From owner-freebsd-pf@FreeBSD.ORG  Fri May 26 15:40:54 2006
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 06F2816A508
	for <freebsd-pf@freebsd.org>; Fri, 26 May 2006 15:40:54 +0000 (UTC)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BA84C43D46
	for <freebsd-pf@freebsd.org>; Fri, 26 May 2006 15:40:18 +0000 (GMT)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1])
	by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id k4QFeD75016457
	(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO);
	Fri, 26 May 2006 17:40:13 +0200 (MEST)
Received: (from dhartmei@localhost)
	by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k4QFeClF024375;
	Fri, 26 May 2006 17:40:12 +0200 (MEST)
Date: Fri, 26 May 2006 17:40:12 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Peter =?iso-8859-1?Q?Ankerst=E5l?= <peter@pean.org>
Message-ID: <20060526154012.GT11262@insomnia.benzedrine.cx>
References: <44771631.6050901@pean.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <44771631.6050901@pean.org>
User-Agent: Mutt/1.5.10i
Cc: freebsd-pf@freebsd.org
Subject: Re: authpf.
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 26 May 2006 15:40:54 -0000

On Fri, May 26, 2006 at 04:52:33PM +0200, Peter Ankerstål wrote:

> I am using authpf for my wifi-network. But I want to redirect all of the 
> http-traffic to a webserver to show a "error message" when not 
> authenticated via authpf. But how to "remove" this rule when I 
> authenticate? As far as I know authpf just adds rules to the ruleset.

Ah, sometimes more is less :)

Assume you have a generic redirection like

  rdr on $int_if proto tcp to port 80 -> 127.0.0.1 8088

where 127.0.0.1:8088 is the web server with the error page, you can get
a particular client not redirected by adding a rule in front of it, like

  no rdr on $int_if proto tcp from 10.1.2.3 to port 80

It has to be added in front because the first matching translation rule
wins (unlike filter rules). I.e. place the rdr-anchor before the generic
redirect, and add a 'no rdr' with authpf.

Daniel