Date: Thu, 05 Jul 2007 08:25:42 +0200 From: Laurent LEVIER <llevier@argosnet.com> To: freebsd-pf@freebsd.org Subject: Issue with PF on FreeBSD 6.2.5? Message-ID: <20070705062546.BF688267E13@mx.levier.org>
Hi All,

I am currently setting up a ChilliSpot server using the conup/condown commands. Since the LAN will also be publicly available, I am using Chilli as UAM. These con* scripts are launched with additional arguments (IP address, device) when a user is authenticated on the HotSpot. This way, I can update firewall rules dynamically to allow the authenticated user to pass... or to no longer pass when the session is over.

Apparently, the best way to solve this with pf is to use tables, since an anchor permits adding a rule, but not deleting the added rule (at least I did not find how to). But it seems it does not fully work for me.

If you read my pf.conf file at the end of this email, you will see I created a table "public_granted" that is associated with 2 rules:
1) a rdr to redirect to Squid transparently (the rule is before the one redirecting transparently to the Chilli authentication server)
2) a pass in quick rule to allow the new user to pass through.

The problem I have is:
- When the public_granted table is updated with a new IP address, pf lets the user pass through.
- But when I delete this @IP from the table, pf keeps allowing the user to pass through.

I appreciate all advice to help me solve this weird situation.

Thanks in advance

My pf.conf:

### Options
# pf configuration
set block-policy return
set state-policy if-bound
# localhost
set skip on lo0

### Declarations
# Interface declaration
if_ext="nve0"   # Internet Interface
if_int="bge0"   # Public access Interface
if_wifi="tun0"  # WiFi Hotspot Interface
# Subnets declaration
net_public="192.168.254.0/24"
net_wifi_admin="192.168.253.252/30"
# IP declaration
ip_ext_me="192.168.0.100"
ip_wifi_me="192.168.254.1"
ip_wifi_admin_me="192.168.253.253"
ip_hotspot="192.168.253.254"

### Tables!
table <public_granted>

### Redirections
# Squid redirection for authenticated users on Public
rdr on $if_int proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
rdr on $if_wifi proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
# Authentication portal for Public
rdr on $if_int proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990
rdr on $if_wifi proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990

### NAT
# Public to me on Internet side
nat on $if_ext from $net_public to any -> $ip_ext_me

### Filtering
# Hotspot is a typical network client
pass out quick from any to any keep state
# Who can admin me?
pass in log quick on $if_ext proto tcp from any to $ip_ext_me port = 22
## Logs from Public access side
# Syslog from access point sent to me
pass in log quick on $if_int proto udp from $ip_hotspot to $ip_wifi_admin_me port = 514
# DHCP
pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 67
pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 68
# DNS for Public
pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 53
pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 53
# DNS for WiFi
pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 53
pass in log quick on $if_wifi proto udp from $net_public to $ip_wifi_me port = 53
# Authentication portal for Public
pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 3990
pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 443
# Authentication portal for Wifi
pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 3990
pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 443
# Ping is granted to authenticated users (public_granted table)
pass in log quick on $if_wifi proto icmp from <public_granted> to $ip_wifi_me keep state
# Closing rule for Public & WiFi
block in log quick from any to $ip_wifi_me
block in log quick from any to $ip_wifi_admin_me
## HotSpot LAN configuration
# Table public_granted: contains granted users on Radius
pass in log quick on $if_int from <public_granted> to any keep state
pass in log quick on $if_wifi from <public_granted> to any keep state
# Finally block & log everything
block in log from any to any

Laurent LEVIER
Systems & Networks Senior Security Expert, CISSP CISM
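An added conup/condown-style hook, not part of the original post, showing the defender-side fix for the symptom described: pf consults its state table before the ruleset, so an entry created by the "pass in quick ... keep state" rules outlives the table delete unless the states are killed as well (pfctl -k kills the states originating from that address). It assumes pfctl is in PATH, the table is <public_granted> as in the pf.conf above, and the client address arrives as the second argument; ChilliSpot's actual argument/environment convention is not assumed and must be mapped by whoever installs it.

```shell
#!/bin/sh
# Added example (not from the original post): pf hook for ChilliSpot's
# conup/condown scripts. Usage: hook.sh up|down <client-ip>
# Assumptions: pfctl in PATH (override with PFCTL=... for a dry run),
# table name as in the pf.conf above, client address as second argument.
TABLE=public_granted
PFCTL=${PFCTL:-pfctl}

# Accept only a dotted-quad IPv4 address so nothing else reaches pfctl.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# conup: admit the client by adding it to the table.
grant() {
  valid_ipv4 "$1" || { echo "grant: bad address '$1'" >&2; return 2; }
  $PFCTL -t "$TABLE" -T add "$1"
}

# condown: remove the client from the table, then kill the states its
# traffic created. Packets are matched against existing states before
# the ruleset (and thus the table) is evaluated, so a table delete alone
# leaves every established session flowing until it times out.
revoke() {
  valid_ipv4 "$1" || { echo "revoke: bad address '$1'" >&2; return 2; }
  $PFCTL -t "$TABLE" -T delete "$1"
  $PFCTL -k "$1"
}

# Dispatch when run as a hook; with no arguments only the functions are defined.
case "${1:-}" in
  up)   grant  "$2" ;;
  down) revoke "$2" ;;
esac
```

Running it with PFCTL=echo prints the pfctl invocations instead of applying them, which is a convenient way to check what each hook would do before wiring it into chilli.conf.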