From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:52:07 2004
From: Max Laier <max@love2party.net>
To: Tom Danielsen
cc: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: Authenticating gateway
Date: Mon, 29 Sep 2003 16:37:28 +0200
Message-ID: <177168532476.20030929163728@love2party.net>
In-Reply-To: <20030929140917.GL22669@mnemonic.no>
References: <20030929140917.GL22669@mnemonic.no>

Hello Tom,

Monday, September 29, 2003, 4:09:17 PM, you wrote:

TD> is there an easy-to-implement way to have the gateway authenticate
TD> each outbound connection? Somewhat like authpf, but
TD> 1. authenticate to gateway
TD> 2. gateway adds rule
TD> 3. one (1) outbound connection
TD> 4. gateway removes the rule, but keeps the state entries

Hmmm ... sounds a bit obscure to me. How would you make sure that the
same user does not re-authenticate and open another connection?

I'd go for the following approach:

1. Authenticate
2. Add a rule with "(max 1)" (see the "STATEFUL TRACKING OPTIONS"
   section of pf.conf(5)). This way you can make sure that you really
   get one connection per user.
3. One outbound connection at a time ... that's not 100% what you asked
   for, though.
4. No need to remove the rule, as the user can't create more than one
   connection.

I hope this matches your needs.
-- 
Best regards,
 Max                            mailto:max@love2party.net
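An added pf.conf fragment (example code, not from the original post or from authpf) showing what the "(max 1)" rule from step 2 of Max's approach looks like as a per-user ruleset; the interface names, the client address and the assumption that the gateway loads this fragment for the user after authentication (the way authpf loads per-user rules) are constructed for the example:

```pf
# Constructed per-user ruleset, loaded by the gateway once the user has
# authenticated. Values below are placeholders, not from the thread.
int_if  = "xl0"           # assumed: interface facing the client
ext_if  = "fxp0"          # assumed: interface facing the Internet
user_ip = "192.168.1.20"  # assumed: address of the authenticated client

# Exactly one concurrent outbound TCP connection for this client.
# "max 1" caps the number of states THIS rule may create: once a state
# exists, further SYNs matching the rule are dropped until that state
# expires, so the rule never has to be removed (Max's step 4).
# The state is created on $int_if; with pf's default floating states it
# also matches the same connection when it leaves on $ext_if and when
# replies come back, so no second stateful rule (and no second state
# counter) is needed.
pass in quick on $int_if inet proto tcp from $user_ip to any \
    flags S/SA keep state (max 1)

# Caveat: "max" is per rule, not per source. Putting several users behind
# one shared rule (e.g. a table of authenticated clients) with "(max 1)"
# would allow one connection for the whole group, not one per user, which
# is why the rule has to be loaded separately for each authenticated user.
```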