this case the client's IP address -is not provided to the packet filter via the -.Ar client_ip -macro or the -.Ar authpf_users -table. -Additionally, states associated with the client IP address -are not purged when the session is ended. -.Pp -To use either -.Nm -or -.Nm authpf-noip , -the user's shell needs to be set to -.Pa /usr/sbin/authpf -or -.Pa /usr/sbin/authpf-noip . -.Pp -.Nm -uses the -.Xr pf.conf 5 -syntax to change filter and translation rules for an individual -user or client IP address as long as a user maintains an active -.Xr ssh 1 -session, and logs the successful start and end of a session to -.Xr syslogd 8 . -.Nm -retrieves the client's connecting IP address via the -.Ev SSH_CLIENT -environment variable and, after performing additional access checks, -reads a template file to determine what filter and translation rules -(if any) to add, and -maintains the list of IP addresses of connected users in the -.Ar authpf_users -table. -On session exit the same rules and table entries that were added at startup -are removed, and all states associated with the client's IP address are purged. -.Pp -Each -.Nm -process stores its rules in a separate ruleset inside a -.Xr pf 4 -.Pa anchor -shared by all -.Nm -processes. -By default, the -.Pa anchor -name "authpf" is used, and the ruleset names equal the username and PID of the -.Nm -processes as "username(pid)". -The following rules need to be added to the main ruleset -.Pa /etc/pf.conf -in order to cause evaluation of any -.Nm -rules: -.Bd -literal -offset indent -nat-anchor "authpf/*" -rdr-anchor "authpf/*" -binat-anchor "authpf/*" -anchor "authpf/*" -.Ed -.Pp -The "/*" at the end of the anchor name is required for -.Xr pf 4 -to process the rulesets attached to the anchor by -.Nm authpf . 
-.Sh FILTER AND TRANSLATION RULES -Filter and translation rules for -.Nm -use the same format described in -.Xr pf.conf 5 . -The only difference is that these rules may (and probably should) use -the macro -.Em user_ip , -which is assigned the connecting IP address whenever -.Nm -is run. -Additionally, the macro -.Em user_id -is assigned the user name. -.Pp -Filter and translation rules are stored in a file called -.Pa authpf.rules . -This file will first be searched for in -.Pa /etc/authpf/users/$USER/ -and then in -.Pa /etc/authpf/ . -Only one of these files will be used if both are present. -.Pp -Per-user rules from the -.Pa /etc/authpf/users/$USER/ -directory are intended to be used when non-default rules -are needed on an individual user basis. -It is important to ensure that a user can not write or change -these configuration files. -.Pp -The -.Pa authpf.rules -file must exist in one of the above locations for -.Nm -to run. -.Sh CONFIGURATION -Options are controlled by the -.Pa /etc/authpf/authpf.conf -file. -If the file is empty, defaults are used for all -configuration options. -The file consists of pairs of the form -.Li name=value , -one per line. -Currently, the allowed values are as follows: -.Bl -tag -width Ds -.It anchor=name -Use the specified -.Pa anchor -name instead of "authpf". -.It table=name -Use the specified -.Pa table -name instead of "authpf_users". -.El -.Sh USER MESSAGES -On successful invocation, -.Nm -displays a message telling the user he or she has been authenticated. -It will additionally display the contents of the file -.Pa /etc/authpf/authpf.message -if the file exists and is readable. -.Pp -There exist two methods for providing additional granularity to the control -offered by -.Nm -- it is possible to set the gateway to explicitly allow users who have -authenticated to -.Xr ssh 1 -and deny access to only a few troublesome individuals. 
