From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: Mark Jayson Alvarez
Date: Mon, 3 Apr 2006 12:46:35 +0300
Subject: Re: ipfw plus authentication???
Message-Id: <200604031246.36323.nvass@teledomenet.gr>
In-Reply-To: <20060403073449.1238.qmail@web51602.mail.yahoo.com>

On Monday 03 April 2006 10:34, Mark Jayson Alvarez wrote:
> Hi
>
> I am looking for ways to manage our LAN by having each user register their
> IP address, MAC address, workstation OS, etc. in our LDAP directory. Now in
> our pcrouter, the users will first send their login credentials to the
> pcrouter, and then the pcrouter will check against LDAP if this login is
> correct, and if it is, it will then do an ldapsearch/compare operation
> to see if the source address (IP/MAC) of the user trying to gain network
> access indeed belongs to that user. Only then will the ipfw ruleset be
> changed to allow traffic originating from this source address...
>

Does it have to be LDAP and ipfw? There is authpf which...

Introduction

Authpf(8) is a user shell for authenticating gateways. An authenticating
gateway is just like a regular network gateway (a.k.a. a router) except that
users must first authenticate themselves to the gateway before it will allow
traffic to pass through it. When a user's shell is set to /usr/sbin/authpf
(i.e., instead of setting a user's shell to ksh(1), csh(1), etc.) and the user
logs in using SSH, authpf will make the necessary changes to the active pf(4)
ruleset so that the user's traffic is passed through the filter and/or
translated using Network Address Translation or redirection. Once the user
logs out or their session is disconnected, authpf will remove any rules
loaded for the user and kill any stateful connections the user has open.
Because of this, the ability of the user to pass traffic through the gateway
only exists while the user keeps their SSH session open.

From here: http://www.openbsd.org/faq/pf/authpf.html

Of course this does not cover the IP|MAC address checking you mentioned, but
I don't see how this enhances security. It will be easy for a user to
change his IP|MAC address.

HTH, Nikos

> Has anyone gone with this solution before??
>
> Thanks
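A minimal authpf setup of the kind the FAQ excerpt describes, added here as an illustration and not taken from the thread or from the OpenBSD FAQ: the gateway's pf.conf with the anchors authpf fills at login, followed by the rule template it loads per user. Interface names, the LAN prefix and the pre-4.7 pf syntax (separate translation anchors, explicit keep state) are assumptions.

```pf
# /etc/pf.conf on the gateway (constructed example; names and prefix assumed)
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

set skip on lo0

# Translation rules had their own anchors in the pf of this era;
# authpf fills every authpf/* anchor at login and empties it at logout.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

# NAT for whatever LAN traffic the per-user rules let through.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny inbound. An unauthenticated LAN host can reach only the
# gateway's sshd, which is where it authenticates.
block in log all
pass out all keep state
pass in quick on $int_if proto tcp from $lan to ($int_if) port 22 keep state

# Per-user filter rules exist here only while that user's SSH session is open.
anchor "authpf/*"

# /etc/authpf/authpf.rules: the template authpf loads into the user's anchor.
# It is parsed on its own, so macros from pf.conf are not visible here.
# authpf itself defines $user_ip (the address the SSH session came from)
# and $user_id before loading the file.
int_if = "em1"

# Rules are tied to the address the session came from and are removed
# together with the session; nothing here inspects the MAC address.
pass in quick on $int_if from $user_ip to any keep state

# Optional per-user override: /etc/authpf/users/<login>/authpf.rules is used
# instead of the global file when it exists, with the same macros.
```

authpf also expects /etc/authpf/authpf.conf to exist (it may be empty), /usr/sbin/authpf to be the user's login shell and to be listed in /etc/shells, and the user to appear in /etc/authpf/authpf.allow if that file is present.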