-This is done by creating a file with the banned user's login name as the -filename in -.Pa /etc/authpf/banned/ . -The contents of this file will be displayed to a banned user, thus providing -a method for informing the user that they have been banned, and where they can -go and how to get there if they want to have their service restored. -This is the default behaviour. -.Pp -It is also possible to configure -.Nm -to only allow specific users access. -This is done by listing their login names, one per line, in -.Pa /etc/authpf/authpf.allow . -A group of users can also be indicated by prepending "%" to the group name, -and all members of a login class can be indicated by prepending "@" to the -login class name. -If "*" is found on a line, then all usernames match. -If -.Nm -is unable to verify the user's permission to use the gateway, it will -print a brief message and die. -It should be noted that a ban takes precedence over an allow. -.Pp -On failure, messages will be logged to -.Xr syslogd 8 -for the system administrator. -The user does not see these, but will be told the system is unavailable due to -technical difficulties. -The contents of the file -.Pa /etc/authpf/authpf.problem -will also be displayed if the file exists and is readable. -.Sh CONFIGURATION ISSUES -.Nm -maintains the changed filter rules as long as the user maintains an -active session. -It is important to remember however, that the existence -of this session means the user is authenticated. -Because of this, it is important to configure -.Xr sshd 8 -to ensure the security of the session, and to ensure that the network -through which users connect is secure. -.Xr sshd 8 -should be configured to use the -.Ar ClientAliveInterval -and -.Ar ClientAliveCountMax -parameters to ensure that a ssh session is terminated quickly if -it becomes unresponsive, or if arp or address spoofing is used to -hijack the session. -Note that TCP keepalives are not sufficient for -this, since they are not secure. 
-Also note that the various SSH tunnelling mechanisms, -such as -.Ar AllowTcpForwarding -and -.Ar PermitTunnel , -should be disabled for -.Nm -users to prevent them from circumventing restrictions imposed by the -packet filter ruleset. -.Pp -.Nm -will remove state table entries that were created during a user's -session. -This ensures that there will be no unauthenticated traffic -allowed to pass after the controlling -.Xr ssh 1 -session has been closed. -.Pp -.Nm -is designed for gateway machines which typically do not have regular -(non-administrative) users using the machine. -An administrator must remember that -.Nm -can be used to modify the filter rules through the environment in -which it is run, and as such could be used to modify the filter rules -(based on the contents of the configuration files) by regular -users. -In the case where a machine has regular users using it, as well -as users with -.Nm -as their shell, the regular users should be prevented from running -.Nm -by using the -.Pa /etc/authpf/authpf.allow -or -.Pa /etc/authpf/banned/ -facilities. -.Pp -.Nm -modifies the packet filter and address translation rules, and because -of this it needs to be configured carefully. -.Nm -will not run and will exit silently if the -.Pa /etc/authpf/authpf.conf -file does not exist. -After considering the effect -.Nm -may have on the main packet filter rules, the system administrator may -enable -.Nm -by creating an appropriate -.Pa /etc/authpf/authpf.conf -file. -.Sh EXAMPLES -.Sy Control Files -\- To illustrate the user-specific access control -mechanisms, let us consider a typical user named bob. -Normally, as long as bob can authenticate himself, the -.Nm -program will load the appropriate rules. -Enter the -.Pa /etc/authpf/banned/ -directory. 
-If bob has somehow fallen from grace in the eyes of the -powers-that-be, they can prohibit him from using the gateway by creating -the file -.Pa /etc/authpf/banned/bob -containing a message about why he has been banned from using the network. -Once bob has done suitable penance, his access may be restored by moving or -removing the file -.Pa /etc/authpf/banned/bob . -.Pp -Now consider a workgroup containing alice, bob, carol and dave. -They have a -wireless network which they would like to protect from unauthorized use. -To accomplish this, they create the file -.Pa /etc/authpf/authpf.allow -which lists their login ids, group prepended with "%", or login class -prepended with "@", one per line. -At this point, even if eve could authenticate to -.Xr sshd 8 , -she would not be allowed to use the gateway. -Adding and removing users from -the work group is a simple matter of maintaining a list of allowed userids. -If bob once again manages to annoy the powers-that-be, they can ban him from -using the gateway by creating the familiar -.Pa /etc/authpf/banned/bob -file. -Though bob is listed in the allow file, he is prevented from using -this gateway due to the existence of a ban file. -.Pp -.Sy Distributed Authentication -\- It is often desirable to interface with a -distributed password system rather than forcing the sysadmins to keep a large -number of local password files in sync. -The -.Xr login.conf 5 -mechanism in -.Ox -can be used to fork the right shell. -To make that happen, -.Xr login.conf 5 -should have entries that look something like this: -.Bd -literal -offset indent -shell-default:shell=/bin/csh - -default:\e - ... - :shell=/usr/sbin/authpf - -daemon:\e - ... - :shell=/bin/csh:\e - :tc=default: - -staff:\e - ... - :shell=/bin/csh:\e - :tc=default: -.Ed -.Pp -Using a default password file, all users will get -.Nm -as their shell except for root who will get -.Pa /bin/csh . 
-.Pp -.Sy SSH Configuration -\- As stated earlier, -.Xr sshd 8 -must be properly configured to detect and defeat network attacks. -To that end, the following options should be added to -.Xr sshd_config 5 : -.Bd -literal -offset indent -Protocol 2 -ClientAliveInterval 15 -ClientAliveCountMax 3 -.Ed -.Pp -This ensures that unresponsive or spoofed sessions are terminated within a -minute, since a hijacker should not be able to spoof ssh keepalive messages. -.Pp -.Sy Banners -\- Once authenticated, the user is shown the contents of -.Pa /etc/authpf/authpf.message . -This message may be a screen-full of the appropriate use policy, the contents -of -.Pa /etc/motd -or something as simple as the following: -.Bd -literal -offset indent -This means you will be held accountable by the powers that be -for traffic originating from your machine, so please play nice. -.Ed -.Pp -To tell the user where to go when the system is broken, -.Pa /etc/authpf/authpf.problem -could contain something like this: -.Bd -literal -offset indent -Sorry, there appears to be some system problem. To report this -problem so we can fix it, please phone 1-900-314-1597 or send -an email to remove@bulkmailerz.net. -.Ed -.Pp -.Sy Packet Filter Rules -\- In areas where this gateway is used to protect a -wireless network (a hub with several hundred ports), the default rule set as -well as the per-user rules should probably allow very few things beyond -encrypted protocols like -.Xr ssh 1 , -.Xr ssl 8 , -or -.Xr ipsec 4 . -On a securely switched network, with plug-in jacks for visitors who are -given authentication accounts, you might want to allow out everything. -In this context, a secure switch is one that tries to prevent address table -overflow attacks. -.Pp -Example -.Pa /etc/pf.conf : -.Bd -literal -# by default we allow internal clients to talk to us using -# ssh and use us as a dns server. 
-internal_if="fxp1" -gateway_addr="10.0.1.1" -nat-anchor "authpf/*" -rdr-anchor "authpf/*" -binat-anchor "authpf/*" -block in on $internal_if from any to any -pass in quick on $internal_if proto tcp from any to $gateway_addr \e - port = ssh -pass in quick on $internal_if proto udp from any to $gateway_addr \e - port = domain -anchor "authpf/*" -.Ed -.Pp -.Sy For a switched, wired net -\- This example -.Pa /etc/authpf/authpf.rules -makes no real restrictions; it turns the IP address on and off, logging -TCP connections. -.Bd -literal -external_if = "xl0" -internal_if = "fxp0" - -pass in log quick on $internal_if proto tcp from $user_ip to any -pass in quick on $internal_if from $user_ip to any -.Ed -.Pp -.Sy For a wireless or shared net -\- This example -.Pa /etc/authpf/authpf.rules -could be used for an insecure network (such as a public wireless network) where -we might need to be a bit more restrictive. -.Bd -literal -internal_if="fxp1" -ipsec_gw="10.2.3.4" - -# rdr ftp for proxying by ftp-proxy(8) -rdr on $internal_if proto tcp from $user_ip to any port 21 \e - -> 127.0.0.1 port 8021 - -# allow out ftp, ssh, www and https only, and allow user to negotiate -# ipsec with the ipsec server. -pass in log quick on $internal_if proto tcp from $user_ip to any \e - port { 21, 22, 80, 443 } -pass in quick on $internal_if proto tcp from $user_ip to any \e - port { 21, 22, 80, 443 } -pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp -pass in quick proto esp from $user_ip to $ipsec_gw -.Ed -.Pp -.Sy Dealing with NAT -\- The following -.Pa /etc/authpf/authpf.rules -shows how to deal with NAT, using tags: -.Bd -literal -ext_if = "fxp1" -ext_addr = 129.128.11.10 -int_if = "fxp0" -# nat and tag connections... 
-nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr -pass in quick on $int_if from $user_ip to any -pass out log quick on $ext_if tagged $user_ip -.Ed -.Pp -With the above rules added by -.Nm , -outbound connections corresponding to each users NAT'ed connections -will be logged as in the example below, where the user may be identified -from the ruleset name. -.Bd -literal -# tcpdump -n -e -ttt -i pflog0 -Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e -129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e -16384 (DF) -.Ed -.Pp -.Sy Using the authpf_users table -\- Simple -.Nm -settings can be implemented without an anchor by just using the "authpf_users" -.Pa table . -For example, the following -.Xr pf.conf 5 -lines will give SMTP and IMAP access to logged in users: -.Bd -literal -table persist -pass in on $ext_if proto tcp from \e - to port { smtp imap } -.Ed -.Pp -It is also possible to use the "authpf_users" -.Pa table -in combination with anchors. -For example, -.Xr pf 4 -processing can be sped up by looking up the anchor -only for packets coming from logged in users: -.Bd -literal -table persist -anchor "authpf/*" from -rdr-anchor "authpf/*" from -.Ed -.Pp -.Sy Tunneled users -\- normally -.Nm -allows only one session per client IP address. -However in some cases, such as when connections are tunneled via -.Xr ssh 1 -or -.Xr ipsec 4 , -the connections can be authorized based on the userid of the user instead of -the client IP address. -In this case it is appropriate to use -.Nm authpf-noip -to allow multiple users behind a NAT gateway to connect. 
-In the -.Pa /etc/authpf/authpf.rules -example below, the remote user could tunnel a remote desktop session to their -workstation: -.Bd -literal -internal_if="bge0" -workstation_ip="10.2.3.4" - -pass out on $internal_if from (self) to $workstation_ip port 3389 \e - user $user_id -.Ed -.Sh FILES -.Bl -tag -width "/etc/authpf/authpf.conf" -compact -.It Pa /etc/authpf/authpf.conf -.It Pa /etc/authpf/authpf.allow -.It Pa /etc/authpf/authpf.rules -.It Pa /etc/authpf/authpf.message -.It Pa /etc/authpf/authpf.problem -.El -.Sh SEE ALSO -.Xr pf 4 , -.Xr fdescfs 5 , -.Xr pf.conf 5 , -.Xr securelevel 7 , -.Xr ftp-proxy 8 -.Sh HISTORY -The -.Nm -program first appeared in -.Ox 3.1 . -.Sh BUGS -Configuration issues are tricky. -The authenticating -.Xr ssh 1 -connection may be secured, but if the network is not secured the user may -expose insecure protocols to attackers on the same network, or enable other -attackers on the network to pretend to be the user by spoofing their IP -address. -.Pp -.Nm -is not designed to prevent users from denying service to other users. Index: contrib/pf/authpf/pathnames.h =================================================================== --- contrib/pf/authpf/pathnames.h (revision 345223) +++ contrib/pf/authpf/pathnames.h (working copy) 
@@ -1,39 +0,0 @@
-/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
-
-/*
- * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define PATH_CONFFILE "/etc/authpf/authpf.conf"
-#define PATH_ALLOWFILE "/etc/authpf/authpf.allow"
-#define PATH_PFRULES "/etc/authpf/authpf.rules"
-#define PATH_PROBLEM "/etc/authpf/authpf.problem"
-#define PATH_MESSAGE "/etc/authpf/authpf.message"
-#define PATH_USER_DIR "/etc/authpf/users"
-#define PATH_BAN_DIR "/etc/authpf/banned"
-#define PATH_DEVFILE "/dev/pf"
-#define PATH_PIDFILE "/var/authpf"
-#define PATH_AUTHPF_SHELL "/usr/sbin/authpf"
-#define PATH_AUTHPF_SHELL_NOIP "/usr/sbin/authpf-noip"
-#define PATH_PFCTL "/sbin/pfctl"
Index: contrib/pf/ftp-proxy/filter.c
===================================================================
--- contrib/pf/ftp-proxy/filter.c	(revision 345223)
+++ contrib/pf/ftp-proxy/filter.c	(working copy)
@@ -1,393 +0,0 @@
-/* $OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */
-
-/*
- * Copyright (c) 2004, 2005 Camiel Dobbelaar,
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "filter.h"
-
-/* From netinet/in.h, but only _KERNEL_ gets them. */
-#define satosin(sa) ((struct sockaddr_in *)(sa))
-#define satosin6(sa) ((struct sockaddr_in6 *)(sa))
-
-enum { TRANS_FILTER = 0, TRANS_NAT, TRANS_RDR, TRANS_SIZE };
-
-int prepare_rule(u_int32_t, int, struct sockaddr *, struct sockaddr *,
-    u_int16_t);
-int server_lookup4(struct sockaddr_in *, struct sockaddr_in *,
-    struct sockaddr_in *);
-int server_lookup6(struct sockaddr_in6 *, struct sockaddr_in6 *,
-    struct sockaddr_in6 *);
-
-static struct pfioc_pooladdr pfp;
-static struct pfioc_rule pfr;
-static struct pfioc_trans pft;
-static struct pfioc_trans_e pfte[TRANS_SIZE];
-static int dev, rule_log;
-static const char *qname, *tagname;
-
-int
-add_filter(u_int32_t id, u_int8_t dir, struct sockaddr *src,
-    struct sockaddr *dst, u_int16_t d_port)
-{
-	if (!src || !dst || !d_port) {
-		errno = EINVAL;
-		return (-1);
-	}
-
-	if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port) == -1)
-		return (-1);
-
-	pfr.rule.direction = dir;
-	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
-		return (-1);
-
-	return (0);
-}
-
-int
-add_nat(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
-    u_int16_t d_port, struct sockaddr *nat, u_int16_t nat_range_low,
-    u_int16_t nat_range_high)
-{
-	if (!src || !dst || !d_port || !nat || !nat_range_low ||
-	    (src->sa_family != nat->sa_family)) {
-		errno = EINVAL;
-		return (-1);
-	}
-
-	if (prepare_rule(id, PF_RULESET_NAT, src, dst, d_port) == -1)
-		return (-1);
-
-	if (nat->sa_family == AF_INET) {
-		memcpy(&pfp.addr.addr.v.a.addr.v4,
-		    &satosin(nat)->sin_addr.s_addr, 4);
-		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
-	} else {
-		memcpy(&pfp.addr.addr.v.a.addr.v6,
-		    &satosin6(nat)->sin6_addr.s6_addr, 16);
-		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
-	}
-	if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
-		return (-1);
-
-	pfr.rule.rpool.proxy_port[0] = nat_range_low;
-	pfr.rule.rpool.proxy_port[1] = nat_range_high;
-	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
-		return (-1);
-
-	return (0);
-}
-
-int
-add_rdr(u_int32_t id, struct sockaddr *src, struct sockaddr *dst,
-    u_int16_t d_port, struct sockaddr *rdr, u_int16_t rdr_port)
-{
-	if (!src || !dst || !d_port || !rdr || !rdr_port ||
-	    (src->sa_family != rdr->sa_family)) {
-		errno = EINVAL;
-		return (-1);
-	}
-
-	if (prepare_rule(id, PF_RULESET_RDR, src, dst, d_port) == -1)
-		return (-1);
-
-	if (rdr->sa_family == AF_INET) {
-		memcpy(&pfp.addr.addr.v.a.addr.v4,
-		    &satosin(rdr)->sin_addr.s_addr, 4);
-		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 4);
-	} else {
-		memcpy(&pfp.addr.addr.v.a.addr.v6,
-		    &satosin6(rdr)->sin6_addr.s6_addr, 16);
-		memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
-	}
-	if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
-		return (-1);
-
-	pfr.rule.rpool.proxy_port[0] = rdr_port;
-	if (ioctl(dev, DIOCADDRULE, &pfr) == -1)
-		return (-1);
-
-	return (0);
-}
-
-int
-do_commit(void)
-{
-	if (ioctl(dev, DIOCXCOMMIT, &pft) == -1)
-		return (-1);
-
-	return (0);
-}
-
-int
-do_rollback(void)
-{
-	if (ioctl(dev, DIOCXROLLBACK, &pft) == -1)
-		return (-1);
-
-	return (0);
-}
-
-void
-init_filter(const char *opt_qname, const char *opt_tagname, int opt_verbose)
-{
-	struct pf_status status;
-
-	qname = opt_qname;
-	tagname = opt_tagname;
-
-	if (opt_verbose == 1)
-		rule_log = PF_LOG;
-	else if (opt_verbose == 2)
-		rule_log = PF_LOG_ALL;
-
-	dev = open("/dev/pf", O_RDWR);
-	if (dev == -1)
-		err(1, "open /dev/pf");
-	if (ioctl(dev, DIOCGETSTATUS, &status) == -1)
-		err(1, "DIOCGETSTATUS");
-	if (!status.running)
-		errx(1, "pf is disabled");
-}
-
-int
-prepare_commit(u_int32_t id)
-{
-	char an[PF_ANCHOR_NAME_SIZE];
-	int i;
-
-	memset(&pft, 0, sizeof pft);
-	pft.size = TRANS_SIZE;
-	pft.esize = sizeof pfte[0];
-	pft.array = pfte;
-
-	snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
-	    getpid(), id);
-	for (i = 0; i < TRANS_SIZE; i++) {
-		memset(&pfte[i], 0, sizeof pfte[0]);
-		strlcpy(pfte[i].anchor, an, PF_ANCHOR_NAME_SIZE);
-		switch (i) {
-		case TRANS_FILTER:
-			pfte[i].rs_num = PF_RULESET_FILTER;
-			break;
-		case TRANS_NAT:
-			pfte[i].rs_num = PF_RULESET_NAT;
-			break;
-		case TRANS_RDR:
-			pfte[i].rs_num = PF_RULESET_RDR;
-			break;
-		default:
-			errno = EINVAL;
-			return (-1);
-		}
-	}
-
-	if (ioctl(dev, DIOCXBEGIN, &pft) == -1)
-		return (-1);
-
-	return (0);
-}
-
-int
-prepare_rule(u_int32_t id, int rs_num, struct sockaddr *src,
-    struct sockaddr *dst, u_int16_t d_port)
-{
-	char an[PF_ANCHOR_NAME_SIZE];
-
-	if ((src->sa_family != AF_INET && src->sa_family != AF_INET6) ||
-	    (src->sa_family != dst->sa_family)) {
-		errno = EPROTONOSUPPORT;
-		return (-1);
-	}
-
-	memset(&pfp, 0, sizeof pfp);
-	memset(&pfr, 0, sizeof pfr);
-	snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
-	    getpid(), id);
-	strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
-	strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
-
-	switch (rs_num) {
-	case PF_RULESET_FILTER:
-		pfr.ticket = pfte[TRANS_FILTER].ticket;
-		break;
-	case PF_RULESET_NAT:
-		pfr.ticket = pfte[TRANS_NAT].ticket;
-		break;
-	case PF_RULESET_RDR:
-		pfr.ticket = pfte[TRANS_RDR].ticket;
-		break;
-	default:
-		errno = EINVAL;
-		return (-1);
-	}
-	if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
-		return (-1);
-	pfr.pool_ticket = pfp.ticket;
-
-	/* Generic for all rule types. */
-	pfr.rule.af = src->sa_family;
-	pfr.rule.proto = IPPROTO_TCP;
-	pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
-	pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
-	if (src->sa_family == AF_INET) {
-		memcpy(&pfr.rule.src.addr.v.a.addr.v4,
-		    &satosin(src)->sin_addr.s_addr, 4);
-		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
-		memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
-		    &satosin(dst)->sin_addr.s_addr, 4);
-		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
-	} else {
-		memcpy(&pfr.rule.src.addr.v.a.addr.v6,
-		    &satosin6(src)->sin6_addr.s6_addr, 16);
-		memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
-		memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
-		    &satosin6(dst)->sin6_addr.s6_addr, 16);
-		memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
-	}
-	pfr.rule.dst.port_op = PF_OP_EQ;
-	pfr.rule.dst.port[0] = htons(d_port);
-
-	switch (rs_num) {
-	case PF_RULESET_FILTER:
-		/*
-		 * pass [quick] [log] inet[6] proto tcp \
-		 *     from $src to $dst port = $d_port flags S/SA keep state
-		 *     (max 1) [queue qname] [tag tagname]
-		 */
-		pfr.rule.action = PF_PASS;
-		pfr.rule.quick = 1;
-		pfr.rule.log = rule_log;
-		pfr.rule.keep_state = 1;
-		pfr.rule.flags = TH_SYN;
-		pfr.rule.flagset = (TH_SYN|TH_ACK);
-		pfr.rule.max_states = 1;
-		if (qname != NULL)
-			strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
-		if (tagname != NULL) {
-			pfr.rule.quick = 0;
-			strlcpy(pfr.rule.tagname, tagname,
-			    sizeof pfr.rule.tagname);
-		}
-		break;
-	case PF_RULESET_NAT:
-		/*
-		 * nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
-		 */
-		pfr.rule.action = PF_NAT;
-		break;
-	case PF_RULESET_RDR:
-		/*
-		 * rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
-		 */
-		pfr.rule.action = PF_RDR;
-		break;
-	default:
-		errno = EINVAL;
-		return (-1);
-	}
-
-	return (0);
-}
-
-int
-server_lookup(struct sockaddr *client, struct sockaddr *proxy,
-    struct sockaddr *server)
-{
-	if (client->sa_family == AF_INET)
-		return (server_lookup4(satosin(client), satosin(proxy),
-		    satosin(server)));
-
-	if (client->sa_family == AF_INET6)
-		return (server_lookup6(satosin6(client), satosin6(proxy),
-		    satosin6(server)));
-
-	errno = EPROTONOSUPPORT;
-	return (-1);
-}
-
-int
-server_lookup4(struct sockaddr_in *client, struct sockaddr_in *proxy,
-    struct sockaddr_in *server)
-{
-	struct pfioc_natlook pnl;
-
-	memset(&pnl, 0, sizeof pnl);
-	pnl.direction = PF_OUT;
-	pnl.af = AF_INET;
-	pnl.proto = IPPROTO_TCP;
-	memcpy(&pnl.saddr.v4, &client->sin_addr.s_addr, sizeof pnl.saddr.v4);
-	memcpy(&pnl.daddr.v4, &proxy->sin_addr.s_addr, sizeof pnl.daddr.v4);
-	pnl.sport = client->sin_port;
-	pnl.dport = proxy->sin_port;
-
-	if (ioctl(dev, DIOCNATLOOK, &pnl) == -1)
-		return (-1);
-
-	memset(server, 0, sizeof(struct sockaddr_in));
-	server->sin_len = sizeof(struct sockaddr_in);
-	server->sin_family = AF_INET;
-	memcpy(&server->sin_addr.s_addr, &pnl.rdaddr.v4,
-	    sizeof server->sin_addr.s_addr);
-	server->sin_port = pnl.rdport;
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***